Portspoof flips firewall design on its face

In a typical network firewall design, an effort is made to close off and block access to as many communication ports as possible. Often, in order to prevent discovery of themselves and the machines hiding behind them, firewalls are configured to drop incoming packets and make no response to communication requests.

This hiding game is up as soon as one exposes network services for consumption. When access to network services is enabled, attackers can focus on and attack the ports of those services while ignoring any protection running on other ports.

Portspoof offers an interesting approach to solving this problem by flipping things around. Instead of closing down ports, all ports are kept open and responsive to query, while masquerading as a whole set of interesting but fake services. With this technique, attackers can end up having great difficulty in figuring out where your real services hide among the fake ones.

With security, the name of the game is time. Portspoof’s premise is to slow attackers down enough for you, the defender, to learn of their actions and take additional protective measures.


Building Ethernet-over-IP tunnels with Linux

There is a not-so-well-documented way to link together separate Ethernet segments by using GRE tunnels over IP networks while using only Linux kernel capabilities and not requiring any userland daemons.

This can be useful to make physically separate networks appear as one, although linking over the internet in this way may not be very wise as the tunnel isn’t encrypted.

This can also be used to simulate multiple separate networks for virtual machines running on different physical hosts, without requiring VLAN tagging support from the physical network or using Open vSwitch.

The basic idea is to add a tunnel link of type “gretap” and attach it to a bridge. Here is how to see what little documentation is available about it:

ip link add foo type gretap help

Here is a blog post providing some further explanation.

This capability has existed in the kernel since 2.6.29, so it is included in most moderately recent distributions including RHEL/CentOS 6, Ubuntu (since 9.10 – Karmic) and Debian (since 6.0 – Squeeze).
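As an added example (not code from the original post), here is a small provisioning script that carries out the steps described above on one host: create a gretap link to the peer, create a bridge, and attach both the tunnel and a local LAN interface to it. Run the same function on the other host with the endpoint addresses swapped. The interface names (gt0, br0, eth1), the 192.0.2.x endpoint addresses and the DRY_RUN switch are assumptions of this example; the bridge-handling commands use the `type bridge` and `master` forms of iproute2, which are newer than kernel 2.6.29, so on older systems such as RHEL/CentOS 6 the equivalent is `brctl addbr` / `brctl addif`.

```shell
#!/bin/bash
# Hypothetical helper (not part of the original post): bridge a local
# Ethernet segment into a gretap tunnel so that two hosts share one L2 domain.
#
# Assumptions (constructed for this example):
#   - gt0   : name of the gretap tunnel interface
#   - br0   : name of the bridge
#   - eth1  : the LAN interface whose segment should be extended
#   - DRY_RUN=1 prints the commands instead of executing them (useful for
#     review, and for running without root privileges)

: "${DRY_RUN:=0}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gretap_bridge_up <local_ip> <remote_ip> <lan_if> [bridge] [tunnel]
# Brings up a gretap tunnel between local_ip and remote_ip and bridges it
# together with lan_if. The peer host runs the same function with the
# two addresses swapped.
gretap_bridge_up() {
    local local_ip=$1 remote_ip=$2 lan_if=$3
    local bridge=${4:-br0} tun=${5:-gt0}

    # 1. The tunnel itself: an L2 (Ethernet) interface carried inside GRE.
    #    The kernel sets its MTU below 1500 to leave room for the outer
    #    IP+GRE headers; the remote end must allow IP protocol 47 (GRE).
    run ip link add "$tun" type gretap local "$local_ip" remote "$remote_ip"

    # 2. A bridge to join the tunnel and the physical segment
    #    (older iproute2: brctl addbr "$bridge").
    run ip link add "$bridge" type bridge

    # 3. Enslave both interfaces to the bridge
    #    (older iproute2: brctl addif "$bridge" <if>).
    run ip link set "$lan_if" master "$bridge"
    run ip link set "$tun" master "$bridge"

    # 4. Bring everything up.
    run ip link set "$lan_if" up
    run ip link set "$tun" up
    run ip link set "$bridge" up
}

# gretap_bridge_down [bridge] [tunnel]
# Tears the setup down again; the LAN interface is released automatically
# when the bridge is deleted.
gretap_bridge_down() {
    local bridge=${1:-br0} tun=${2:-gt0}
    run ip link del "$tun"
    run ip link del "$bridge"
}

# Usage: ./gretap-bridge.sh <local_ip> <remote_ip> <lan_if>
# e.g.   DRY_RUN=1 ./gretap-bridge.sh 192.0.2.1 192.0.2.2 eth1
if [ $# -ge 3 ]; then
    gretap_bridge_up "$@"
fi
```

Because the tunnel is plain GRE, anything the bridge forwards crosses the IP network unencrypted, which is why the post advises against doing this over the internet; a packet filter between the two endpoints also has to permit GRE (IP protocol 47) rather than just TCP/UDP, or the bridge will come up but pass no traffic.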