YounesZn

The Speakeasy Door to Your Network - Port Knocking (1)

Introduction

It's undeniable that the only truly secure system is one that's powered off. But let me tell you, you might as well throw that system away, because from the birth of the internet, every system has been created for a purpose—and that purpose forces it to be exposed publicly and made available to external users, whether it’s for patching, transmitting data, or enhancing functionality. This exposure may be selective, or it may not be, because some systems must be accessible to anyone, from anywhere.

The dilemma that comes to mind now is: if anyone can access such systems, then where on earth is privacy and security?

Well, humans, being smart, standardized the terms authentication and authorization. These are the key concepts that safeguard our data, preventing unauthorized access and keeping it from being compromised. These concepts are primarily managed by the service or system itself, ensuring that before any access is granted, the user must authenticate in one way or another (passwords, two-factor authentication, security questions...).

It seems like a good approach, but sadly, it’s not that simple. Imagine a network with thousands of services: trusting devices that may not be secure by design to handle authentication is a significant risk.


Firewalls Are Life Savers

Here come Firewalls: Instead of allowing every user the possibility to access our network and authenticate, why not restrict access to only trusted users? By applying a set of rules on the first device accessible in the network, the firewall, we can selectively accept or deny connections based on criteria such as the source IP address, port numbers, and protocols used.
So, finally, we can say our infrastructure is now safer than ever.

However, never be naive: there are several attacks that can be used to bypass firewall rules. Once a rule authorizes a certain type of access, attackers can potentially exploit that opening, and—hoopla!—here's the initial foothold they’ve been waiting for.

So, the hero of our story is already defeated before the battle even begins, thanks, firewalls! -_-

Come on, firewalls aren’t that fragile! We can take advantage of the fact that they are often the first accessible devices in our network and cleverly play with firewall logic to build a more secure infrastructure.

For that, there are many innovative ways to implement logical solutions that guarantee a secure network. One of them is the Port Knocking method.


Port Knocking - The concept

Long story short, imagine an infrastructure where certain services are completely inaccessible to everyone—except the users we choose to authorize. To gain access, these users must demonstrate a specific behavior or follow a unique pattern that we can detect. So, we say, "Ah, that's our guy—let them in!".

In general, the concept is to give the user we want to authorize a secret series of steps to execute in order to gain access to a service.

As an example, consider an infrastructure that includes an SSH server. The firewall blocks all access to the SSH server on port 22. However, if a user sends packets to a specific sequence of server ports—such as (1234, 5678, 3456) in our case—and in the exact order, it triggers actions on the firewall.

The firewall, which is always listening for such a sequence, then temporarily opens port 22 for a limited time. If no connection is made during that window, the port automatically closes again, maintaining security.

Inside the mind of an attacker, this security approach still has its weaknesses. All it takes is to sniff the secret sequence from the network and mimic it to gain access. Worse yet, imagine if the trusted user's IP address belongs to a shared resource, like a public WiFi hotspot. The external IP, which acts as the source address from the NAT provider, would need to be opened. At that point, any user of the hotspot could access the same service without needing to replay the sequence.
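
The knock sequence and timed opening described above, as an added Go example that is not from the original post: a per-source state machine for the sequence (1234, 5678, 3456). The Tracker type, the 30-second window and the documentation-range addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// state is what the firewall remembers for one source IP.
type state struct {
	step      int       // index of the next port expected in Seq
	openUntil time.Time // port 22 is reachable until this instant
}

// Tracker matches knocks against Seq; Window is an assumed opening time.
type Tracker struct {
	Seq    []int
	Window time.Duration
	Hosts  map[string]state
}

// Observe feeds one packet: source IP, destination port, arrival time.
func (t *Tracker) Observe(src string, port int, at time.Time) {
	s := t.Hosts[src]
	switch {
	case port == t.Seq[s.step]:
		s.step++
	case port == t.Seq[0]:
		s.step = 1 // wrong port, but it is a valid first knock
	default:
		s.step = 0 // wrong port: start over
	}
	if s.step == len(t.Seq) {
		s.step, s.openUntil = 0, at.Add(t.Window)
	}
	t.Hosts[src] = s
}

// Allowed reports whether src may reach port 22 at the given time.
func (t *Tracker) Allowed(src string, at time.Time) bool {
	return at.Before(t.Hosts[src].openUntil)
}

func main() {
	// Constructed knocks from a documentation address, one second apart.
	fw, t0 := &Tracker{[]int{1234, 5678, 3456}, 30 * time.Second, map[string]state{}}, time.Unix(1700000000, 0)
	for n, p := range fw.Seq {
		fw.Observe("203.0.113.7", p, t0.Add(time.Duration(n)*time.Second))
	}
	fmt.Println(fw.Allowed("203.0.113.7", t0.Add(10*time.Second)), fw.Allowed("198.51.100.9", t0.Add(10*time.Second)))
}
```

Because the state is keyed only by source IP, every client behind the same NAT address passes Allowed once one of them has knocked, and the same sequence sent from any other address opens the port for that address too; these are the two weaknesses noted above.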

Stay tuned for the next part, where we’ll explore how to defend our port knocking logic with secure implementation techniques and a Go-based server as an example. You won't want to miss it!
