Any windows firewall with knock capability?

did anyone come across a Windows firewall with knock capability?

Cheers,
OM

 

knock, knock, who's there?

 

I only know of the iptables and ipfw module. Is that what you're referring to? Port knocking?

EDIT: See here

 

Hacker


.

 

Hacker who?

 

Yes. I already use knockd and its "associates" ;-) on in linux/iptables, but was looking for similar functionality on Windows platform. Looks like tough luck... judged by the rest of responses...

EDIT: Good link Pedro. As said, I already use knockd, but was not aware of Win client. Still, I'd expect some pain in telling my Win firewalls what to do upon knock sequence is received and recognized i.e. I'd need some sort of command line for each of Windows firewalls on my test machines... But we got no documented CLI's for any Win firewall I'm aware of, with the exception of CHX. Hmmm...

As for "knock, knock" joke above, just think about it for a moment: might be you're already using it... in your modem/router (assuming it's running linux based firmware). Implication here is that one would never know someone accessed their LAN with the blessing from your router firewall (backdoor ;-)). Now, that'd be a good "knock, knock" joke... Anyway, I digress...

Cheers,
OM

 

The only one I know of for windows was an addon for CHX-I

 

I tried this in google -


"iptables + Firewall + similar functionality in Windows"

and got this - https://www.wilderssecurity.com/showthread.php?t=112582 - Any Firewall Similar To IpTables For Windows?

Hope this is of assistance to you.

 

Stem,
thanks. Add-on? I'll look at that.
I would hope some newer, application monitoring capable firewalls would include this capability soon. Perhaps one should ask in order to receive .

Tarnak,
Yes, I checked Core Force some time ago, but didn't like it (for some reason I only register that part ). Thanks .

Cheers,
OM

 

Are you looking for a firewall that runs on windows that is capable of responding to port knocks before it opens a port for inbound connections, or are you looking for a firewall that will perform port knocking before establishing a remote connection.

I could see that if (for example) you had an SSH server running on your linux box, it would be cool if your firewall could detect the SSH connection attempt and do the knocking for you.

 

http://sourceforge.net/projects/knockknock/

 

MikeNash,
that'd be correct - looking for a Win firewall that can detect and process knock sequence. That's exactly what I do on my linux boxes - have a daemon/service monitoring incoming and does what it's told to do (in my case opens or closes ssh port).
But it'd be all to nice if a firewall can do it all - to generate AND accept port knocking business. Right now I'm using ssvnc on both platforms but only to connect " to linux". Connection "Windows to Windows" or "Linux to Windows" via port knocking is what I'm looking for at the moment.

Stem,
well, there you go - spot on! Thanks! Played with it? I do like CHX approach, but need app controll, too. Nevertheless, I think I'll give it a go.

Thanks and cheers,
OM

 

CHX-I, well any trouble you get, you're in luck, Stem can help you.
Note that it's discontinued though.

 

Funny thing, but Online Armor has its FW log in a text format, so in case you can write programs there is no problem to write your own log interpreter and implement whatever action you wish

 

But the trick is not being able to read the log, but actually manipulate the firewall to allow you to accept connections originating only from the IP who started the knock sequence, then have the knock time out or have a knock sequence that will close it. Does Online Armor have a command line access that would allow easy scripting of this because then it would work pretty easily (actually any firewall that saves its logs in a human readable format that can be parsed and allows for the firewall to be changed off of scripting would not be too hard to implement port knocking for)

Cheers,

Alphalutra1

 

I do hope it has not command-line and scripting control, because I think such a control would be a potential security hole. But as long as it is application-oriented it has all the ports stealthead until autorized application starts to listen authorized port. Then it is your script responsibility to start this application and provide it with the data extracted from the log. It can just open "listen" or "connect" socket only for ip specified by your script for this session. After the session is over your application exits and all the ports are stealthed again. IMHO such a scenario is pretty secure, at least in the extent your application does not have a security hole inside itself. But then it is your responsibility to provide it

 

And that must be why some of the most robust, secure, and widely used firewalls in the world only use command line and scripting to control them.

By the way, you may need to look up what port knocking is. It is a way to make it so that an application that has to listen constantly (such as sshd) will not be exposed to the entire world, but only to a host after it sends a series of packets that the firewalls blocks and picks up on, then will the firewall create a rule only allowing data to flow into the port from that IP. This means that the port is still just as available for access and that the application can constantly listen to it, but there is a secret "code" of packets that will allow the door just to be opened for that one IP address. It is a way to prevent many brute force attacks that frequent everyones ssh logs (oh I love the attempted logins with the username "fluffy" those always crack me up...), while still making it so that ssh is available. So though it has a debatable role in security, it can help prevent dumb scripting based attacks, but the service should still be properly secured at all times.

Why does it need to provide it with the data from the log? Also, you are completely getting rid of the benefit of port knocking. The application is still listening to the port and accepting connections from everywhere and will appear open to everyone once it is started by the script. The point of port-knocking is to make it appear invisible and visible ONLY to the person with the correct combination.

How are you going to implement this for every single app, especially since many that listen are configured by a conf file, so you would have to reprocess the file everytime before you started it, or even restart it to reconfigure the changes. This is impractical, and not every application supports this. The firewall is in charge of saying who can and can't connect, that way bad packets never hit the service which could possibly be vulnerable.

BTW, to answer the OP, the only firewalls I only know of with apps to make it support port knocking is CHX-I, but you could probably do it pretty easily with WIPFW (no app control though)

Cheers,

Alphalutra1

 

Secure ? It depends on what you call "secure". It may be secure when installed on the server which is locked into the iron box, but when installed as a personal firewall it turns to be completely insecure. Just because any malware can disable it through the commandline.

Ahh .. I can read and I did it before to answer

This depends on how a service is implemented. For one it can "connect on demand". This is the most secure scenario I think, but it can be impossible in a general case just because you access it from a point where it is impossible to have real IP. For two, with app-oriented FW you can predefine some restricting rules. Though, you need to know a list of the allowed remote IP here. So you are right, this way is not completely flexible, so it is flexible enough for the most practical situations.

I see. And I agree that to impelment it in a fully flexible way you need a FW that can be operated by some kind of automation. But .. but this contradicts with a full security concept Either way is insecure in that or other way. But I do not regard short-time visibility more insecure than a risk to get FW to be operated by unexpected offender. The only way here is to lock your server into the iron box while you are out and to have some other application to control the both, your FW and automation process. Security is such an endless fun, and the main problem is complete security is just not possible

I think this is not too difficult thing to do (knocking support). But most personal FW vendors just do not care about this very specific task which also can compromize security. This I think would be more natural task for network operating FW, or to be more accurate for the "router".

 

No, OA does not have any sort of commandline access.

The geek in me wants to implement port knocking (both consuming remote services that require a knocking sequence and providing port knocking security) but we've soooo many more things to do, I just can't justify the time right now...

 

MikeNash:
I knew you'd want to chew this one... But, understand you got priorities.

Alphalutra1:
Once your knock sequence causes your firewall to open, say, 22, then you can login and close it manually or via startup scripts. Effectively, your 22 is again closed to wan/lan - except to you - because it is an *established* connection (easy to set in iptables and some win firewalls). Quite useful. One is then open only to MITM technique, but on ssh connection... need I say more...

Sure, one should have the port closing sequence fired up upon logout - if not closed as above.

Cheers,
OM

 

Once malware is on your side, you're, kinda, already compromised. But if it's not, then malware would:
1. need to know your knocking sequence (easily randomized - recommended afaik)
2. need to know password to gain access (if secure port is used - which should be a no brainer you'd like to use)
3. pass all other layers (you do multilayer your defense, do you?)
4. etc.
Don't forget that malware doesn't need cli to be malware. 99% of it (no proof ) is non cli, anyway.

Not quite. See my response to Alphalutra1 in message above. You might be underestimating usefulness of this approach and overprojecting it's security ramifications.

I'd say most WinOS (R) vendors don't even know about it, since it's *nix concept. Though, one smart guy on this page already has plans to implement it... (I'm not saying NO vendor knows about port knocking. Just MOST).

Cheers,
OM

 

Of course, that was stupid of me, sorry . If the connection is already being tracked in the state table, then the rule can be stopped without flushing the state table and stopping it from tracking the connection.

Well, that is why most ssh clients warn you and ask if you should proceed if the server has changed its RSA signature, so as long as you don't be stupid and just hit yes if the popup ever occurs, then I think you should be good to go with the security record of ssh

Cheers,

Alphalutra1

 

Alphalutra1:

 

OK, ok. I just want to note this is the link of the same chain. Users don't need -> vendors don't know (don't care)

 

I'd call it evolution. Some users do need -> some vendors do care... It might not be *yours*, but there's an increasing need to securely access remote machines. Mind you, as said above, it's a well known and used concept over the fence in linux/unix dimension.

Out of interest, how do you access remote/wan machines?

Cheers,
OM