Any Port in a Firewall

Maybe it was just Cold War propaganda, but I was deeply amused when told that the Russian terms describing the docking of spacecraft were the same as those detailing the act of procreation. This conjured up visions of Cape Khrushchev communicators rolling on the floor in hysterics.

What a shame we do not have that same linguistic panache when coining English terms for computing, but instead have a ragbag of weak analogies and a sea of acronyms. One of the least appropriate is firewall, in the context of network ports, a firewall being a structure or bulkhead in a building or vehicle to prevent the spread of fire, hardly a good analogy for the process of stateful packet inspection.

Firewalls are marvellous protection so long as they can be left intact.

When you do want to let someone connect to your network, unless you are prepared to wrangle with the intricacies of VPN, you will end up with ports open to all and sundry, exposing protocols that are not always as robust as we would wish. Probably the best example of this is the system administrator monitoring and controlling their rack of servers from the rigours of a Caribbean beach. Although this is perfectly possible now, it demands great attention to security. The central protocol needed by sysadmins is ssh, theoretically beautifully secure, but an open port all the same.

There are now several techniques to allow you to leave ports open, or for opening up arbitrary ports from outside the firewall, whilst retaining security.

The latter is known as ‘port knocking’: ordinarily, with all incoming ports closed in your firewall, you can choose for it to respond to incoming traffic (polite but aiding potential intruders), or just refuse the connection in silence (ruder but giving nothing away). The idea behind port knocking is similar to the use of coded knocks at the door to gain entry to an occupied room: send the right packets to the right sequence of closed ports, and the firewall will recognise your knocking code and open up the desired port for your traffic.
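To make the knocking idea concrete, here is an added example (not code from the article or from any of the tools it names) of the recogniser a knock daemon runs over the firewall's drop log: it tracks each source address's progress through a secret sequence of closed ports and reports which sources completed it in order and in time. The log line format, the knock sequence and the time window are all assumed for illustration.

```python
# Added example: minimal port-knock sequence recogniser over constructed
# firewall drop-log lines. Sequence, window and log format are assumptions.
import re
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock: closed ports, in order
WINDOW_SECONDS = 10.0                 # whole sequence must arrive within this

# Constructed iptables-style line: "<epoch seconds> DROP SRC=<addr> DPT=<port>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) DROP SRC=(?P<src>\S+) DPT=(?P<dpt>\d+)$")

def parse_line(line):
    """Return (timestamp, src, port) for a dropped-packet line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], int(m["dpt"])

def find_valid_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return {src: completion_timestamp} for sources that hit every port in
    `sequence`, in order, within `window` seconds of their first knock.
    A wrong port resets that source, so a sweep through neighbouring ports
    (7000, 7001, ...) never completes the sequence."""
    progress = defaultdict(lambda: (0, None))   # src -> (next index, first-knock ts)
    completed = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        idx, started = progress[src]
        if started is not None and ts - started > window:
            idx, started = 0, None            # too slow: start over
        if port != sequence[idx]:
            idx, started = 0, None            # wrong port: reset progress ...
        if port == sequence[idx]:             # ... but a fresh first knock counts
            started = ts if started is None else started
            idx += 1
            if idx == len(sequence):
                completed[src] = ts
                idx, started = 0, None
        progress[src] = (idx, started)
    return completed

SAMPLE_LOG = [                                # constructed sample traffic
    "100.0 DROP SRC=203.0.113.5 DPT=7000",   # legitimate client knocks ...
    "101.0 DROP SRC=203.0.113.5 DPT=8000",
    "102.0 DROP SRC=198.51.100.9 DPT=7000",  # scanner hits first port by luck ...
    "102.5 DROP SRC=198.51.100.9 DPT=7001",  # ... then the next port up: reset
    "103.0 DROP SRC=203.0.113.5 DPT=9000",   # ... and completes within 10 s
    "120.0 DROP SRC=192.0.2.77 DPT=7000",    # right ports, wrong tempo:
    "125.0 DROP SRC=192.0.2.77 DPT=8000",
    "140.0 DROP SRC=192.0.2.77 DPT=9000",    # 20 s after the first knock, rejected
]
```

Only 203.0.113.5 earns an opened port here; everything else stays silently dropped, which is the behaviour the article describes.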

Single Packet Authorisation (SPA) is a considerable improvement on port knocking, in terms of security, and departure from naming by analogy confirms that we have entered TLA territory, and nearly incomprehensible technical details.

Suffice it to say that SPA rolls all the information that it needs into a single larger packet, with the sensitive contents suitably encrypted. If you fancy trying it out, fwknop (free) is the reference implementation and can work very nicely alongside Mac OS X’s software firewall. In case you are wondering, fwknop is a contraction generated using Unix etymological conventions, standing for ‘firewall knock operator’.

There are similar protocols available in Moxie Marlinspike’s knockknock, and Aldaba, aimed primarily at GNU/Linux.

More recently still, a third approach was offered by way of shimmer, so named because it offers an ever-changing group of 16 open ports, of which 15 are black-listing traps for the unwelcome, and only one really open. Whilst an attractive concept, this seems to be considerably less secure than either conventional port knocking or SPA, and appears to have been abandoned some years ago.

The snag with all these techniques is their availability.

I have been unable to find a single hardware firewall that supports any of them, so if you wanted to use, say, SPA, you would have to build your own Mac OS X or Linux powered standalone firewall appliance with the likes of fwknop, or fall back to individual software firewalls.

You cannot buy an external firewall, or modem-router incorporating a firewall, that will talk SPA, keeping it out of the reach of all bar the geeks.

It would be really neat if an innovative vendor such as Apple were to incorporate some form of SPA in its next revision of the AirPort Extreme base station. I for one would then be tempted to get the Russian version of the documentation translated, to savour its racy analogies.

Updated from the original, which was first published in MacUser volume 24 issue 20, 2008.