Abstract:
Port Knocking and Single Packet Authorization (SPA) based dynamic firewalls authenticate remote users at the firewall level to ensure authorized access to potentially vulnerable network services. Despite being around for quite some time, both passive authorization techniques still suffer from a crucial problem: the authentication-connection association problem, which allows an attacker to connect to a protected server on behalf of a valid client after the client has successfully authenticated with the firewall but before it establishes the TCP connection with the protected server. A novel design is proposed in this work that resolves this problem by encoding nonces in suitable fields of selected packets in transit between client and server. The proposed design can be incorporated into the existing architectures of both passive authorization techniques and keeps the enhancements previously made to these systems intact. The proposed design has been implemented in Java by modifying an existing open-source port knocking system, JPortKnock. The performance evaluation has been carried out on the basis of parameters such as processing overhead, robustness and stealthiness. To measure the processing overhead incurred by incorporating the proposed design into existing systems, the number of simultaneous authentication request packets that JPortKnock and the proposed system can process has been examined. Results show that the processing overhead, which is crucial for passive authorization systems, incurred by incorporating the proposed design into JPortKnock remains below 1%, which is marginal.
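The following simulation is an added illustration of the authentication-connection association problem and of the nonce-binding idea; it is not the paper's design nor JPortKnock's code. Everything concrete in it is an assumption: the nonce is a client-chosen random value carried in the HMAC-protected SPA packet, the "suitable field" is the TCP initial sequence number (ISN) of the client's SYN, and the expected ISN is derived as the first four bytes of HMAC-SHA256 over the nonce and client address under the shared key. A `ClassicFirewall` opens the port for the authenticated source address and therefore admits any SYN from that address inside the window; a `NonceBoundFirewall` admits exactly one SYN, the one whose ISN was derived from the authorization.

```python
# Added simulation; assumptions (not from the paper): nonce carried in the SPA
# packet, TCP ISN used as the nonce carrier, HMAC-SHA256 as the derivation.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key"  # constructed sample key shared by client and firewall
FRESHNESS_SECONDS = 30                # SPA packets and open holes expire after this
PROTECTED_PORT = 22


@dataclass(frozen=True)
class SpaPacket:
    client_ip: str
    timestamp: int
    nonce: bytes   # 16 random bytes chosen by the client
    mac: bytes     # HMAC-SHA256 over client_ip, timestamp and nonce


@dataclass(frozen=True)
class SynPacket:
    src_ip: str
    dst_port: int
    isn: int       # 32-bit TCP initial sequence number, the assumed carrier field


def spa_mac(client_ip: str, timestamp: int, nonce: bytes) -> bytes:
    msg = client_ip.encode() + struct.pack(">Q", timestamp) + nonce
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()


def expected_isn(client_ip: str, nonce: bytes) -> int:
    """ISN the client's SYN must carry; only holders of the key can compute it."""
    d = hmac.new(SHARED_KEY, b"isn" + nonce + client_ip.encode(), hashlib.sha256).digest()
    return struct.unpack(">I", d[:4])[0]


class Client:
    def __init__(self, ip: str):
        self.ip, self.nonce = ip, None

    def make_spa(self, now: int) -> SpaPacket:
        self.nonce = os.urandom(16)
        return SpaPacket(self.ip, now, self.nonce, spa_mac(self.ip, now, self.nonce))

    def make_syn(self) -> SynPacket:
        # The SYN is bound to the authorization through its ISN.
        return SynPacket(self.ip, PROTECTED_PORT, expected_isn(self.ip, self.nonce))


class ClassicFirewall:
    """Opens the port for the authenticated source address: any SYN from that
    address is admitted while the hole is open (the association problem)."""
    def __init__(self):
        self.pending = {}  # client_ip -> expiry time

    def authorize(self, spa: SpaPacket, now: int) -> bool:
        if abs(now - spa.timestamp) > FRESHNESS_SECONDS:
            return False
        if not hmac.compare_digest(spa.mac, spa_mac(spa.client_ip, spa.timestamp, spa.nonce)):
            return False
        self.pending[spa.client_ip] = now + FRESHNESS_SECONDS
        return True

    def admit_syn(self, syn: SynPacket, now: int) -> bool:
        return syn.dst_port == PROTECTED_PORT and self.pending.get(syn.src_ip, -1) >= now


class NonceBoundFirewall(ClassicFirewall):
    """Same SPA check, but the hole admits one SYN carrying the derived ISN."""
    def __init__(self):
        super().__init__()
        self.seen_nonces = set()   # a replayed SPA packet is rejected

    def authorize(self, spa: SpaPacket, now: int) -> bool:
        if spa.nonce in self.seen_nonces or not super().authorize(spa, now):
            return False
        self.seen_nonces.add(spa.nonce)
        self.pending[spa.client_ip] = (expected_isn(spa.client_ip, spa.nonce), now + FRESHNESS_SECONDS)
        return True

    def admit_syn(self, syn: SynPacket, now: int) -> bool:
        entry = self.pending.get(syn.src_ip)
        if entry is None or syn.dst_port != PROTECTED_PORT:
            return False
        isn, expires = entry
        if now > expires:
            del self.pending[syn.src_ip]
            return False
        if syn.isn != isn:
            return False               # SYN not bound to the authorization: dropped
        del self.pending[syn.src_ip]   # exactly one connection per authorization
        return True


def race_scenario(firewall, now: int = 1000):
    """A spoofed SYN from the client's address arrives after the SPA packet but
    before the client's own SYN. Returns (spoof_admitted, client_admitted)."""
    client = Client("203.0.113.10")                    # constructed address
    assert firewall.authorize(client.make_spa(now), now)
    spoofed = SynPacket(client.ip, PROTECTED_PORT, 0x12345678)  # ISN guessed without the key
    spoof_ok = firewall.admit_syn(spoofed, now + 1)
    client_ok = firewall.admit_syn(client.make_syn(), now + 2)
    return spoof_ok, client_ok


if __name__ == "__main__":
    print("classic:", race_scenario(ClassicFirewall()))      # (True, True)
    print("bound:  ", race_scenario(NonceBoundFirewall()))   # (False, True)
```

The design point the simulation makes is that the firewall no longer trusts "a SYN from the authenticated address" but "the one SYN whose carrier field matches a secret derived from this authorization"; the pending entry is consumed on first use, so a later copy of the same SYN is rejected as well, and a replayed SPA packet is caught by the nonce set. Where the carrier field lives in a real deployment, and how the derivation is keyed, are exactly the choices the paper's design makes and this example only stands in for.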