B1ueD0g
BlueDog's Home

Setting up the open-source Single Packet Authorization tool fwknop

Introduction to FWKNOP#

In the SDP (Software-Defined Perimeter) architecture, a protected service accepts only packets that have been proven legitimate and silently drops everything else, so the service is effectively invisible to anyone who has not authenticated. SDP has three components: the SDP Client, the Controller and the Gateway. Before a client can reach a resource it must pass SPA (Single Packet Authorization) validation and access control at the Controller; the Gateway then carries the client's traffic to the protected service. As shown in the figure below:

image-20240120160830753

The fwknop discussed in this article implements Single Packet Authorization (SPA), an authorization scheme for hiding services. Each SPA packet is encrypted, authenticated with an HMAC and protected against replay (the server keeps a cache of the digests of packets it has already accepted and rejects any repeat), so the usual deployment is a default-drop firewall in front of SSH and other services that only opens a hole for the source address of a valid SPA packet. An attacker who cannot produce a valid packet cannot even complete a TCP handshake, which makes vulnerabilities in the protected service (0-days and unpatched bugs included) far harder to exploit. Because no port is open, a port scanner such as Nmap finds nothing for services hidden behind SPA. fwknopd itself does not bind a listening socket either: it captures SPA packets with libpcap, so the SPA port (UDP 62201 by default) can stay filtered as well. fwknop supports iptables and firewalld on Linux, ipfw on FreeBSD and Mac OS X, and PF on OpenBSD.

SPA improves security by reducing the number of exposed service ports and by authorizing each access with a single, non-replayable packet, which makes it harder for an attacker to discover and exploit potential vulnerabilities. This matches the zero-trust model: trust neither internal nor external networks, and protect every resource with strong authentication and authorization.

Environment Introduction & Configuration#

The setup uses Ubuntu 20.04 (the image is available from the Ubuntu download site); package dependencies are installed from the Tsinghua University (TUNA) mirror.

Network address planning & system password:

Host     Address
Server   192.168.31.211
Client   192.168.31.37

Point the Ubuntu package sources at the Tsinghua mirror.

fwknop Source Code Download, Compilation, and Installation#

Download the program from GitHub (repository [1] in the appendix), installing the build prerequisites first.

Use git to clone the repository to the local machine.

As shown in the figure, this step succeeded.

image-20240117171211729

Continue by compiling the program. Note that the install step and the fwknopd daemon itself must run as root: the daemon manages iptables rules and sniffs traffic on the interface.

Configure the fwknop Server#

In fwknopd.conf, set the network interface name (the PCAP_INTF directive, around line 40) to the interface on which SPA packets arrive.

access.conf holds the knock rules: which source addresses may knock (SOURCE), which ports may be opened (OPEN_PORTS), the client's encryption and HMAC keys (KEY_BASE64 and HMAC_KEY_BASE64), and how long the opened hole lasts (FW_ACCESS_TIMEOUT).

Leave the key lines empty for now; the keys are generated on the client and copied in later.

FW_ACCESS_TIMEOUT is set to 20, meaning that after a successful knock the firewall rule stays in place for 20 seconds and is then removed. Note that this only stops new connections: an SSH session set up inside the window keeps working after the hole closes if the firewall has a rule accepting ESTABLISHED connections, which is the usual configuration.

Start and stop the daemon. Before locking port 22, confirm that fwknopd is running and sniffing the right interface, otherwise a misconfiguration locks you out of the server.

Install the Client to Verify the Service Success#

After the client is installed, generate the keys and the client configuration with the following command.

-A names the access request (the port to open, tcp/22 here), -a is the client IP that should be allowed through, -D is the server IP, -p is the port on which the server listens for SPA packets (62201 by default) and -P is the transport protocol for the SPA packet, normally UDP. --key-gen together with --use-hmac generates both the encryption key and the HMAC key.

The command writes ~/.fwknoprc, which contains the keys. Copy the KEY_BASE64 and HMAC_KEY_BASE64 values into the matching lines of access.conf on the server. Both files hold secrets that let anyone who reads them knock as this client, so keep them readable by their owner only and transfer them over a channel you trust (for example scp over the SSH session that is still open before port 22 is locked).

Block port 22 with iptables; the purpose of this step is to close SSH by default. After a successful knock, fwknopd inserts a temporary ACCEPT rule for the client's address into its own FWKNOP_INPUT chain, which the INPUT chain jumps to before reaching the DROP rule. If a knock succeeds but SSH still does not connect, check the order of the INPUT chain: the jump to FWKNOP_INPUT must come before the DROP.
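The whole procedure above (build, server configuration, client key generation, copying the keys into access.conf, locking port 22 and knocking) as shell functions. This is an added example, not code from the original post or from the fwknop project. The addresses are the ones from the lab table; the interface name, the build directory, the config paths and the apt package list are assumptions to adjust for your system. Functions that need root or the network are defined here but only run when you call them; the key-transfer helper is pure text processing and runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post or the fwknop project).
# Assumptions: IFACE, BUILD_DIR, config paths and the package list.

SERVER_IP=192.168.31.211
CLIENT_IP=192.168.31.37
IFACE=${IFACE:-ens33}                 # assumption: the interface that receives SPA packets
BUILD_DIR=${BUILD_DIR:-/usr/local/src/fwknop}
ACCESS_CONF=${ACCESS_CONF:-/etc/fwknop/access.conf}
FWKNOPD_CONF=${FWKNOPD_CONF:-/etc/fwknop/fwknopd.conf}

# Server (as root): prerequisites, clone, build, install.
build_fwknop() {
    apt-get install -y git build-essential autoconf automake libtool libpcap-dev texinfo &&
    git clone https://github.com/mrash/fwknop.git "$BUILD_DIR" &&
    cd "$BUILD_DIR" &&
    ./autogen.sh && ./configure --prefix=/usr --sysconfdir=/etc && make && make install
}

# Server: point fwknopd at the sniffing interface (the PCAP_INTF line in fwknopd.conf).
set_pcap_intf() {
    sed -i -E "s/^#?[[:space:]]*PCAP_INTF[[:space:]].*/PCAP_INTF $IFACE;/" "$FWKNOPD_CONF"
}

# Client: generate the encryption and HMAC keys and save a [server] stanza in ~/.fwknoprc.
client_keygen() {
    fwknop -A tcp/22 -a "$CLIENT_IP" -D "$SERVER_IP" -p 62201 -P udp \
           --key-gen --use-hmac --save-rc-stanza
}

# Print the lines of one [name] stanza from an rc file.
rc_stanza() {            # $1 = rc file, $2 = stanza name
    awk -v s="[$2]" '$0 == s { f = 1; next } /^\[/ { f = 0 } f' "$1"
}

# Turn the client's rc keys into the access.conf stanza the server needs.
rc_to_access_conf() {    # $1 = rc file, $2 = FW_ACCESS_TIMEOUT in seconds (default 20)
    key=$(rc_stanza "$1" "$SERVER_IP" | sed -n 's/^KEY_BASE64[[:space:]:]*//p' | head -n 1)
    hkey=$(rc_stanza "$1" "$SERVER_IP" | sed -n 's/^HMAC_KEY_BASE64[[:space:]:]*//p' | head -n 1)
    if [ -z "$key" ] || [ -z "$hkey" ]; then
        echo "no keys for [$SERVER_IP] in $1" >&2
        return 1
    fi
    cat <<EOF
SOURCE                  ANY
OPEN_PORTS              tcp/22
REQUIRE_SOURCE_ADDRESS  Y
KEY_BASE64              $key
HMAC_KEY_BASE64         $hkey
FW_ACCESS_TIMEOUT       ${2:-20}
EOF
}

# Server (as root): close SSH by default, start fwknopd, then check the chain order.
lock_ssh_and_start() {
    iptables -A INPUT -p tcp --dport 22 -j DROP
    fwknopd                                 # -f foreground, -S status, -K stop
    iptables -S INPUT | head -n 5           # the FWKNOP_INPUT jump must precede the DROP
}

# Client: knock with the saved stanza, then connect inside the timeout window.
knock_and_ssh() {
    fwknop -n "$SERVER_IP" && ssh "$SERVER_IP"
}

# Typical order:
#   server: build_fwknop; set_pcap_intf
#   client: client_keygen; scp ~/.fwknoprc root@$SERVER_IP:/tmp/client.fwknoprc
#   server: rc_to_access_conf /tmp/client.fwknoprc 20 > $ACCESS_CONF; chmod 600 $ACCESS_CONF
#           lock_ssh_and_start
#   client: knock_and_ssh
```

rc_to_access_conf reads only the stanza that belongs to this server, so an rc file that already holds stanzas for other servers does not leak the wrong key into access.conf, and it refuses to emit a stanza with a missing key rather than writing a half-configured rule that fwknopd would reject at startup.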

Test with a port scanner; the result is shown in the figure below.

image-20240117184454361

Run the client tool to knock.

image-20240117184547172

Verification successful

Observe the changes in iptables, before knocking

image-20240117191450209

After knocking

image-20240117191513591

The fwknopd log shows the username of the client that knocked, and an iptables ACCEPT rule for the SSH port, restricted to that client's source address, has been created in the FWKNOP_INPUT chain.
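A small helper for checking the state of the holes fwknopd has opened, added here as an example; it is not code from the original post or from the fwknop project. fwknopd tags every rule it inserts into FWKNOP_INPUT with an iptables comment of the form `_exp_<epoch seconds>` and removes the rule once that time has passed. The function below reads `iptables -S FWKNOP_INPUT` output and prints, per rule, the source address, the port, the seconds left and whether the rule is still within its window. The sample rules are constructed in the shape `iptables -S` prints, with addresses from the lab plus one assumed extra client.

```shell
#!/bin/sh
# Added example (not from the original post or the fwknop project).

# Parse "iptables -S FWKNOP_INPUT" output on stdin; $1 = current epoch seconds.
# Prints: <source ip> <dport> <seconds left> <open|stale>
fwknop_holes() {
    awk -v now="$1" '
        $1 != "-A" { next }                        # skip the -N chain declaration
        {
            src = ""; port = "?"; expires = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-s")      { src = $(i + 1); sub(/\/32$/, "", src) }
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--comment" && index($(i + 1), "_exp_") == 1)
                    expires = substr($(i + 1), 6) + 0   # strip the 5-char _exp_ prefix
            }
            if (expires == 0) next                 # not a rule fwknopd manages
            left = expires - now
            print src, port, left, (left > 0 ? "open" : "stale")
        }'
}

# On the server (as root): inspect the live chain.
live_holes() {
    iptables -S FWKNOP_INPUT | fwknop_holes "$(date +%s)"
}

# Constructed sample in the shape "iptables -S FWKNOP_INPUT" prints: the lab
# client with 13 seconds left, and an assumed second client whose window has
# already passed. Evaluated at the assumed time 1705489220.
SAMPLE_RULES='-N FWKNOP_INPUT
-A FWKNOP_INPUT -s 192.168.31.37/32 -p tcp -m tcp --dport 22 -m comment --comment _exp_1705489233 -j ACCEPT
-A FWKNOP_INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -m comment --comment _exp_1705489100 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | fwknop_holes 1705489220
```

A "stale" line is worth acting on: fwknopd removes expired rules itself, so a rule whose expiry lies in the past means the daemon is no longer running and the hole it opened is staying open.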

Summary and Outlook#

This article has walked through the entire process of setting up fwknop, starting with the concept of Single Packet Authorization (SPA) and its role in the Software-Defined Perimeter (SDP) architecture. It covered preparing the environment on Ubuntu 20.04, including network planning and switching the package sources, downloading the fwknop source from GitHub and compiling and installing it, configuring the fwknop server (the capture interface, the knock rules and the client keys), and installing the client and verifying that the service works.

fwknop does, however, have some issues as a security tool. At the time of writing the most recent version is 2.6.11-pre1 (December 2019) and the code base has seen little change for a long time. Being written in C, fwknop has limited cross-platform reach, compatibility problems and memory-safety risks, as CVE-2012-4434, CVE-2012-4435 and CVE-2012-4436 showed (all three were fixed in release 2.0.3). The U.S. National Security Agency has meanwhile published guidance recommending that new development move away from C/C++ towards memory-safe languages.

2031705993018_.pic

image-20240123153436937

Looking ahead, the network security field is expected to bring more advanced techniques for zero-trust network invisibility, such as the Network Hiding Protocol (NHP), which aims at an independently controllable implementation. With stricter security mechanisms and smarter management, NHP can improve both the concealment of the network and its resistance to attack, and may become an important direction for network security, particularly for handling increasingly complex threats and raising the overall security of systems. Introducing such technologies promises a more secure and reliable network environment.

Appendix#

[1] fwknop GitHub repository: https://github.com/mrash/fwknop

[2] fwknop official documentation: http://www.cipherdyne.org/fwknop/

[3] CVE-2012-4436: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4436

[4] CVE-2012-4435: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4435

[5] CVE-2012-4434: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4434

[6] IOActive, "Multiple Security Vulnerabilities in Fwknop" (analysis of the CVEs above): https://ioactive.com/wp-content/uploads/2018/05/Multiple_Security_Vulnerabilities_in_Fwknop.pdf
