Any windows firewall with knock capability?

Discussion in 'other firewalls' started by OtherMe, Nov 26, 2007.

Thread Status:
Not open for further replies.
  1. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    Did anyone come across a Windows firewall with knock capability?

    Cheers,
    OM
     
  2. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    knock, knock, who's there?
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  4. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Hacker :ninja:


    .
     
    Last edited: Nov 26, 2007
  5. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Hacker who? :D
     
  6. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    Yes. I already use knockd and its "associates" ;-) in linux/iptables, but was looking for similar functionality on the Windows platform. Looks like tough luck... judged by the rest of the responses...

    EDIT: Good link Pedro. As said, I already use knockd, but was not aware of a Win client. Still, I'd expect some pain in telling my Win firewalls what to do once a knock sequence is received and recognized, i.e. I'd need some sort of command line for each of the Windows firewalls on my test machines... But we've got no documented CLIs for any Win firewall I'm aware of, with the exception of CHX. Hmmm...

    As for the "knock, knock" joke above, just think about it for a moment: you might already be using it... in your modem/router (assuming it's running linux based firmware). The implication here is that one would never know someone accessed their LAN with the blessing of your router firewall (backdoor ;-)). Now, that'd be a good "knock, knock" joke... Anyway, I digress...

    Cheers,
    OM
     
    Last edited: Nov 27, 2007
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The only one I know of for windows was an addon for CHX-I
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I tried this in google -


    "iptables + Firewall + similar functionality in Windows"

    and got this - https://www.wilderssecurity.com/showthread.php?t=112582 - Any Firewall Similar To IpTables For Windows?

    Hope this is of assistance to you. :)
     
  9. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    Stem,
    thanks. Add-on? I'll look at that.
    I would hope some newer, application monitoring capable firewalls would include this capability soon. Perhaps one should ask in order to receive :) .

    Tarnak,
    Yes, I checked Core Force some time ago, but didn't like it (for some reason I only register that part :) ). Thanks :thumb:.

    Cheers,
    OM
     
  10. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Are you looking for a firewall that runs on windows that is capable of responding to port knocks before it opens a port for inbound connections, or are you looking for a firewall that will perform port knocking before establishing a remote connection.

    I could see that if (for example) you had an SSH server running on your linux box, it would be cool if your firewall could detect the SSH connection attempt and do the knocking for you.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  12. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    MikeNash,
    that'd be correct - looking for a Win firewall that can detect and process knock sequence. That's exactly what I do on my linux boxes - have a daemon/service monitoring incoming and does what it's told to do (in my case opens or closes ssh port).
    But it'd be all too nice if a firewall could do it all - generate AND accept the port knocking business. Right now I'm using ssvnc on both platforms but only to connect "to linux". Connection "Windows to Windows" or "Linux to Windows" via port knocking is what I'm looking for at the moment.

    Stem,
    well, there you go - spot on! Thanks! Played with it? I do like the CHX approach, but need app control, too. Nevertheless, I think I'll give it a go.

    Thanks and cheers,
    OM
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    CHX-I, well any trouble you get, you're in luck, Stem can help you.
    Note that it's discontinued though. :'(
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Funny thing, but Online Armor has its FW log in a text format, so in case you can write programs there is no problem writing your own log interpreter and implementing whatever action you wish :)
     
  15. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    But the trick is not being able to read the log, but actually manipulate the firewall to allow you to accept connections originating only from the IP who started the knock sequence, then have the knock time out or have a knock sequence that will close it. Does Online Armor have a command line access that would allow easy scripting of this because then it would work pretty easily (actually any firewall that saves its logs in a human readable format that can be parsed and allows for the firewall to be changed off of scripting would not be too hard to implement port knocking for)

    Cheers,

    Alphalutra1
     
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I do hope it has no command-line and scripting control, because I think such control would be a potential security hole. But as long as it is application-oriented it has all the ports stealthed until an authorized application starts to listen on an authorized port. Then it is your script's responsibility to start this application and provide it with the data extracted from the log. It can just open a "listen" or "connect" socket only for the IP specified by your script for this session. After the session is over your application exits and all the ports are stealthed again. IMHO such a scenario is pretty secure, at least to the extent that your application does not have a security hole inside itself. But then it is your responsibility to provide it :)
     
  17. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    And that must be why some of the most robust, secure, and widely used firewalls in the world only use command line and scripting to control them.

    By the way, you may need to look up what port knocking is. It is a way to make it so that an application that has to listen constantly (such as sshd) will not be exposed to the entire world, but only to a host after it sends a series of packets that the firewall blocks and picks up on; only then will the firewall create a rule allowing data to flow into the port from that IP. This means that the port is still just as available for access and that the application can constantly listen on it, but there is a secret "code" of packets that will allow the door to be opened just for that one IP address. It is a way to prevent many brute force attacks that frequent everyone's ssh logs (oh I love the attempted logins with the username "fluffy", those always crack me up...), while still making it so that ssh is available. So though it has a debatable role in security, it can help prevent dumb scripting based attacks, but the service should still be properly secured at all times.
    Why does it need to provide it with the data from the log? Also, you are completely getting rid of the benefit of port knocking. The application is still listening on the port and accepting connections from everywhere and will appear open to everyone once it is started by the script. The point of port-knocking is to make it appear invisible and visible ONLY to the person with the correct combination.
    How are you going to implement this for every single app, especially since many that listen are configured by a conf file, so you would have to reprocess the file every time before you started it, or even restart it to reconfigure the changes? This is impractical, and not every application supports this. The firewall is in charge of saying who can and can't connect, that way bad packets never hit the service, which could possibly be vulnerable.

    BTW, to answer the OP, the only firewall I know of with apps to make it support port knocking is CHX-I, but you could probably do it pretty easily with WIPFW (no app control though)

    Cheers,

    Alphalutra1
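    The knock-daemon logic this thread keeps circling around (read the firewall's drop log, recognise an ordered knock sequence from one source address, open the protected port for that source only, and close it again on a close sequence or after a timeout) as an added example; it is not part of this thread and is not code from knockd, CHX-I or Online Armor. The drop-log line format, the knock sequences 7000/8000/9000, the 10-second knock window and the 60-second open TTL are constructed assumptions, and the emitted actions are what a wrapper would hand to a firewall's CLI or API (which, as the posts above note, most Windows personal firewalls of the time did not expose).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed drop-log format for this example (one dropped packet per line):
#   <unix_ts> DROP <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\d+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(?P<dport>\d+)$"
)


@dataclass
class Progress:
    """Per-source position inside one knock sequence."""
    stage: int = 0     # number of knocks matched in order so far
    last_ts: int = 0   # timestamp of the last matching knock


class KnockDetector:
    """Turns dropped-packet records into OPEN/CLOSE actions for one protected port."""

    def __init__(self, open_seq, close_seq, protected_port, knock_window=10, open_ttl=60):
        self.sequences = {"open": tuple(open_seq), "close": tuple(close_seq)}
        self.protected_port = protected_port
        self.knock_window = knock_window   # max seconds between consecutive knocks
        self.open_ttl = open_ttl           # seconds the port stays open without a close knock
        self.progress: Dict[str, Dict[str, Progress]] = {}
        self.open_until: Dict[str, int] = {}
        self.actions: List[Tuple] = []

    def expire(self, now: int) -> None:
        """Close every grant whose TTL has run out (the 'knock time out' case)."""
        for src, until in list(self.open_until.items()):
            if until <= now:
                del self.open_until[src]
                self.actions.append(("CLOSE", src, self.protected_port, "expired"))

    def _step(self, prog: Progress, seq, dport: int, ts: int) -> bool:
        """Advance one sequence by one packet; any out-of-order packet resets it."""
        expected = seq[prog.stage]
        in_window = prog.stage == 0 or ts - prog.last_ts <= self.knock_window
        if dport == expected and in_window:
            prog.stage += 1
        elif dport == seq[0]:
            prog.stage = 1   # wrong knock, but a valid first knock: restart from it
        else:
            prog.stage = 0   # anything else (including hits on the closed port) resets
        prog.last_ts = ts
        return prog.stage == len(seq)

    def feed(self, line: str) -> None:
        """Consume one drop-log line."""
        m = LOG_RE.match(line.strip())
        if not m:
            return   # not a drop record in the assumed format; ignore it
        ts, src, dport = int(m["ts"]), m["src"], int(m["dport"])
        self.expire(ts)
        per_src = self.progress.setdefault(src, {n: Progress() for n in self.sequences})
        for name, seq in self.sequences.items():
            if self._step(per_src[name], seq, dport, ts):
                self._fire(name, src, ts)
                # a completed sequence clears all partial progress for that source,
                # so the tail of one sequence cannot double as the head of another
                self.progress[src] = {n: Progress() for n in self.sequences}
                return

    def _fire(self, name: str, src: str, ts: int) -> None:
        if name == "open":
            self.open_until[src] = ts + self.open_ttl   # re-knocking just extends the grant
            self.actions.append(("OPEN", src, self.protected_port, ts + self.open_ttl))
        elif src in self.open_until:
            del self.open_until[src]
            self.actions.append(("CLOSE", src, self.protected_port, "close-sequence"))


# Constructed sample log: one host knocks correctly, then sends the close sequence;
# a second host sends the right ports in the wrong order; a third opens and lets it expire.
SAMPLE_LOG = """\
100 DROP TCP 203.0.113.5:40001 -> 192.0.2.10:7000
102 DROP TCP 203.0.113.5:40002 -> 192.0.2.10:8000
104 DROP TCP 203.0.113.5:40003 -> 192.0.2.10:9000
105 DROP TCP 198.51.100.9:5555 -> 192.0.2.10:7000
106 DROP TCP 198.51.100.9:5556 -> 192.0.2.10:9000
107 DROP TCP 198.51.100.9:5557 -> 192.0.2.10:8000
108 DROP TCP 198.51.100.9:5558 -> 192.0.2.10:9000
130 DROP TCP 203.0.113.5:40010 -> 192.0.2.10:9000
131 DROP TCP 203.0.113.5:40011 -> 192.0.2.10:8000
132 DROP TCP 203.0.113.5:40012 -> 192.0.2.10:7000
140 DROP TCP 203.0.113.77:51000 -> 192.0.2.10:7000
141 DROP TCP 203.0.113.77:51001 -> 192.0.2.10:8000
142 DROP TCP 203.0.113.77:51002 -> 192.0.2.10:9000
"""


def run_sample(now: int = 210) -> List[Tuple]:
    """Replay the constructed log and return the firewall actions it would trigger."""
    det = KnockDetector(open_seq=(7000, 8000, 9000), close_seq=(9000, 8000, 7000),
                        protected_port=22)
    for line in SAMPLE_LOG.splitlines():
        det.feed(line)
    det.expire(now)   # a final sweep at 'now' closes grants whose TTL passed
    return det.actions


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

    Only the source that completes the sequence in order and within the window gets an OPEN for its own address; the host that sends the same three ports out of order never does, and a grant that is neither closed by the close sequence nor refreshed is torn down by the TTL sweep. In a real deployment the OPEN/CLOSE tuples would be mapped onto the firewall's rule-management interface, and the protected port stays a plain stateful rule, so an already established session survives the CLOSE as OtherMe describes later in the thread.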
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Secure? It depends on what you call "secure". It may be secure when installed on a server which is locked in an iron box, but when installed as a personal firewall it turns out to be completely insecure. Just because any malware can disable it through the command line.
    Ahh .. I can read and I did it before answering :)
    This depends on how a service is implemented. For one, it can "connect on demand". This is the most secure scenario I think, but it can be impossible in the general case just because you access it from a point where it is impossible to have a real IP. For two, with an app-oriented FW you can predefine some restricting rules. Though, you need to know the list of allowed remote IPs here. So you are right, this way is not completely flexible, but it is flexible enough for most practical situations.
    I see. And I agree that to implement it in a fully flexible way you need a FW that can be operated by some kind of automation. But .. but this contradicts the full security concept :) Either way is insecure in one way or another. But I do not regard short-time visibility as more insecure than the risk of getting the FW operated by an unexpected offender. The only way here is to lock your server in the iron box while you are out and to have some other application control both your FW and the automation process. Security is such endless fun, and the main problem is that complete security is just not possible :)
    I think this is not too difficult a thing to do (knocking support). But most personal FW vendors just do not care about this very specific task which also can compromise security. This I think would be a more natural task for a network operating FW, or to be more accurate for the "router".
     
  19. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    No, OA does not have any sort of commandline access.

    The geek in me wants to implement port knocking (both consuming remote services that require a knocking sequence and providing port knocking security) but we've soooo many more things to do, I just can't justify the time right now...
     
  20. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    MikeNash:
    ;) I knew you'd want to chew this one... But, understand you got priorities.

    Alphalutra1:
    Once your knock sequence causes your firewall to open, say, 22, then you can log in and close it manually or via startup scripts. Effectively, your 22 is again closed to wan/lan - except to you - because it is an *established* connection (easy to set in iptables and some win firewalls). Quite useful. One is then open only to the MITM technique, but on an ssh connection... need I say more...

    Sure, one should have the port closing sequence fired up upon logout - if not closed as above.

    Cheers,
    OM
     
  21. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    Once malware is on your side, you're, kinda, already compromised. But if it's not, then malware would:
    1. need to know your knocking sequence (easily randomized - recommended afaik)
    2. need to know password to gain access (if secure port is used - which should be a no brainer you'd like to use)
    3. pass all other layers (you do multilayer your defense, do you?)
    4. etc.
    Don't forget that malware doesn't need cli to be malware. 99% of it (no proof :p ) is non cli, anyway.

    Not quite. See my response to Alphalutra1 in the message above. You might be underestimating the usefulness of this approach and overprojecting its security ramifications.

    I'd say most WinOS (R;)) vendors don't even know about it, since it's a *nix concept. Though, one smart guy on this page already has plans to implement it... (I'm not saying NO vendor knows about port knocking. Just MOST).

    Cheers,
    OM
     
    Last edited: Nov 29, 2007
  22. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Of course, that was stupid of me, sorry :p . If the connection is already being tracked in the state table, then the rule can be stopped without flushing the state table and stopping it from tracking the connection.
    Well, that is why most ssh clients warn you and ask if you should proceed if the server has changed its RSA signature, so as long as you aren't stupid and just hit yes if the popup ever occurs, then I think you should be good to go with the security record of ssh ;)

    Cheers,

    Alphalutra1
     
  23. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    Alphalutra1:
    :thumb:;)
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK, ok. I just want to note this is a link of the same chain. Users don't need -> vendors don't know (don't care)
    :)
     
  25. OtherMe

    OtherMe Registered Member

    Joined:
    Sep 7, 2006
    Posts:
    19
    I'd call it evolution. Some users do need -> some vendors do care... It might not be *yours*, but there's an increasing need to securely access remote machines. Mind you, as said above, it's a well known and used concept over the fence in the linux/unix dimension.

    Out of interest, how do you access remote/wan machines?

    Cheers,
    OM
     