Most attacks on public Internet services and their providers' infrastructure
are not aimed at a specific target; instead, they send huge numbers
of packets across large IP ranges in order to find vulnerable computers
that the attacker can then exploit. These types of attacks
typically start with port scans to determine which hosts are active and
which services run on them. One technique that counters such attacks
by preventing the port scans from yielding usable information to the
attacker has been known for a while now and is called port-knocking.
However, this security mechanism has not seen wide adoption in today's
industry.
This thesis is aimed at providing a specification for a secure and
scalable solution for hiding services in a cloud environment using
port-knocking. The specification describes a concept based on X.509
certificates with Elliptic Curve Cryptography (ECC) to enable decentralized
authorization of clients via port-knocking. The presented approach
also allows for deployment of this concept with minimal overhead
on the server or provider side while eliminating any required configuration
or visible complexity for the end user. Furthermore, the design is
based on the requirement to keep the impact on the communication
of protected applications to a minimum and therefore relies on a
single UDP packet, which is small enough not to be affected by fragmentation.
sKnock, a Python-based prototype implementation of the described
specification, is also included in the thesis to evaluate the performance
and reliability of this approach. The implementation runs completely
in user space on both the server and the client side and does
not require elevated privileges of any kind from the end user. The
prototype targets the Linux platform, with OpenSSL as the cryptographic
module and iptables as the firewall on the server side. However, the
implementation was developed with platform independence in mind, so that
it can be extended by adding modules for other platforms.
The experiments included in the thesis indicate that the implementation
is already fast and reliable enough for a large-scale deployment.
By extending the base functionality provided in this prototype, this
solution can be adapted to numerous port-knocking scenarios with
low deployment and management overhead in scalable environments.
All things considered, the most important characteristic as well as
the major design goal of the presented specification and of sKnock is
to provide a concept for scalable port-knocking mechanisms and thereby
lay the foundations for increasing industry adoption of port-knocking.