Why Port-Knocking Sucks.

The basic idea of port knocking is that before connecting to some service, the user has to "knock" first. This is done by sending a number of packets to selected ports in a specific order. If the right sequence is sent, a daemon updates the firewall to add a rule allowing the user to connect to other services.
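As an added illustration (not code from the original post or from any real knocking daemon), here is a minimal Python simulation of such a daemon: it tracks each source address's progress through the sequence, resets on a wrong port, and adds a "firewall rule" keyed only by source address once the sequence completes. The port numbers, addresses and class names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed example sequence and protected port (assumptions for this demo).
KNOCK_SEQUENCE = (7000, 8000, 9000)
PROTECTED_PORT = 22


@dataclass
class KnockDaemon:
    sequence: tuple = KNOCK_SEQUENCE
    progress: dict = field(default_factory=dict)   # src_ip -> knocks matched so far
    allowed: set = field(default_factory=set)      # src_ips for which a rule was added

    def observe(self, src_ip, dst_port):
        """Feed one inbound packet (source address, destination port).

        The only state the daemon has about a client is its source address and
        how far into the shared sequence it has got; nothing identifies *who*
        is knocking, and the destination ports travel in clear text.
        """
        n = self.progress.get(src_ip, 0)
        if dst_port == self.sequence[n]:
            n += 1
        else:
            # Wrong port: start over (a stray packet or a port scan resets progress).
            n = 1 if dst_port == self.sequence[0] else 0
        if n == len(self.sequence):
            self.allowed.add(src_ip)   # "firewall rule" for this source address
            n = 0
        self.progress[src_ip] = n

    def accepts(self, src_ip, dst_port):
        """Firewall decision for a connection attempt to dst_port."""
        if dst_port != PROTECTED_PORT:
            return True
        return src_ip in self.allowed


def replay(packets):
    """Run a constructed packet log of (src_ip, dst_port) through the daemon."""
    daemon = KnockDaemon()
    for src_ip, dst_port in packets:
        daemon.observe(src_ip, dst_port)
    return daemon
```

Every source that sends the same three ports is admitted, which is exactly the "shared password with no client identification" property the post describes.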

Essentially, this means that the port knocking sequence is a password. But it is a shared password: since there is no client identification, the secret is the same for all users. And it is sent in clear text; the port number cannot be encrypted.

For anything port knocking does, it does so badly:

Shared passwords are bad: the security of a shared password is inversely proportional to the number of people who need to know it, and the cost of changing a shared password is proportional to the number of people using it. Shared passwords are also bad because there is no accountability: you cannot hold anyone accountable since there is no client identification.

If you've already got user authentication in place for your services, then the right solution is to enforce stronger passwords, not to implement port knocking.

Sniffing passwords is a common concern, so you should be concerned about the security port knocking has to offer. The port knocking sequence is sent in the clear, and there is no way to solve that, except by discarding port knocking.

Port knocking provides stealth: to an external port scan your server becomes invisible, and to see which services are available an attacker first has to knock the secret sequence. But port knocking is a pretty bad choice for stealth. If sniffing is a concern, then an attacker will quickly learn about your server, and about your secret knocking sequence.

The industry-standard stealth solution is IPsec: it provides integrity, authenticity and confidentiality, and stealth for TCP services. IPsec has problems traversing NAT-ing firewalls, but other VPN solutions are available. Port knocking remains a poor solution.

On top of being incredibly bad at providing security, port knocking comes with additional problems:

So, to sum up: port knocking is a very bad idea. Anything that port knocking does, it does badly, and it comes with a huge penalty: denial of service as authorized users cannot access services remotely, added management and user support cost, and added complexity potentially putting your server security in jeopardy.

Posted: 2009-06-26 23:39:39 UTC+02.