I understand both points of view. My personal 2c's worth is that I sleep better at night knowing that you need the "secret knock", as it were, and that I have done other little things that, whilst they might not deter a true hacker, stop more than their fair share. It's the same analogy with spam. It also gives me a little bit more of a window to catch such attacks and deal with them appropriately. Now there are some who would say that I am going to bed with a false sense of security, because I don't understand that it's not going to stop the "good" bad guys. But unless I become a huge target for the Russian Mob (borrowed that, mate!) then I will not worry so much. I've kind of always stood with Thor on this one and those "security/obscurity" minded folk. Mind you, if I wanted to be totally secure, I wouldn't run anything and would read and have sex all day long... mmm, sex...

Greg Mulholland

________________________________

From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Fri 20/01/2006 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports

http://www.ISAserver.org

You and I always seem to disagree on stuff like this... I mean, I see your point, but this is like the "source port rule" thing I do. To me, it is not "loosening" at all. Having a box that only allows 3389 after a series of port failures in the right order (secret knock) is a more secure posture than a machine that has 3389 open all the time. Having a machine that only allows 3389 when the source port is 43223 is a more secure posture than one that allows 3389 from any source port. The secret knock ports don't even have to be open - you just identify the failed attempts in the right order, or however you want to do it... It's just another layer.

t

-----
"I'll see your Llama and up you a Badger."
John T

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 19, 2006 1:25 PM
Subject: [isalist] RE: Open Ports

This isn't server hardening; it's server loosening. If you want to muck about in ISA policies, log onto the machine.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 13:07
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Open Ports

Hi Tom,

The greatest value I see in the concept is server hardening. There are plenty of scenarios when inbound connections are only used sporadically for, say, remote management on back-end servers. Still, I'd rather not show my firewall as listening on certain inbound ports... let us say, security by obscurity? :) Personally, I've always been a rather big fan of that. On the other side, I'm also extremely paranoid. Even the most secure of services are, in my opinion, vulnerable. Less vulnerable, yes, but still, vulnerable. Only exposing those services to the outside world when I desire it sounds good to me. ;o) Combining port knocking with OTPs, shaped packets, etc., increases the difficulty to expose the service to the outside. A colleague of mine mentioned today that the most secure server is offline, in a box, locked far away in a bunker. Very true as that may be, it'll never quite be a reality (apart from root CAs, of course. ;o) ). Until that time, I still wish to hide as much information from the outside world as possible. If I can use a port knocking mechanism to decrease the chance of an attacker noticing listening ports on my firewall, I'd surely say 'yes' to that.
:P

My two cents on the matter.

Regards,
Paul.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thu 19-1-2006 21:50
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports

Hi Paul,

Never heard of port knocking until you mentioned it here. I read a few articles on it today and I'm not clear what value this would add to the ISA firewall. Care to teach the teacher? :)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

________________________________

From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 2:08 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Open Ports

True. However, with the assumption that a) you actually own the system and b) you want to use the port-knocking mechanism (therefore making it wanted code), the concept isn't bogus. My intention is to have a go at it on my testing environment, just because it'd be fun to try. :P I wouldn't dream of even mentioning the concept at a customer. As far as 'owning the machine', I can imagine you're also referring to the fact I don't 'own' the ISA server's internals. True. Combining an ISA server as back-end with, say, a UNIX machine in front with port-knocking on it, however, would solve that problem. I'm also aware there are plenty of progs available to do that for me, but, ah hell, I like playing around with code at times. ;)

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thu 19-1-2006 20:56
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports

The basic idea behind port-knocking is that you have installed an agent that can control your (local or remote) firewall policies.
If you've accomplished the task of installing unwanted code on a machine that you don't (actually) own, you're wasting time simply dorking about with firewall policies.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
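The "secret knock" Thor describes in the thread above (3389 allowed for a source only after it has hit a series of closed ports in the right order, detected purely from the failed attempts) worked through as an added Python example. This is not code from the thread, from ISA Server, or from any port-knocking product: the knock ports, the timing window, the open duration, the log line format and the source addresses are all assumptions constructed for the demo. It models the defender's side only: a small state machine that consumes firewall DROP events, resets on a wrong or late knock, and grants a short-lived, per-source allowance for TCP 3389.

```python
import re
from dataclasses import dataclass, field

# Assumed values for the demo; nothing here is ISA's or from the thread
# beyond the idea of "3389 only after the right knock".
KNOCK_SEQUENCE = (7000, 9000, 8000)   # the secret knock, in this order
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the knock
OPEN_DURATION = 30.0                  # seconds 3389 stays allowed afterwards
PROTECTED_PORT = 3389

# Constructed log format for dropped inbound attempts: "<epoch> DROP src=<ip> dpt=<port>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) DROP src=(?P<src>[\d.]+) dpt=(?P<dpt>\d+)$")


@dataclass
class KnockProgress:
    stage: int = 0        # number of knocks matched so far
    started: float = 0.0  # time of the first matched knock


@dataclass
class KnockDaemon:
    progress: dict = field(default_factory=dict)  # src -> KnockProgress
    opened: dict = field(default_factory=dict)    # src -> expiry time

    def observe_drop(self, ts: float, src: str, dport: int) -> None:
        """Feed one dropped connection attempt; the knock ports never need to be open."""
        p = self.progress.get(src, KnockProgress())
        if p.stage and ts - p.started > KNOCK_WINDOW:
            p = KnockProgress()                       # too slow: start over
        if dport == KNOCK_SEQUENCE[p.stage]:
            if p.stage == 0:
                p.started = ts
            p.stage += 1
            if p.stage == len(KNOCK_SEQUENCE):        # full knock: open briefly
                self.opened[src] = ts + OPEN_DURATION
                p = KnockProgress()
        elif dport == KNOCK_SEQUENCE[0]:
            p = KnockProgress(stage=1, started=ts)    # wrong port, but a fresh first knock
        else:
            p = KnockProgress()                       # wrong port: reset
        self.progress[src] = p

    def is_allowed(self, ts: float, src: str, dport: int) -> bool:
        """Policy check for a new inbound connection: only 3389, only knocked sources, only briefly."""
        if dport != PROTECTED_PORT:
            return False
        expiry = self.opened.get(src)
        return expiry is not None and ts <= expiry


def feed_log(daemon: KnockDaemon, lines) -> int:
    """Replay DROP log lines into the daemon; returns how many lines were parsed."""
    parsed = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            daemon.observe_drop(float(m["ts"]), m["src"], int(m["dpt"]))
            parsed += 1
    return parsed


# Constructed sample log: one host knocks correctly, one knocks in the wrong
# order, one knocks in the right order but too slowly.
SAMPLE_LOG = """
1000.0 DROP src=203.0.113.5 dpt=7000
1001.0 DROP src=203.0.113.5 dpt=9000
1002.0 DROP src=203.0.113.5 dpt=8000
1000.0 DROP src=198.51.100.9 dpt=7000
1001.0 DROP src=198.51.100.9 dpt=8000
1002.0 DROP src=198.51.100.9 dpt=9000
1000.0 DROP src=192.0.2.77 dpt=7000
1020.0 DROP src=192.0.2.77 dpt=9000
1021.0 DROP src=192.0.2.77 dpt=8000
""".strip().splitlines()


def demo() -> dict:
    """Replay the sample and report the policy decisions for each case."""
    d = KnockDaemon()
    feed_log(d, SAMPLE_LOG)
    return {
        "good_knock": d.is_allowed(1003.0, "203.0.113.5", 3389),          # True
        "good_knock_expired": d.is_allowed(1040.0, "203.0.113.5", 3389),  # False
        "wrong_order": d.is_allowed(1003.0, "198.51.100.9", 3389),        # False
        "too_slow": d.is_allowed(1022.0, "192.0.2.77", 3389),             # False
        "other_port": d.is_allowed(1003.0, "203.0.113.5", 22),            # False
    }


if __name__ == "__main__":
    print(demo())
```

The window and the expiry are what make this "another layer" rather than a hole: a correct knock buys one source a few seconds of reachability, and a wrong or late port resets the sequence, so a plain sequential scan does not stumble into it unless the knock ports happen to be consecutive. It remains an obscurity layer in the sense Paul describes, since anyone who can watch the path sees the knock in the clear; that is the gap his mention of combining it with OTPs is meant to close.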