Page 2 of 3 (results 11 to 20 of 25)

Thread: Project Firewall

  1. #11 imported_Deathray (Member, joined Oct 2007, 381 posts)

    Quote Originally Posted by the_rooster:
    I have made a few Iptables firewalls, one with a single packet auth system that would dynamically open a port for the ssh server.
    Wow, that sounds really impressive!
    A port scan reveals port 22 closed, and then you send a packet somewhere to
    open it? How does this work, exactly?
    What keyword should I use to find out more about that type of mechanism?
    And pureh@te, I loved your experiment, especially the way you described the process.
    Quote Originally Posted by pureh@te:
    This was extremely annoying and baffled me for a few days until I finally had the bright idea to update the bios. ok so now I was booting with 4 nics
    Hehe, funny :b
    - Poul Wittig

  2. #12 Barry (My life is this forum, joined Jan 2010, 3,817 posts)

    Quote Originally Posted by Deathray:
    Wow, that sounds really impressive!
    A port scan reveals port 22 closed, and then you send a packet somewhere to
    open it? How does this work, exactly?
    What keyword should I use to find out more about that type of mechanism?
    And pureh@te, I loved your experiment, especially the way you described the process.

    Hehe, funny :b
    Sounds kinda like port knocking.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  3. #13 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    Yeah, it is like port knocking. It is also called single packet authorization. Basically I wrote a client-side component that crafts a UDP packet with a pre-shared key and a timestamp that is encrypted with the public half of an RSA key pair. For the server side, I wrote a libpcap listener that passes the packet to a program that will decrypt the packet with the private key. If the pre-shared key and timestamp are within the accepted limits, then it opens the SSH port for that specific IP for a brief amount of time to allow for the connection. It then removes the rule that allowed for that connection, but since that TCP connection is now in an "established" state, the traffic will be allowed to pass.

    So even if you connect to your SSH server at a coffee shop or the airport, anybody in the middle could tell you have an SSH connection to a specific IP and port, but their scans of that IP will say that the port is closed. And so what if they intercept the UDP auth packet? It has a timestamp in the encrypted payload and will be rejected if someone attempts to replay it later. And even if they did replay it within the accepted time frame, it would only open the SSH port for a very brief amount of time.

    I know it's kind of overkill for SSH, but it could also be used to hide other services you want to offer only semi-publicly, like a Cisco VPN or an RDP connection.

  4. #14 KMDave (Moderator, joined Jan 2010, 2,281 posts)

    Quote Originally Posted by the_rooster:
    Yeah, it is like port knocking. It is also called single packet authorization. Basically I wrote a client-side component that crafts a UDP packet with a pre-shared key and a timestamp that is encrypted with the public half of an RSA key pair. For the server side, I wrote a libpcap listener that passes the packet to a program that will decrypt the packet with the private key. If the pre-shared key and timestamp are within the accepted limits, then it opens the SSH port for that specific IP for a brief amount of time to allow for the connection. It then removes the rule that allowed for that connection, but since that TCP connection is now in an "established" state, the traffic will be allowed to pass.

    So even if you connect to your SSH server at a coffee shop or the airport, anybody in the middle could tell you have an SSH connection to a specific IP and port, but their scans of that IP will say that the port is closed. And so what if they intercept the UDP auth packet? It has a timestamp in the encrypted payload and will be rejected if someone attempts to replay it later. And even if they did replay it within the accepted time frame, it would only open the SSH port for a very brief amount of time.

    I know it's kind of overkill for SSH, but it could also be used to hide other services you want to offer only semi-publicly, like a Cisco VPN or an RDP connection.
    That sounds really interesting, would you share your code with us or is it something you prefer keeping for yourself?
    Tiocfaidh ár lá

  5. #15 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    KMDave: I would share it, but I am actually in the process of trying to bring it to market (if there is one for this... I at least have to try). I have done a number of things to try to scale this up to be usable on a larger scale.

    For the client, I built a Windows GUI in C# that is kind of a cross between PuTTY and the Cisco GUI client. It allows an XML config file to be dropped in, like a PCF, that loads a user up with RDP/web app tunnel configurations and performs the single packet auth and SSH connection. I also use a two-key system for the UDP payload: one common key for all users and one unique to each user. This provides the server a user signature, so I can log who is using the systems and at what times, and should someone's laptop become stolen or compromised, I only have to replace that user's individual key.

    For the server side, I integrated the SSH server with AD and give all of the users a dummy shell. That way they can tunnel stuff through SSH, but they can't mess anything up through a direct shell connection.

    Maybe I am giving away too much already, but I am very interested in peer review. I work for a Microsoft shop, and all of this kind of flies in the face of what they are doing. So I get a bunch of blank stares when I try to explain this. But I do have it working in production and many of my coworkers use it.

    I welcome anyone who would like to comment on this or know more about it to shoot me a PM, thanks
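An added example, not the_rooster's code (which, as the post says, is not being shared): a standard-library-only Python walk-through of the single packet authorization flow described in posts #13 and #15. It swaps the RSA-encrypted pre-shared-key-plus-timestamp payload for an HMAC-SHA256 tag under a per-user key, which also gives the per-user signature from post #15; the user names, keys, timing windows, SSH port and source IP are all constructed. The iptables base policy is an assumption as well: it REJECTs TCP/22 with a RST, so a scanner reports the port closed (a plain DROP would show it as filtered), and it accepts conntrack-tracked flows, which is what lets the transient rule be deleted without cutting the SSH session that was set up through it.

```python
"""Single packet authorization (SPA) walk-through: a one-shot auth datagram,
server-side validation with a timestamp window and a replay cache, and the
transient iptables rules that expose port 22 to the sender only.
Added example; the keys, names, addresses and policy below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Optional

# Hypothetical per-user keys; a deployment would load them from configuration.
# One key per user is what lets the server log which user opened the port.
USER_KEYS = {
    "alice": bytes.fromhex("3a" * 32),
    "bob": bytes.fromhex("5c" * 32),
}
WINDOW_SEC = 30   # accepted drift between packet timestamp and server clock
OPEN_SEC = 10     # how long the NEW-connection rule stays in place
SSH_PORT = 22

# Assumed base policy: default drop, keep tracked flows, answer probes to 22
# with a RST so a scanner reports the port as closed rather than filtered.
BASE_RULES = [
    "iptables -P INPUT DROP",
    "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    f"iptables -A INPUT -p tcp --dport {SSH_PORT} -j REJECT --reject-with tcp-reset",
]


def build_packet(user: str, key: bytes, now: Optional[float] = None) -> bytes:
    """Client side: user|timestamp|nonce, authenticated with HMAC-SHA256.
    The thread's design encrypts a PSK and timestamp to an RSA public key;
    a keyed MAC is used here so the demo runs on the standard library alone.
    User names must not contain '|' because it is the field separator."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()  # makes every packet unique for the replay cache
    body = f"{user}|{ts}|{nonce}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class SpaServer:
    """Server side: what a libpcap listener would hand each captured datagram to."""

    def __init__(self, keys: dict, window: int = WINDOW_SEC):
        self.keys = keys
        self.window = window
        self.seen: dict = {}  # nonce -> expiry time; the replay cache

    def validate(self, packet: bytes, now: Optional[float] = None) -> tuple:
        """Returns (True, user) for a fresh, authentic packet, else (False, reason)."""
        now = time.time() if now is None else now
        parts = packet.split(b"|")
        if len(parts) != 4:
            return False, "malformed"
        user_b, ts_b, nonce_b, tag_b = parts
        user = user_b.decode("ascii", "replace")
        key = self.keys.get(user)
        if key is None:
            return False, "unknown user"
        body = b"|".join(parts[:3])
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag_b):  # constant-time compare
            return False, "bad mac"
        try:
            ts = int(ts_b)
        except ValueError:
            return False, "malformed"
        if abs(now - ts) > self.window:
            return False, "stale"
        # A nonce older than the window can no longer validate, so drop it.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        nonce = nonce_b.decode("ascii", "replace")
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = now + self.window
        return True, user


def open_rules(src_ip: str, port: int = SSH_PORT) -> tuple:
    """The rule inserted for the sender and the matching delete run OPEN_SEC later.
    Only NEW is accepted here; once the handshake completes the flow matches the
    base ESTABLISHED rule, so deleting this rule does not drop the session."""
    match = f"-s {src_ip} -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
    return f"iptables -I INPUT 1 {match}", f"iptables -D INPUT {match}"


def handle(server: SpaServer, packet: bytes, src_ip: str,
           now: Optional[float] = None) -> list:
    """Commands a listener would run for one datagram: none if rejected,
    otherwise insert, wait, delete. The returned user is the audit-log entry."""
    ok, who = server.validate(packet, now)
    if not ok:
        return []
    add, delete = open_rules(src_ip)
    return [add, f"sleep {OPEN_SEC}", delete]


if __name__ == "__main__":
    srv = SpaServer(USER_KEYS)
    pkt = build_packet("alice", USER_KEYS["alice"])
    for cmd in BASE_RULES + handle(srv, pkt, "203.0.113.7"):
        print(cmd)
    print(srv.validate(pkt))  # same datagram replayed within the window
```

In a real listener the SPA datagram is captured with libpcap while the kernel policy drops it, so the SPA port itself never answers a probe, and the delete would be scheduled (a timer or `at`) rather than blocking the listener with `sleep`.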

  6. #16 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote Originally Posted by KMDave:
    That sounds really interesting, would you share your code with us or is it something you prefer keeping for yourself?
    This would interest you I'm sure, KMDave. The project is also going to be rewritten from Perl to C, from what I understand. No need for a proprietary codebase.

    http://cipherdyne.org/fwknop/
    dd if=/dev/swc666 of=/dev/wyze

  7. #17 KMDave (Moderator, joined Jan 2010, 2,281 posts)

    @the rooster
    Good luck then, I wish you the best. If you need a tester or the like, I'd help out.

    @wyze
    Thanks a lot for the link I am going to read up on it. I owe you a useful link
    Tiocfaidh ár lá

  8. #18 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    Sure thing. pf and OpenBSD are unique in that it is possible to bridge the LAN NICs to the WAN NIC, so that if you have a standalone box like I have, the firewall in essence has no IPs on the LAN and therefore it is impossible to attack. I got all my help from wyze and PrairieFire, who were already implementing such a system.
    I've been thinking about this, trying to see if I could break it. Just an idea; I would like your feedback on whether it is possible. Could you send a packet with the MAC of the firewall, and if you have a routing protocol in use, use the multicast IP address (for the protocol) to be able to communicate with it?

  9. #19 Just burned his ISO (joined Nov 2008, Georgia, 7 posts)

    Heh, that's awesome ^^.

    Looks sexy too :3

  10. #20 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote Originally Posted by compaq:
    I've been thinking about this, trying to see if I could break it. Just an idea; I would like your feedback on whether it is possible. Could you send a packet with the MAC of the firewall, and if you have a routing protocol in use, use the multicast IP address (for the protocol) to be able to communicate with it?
    blocknonip should be set on the transparent bridge's interface to combat that type of traffic.
    dd if=/dev/swc666 of=/dev/wyze
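An added configuration example, not the setup of anyone in this thread: the OpenBSD hostname.if(5) files for a transparent filtering bridge of the kind discussed above, with no address on either bridge member and the blocknonip option wyze mentions. The interface names are assumed; ifconfig(8) documents blocknonip as stopping non-IP frames from being forwarded on that member, so everything the box forwards is IP traffic that pf can filter.

```conf
# /etc/hostname.em0  (WAN-side member: link up, no IP address assigned)
up

# /etc/hostname.em1  (LAN-side member: link up, no IP address assigned)
up

# /etc/hostname.bridge0  (the transparent bridge joining the two members)
add em0
add em1
blocknonip em0
blocknonip em1
up
```

With no address on em0, em1 or bridge0, the box has nothing on the LAN or WAN to connect to; management happens from the console, or from a separate NIC that is not a bridge member and is only reachable from an admin network.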
