Posted by: Anonymous Coward
on August 10, 2004 11:28 PM
The article is well-written and the author makes a defensible argument. Here are my responses to the other initial responders:
1) "So go on then, write your better solution....."
Maybe he will, or has. However, alerting the public to problems with port knocking is valid regardless of whether or not the author has developed something better.
2) "Where does your figure of "1/10th the chance of success" come from?"
Did you read the article? The author is making an illustration, and started by saying "Say it is running on 10% of all servers." His point is that if port-knocking were to become widespread, attacking it would become part of the arsenal of the attacker, which would eliminate the main benefit of port-knocking (the fact that it is difficult to detect if it is in use). And I think you dismiss the author's 'security through obscurity' argument too quickly -- a little "extra" security may in fact NOT be better if it misleads the user into thinking that it provides more security than it actually does.
3) "Your 10% break-in figure if 10% of servers are using port knocking assumes that all port knocking implementations will be insecure."
No, the author does not assume that. The author assumes that if port knocking becomes widespread, say to the point that 10% of all servers use it, then 10% of the time an attacker will find that his port-knocking attacks were worthwhile. For example, say that a cracker has a port-knocking crack that works 5% of the time. If the cracker applies that crack to every server he wants to compromise, then 10% of the time the crack will be meaningfully used, and 5% of those times it will actually be effective. Therefore, 0.5% of the time the crack will work on a randomly-selected server. This means that the cracker now knows that 1 in 200 servers will be successfully compromised by the port-knocking attack.
Of course, hopefully this is just the first security layer in the compromised server's onion, but the author knows that. The point is that if you can assume that a certain number of servers implement port-knocking, the 'advantage' of being undetectable is largely mitigated.
4) "Reminder: There is nothing wrong with "security through obscurity", it's "security only through obscurity" that's a bad idea."
I disagree. Any "security through obscurity" carries with it the risk that the user has an over-inflated view of how secure his server is. For example: burying a needle in a haystack may make someone think that "no one will ever find the needle, how can they even know it is there?" This individual will be easily compromised by the first guy that comes along with a high-powered metal detector.
Is "security through obscurity" better than nothing? In most cases, yes. However, it has a risk associated with it, and users should be cognizant of that risk.