Re: Port-Knocking vulnerabilities?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-12-31 Jay wrote:
> On Sat, 29 Dec 2007 14:28:53 +0100 Ansgar -59cobalt- Wiechers wrote:
> > On 2007-12-28 Jay wrote:
> > > Portknocking is a security mechanism as it is a type of
> > > authentication. "Something you know" in this case the sequence of
> > > ports to knock before a unstarted service or daemon begins listening
> > > for connections.
> >
> > Since everything is transmitted in the clear port-knocking is as much
> > of a security mechanism as cleartext passwords. Technically: maybe
> > (depending on your definition). Realistically: no.
>
> Is portknocking a weaker security mechanism. Does that discount it
> completely.
>
> Telnet and ftp our clear text. Just because something can be defeated
> doesn't mean it loses 'all' its classification

Does anyone out there actually consider telnet or FTP to be even
remotely secure? No? Then what makes you think you have a point here?

> A door is meant to provide some defense to the outside of your house.
> I can certainly bash it in with a sledge hammer. It still serves its
> purpose as a layer of the defense.

Bad analogies can't replace actual arguments.

> Again we are talking about security basics here. You can say it isn't
> viable or is inherently weak. But the way it is implemented its used
> for authentication. Plain and simple.

However, depending on how the authentication mechanism is designed and
implemented it may or may not count as a security measure. Plain and
simple.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq