When the Internet was originally created with just government and educational entities
communicating to one another, mechanisms of security were not considered as everyone was
trusted. This is quite evident in the design of the protocols that currently drive the Internet; they
are inherently insecure with secure mechanisms bolted on later. As the Internet spread to the
masses, firewalls became a very common tool for protection; whether software or hardware
based. Unfortunately, computer hackers adapted as well and the commonly used SPI, or stateful
packet inspection, firewall mechanism leaves resources open to the world just so they can be
made available to remote users. To help solve this issue, a port knocking mechanism was
created to help keep these resources closed and hidden when not needed, yet easily opened when
they are needed and still keep them hidden. While this mechanism has drawbacks and flaws, it
definitely helps keep an entity’s information much more secure in an inherently insecure
While the idea of securing resources thru port knocking is fairly new, the mechanism of
knocking for access identification is not. This is because, at its root, port knocking is about
being able to identify an authorized user thru “knocking.” This is similar to how people would
identify someone thru a pre-defined, shared “knocking” algorithm that stood on the other decide
of the door. For example, three knocks that included a one second delay between the first and
second and no delay between the second and third. Generally port knocking would be conducted
on already closed ports. This is the key part of the mechanism as the whole reason for this
mechanism is to ensure hackers scanning your computer can’t see any ports open that would
trigger them to start hack attempts. It also makes it so the user doesn’t get a false sense of
security just because they’re using the resource on a non-standard port, such as running SSH on
port 1022/tcp instead of 22/tcp, as it can still be found thru scanning.
The type of algorithm can be as simple or complex as the user wants it. Obviously the
more complex the more likely someone won’t stumble upon the right knocking algorithm.
Algorithms also don’t have to just include “knocking” on the ports, but include encryption or
packet data. A simple example would be to knock on ports 1000/tcp, 2000/tcp, and finally
3000/tcp. Another algorithm could use timings with the knocks such as adding a one second
delay between each knock. However these are still quite simple. If the resource being protected
is of greater sensitivity, the algorithm used could go so far as to require the knocks to include
data encrypted with an asymmetric key as well as the data being a one time passcode. Obviously
there is a lot of flexibility in how the algorithm could be developed. However, if the algorithm is
made too complex there would be a greater chance the client program would potentially messup
and valid users could be rejected due to normal network congestion.
Once the knocking is completed successfully, the user that has conducted the successful
knocking is considered authorized. A firewall rule is dynamically added specifically for their IP
Address to the desired resource. This allows for the resource to be accessible, but not to just
anyone in the world. This dynamic rule can be taken back out in a couple of different fashions.
One would be to remove the rule after a specified amount of time has elapsed. A more common
method though is to have the user conduct another port knocking process that would tell the
firewall to remove the rule. Of course, a variant on the timing rule could be to have an idle
timeout on the firewall rule as well just in case the user forgets to close the port.
There are several benefits to using port knocking with the standard SPI firewalls. First, it
adds one more layer of security. As no shared system is perfectly secure, the only thing anyone
can do is use security in depth principles to make it as hard as possible for unauthorized people
to get their hands on your data. Resources can run on their standard ports and the concept of
security thru obscurity no longer needs to be used since all ports would be seen as closed to
anyone who does not know the correct knocking algorithm. Also, scanners, often used by script
kiddies, are no longer effective, again, because all ports are seen as closed. Because this
mechanism is quite flexible as to its abilities, the complexity and thus security level of the
firewall as a whole can be dramatically enhanced. These can include not just allowing access to
the system thru an added firewall rule, but also ensuring the access is logged and potentially
limited in scope as to what the user is allowed to do. This can be done because the port knocking
actually triggers a script to run and anything that can be ran from the shell can thus be ran once
the knocking algorithm has been successfully completed. One advantage of port knocking as
well is that it can help a user gain access to ports in a more secure way that a VPN might not be
able to allow the user gain access to. While SSL VPN certainly changes this thinking, the
technology is still in its early stages of adoption and the commonly used IPSec VPN is often not
allowed in many areas that remote users often need to gain access to their secured resources.
However, even when SSL VPN becomes more affordable and commonplace, the fact that the
port knocking mechanism can execute commands beyond just firewall access and simple AAA
functionality makes it a far more powerful security technology than VPN.
There are some drawbacks to port knocking though; specifically keeping the system
usable and accessible. While the simple algorithm of knocking on three ports can be easily
implemented and given to a non-technical user to use, the more complicated ones require either a
third party system or a lot of resources to create. This is because the average non-technical user
doesn’t know how to use a command line much more be able to successfully run scripts and
understand and possibly troubleshoot why it may not have worked. This requires a very simple
to use client tool be created for these users. This also means this tool must be guarded carefully.
If that tool was to get out, the entire port knocking security layer must be considered
compromised similar to when a user’s password is given to people who shouldn’t have it.
Second, since there must be some listener on the firewall that must be written which in turn runs
the commands that can open up ports and run any other types of commands, great care must be
taken in the listener’s creation as well as all the scripts that it runs in response to a successful
knocking process. Finally, since the listener must be programmed to listen on certain closed
ports, those closed ports must be reserved to ensure they are not accidentally used by some other
resource for an unrelated reason that could ultimately mess with the proper detection of users
conducting a knocking process.
While the port knocking mechanism definitely helps security of an environment when
properly implemented, it still has flaws that must be recognized. One such flaw is due to the
common usage of NAT devices. Since port knocking is used to secure resources to remote users,
it is a very real and large possibility that these users will be accessing the resources thru NAT
devices for example at a coffee shop. Since the dynamically added rules will most likely be
written to allow any port from the user, as it is usually impossible to determine what the ports
will be used in those circumstances, and use the public IP assigned to the NAT, this would mean
after the user has successfully port knocked to open the port anyone behind the NAT device now
has access to that port as well. As a result, depending on the resource available, a private
resource could be made completely open to malicious people. Another flaw is that man-in-the-
middle attacks can easily sniff out the algorithm and compromise the integrity of the port
knocking security layer. Although more complicated knocking algorithms can be used to protect
this type of attack, it still must be recognized as a threat to the mechanism.
In many respects, the advantages and disadvantages of port knocking are the same as
passwords with authenticating to systems. The main difference is that port knocking
authenticates the user to the firewall. While there are similarities, there is far more flexibility
with port knocking; not to mention, password authentication and port knocking are on different
layers of the security design. Port knocking can include encryption, data validation, timing
mechanisms, and anything else the creator can think of. Despite the drawbacks and flaws
outlined, port knocking is a very useful mechanism to make systems more secure. While it is not
in heavy use as of yet, this security mechanism should prove to be a valuable addition to many
environments and is definitely more than the latest security fad.