Next: Preparation, Previous: Main Menu, Up: Main Menu [Contents][Index]
The “Firewall Knock Operator Library” (libfko) is a C language library that implements the functions needed to create and/or parse Single Packet Authorization (SPA) data. It is designed to abstract the details of encoding, encryption, decoding, parsing, and verifying SPA messages such as those used by Michael Rash’s Firewall Knock Operator (fwknop).
fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service protection. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as ’SSH’ in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Any service that is protected by SPA naturally cannot be scanned for with ’Nmap’. The fwknop project supports three different firewalls: ’iptables’ on Linux systems, ’pf’ on OpenBSD, and ’ipfw’ on FreeBSD and Mac OS X.
libfko is not an implementation of an fwknop client or server. It simply provides the functions for managing the SPA data used by those programs.
For more information on fwknop and SPA, go to http://www.cipherdyne.org/fwknop.