Single Packet Authorization
Single Packet Authorization provides similar security benefits to port knocking in terms of protecting services with a packet filter that is configured in a default-drop stance. Anyone scanning for a target service that is protected in this way will be unable to detect such a service is listening, and this makes even the exploitation of zero-day vulnerabilities much more difficult. SPA offers elegant solutions to many limitations in port knocking implementations. These allow SPA to solve the replay problem, achieve a data transmission rate that makes the use of asymmetric encryption possible, thwart simple spoofing attacks and remain under the radar of intrusion detection systems that are monitoring networks for port scans.
See next month's LJ for Part II to this article, which will show exactly how to use SPA.
Krzywinski, M. 2003. “Port Knocking: Network Authentication Across Closed Ports”. SysAdmin Magazine 12: 12–17.
ElGamal Encryption: en.wikipedia.org/wiki/ElGamal_encryption
There is only one other SPA implementation that I am aware of at the time of this writing, available at www.unspecific.com/spa.
Another implementation called Tumbler (tumbler.sourceforge.net) employs a single packet, but it uses a hashed payload instead of an encrypted payload, and this results in a significantly different architecture.
fwknop documentation and man pages: www.cipherdyne.org/fwknop/docs
Michael Rash holds a Masters' Degree in applied mathematics with a concentration in computer security from the University of Maryland. Michael is the founder of cipherdyne.org, a Web site dedicated to open-source security software for Linux systems, and he works as Security Architect on the Dragon Intrusion Detection System for Enterasys Networks. He is the author of the upcoming book Linux Firewalls: Attack Detection and Response, published by No Starch Press.
|Privacy Is Personal||Jul 02, 2015|
|July 2015 Issue of Linux Journal: Mobile||Jul 01, 2015|
|July 2015 Video Preview||Jul 01, 2015|
|PHP for Non-Developers||Jun 30, 2015|
|A Code Boot Camp for Underprivileged Kids||Jun 30, 2015|
|Comprehensive Identity Management and Audit for Red Hat Enterprise Linux||Jun 29, 2015|
- Privacy Is Personal
- PHP for Non-Developers
- Secure Server Deployments in Hostile Territory
- Linux Kernel 4.1 Released
- Django Templates
- July 2015 Issue of Linux Journal: Mobile
- Comprehensive Identity Management and Audit for Red Hat Enterprise Linux
- A Code Boot Camp for Underprivileged Kids
- Attack of the Drones
- Practical Books for the Most Technical People on the Planet