Posted by: Anonymous Coward
on August 10, 2004 07:58 PM
You come across as being a bit confused. Where does your figure of "1/10th the chance of success" come from? How does port knocking reduce the chance of success by 9/10ths - or is that supposed to be just an example figure?
Your choice of words about layers of an onion is interesting. It's true that creating multiple layers of security can still leave a single gaping hole, but the fact that port knocking is a completely separate measure means this is quite unlikely. If there is some security flaw in OpenSSH, then it's surely better to also have a port-knocking implementation in between your machine and potential attackers...?
Granted, it would be foolish to rely on port knocking as the sole means of protection. It would be foolhardy not to patch your various servers to fix security flaws in the belief that your port knocking would keep you safe, but on the other hand, having up-to-date servers and an otherwise credible security policy *in addition* to port knocking would be a good way to go.
Also, I find fault in your "security through obscurity" argument. The mistake is that you are assuming that port knocking is a form of this, but it is not. It doesn't matter if an attacker knows if you are using port knocking techniques - even if you posted this particular fact on your blog - the point is, it's still that little bit harder for an attacker to crack your system.