SOA security more than authentication

By Nicholas Petreley, CIO.com | SOA, authentication, firewall

Many years ago, I admired my sister's deadbolt. I made a silly comment as to how it looked like it would be impossible to break into the New York City apartment. My brother-in-law corrected me. "It's not impossible. It doesn't have to be," he said. "It just has to be harder to break into this apartment than into the other apartments." Think of it as a variation on the joke, "I don't have to outrun the bear. I just have to outrun you."

Now consider this facet of SOA. One of the greatest things about SOA services is that they are discoverable. And one of the worst things about SOA--from a security perspective--is that services are discoverable. In many cases, a cracker simply needs to scan for open ports on your servers to find out that you have a service on a given port. After that, the cracker only needs to figure out how to break your authentication mechanism. Depending on the service, the SOA component could give away everything else the cracker needs to know to access sensitive data.

Obviously, you can choose a superb authentication process to shore up your security. That may be enough. But why not add another layer of protection so that your services are harder to crack than the ones next door?

One especially useful technique, especially if you are responsible for building custom client software to access your SOA components, is to hide your services behind a port knocking-protected firewall.

Before we look at how port knocking works, let's have a micro-tutorial on ports. Every network-accessed service on the Internet uses ports. For example, your Web server, if you have one, most likely uses the standard port, which is port 80. Your Internet e-mail server is probably using port 25. There are many standard ports for common services. Some services use non-standard port numbers, and some services even pick a port number almost at random. Crackers can discover what services your company supports by scanning all the ports on your servers. The port scanners simply knock on your server's door at port 1, check for a response, then knock at port 2, check for a response, and so on, sequentially. If your server responds at port 25, the cracker has most likely discovered not only that you have an e-mail server, but also, from the content of the response, what kind of e-mail server it is and what types of security you are using.

For the sake of argument, let's say you have an SOA server component for your custom client software that uses port 4000. Port knocking can close off port 4000 (and every other port) to anyone who doesn't know the "secret method" for opening it. Any cracker who scans your server for open ports will never discover that you have an SOA service available on that port. All ports will appear unresponsive, which makes your server appear to offer no services at all.

Ironically, your client gains access to port 4000 in a way similar to the way crackers discover existing open ports. As described above, port scanners step through all available ports sequentially, knocking on each one to see if there's an answer. By default, a port knocking-enabled firewall never answers on any port. The secret to unlocking any given port is in the non-sequential order your client uses to check for open ports.

For example, your client software might check ports 22, 8000, 45, 1056, in that order. Each time, there will be no answer. But the server will recognize that your device, running the legitimate client software, knocked on just the right ports in the right order, like the key to a combination lock. Having received the right combination, the firewall will open port 4000 to the authenticated device and only to that device. Port 4000 will continue to look closed and unused to the rest of the world.
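The decision logic described above, as an added example that is not code from the article or from any port knocking implementation: a simulated firewall that keeps every port silent, tracks each source's progress through the knock sequence, and opens the protected port for that source alone once the sequence is complete. It also replays the sequential scan from the ports micro-tutorial to show why a scanner never trips it. The sequence 22, 8000, 45, 1056 and the service port 4000 come from the article; the time window, hold-open time, IP addresses and all function names are assumptions made for the example, and a real implementation would drive a packet filter rather than return strings.

```python
from dataclasses import dataclass, field

# Assumed values for this illustration; the sequence and port are the article's example.
KNOCK_SEQUENCE = (22, 8000, 45, 1056)
PROTECTED_PORT = 4000
WINDOW_SECONDS = 10.0   # the whole sequence must arrive within this window
OPEN_SECONDS = 30.0     # the protected port stays open this long for that source


@dataclass
class KnockState:
    progress: int = 0            # how many knocks of the sequence matched so far
    first_knock_at: float = 0.0  # when the current partial sequence began
    open_until: float = 0.0      # protected port is open for this source until then


@dataclass
class KnockFirewall:
    sources: dict = field(default_factory=dict)  # per-source knock state

    def _state(self, src):
        return self.sources.setdefault(src, KnockState())

    def knock(self, ts, src, port):
        """Decide one inbound connection attempt (ts in seconds, source, dest port).

        Returns "allowed" for a packet to PROTECTED_PORT while it is open for
        this source, "open" when this knock completes the sequence, and "drop"
        otherwise. Dropped packets get no reply, so every port looks closed."""
        st = self._state(src)
        if port == PROTECTED_PORT:
            return "allowed" if ts < st.open_until else "drop"
        # A partial sequence that took too long is forgotten.
        if st.progress and ts - st.first_knock_at > WINDOW_SECONDS:
            st.progress = 0
        if port != KNOCK_SEQUENCE[st.progress]:
            # Wrong port: start over; this knock may itself be a fresh first knock.
            st.progress = 0
            if port != KNOCK_SEQUENCE[0]:
                return "drop"
        if st.progress == 0:
            st.first_knock_at = ts
        st.progress += 1
        if st.progress == len(KNOCK_SEQUENCE):
            st.progress = 0
            st.open_until = ts + OPEN_SECONDS
            return "open"
        return "drop"

    def is_open(self, ts, src):
        """True while PROTECTED_PORT is open for src at time ts."""
        return ts < self._state(src).open_until


def replay(fw, events):
    """Feed (ts, src, port) events through fw and return the decision for each."""
    return [fw.knock(ts, src, port) for ts, src, port in events]


def sequential_scan_events(src, start_ts=0.0, last_port=10000):
    """Constructed traffic of a scanner knocking on ports 1..last_port in order."""
    return [(start_ts + i * 0.001, src, p)
            for i, p in enumerate(range(1, last_port + 1))]


if __name__ == "__main__":
    fw = KnockFirewall()
    # Constructed client: the article's sequence, half a second apart, then the service port.
    client = [(i * 0.5, "10.0.0.5", p) for i, p in enumerate(KNOCK_SEQUENCE)]
    print(replay(fw, client + [(3.0, "10.0.0.5", PROTECTED_PORT)]))
    # -> ['drop', 'drop', 'drop', 'open', 'allowed']
    # A sequential scanner hits every knock port, but never in the right order.
    print(replay(fw, sequential_scan_events("192.0.2.7")).count("open"))  # -> 0
```

Two properties of this logic are worth noticing. The scanner does touch ports 22, 45, 1056 and 8000, but each wrong port in between resets its progress, so the sequence can only be completed by a client that knows it; and the sequence is a shared secret sent in the clear, so anyone who can observe the legitimate client's traffic learns it, which is exactly why the article treats knocking as an extra layer in front of authentication rather than a substitute for it.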

This isn't meant to be a replacement for the next level of authentication. It simply adds another level of security to make your services harder to discover and crack. The effect is (with apologies to Paul McCartney), when "Somebody's knocking on the port, someone's ringing the bell," they'll probably go away if it looks like nobody is home. The Portknocking.org site has information on port knocking implementations, and existing port knocking client software is available.

Next time, I'll look at an even better way to lock down your network to keep your SOA components safe and undiscovered by crackers.

1 comment

    Anonymous 3 years ago
    I forgot the authentication security code for my laptop (Dell visitor 4000). PLEASE I NEED HELP.
