YounesZn
The Speakeasy Door to Your Network - Port Knocking (1)

Introduction

It's undeniable that the only truly secure system is one that's powered off. But you might as well throw that system away: since the birth of the internet, every system has been built for a purpose, and that purpose forces it to be exposed publicly and made available to external users, whether for patching, transmitting data, or adding functionality. This exposure may be selective or it may not be, because some systems must be accessible to anyone, from anywhere.

The dilemma that comes to mind now is: if anyone can access such systems, then where on earth are privacy and security?

Well, humans, being smart, standardized the terms authentication and authorization. These are the key concepts that safeguard our data, preventing unauthorized access and keeping it from being compromised. They are primarily managed by the service or system itself, which ensures that before any access is granted, the user must authenticate in one way or another (passwords, two-factor authentication, security questions, ...).

It seems like a good approach, but sadly, it's not that simple. Imagine a network with thousands of services: trusting devices that may not be secure by design to handle authentication themselves is a significant risk.


Firewalls Are Life Savers

Here come firewalls. Instead of allowing every user the possibility to reach our network and attempt to authenticate, why not restrict access to trusted users only? By applying a set of rules on the first reachable device in the network, the firewall, we can selectively accept or deny connections based on criteria such as source IP address, port number, and protocol.
So, finally, we can say our infrastructure is now safer than ever.

However, never be naive: there are several ways attackers can get around firewall rules. Once a rule authorizes a certain type of access, attackers can potentially exploit that opening, and, hoopla, here's the initial foothold they've been waiting for.

So, the hero of our story is already defeated before the battle even begins, thanks, firewalls! -_-

Come on, firewalls aren’t that fragile! We can take advantage of the fact that they are often the first accessible devices in our network and cleverly play with firewall logic to build a more secure infrastructure.

For that, there are many innovative ways to implement logical solutions that guarantee a secure network. One of them is the Port Knocking method.


Port Knocking - The concept

Long story short, imagine an infrastructure where certain services are completely inaccessible to everyone except the users we choose to authorize. To gain access, these users must demonstrate a specific behavior or follow a unique pattern that we can detect. When we see it, we say, "Ah, that's our guy, let them in!".


In general, the concept is to give the user we want to authorize a secret series of steps to execute in order to gain access to a service.

As an example, consider an infrastructure that includes an SSH server. The firewall blocks all access to the SSH server on port 22. However, if a user sends packets to a specific sequence of server ports, (1234, 5678, 3456) in our case, in exactly that order, the sequence triggers an action on the firewall.

The firewall, which is always listening for such a sequence, then temporarily opens port 22 for a limited time. If no connection is made during that window, the port automatically closes again, maintaining security.

Seen from an attacker's perspective, this approach still has weaknesses. All it takes is to sniff the secret sequence from the network and replay it to gain access. Worse yet, imagine the trusted user's IP address belongs to a shared resource, like a public WiFi hotspot. The rule the firewall creates is keyed to the hotspot's external IP, the source address assigned by the NAT provider, so that whole address is what gets opened. At that point, any user of the hotspot could reach the same service without needing to replay the sequence.
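To make the concept concrete, here is a small simulation of the firewall-side logic described above (detect the ordered sequence 1234, 5678, 3456 per source address, open port 22 for a limited window, close it again when the window expires). It is an added example written for this page, not the author's code nor the Go server promised for the next part; it never touches a real firewall, the "opening" is just an in-memory entry keyed by source IP, and the window and inter-knock timeout values are assumptions. Because the state is keyed by source address, the same code also shows the shared-IP problem from the last paragraph: once the window is open, every client behind that NAT address passes.

```go
package main

import (
	"fmt"
	"time"
)

// knockSequence is the secret sequence from the post: packets must hit these
// ports in this exact order before port 22 is opened for the sender.
var knockSequence = []int{1234, 5678, 3456}

const (
	protectedPort = 22
	openWindow    = 10 * time.Second // assumed: how long port 22 stays open after a good knock
	knockTimeout  = 5 * time.Second  // assumed: max gap allowed between two knocks
)

// knockState tracks one source address's progress through the sequence.
type knockState struct {
	next     int       // index of the next expected port in knockSequence
	lastSeen time.Time // time of the last accepted knock
}

// Knocker models the firewall logic. It is keyed by source IP only, which is
// exactly why everyone behind a shared NAT address shares the opening.
type Knocker struct {
	states  map[string]*knockState
	openTil map[string]time.Time // source IP -> moment the window closes
}

func NewKnocker() *Knocker {
	return &Knocker{states: map[string]*knockState{}, openTil: map[string]time.Time{}}
}

// Observe feeds one packet (source IP, destination port, timestamp) to the
// detector and reports whether this packet completed the full sequence.
func (k *Knocker) Observe(src string, port int, now time.Time) bool {
	st, ok := k.states[src]
	if !ok {
		st = &knockState{}
		k.states[src] = st
	}
	// A stalled partial sequence is forgotten so it cannot be resumed later.
	if st.next > 0 && now.Sub(st.lastSeen) > knockTimeout {
		st.next = 0
	}
	switch {
	case port == knockSequence[st.next]:
		st.next++ // correct next port
	case port == knockSequence[0]:
		st.next = 1 // wrong port, but it restarts the sequence
	default:
		st.next = 0 // wrong port: start over
		return false
	}
	st.lastSeen = now
	if st.next == len(knockSequence) {
		st.next = 0
		k.openTil[src] = now.Add(openWindow)
		return true
	}
	return false
}

// Allowed reports whether a connection from src to dstPort would pass at time
// now. Only the protected port is ever opened; the window closes on its own.
func (k *Knocker) Allowed(src string, dstPort int, now time.Time) bool {
	if dstPort != protectedPort {
		return false
	}
	until, ok := k.openTil[src]
	if !ok || now.After(until) {
		delete(k.openTil, src)
		return false
	}
	return true
}

func main() {
	// Constructed sample traffic: one trusted user behind a hotspot NAT address.
	k := NewKnocker()
	hotspot := "203.0.113.7"
	t0 := time.Now()
	for i, p := range knockSequence {
		fmt.Printf("knock %d -> %v\n", p, k.Observe(hotspot, p, t0.Add(time.Duration(i)*time.Second)))
	}
	fmt.Println("trusted user SSH at +3s:", k.Allowed(hotspot, 22, t0.Add(3*time.Second)))
	// A different laptop on the same WiFi shares the NAT source address, so it
	// is let in during the window without having knocked at all.
	fmt.Println("other hotspot client SSH at +4s:", k.Allowed(hotspot, 22, t0.Add(4*time.Second)))
	fmt.Println("SSH at +13s (window expired):", k.Allowed(hotspot, 22, t0.Add(13*time.Second)))
}
```

The per-source map and the two timers are the whole mechanism; everything the next part has to harden (replayable knocks, one opening shared by a whole NAT address) is visible in those two maps.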

Stay tuned for the next part, where we’ll explore how to defend our port knocking logic with secure implementation techniques and a Go-based server as an example. You won't want to miss it!
