Security Basics mailing list archives

Re: Port-Knocking vulnerabilities?


From: Brent Huston <lbhlists () gmail com>
Date: Mon, 31 Dec 2007 16:29:48 -0500

I can't help but wonder why, if you were going to go through all of the trouble of having some cryptography-based mechanism as described in this thread as a modern port knocking system, you would not just go ahead and deploy a regular, standards-based, regulatory compliant VPN installation?

I mean, if you are going through all of the normal key management functions, crypto overhead and special client implementation issues, why not just get yourself a VPN connection that will pass review, audit and assessment? I would certainly not want to have to explain the technical, theoretical or perceived security advantages/risks of port knocking to an auditor or the like. Nor would I want to have to detail it in a report to upper management.

It seems to me that security and simplicity often go hand in hand, so why not just skip the kludge and get yourself something without all of the perceived issues?

Just because something can be done, doesn't always mean it should...
