Channel: VOIP-info.org Wiki Changes

Port Knocking

Port knocking is an authentication method used by network administrators to add security to their environment. It lets them open ports on demand to give access to a PBX, servers, computers or other network devices behind a firewall.

Port knocking takes advantage of firewall rules to allow a client who knows the "secret knock" to enter the network through a particular port by performing a sequence of connection attempts (called a knock sequence). The correct knock sequence for any given port is created for specific IP addresses by the network administrator.

For example: “I’d like to connect on port 5060 (SIP) but I don’t want to leave the port open for everyone... and I’ve a dynamic IP”. In such cases you can close the ports and use knockd: you knock on the ports of your Asterisk box and it lets you in.

A daemon monitors the firewall log files for connection requests and determines whether a client seeking access to the network has made a valid request and knows the correct knock sequence. If so, it performs a specific operation: usually adding firewall rules that open a port for that specific IP, but it may also run any command, start a service or perform any other predefined operation.
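The per-client bookkeeping described above, as an added example that is not part of the original page and is not knockd's own code: it walks constructed firewall log lines, tracks each source IP's progress through the knock, and returns (without running) the rule that would open SIP for that IP. The knock ports, the timeout, the log layout and the `udp` rule are assumptions made for the illustration.

```python
import ipaddress
import re

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock (not from the page)
SEQ_TIMEOUT = 5.0                    # assumed: seconds allowed for the whole sequence
PROTECTED_PORT = 5060                # SIP, as in the page's example

# Constructed log format: epoch timestamp, then iptables-LOG-style SRC= and DPT= fields.
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def process_log(lines, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return the firewall commands a knock daemon would issue for these log lines."""
    progress = {}  # source IP -> (index of next expected port, time of first knock)
    commands = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logged connection attempt
        try:
            src = str(ipaddress.ip_address(m["src"]))  # never pass raw log text to a command
        except ValueError:
            continue
        ts, port = float(m["ts"]), int(m["dpt"])
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > timeout:
            idx, started = 0, ts  # too slow: the sequence starts over
        if port == sequence[idx]:
            idx += 1
        elif port == sequence[0]:
            idx, started = 1, ts  # wrong knock that is itself a fresh first knock
        else:
            idx = 0  # wrong knock: forget all progress
        if idx == len(sequence):
            commands.append(f"iptables -I INPUT -s {src} -p udp --dport {PROTECTED_PORT} -j ACCEPT")
            idx = 0
        if idx:
            progress[src] = (idx, started)
        else:
            progress.pop(src, None)
    return commands

def sample_line(ts, src, dpt):  # builds one constructed sample log line
    return f"{ts} kernel: KNOCK IN=eth0 SRC={src} DST=203.0.113.10 PROTO=TCP SPT=40000 DPT={dpt} SYN"

SAMPLE_LOG = [  # constructed: .7 knocks correctly, .99 knocks out of order, .50 is too slow
    sample_line(100.0, "198.51.100.7", 7000), sample_line(100.5, "192.0.2.99", 7000), sample_line(101.0, "198.51.100.7", 8000),
    sample_line(101.2, "192.0.2.99", 9000), sample_line(102.0, "198.51.100.7", 9000), sample_line(103.0, "192.0.2.99", 8000),
    sample_line(200.0, "192.0.2.50", 7000), sample_line(201.0, "192.0.2.50", 8000), sample_line(209.0, "192.0.2.50", 9000),
]
```

Only the client that sent the three knocks in order and within the timeout gets a rule, and the rule is scoped to that one source address.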

Port knocking is flexible: it lets users reach AMI, SIP, or other services securely while the PBX stays closed to the rest of the outside world. This way of adding security while still admitting authorized users is gaining a lot of popularity, and is being implemented to give users access to their network services without having to deploy VPN software. Some PBXs, such as Elastix, have implemented their own "Port Knocking" mechanism (known as "Whoreworn" in its own graphical interface). If you do not want to depend on an Elastix PBX, you can configure the standard "knockd" service, which can run on any standard iptables / firewall machine.
