Monty J. Harder wrote:
"Gerald Combs" gerald@ethereal.com wrote:
There's also "port knocking": http://www.portknocking.org/ . In order for the firewall to open up port 22, you would have to send a special sequence of packets, e.g. attempt to connect to a specific combination of ports in a specific order.
It's an interesting idea, but I think it's in the category of 'security through obscurity'. I think it would be cleaner to just send a UDP packet, containing within it certain authentication information (including a timestamp), digitally signed with a private key, that would give pretty high confidence that you are legit before the TCP socket ever is opened.
I think this is what they do, only the authentication information is spread across the "knocks." If I understand their documentation correctly, a table is created that maps byte values to port numbers. To send a message, you have to knock the port corresponding to each byte in the message, in the proper order.
I'm not sure I'd use something like this. If I needed a port opened dynamically in this fashion, I'd probably use a browser-based certificate to authenticate against a CGI which could open up the port. It does have a certain "1337" appeal, though.
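To make the two ideas in this thread concrete, here is an added example (not code from portknocking.org, nor from any of the posters): a byte-to-port knock table of the kind described above, a client that spreads a timestamped, authenticated message across the knocks, and a server side that reassembles the sequence per source address and decides whether to open port 22. Everything specific is an assumption made for the example: the table is PORT_BASE + byte value, the message is a 4-byte timestamp plus a 16-byte truncated HMAC-SHA256 under a shared secret (standing in for the private-key signature proposed earlier; the stdlib has no signature primitive), and the server is fed (source, destination port) pairs as a firewall log would report them.

```python
import hashlib
import hmac
import struct

# Constructed knock table: byte value b maps to port PORT_BASE + b. Real
# daemons use a configurable table; this linear one is an assumption made
# for the example.
PORT_BASE = 40000

# Constructed message layout: 4-byte big-endian Unix timestamp followed by a
# 16-byte truncated HMAC-SHA256 over that timestamp (an assumption; the
# thread suggests a private-key signature instead).
MAC_LEN = 16
MSG_LEN = 4 + MAC_LEN
MAX_SKEW = 30  # seconds of clock drift tolerated between client and server

# Constructed shared secret; a real deployment would provision its own.
KNOCK_SECRET = b"constructed-shared-secret-do-not-reuse"


def byte_to_port(b):
    return PORT_BASE + b


def port_to_byte(port):
    b = port - PORT_BASE
    if not 0 <= b <= 255:
        raise ValueError("port %d is not in the knock table" % port)
    return b


def encode_knocks(message):
    """Ordered list of ports the client must knock to send `message`."""
    return [byte_to_port(b) for b in message]


def decode_knocks(ports):
    """Reassemble the message from the ports knocked, in order."""
    return bytes(port_to_byte(p) for p in ports)


def build_knock_message(secret, now):
    """Client side: timestamp plus MAC, to be spread across the knocks."""
    ts_bytes = struct.pack(">I", int(now))
    mac = hmac.new(secret, ts_bytes, hashlib.sha256).digest()[:MAC_LEN]
    return ts_bytes + mac


class KnockServer:
    """Server side: watches connection attempts per source and decides
    whether a completed sequence authenticates the sender."""

    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.pending = {}   # src -> bytes decoded so far
        self.seen = set()   # timestamps already accepted (replay guard)

    def verify(self, message, now):
        if len(message) != MSG_LEN:
            return False, "wrong length"
        ts_bytes, mac = message[:4], message[4:]
        expected = hmac.new(self.secret, ts_bytes, hashlib.sha256).digest()[:MAC_LEN]
        # Check the MAC first, in constant time, so unauthenticated input
        # learns nothing from the timestamp checks.
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        ts = struct.unpack(">I", ts_bytes)[0]
        if abs(int(now) - ts) > self.max_skew:
            return False, "stale timestamp"
        # One accepted message per timestamp: a captured sequence replayed
        # inside the skew window is rejected.
        if ts_bytes in self.seen:
            return False, "replay"
        self.seen.add(ts_bytes)
        return True, "open port 22"

    def observe(self, src, port, now):
        """Feed one observed connection attempt (source address, destination
        port), e.g. from a firewall log. Returns None until this source has
        completed a full-length sequence, then the verify() result."""
        seq = self.pending.setdefault(src, [])
        try:
            seq.append(port_to_byte(port))
        except ValueError:
            # A port outside the table is not a knock; drop the partial
            # sequence so a scanner does not leave state behind.
            self.pending.pop(src, None)
            return None
        if len(seq) < MSG_LEN:
            return None
        return self.verify(bytes(self.pending.pop(src)), now)


if __name__ == "__main__":
    server = KnockServer(KNOCK_SECRET)
    now = 1_700_000_000
    knocks = encode_knocks(build_knock_message(KNOCK_SECRET, now))
    result = None
    for port in knocks:
        result = server.observe("10.0.0.5", port, now + 5)
    print("legitimate client:", result)
    for port in knocks:  # same sequence captured and replayed from elsewhere
        result = server.observe("10.0.0.7", port, now + 10)
    print("replayed sequence:", result)
```

Two things the toy leaves out that matter in practice: the `seen` set and the `pending` table grow without bound, so a real daemon would expire entries older than the skew window, and a sequence whose knocks arrive reordered (or interleaved with a port scan from the same source) decodes to garbage and is rejected, which is the obscurity-versus-authentication point made above: the knocks only carry the message, and the MAC is what actually decides.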