Use port knocking to bypass firewall rules and keep security intact

While they add an extra layer of network security, firewalls can often inhibit the proper administration of an organization's network. How can you get past firewall rules without compromising security? One method is port knocking. Find out how port knocking works, see why some people argue that this method isn't true security, and learn why port knocking sometimes presents its own security concerns.

Firewalls are a long-standing basic security measure that organizations use to isolate networks from the Internet. Whether it's a stand-alone hardware firewall, one of the various host-based systems such as ZoneAlarm, or the Windows Firewall system included with Windows XP Service Pack 2, these devices go a long way toward protecting networks from unwanted traffic, including viruses, Trojans, and hackers.

However, while firewalls add an extra layer of network security, they can often inhibit the proper operation or administration of a computer system or network hardware. For example, firewalls typically present a problem when vendors require Internet access to an organization's internal computer system, a particularly common occurrence when it comes to support requests.

But granting such access can conflict with the company's established security policies. With HIPAA and Sarbanes-Oxley legislation inciting panic in offices across the United States, many administrators are simply denying all firewall rule exceptions and installing hard-line modems for remote access. In fact, this approach is often more simple than messing around with firewall rules or sending repeated requests for security policy changes or user account additions.

Of course, there are also instances in which a host must connect to the Internet itself. This is the case for UNIX-based firewall systems because the UNIX host is the firewall. One way to improve security on such open hosts is to only enable the services after establishing some manner of identification.

The security issue here is how not to expose specific network services—typically remote access via OpenSSH or even a Web-based administration GUI—until an authorized person has specifically requested access. Then, the specific IP address unlocks the services and temporarily grants access. It's certainly not a new idea, and I've used this technique in one way or another for several years.

However, I now use a method that allows me to access any of the UNIX systems I work on from anywhere—without having to access my workstation first. Known as port knocking, this approach allows an administrator to temporarily bypass firewall rules in order to gain access to an internal system (typically UNIX-based).

Port knocking is the computer equivalent of a combination lock, where the proper "combination" unlocks a specific TCP or UDP service for remote access. The proper combination makes the requested service visible from a specific IP address; otherwise, it remains hidden.

Implementing port knocking on a computer system is specific to each package, but the functionality is similar. I use port knocking to enable OpenSSH, which grants me shell access to the UNIX hosts I maintain. Many packages are available, and I use Debian's knockd package.

Some port knockers rely on sending data to specific UDP and/or TCP port numbers, others use ICMP messages, and some require a specialized client application that uses strong encryption to send the unlock sequence. The important thing to remember is that the concept of port knocking is to "unlock" and enable access to a TCP or UDP service for a specific IP address. Depending on the service, you'll probably still need some form of authentication.

Of course, keep in mind that the protection provided by a port knocker is to hide the specific service until it's unlocked. Some security purists insist that this isn't true security—rather, they say it's "security through obscurity." But remember that security through obscurity is a natural defense mechanism—if it wasn't effective, we wouldn't see so many examples of it in nature.

Despite these objections, I use port knocking to protect my UNIX systems when I must connect them to the Internet. With brute-force attacks on SSH occurring frequently, I'm more than happy to hide my remote access services behind a port knocking system: It just works.

I'm somewhat surprised that this method of security took so long to emerge, and I hope that Internet security companies are taking note so they can improve on the concept and add such features to new products. The port knocking technique applies to all manner of computer systems and network equipment, whether they're on the public Internet or hiding behind a firewall.

There's no doubt that VPNs are the best choice, but sometimes they're just not an option. In those cases, port knocking is a good alternative to provide simple and effective security.

Ironically, one indication that the port knocking method has merit is the fact that some hackers are already using it to gain access to previously compromised systems. In addition, port knocking is a potential way for Trojans to establish a connection to a networked computer that has no open ports. Therefore, it might be a good idea to restrict port knocking to situations in which alternative methods of access control are impossible to implement.

Miss an issue?

Check out the Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks

Free Newsletters, In your Inbox