On Tue, 24 Jan 2006 10:56:34 +0100
Joachim Schipper <j.schipper@math.uu.nl> wrote:
On Mon, Jan 23, 2006 at 10:44:52PM +0100, poplix wrote:
Hi there,
I wish to propose an alternative to port knoking that uses the
native OpenBSD's pf code only. The idea is to use the pf's passive
os fingerprinter to authenticate initial SYN packets.
With a tool (or kernel patch) able to rewrite packets header is
possible to use a specific sequence of header fields as a key to
validate packets.
This is an interesting - albeit not exactly new - idea, but it has the
very real disadvantage over port knocking that it requires priviliges
(typically root) on the connecting host.
I'm fairly new to network security so i'm
wondering what's the problem using root priviliges to connect to server?
Do you mean, this is a general security problem or simply a client-side
disadvantage?
Do you think, running such a packet rewriter on client-side opens new
doors for attackers and reduces client-side security thus?
regards
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
