On Saturday 02 February 2008, James wrote:
> Grant <emailgrant <at> gmail.com> writes:
>
> > > If someone then argues about source IP spoofing, just let him. If
> > > someone in your organisation is able to do it, make him your
> > > network admin.
> >
> > You're right, access to the printer can be given only to certain
> > hosts. So simply using 'lpr file.pdf' on the remote machine
> > doesn't strike you as a bad idea?
>
> Might this be an opportunity to use 'port-knocking' ?
>
> http://www.linuxjournal.com/article/6811
>
> just a thought, never really tried this before.
Port-knocking is the biggest load of FUD (Microsoft products apart) I have heard about in ages. The term snake-oil comes to mind, as does "security by obscurity and obfuscation", which we all know is no security at all.

I don't care if the originating process knocks on the well-known port with gold-plated gloves hand-braided from the finest Unobtainium by seductive, alluring Puerto Rican virgins; the receiving machine still has to open another port shortly thereafter. This is not a magic port and is not wrapped in Star Trek's finest stealth cloak; it's a port that does TCP/IP stuff. If the end process listening on the newly opened port is in any way weak - and this is the only possible reason anyone would ever try the port-knocking workaround - it's just as weak when it's listening on an obfuscated port number. If it's open, I can find it. If it's weak, I can get in. Then it's game over, go home, I win.

I've yet to hear positive things about port-knocking from someone who actually implemented it fully. In truth it's just a major pain in the arse that makes the admin's life miserable and gives the boss a warm fuzzy feeling based on hot air.

End of rant.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
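For readers who have not seen the mechanism James links to, here is a minimal port-knock state machine run over a constructed packet log. This is an added example for this thread; it is not code from the thread, from the Linux Journal article, or from any knock daemon. The knock sequence (7000, 9000, 8000), the timing windows, the addresses in the log and the choice of 515 (lpd, since the thread is about lpr) as the protected service are all assumptions made for the illustration. It shows what a knock daemon actually tracks per source: sequence progress, a timeout between knocks, and a time-limited "open" window once the sequence completes.

```python
"""Minimal port-knock state machine, run over a constructed packet log.

Added example for this thread; not code from the thread, from knockd,
or from the Linux Journal article. Ports, timings and addresses are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed secret knock: deliberately non-monotonic so that a plain ascending
# port scan does not happen to hit the ports in the right order.
KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 9000, 8000)
SERVICE_PORT = 515        # lpd, the print service the thread is about (assumed)
KNOCK_WINDOW = 5.0        # seconds allowed between consecutive knocks (assumed)
OPEN_SECONDS = 30.0       # how long the service stays open for a knocker (assumed)


@dataclass
class KnockState:
    progress: int = 0        # how many knocks of the sequence have matched so far
    last_knock: float = 0.0  # timestamp of the last matching knock


class KnockDaemon:
    """Tracks knock progress per source IP and the resulting open windows."""

    def __init__(self) -> None:
        self.states: Dict[str, KnockState] = {}
        self.open_until: Dict[str, float] = {}

    def observe(self, src: str, dport: int, t: float) -> bool:
        """Feed one SYN. Returns True when this packet completes the sequence."""
        if dport not in KNOCK_SEQUENCE:
            return False                       # ordinary traffic, not a knock
        st = self.states.setdefault(src, KnockState())
        if st.progress and t - st.last_knock > KNOCK_WINDOW:
            st.progress = 0                    # too slow between knocks: start over
        if dport == KNOCK_SEQUENCE[st.progress]:
            st.progress += 1
            st.last_knock = t
            if st.progress == len(KNOCK_SEQUENCE):
                self.open_until[src] = t + OPEN_SECONDS
                st.progress = 0
                return True
        else:
            # Wrong knock port: reset, but let this packet count as a fresh
            # first knock if it happens to be the first port of the sequence.
            st.progress = 1 if dport == KNOCK_SEQUENCE[0] else 0
            st.last_knock = t
        return False

    def is_open(self, src: str, t: float) -> bool:
        """Is the service port currently open for this source at time t?"""
        expiry = self.open_until.get(src)
        if expiry is None:
            return False
        if t >= expiry:
            del self.open_until[src]           # window elapsed, close again
            return False
        return True


def simulate(packets: List[Tuple[str, int, float]]) -> List[Tuple[str, int, float, str]]:
    """Run a packet log through the daemon and return a verdict per packet."""
    daemon = KnockDaemon()
    out = []
    for src, dport, t in packets:
        if dport == SERVICE_PORT:
            verdict = "allowed" if daemon.is_open(src, t) else "denied"
        elif daemon.observe(src, dport, t):
            verdict = "opened"
        elif dport in KNOCK_SEQUENCE:
            verdict = "knock"
        else:
            verdict = "ignored"
        out.append((src, dport, t, verdict))
    return out


# Constructed packet log (src, dst_port, seconds); not captured traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", 7000, 1.0), ("10.0.0.5", 9000, 1.5), ("10.0.0.5", 8000, 2.0),
    ("10.0.0.5", 515, 2.5),     # correct sequence, in time -> allowed
    ("10.0.0.9", 7000, 3.0), ("10.0.0.9", 8000, 3.5), ("10.0.0.9", 9000, 4.0),
    ("10.0.0.9", 515, 4.5),     # right ports, wrong order -> denied
    ("10.0.0.7", 7000, 10.0), ("10.0.0.7", 9000, 20.0), ("10.0.0.7", 8000, 21.0),
    ("10.0.0.7", 515, 22.0),    # second knock 10 s late -> denied
    ("10.0.0.5", 515, 40.0),    # .5's open window expired at t=32.0 -> denied
]

if __name__ == "__main__":
    for src, dport, t, verdict in simulate(SAMPLE_PACKETS):
        print(f"{t:5.1f}  {src:<10} -> {dport:<5} {verdict}")
```

In a real deployment the "opened" branch would insert a firewall rule for that source and the expiry would remove it again; here both are just the open_until table. What the knock gates is the ordinary service listener on port 515, which is exactly the point Alan makes above: the knock controls when and for whom the port is reachable, and does nothing to the daemon that answers once it is.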