Single Packet Authorization
Single Packet Authorization provides similar security benefits to port knocking in terms of protecting services with a packet filter that is configured in a default-drop stance. Anyone scanning for a target service that is protected in this way will be unable to detect such a service is listening, and this makes even the exploitation of zero-day vulnerabilities much more difficult. SPA offers elegant solutions to many limitations in port knocking implementations. These allow SPA to solve the replay problem, achieve a data transmission rate that makes the use of asymmetric encryption possible, thwart simple spoofing attacks and remain under the radar of intrusion detection systems that are monitoring networks for port scans.
See next month's LJ for Part II to this article, which will show exactly how to use SPA.
Krzywinski, M. 2003. “Port Knocking: Network Authentication Across Closed Ports”. SysAdmin Magazine 12: 12–17.
ElGamal Encryption: en.wikipedia.org/wiki/ElGamal_encryption
There is only one other SPA implementation that I am aware of at the time of this writing, available at www.unspecific.com/spa.
Another implementation called Tumbler (tumbler.sourceforge.net) employs a single packet, but it uses a hashed payload instead of an encrypted payload, and this results in a significantly different architecture.
fwknop documentation and man pages: www.cipherdyne.org/fwknop/docs
Michael Rash holds a Masters' Degree in applied mathematics with a concentration in computer security from the University of Maryland. Michael is the founder of cipherdyne.org, a Web site dedicated to open-source security software for Linux systems, and he works as Security Architect on the Dragon Intrusion Detection System for Enterasys Networks. He is the author of the upcoming book Linux Firewalls: Attack Detection and Response, published by No Starch Press.
|openHAB||Apr 24, 2017|
|Omesh Tickoo and Ravi Iyer's Making Sense of Sensors (Apress)||Apr 21, 2017|
|Low Power Wireless: 6LoWPAN, IEEE802.15.4 and the Raspberry Pi||Apr 20, 2017|
|CodeLathe's Tonido Personal Cloud||Apr 19, 2017|
|Wrapping Up the Mars Lander||Apr 18, 2017|
|MultiTaction's MT Canvus-Connect||Apr 17, 2017|
- Teradici's Cloud Access Platform: "Plug & Play" Cloud for the Enterprise
- The Weather Outside Is Frightful (Or Is It?)
- Understanding Firewalld in Multi-Zone Configurations
- Simple Server Hardening
- Low Power Wireless: 6LoWPAN, IEEE802.15.4 and the Raspberry Pi
- Non-Linux FOSS: Control Web-Based Music!
- Buddy Platform Limited's Parse on Buddy Service
- Linux Journal February 2017