Daniel Underwood wrote:
> > A port-knocking sequence is really nothing different than a shared password.
> Technically and conceptually, that's true. But "practically", I'm not
> sure you're right. If in addition to attempting to enumerate the
> space of possible passwords, an attacker also enumerates the space of
> possible port-knocking sequences, then, yes, you're right. But I am
> willing to bet that the vast majority of attackers DO NOT attempt
> this. For this reason, I think well-designed port-knocking DOES add
> significant strength to the server.
You're right, as long as port-knocking as a first-pass authentication
scheme is not in widespread use, then any attackers will not waste time
port-knocking. If ever port-knocking becomes common, attackers will
adapt and start knocking. Or: if you want to keep port-knocking useful,
then don't recommend it to anyone!
I think it is a bad idea, a wrong route to go. I think that there are so
many other options for improving security that are well tested, much
easier to deploy, cause less user annoyance etc etc.
Since, as said, the knocking sequence is a shared secret, the more users
you have the more likely it will be disclosed, and the more difficult it
is to distribute new knocking sequences as more users are affected.
More complexity, more possible failures and errors means more resources
spent on user support, and more resources spent on configuring the new
"toy". Resources that could be well spent on improving actual security
and monitoring actual threats.
You may deploy port-knocking at home for your own curiosity, but it
has no value on your curriculum.
Ph: +34.666334818/+34.915211157 http://www.locolomo.org