Bug#406627: RFP: fwknop -- Single Packet Authorization via "FireWall KNock OPerator"
Package: wnpp
Severity: wishlist
Description (from URL):
fwknop stands for the "FireWall KNock OPerator", and implements an
authorization scheme called Single Packet Authorization (SPA) that is
based around Netfilter and libpcap. SPA requires only a single
encrypted packet in order to communicate various pieces of information
including desired access through a Netfilter policy and/or complete
commands to execute on the target system. By using Netfilter to
maintain a "default drop" stance, the main application of this program
is to protect services such as OpenSSH with an additional layer of
security in order to make the exploitation of vulnerabilities (both
0-day and unpatched code) much more difficult. The authorization
server passively monitors authorization packets via libcap and hence
there is no "server" to which to connect in the traditional sense.
Access to a protected service is only granted after a valid encrypted
and non-replayed packet is monitored.
Advantages over Port Knocking:
+ SPA can utilize asymmetric ciphers for encryption
+ SPA packets are non-replayable
+ SPA cannot be broken by trivial sequence busting attacks
+ SPA only sends a single packet over the network
+ SPA is much faster
+ SPA is compatible with 2048-bit Elgamal GnuPG keys
Tools provided within the Package:
+ fwknop (8), fwknop client
+ fwknopd (8), fwknopd Single Packet Authorization (SPA) server
+ knopmd (8), legacy daemon to acquire Netfilter log messages for
deprecated port knocking mode.
+ knopwatchd (8), process monitoring daemon for fwknop daemons.
Copyright: GPL
URL: http://www.cipherdyne.org/fwknop/
Reply to: