Introduction

30 years ago, very few companies depended on computers to control their operational processes. Only banks and armies needed computer networks to exchange data. The rest simply needed paper, the traditional mail delivery service and a telephone line. All work was done by employees, and machines were only used in big factories. Over the years, that situation changed. As technology evolved, business models changed, and today, in the 21st century, most companies depend on technology to stay in the market. But they need not only technology to survive; they also need reliability and effectiveness. Those would not be very difficult targets to reach if security issues did not exist.

The reality is that the networked world we live in is full of threats and now companies need to secure what they depend on in order to prevent problems that could cost them huge amounts of money.

Now, virtually every company needs its own network servers, desktop computers and workstations to operate. All those devices tend to be networked and while this allows more complex and effective uses of technology, it adds certain risks.

Usually network servers provide all kinds of services. Some of them are oriented to the general public, like Web, FTP or E-mail, and others, like remote management or database access, are usually reserved for system administrators or people within an organization. The problem is that to use a remote service, a port for it must be open, no matter who is going to use it. The usual solution is to use a firewall to limit the IP addresses that can connect to a given port. The firewall receives all the traffic and accepts or rejects packets by looking at their source address. Unfortunately, in many cases it is not possible to know in advance which IP addresses users will be connecting from, and even if that were the case, it would be impossible to determine whether the person behind a particular address is a legitimate user or a malicious attacker.

Traditionally, services running behind open ports implement their own authentication systems to separate authorized users from those who are trying to access restricted services without authorization. This solution is perfect as long as those authentication systems do not have any security flaw that allows attackers to circumvent the security measures and access that particular resource. Unfortunately, most software products have vulnerabilities, and system administrators can no longer rely on the security provided by software manufacturers. Thousands of bugs that could be exploited by malicious attackers have been found in all kinds of software. Those bugs are often fixed months or even years after they were made public, so the window of exposure for a particular vulnerability can be very long.

Now that businesses depend on the reliability of their servers, critical systems need additional layers of security to prevent zero-day exploit attacks against running services. The perfect solution would be to have all ports of a system closed and somehow open them for legitimate users. This is what Port Knocking and Single Packet Authorization try to achieve.

Port knocking and SPA are relatively new techniques in the field of network security. Their main objective is to allow users to open or close the ports of a system remotely. This is achieved by using a client that sends a specific sequence of connection attempts targeted at a set of pre-specified closed ports on a listening server. The server either listens to the packet flow on a network interface or continuously checks the system firewall log for incoming connection attempts. Once a correct sequence of packets is detected, the server contacts the system firewall and instructs it to open a specific port for the source IP address of the knock.
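The server-side matching just described, written out as an added example that is not part of Aldaba or this page: connection attempts seen on closed ports are tracked per source address, a knock only counts if the whole sequence arrives in order within a time window, and a hit on the wrong port discards that source's progress so a port scan does not open anything. The knock ports, the window and the sample attempts are constructed for the illustration.

```python
from collections import namedtuple

# Constructed example values: the secret knock is this sequence of closed
# ports, hit in order within KNOCK_WINDOW seconds, after which the server
# would ask the firewall to admit the knocking address to PROTECTED_PORT.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0      # seconds allowed from first to last knock
PROTECTED_PORT = 22      # port opened for the source address after a valid knock

# One connection attempt, as the server would see it from packet capture or
# from a firewall log line: timestamp, source address, destination port.
Attempt = namedtuple("Attempt", "ts src_ip dst_port")


def detect_knocks(attempts, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return (src_ip, ts) for every source that completed the knock sequence."""
    progress = {}    # src_ip -> (next index into sequence, ts of first knock)
    granted = []
    for a in sorted(attempts, key=lambda x: x.ts):
        idx, first_ts = progress.get(a.src_ip, (0, a.ts))
        if idx > 0 and a.ts - first_ts > window:
            idx = 0                            # too slow: forget partial knock
        if a.dst_port == sequence[idx]:
            if idx == 0:
                first_ts = a.ts                # sequence starts now
            idx += 1
        elif a.dst_port == sequence[0]:
            idx, first_ts = 1, a.ts            # wrong step, but a fresh start
        else:
            idx = 0                            # wrong port: discard progress
        if idx == len(sequence):
            granted.append((a.src_ip, a.ts))
            progress.pop(a.src_ip, None)
        else:
            progress[a.src_ip] = (idx, first_ts)
    return granted


def firewall_actions(attempts):
    """Describe the rule the server would add for each completed knock."""
    return [f"allow {ip} -> tcp/{PROTECTED_PORT}" for ip, _ in detect_knocks(attempts)]


# Constructed sample traffic: one legitimate client, one scanner that touches
# the knock ports among others, and one client that is too slow.
SAMPLE_ATTEMPTS = [
    Attempt(100.0, "192.0.2.10", 7000), Attempt(100.5, "192.0.2.10", 8000),
    Attempt(101.0, "192.0.2.10", 9000),
    Attempt(100.2, "198.51.100.7", 7000), Attempt(100.3, "198.51.100.7", 7001),
    Attempt(100.4, "198.51.100.7", 8000), Attempt(100.6, "198.51.100.7", 9000),
    Attempt(200.0, "203.0.113.5", 7000), Attempt(215.0, "203.0.113.5", 8000),
    Attempt(216.0, "203.0.113.5", 9000),
]
```

Running `firewall_actions(SAMPLE_ATTEMPTS)` yields a rule only for 192.0.2.10; the scanner's out-of-order hits and the slow client's expired sequence open nothing.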

At the moment, Port Knocking and SPA are techniques that are still being discussed by security experts and academic researchers. Their popularity is constantly increasing but their use has not yet been widely adopted.

This page will introduce Aldaba Knocking, an open source client/server tool that implements a complete Port Knocking and Single Packet Authorization system for GNU/Linux.

Aldaba allows a client to manipulate firewall rules remotely by sending a specific sequence of packets with encoded information to a listening server. In general terms, the Aldaba client needs to send the server an IP address, a port number and an action to take (open or close). That information needs to be transferred securely, so that eavesdropping does not give attackers any useful information, and stealthily, so that it is not obvious to anyone that the system is running a port knocking server. Aldaba provides that functionality by using encryption and TCP/IP-based covert channels.

Additionally, instead of relying on the accuracy and availability of firewall logs, the Aldaba server captures all the packets that flow through a network directly from a network interface and processes them in real time, in order to find a pattern that matches a pre-defined knock. Once a valid knock is received, a customizable script is executed and the specified port is opened or closed.