Loading
Single Packet Authorization
Single Packet Authorization fills the gaps in port knocking.
Single Packet Authorization provides similar security benefits to port knocking in terms of protecting services with a packet filter that is configured in a default-drop stance. Anyone scanning for a target service that is protected in this way will be unable to detect such a service is listening, and this makes even the exploitation of zero-day vulnerabilities much more difficult. SPA offers elegant solutions to many limitations in port knocking implementations. These allow SPA to solve the replay problem, achieve a data transmission rate that makes the use of asymmetric encryption possible, thwart simple spoofing attacks and remain under the radar of intrusion detection systems that are monitoring networks for port scans.
See next month's LJ for Part II to this article, which will show exactly how to use SPA.
- « first
- ‹ previous
- 1
- 2
- 3
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- Designing Electronics with Linux
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Dynamic DNS—an Object Lesson in Problem Solving
- Using Salt Stack and Vagrant for Drupal Development
- Build a Skype Server for Your Home Phone System
- New Products
- Why Python?
- A Topic for Discussion - Open Source Feature-Richness?
- Validate an E-Mail Address with PHP, the Right Way
- Tech Tip: Really Simple HTTP Server with Python
- Understanding the Linux Kernel
2 hours 9 min ago - General
4 hours 39 min ago - Kernel Problem
14 hours 42 min ago - BASH script to log IPs on public web server
19 hours 9 min ago - DynDNS
22 hours 44 min ago - Reply to comment | Linux Journal
23 hours 17 min ago - All the articles you talked
1 day 1 hour ago - All the articles you talked
1 day 1 hour ago - All the articles you talked
1 day 1 hour ago - myip
1 day 6 hours ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Comments
fwknop and SELINUX on FC6
I can't seem to implement the fwknop daemon on FC6 with SELINUX running. Has anyone come up with a policy that allows iptables to write to the /var/log/fwknop directory? Disabling SELINUX is not an option here, but might be for others.
Michael Rash
Although I haven't run fwknop on an SELINUX system, I would think that if you have apache or mysql installed and running, then you could use the same SELINUX policy settings that are applied to those daemons. They also write to directories like /var/log/apache2 and /var/log/mysql. In fwknop, the fwknopd and knoptm daemons need to write to files in /var/log/fwknop, and all three of fwknopd, knopwatchd, and knoptm daemons need to write to files in /var/run/fwknop/.
original?
Think this USENIX article should be listed in the references!
Single Packet Authorization with Fwknop by Michael Rash
ok ok...
my mistake... its the same guy
Moron
Drool on your keyboard much?
16 bytes of random data?
>Every SPA packet is prepended with 16 bytes of random data before being
>encrypted, and then upon a successful decrypt by the fwknop server, the
>MD5 sum of the entire packet is cached.
Assuming the attacker can encrypt packets, does this provide any additional security? Couldn't an attacker just replace the first 16 bytes with their own arbitrary data?
Caching the MD5
Perhaps I'm missing something, but how long must you keep previous MD5 hashs lying about to compare every new packet received? It would seem that if someone replayed after the MD5 cache was purged/recycled you could replay the message. True?
Re: Caching the MD5
By default fwknopd also requires that SPA packets are not older than two minutes (see the MAX_SPA_PACKET_AGE variable in the /etc/fwknop/fwknop.conf file), so even if the MD5 sum cache is removed, this is of little use to an attacker. Note that the SPA age is determined from a time stamp that is included within the encrypted SPA message, so even if an attacker intercepts an SPA packet the original time stamp cannot be changed.
The packet is encrypted and
The packet is encrypted and the attacker doesn't have your private key. If he tries to change a single bit, the entire packet will be rejected as garbage.
Of course, if whitelisting
Of course, if whitelisting is used then potentially some of this is effectively a moot point, is it not?
Well, the description of SPA
Well, the description of SPA says that two methods can be used for encryption: Rijndael symmetric block cipher or the asymmetric ElGamal algorithm.
If you're using symmetric crypto, obviously you have to provide the key to every client that will need access. (Possibly a bad idea if there are multiple clients.) If you're using asymmetric crypto, the attacker doesn't need your private key to encrypt messages - just your public key. In this case it is feasible that an attacker could encrypt their own packets.
The random data just prevents replay attacks (using captured packets that were previously encrypted).
Re: Well, the description of SPA
Hello - If asymmetric crypto is used, then the fwknop SPA server requires that that SPA packet is cryptographically signed by an approved client private key. So, it is true that an arbitrary client can encrypt an SPA packet with the server public key (which is published to the world), but the SPA server will reject it because it is not also signed. Part II of this article will illustrate this, but in the meantime here is a howto for using GnuPG for SPA encryption. Note the GPG_REMOTE_ID variable in the SPA server config specifies the client key ID's that must sign an asymmetrically encrypted SPA packet.