This chapter and Chapter 12 have illustrated powerful techniques in computer security, showing how a server can be protected by a default-drop packet filter, through which access is granted only to clients able to prove their identities to a passively monitoring device. Port knocking was the first technology to implement this idea, but due to some serious limitations in the port-knocking architecture (including the difficulty of adequately addressing the replay problem and the inability to transmit more than a few tens of bytes), SPA has proved itself a more robust technology. The notion of an authorizing Ethernet sniffer combined with a default-drop packet filter is a relatively new one in the computer security field, but it seems that new implementations are springing up every day.[9]
Based on iptables, fwknop is an open source implementation of SPA that provides a flexible mechanism for managing multiple users within the SPA paradigm.
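To make the two properties the chapter contrasts concrete (an authenticated payload that carries more than a few bytes, and explicit handling of the replay problem), the following is an added example of the server-side decision logic an SPA sniffer runs before it asks a default-drop filter to open a hole. It is not code from the book or from the fwknop project; the packet layout, the function names, the shared key and the client address are all constructed for this illustration, and the packet-capture and iptables steps are left out so that the verification logic can run on its own.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Shared secret between the client and the passive sniffer.
# Constructed sample value for this example; a real deployment uses a
# random per-user key that never appears in source code.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

# Packets whose timestamp is further than this from the sniffer's clock are
# rejected outright, which also bounds how long seen HMAC tags must be kept.
MAX_AGE_SECONDS = 120

# Constructed payload layout:
#   timestamp (8 bytes, big-endian) | nonce (16 random bytes) | request (UTF-8)
# followed by a 32-byte HMAC-SHA256 over everything before it.
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def build_spa_packet(key: bytes, client_ip: str, port: int,
                     now: Optional[float] = None) -> bytes:
    """Client side: build one HMAC-authenticated SPA payload (hypothetical format).

    The random nonce makes two requests for the same access distinct on the
    wire, and the timestamp limits how long a captured packet stays valid.
    """
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(NONCE_LEN)
    request = f"{client_ip}:{port}".encode()
    body = struct.pack(">Q", ts) + nonce + request
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaVerifier:
    """Server side: decide whether a sniffed payload justifies an allow rule."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        # HMAC tag -> packet timestamp; any tag seen once is a replay thereafter.
        self.seen: Dict[bytes, int] = {}

    def verify(self, packet: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Every rejection is a distinct, loggable cause."""
        now_ts = int(now if now is not None else time.time())
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:
            return (False, "malformed")
        if len(raw) < TS_LEN + NONCE_LEN + TAG_LEN:
            return (False, "too short")
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        # Check the HMAC first and in constant time, so that nothing about the
        # payload is interpreted before the sender has proven key possession.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad hmac")
        ts = struct.unpack(">Q", body[:TS_LEN])[0]
        if abs(now_ts - ts) > self.max_age:
            return (False, "stale")
        # Drop cache entries that the timestamp check would reject anyway,
        # then refuse any tag that has already been accepted.
        self.seen = {t: s for t, s in self.seen.items() if now_ts - s <= self.max_age}
        if tag in self.seen:
            return (False, "replay")
        self.seen[tag] = ts
        request = body[TS_LEN + NONCE_LEN:].decode()
        client_ip, port = request.rsplit(":", 1)
        return (True, f"allow {client_ip} to tcp/{port}")


if __name__ == "__main__":
    verifier = SpaVerifier(SHARED_KEY)
    pkt = build_spa_packet(SHARED_KEY, "192.0.2.10", 22, now=1000)
    print(verifier.verify(pkt, now=1000))   # accepted on first sight
    print(verifier.verify(pkt, now=1001))   # same bytes again: replay
    print(verifier.verify(pkt, now=1500))   # outside the time window: stale
```

The verifier returns a reason string rather than just a boolean so that the sniffer can log why a packet was discarded; in a default-drop design those rejections are the only visibility an operator has into replayed or tampered packets, since the filter itself never answers.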
[9] There is even a project to put HMAC-based SPA directly into iptables; see http://svn.berlios.de/svnroot/repos/portknocko, and a discussion thread in the Netfilter development list archives, http://lists.netfilter.org/pipermail/netfilter-devel/2006-October/thread.html.