 | fwknopfwknop implements an authorization scheme that requires only a single encrypted packet to communicate various pieces of info. |
| Download | |
fwknop Ranking & Summary
Advertisement
- License:
- GPL
- Price:
- FREE
- Publisher Name:
- Michael Rash
- Publisher web site:
- http://www.cipherdyne.com/psad/
fwknop Tags
fwknop Description
fwknop implements an authorization scheme that requires only a single encrypted packet to communicate various pieces of info. fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme based around Netfilter and libpcap that requires only a single encrypted packet in order to communicate various pieces of information including desired access through a Netfilter policy and/or complete commands to execute on the target system.By using Netfilter to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult.The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored.This method is similar to the Single Packet Authorization scheme proposed by Simple Nomad and the folks at NMRC fwknop project was also the first tool to combine traditional encrypted port knocking with passive OS fingerprinting. This makes it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon. What's New in This Release: · The FKO module that is part of the libfko library was fully integrated for all SPA routines: encryption/decryption, digest calculation, replay attack detection, etc. · The ability to recover from interface error conditions was added, such as when fwknopd sniffs a ppp interface (say, associated with a VPN) that goes away and then is recreated. · The fwknop client was updated to include the SPA destination before DNS resolution when sending an SPA packet over an HTTP request.
fwknop Related Software