Use port knocking to bypass firewall rules and keep security intact
by Jonathan Yarden
Translated by: endurer
Keywords: Security | VPNs | Firewalls | Security applications/tools | Data security
http://techrepublic.com.com/5100-1009-5798871.html?tag=nl.e044
Takeaway:
While they add an extra layer of network security, firewalls can often inhibit the proper administration of an organization's network. How can you get past firewall rules without compromising security? One method is port knocking. Find out how port knocking works, see why some people argue that this method isn't true security, and learn why port knocking sometimes presents its own security concerns.
Firewalls are a long-standing basic security measure that organizations use to isolate networks from the Internet. Whether it's a stand-alone hardware firewall, one of the various host-based systems such as ZoneAlarm, or the Windows Firewall system included with Windows XP Service Pack 2, these devices go a long way toward protecting networks from unwanted traffic, including viruses, Trojans, and hackers.
However, while firewalls add an extra layer of network security, they can often inhibit the proper operation or administration of a computer system or network hardware. For example, firewalls typically present a problem when vendors require Internet access to an organization's internal computer system, a particularly common occurrence when it comes to support requests.
But granting such access can conflict with the company's established security policies. With HIPAA and Sarbanes-Oxley legislation inciting panic in offices across the United States, many administrators are simply denying all firewall rule exceptions and installing hard-line modems for remote access. In fact, this approach is often simpler than messing around with firewall rules or sending repeated requests for security policy changes or user account additions.
Of course, there are also instances in which a host must connect to the Internet itself. This is the case for UNIX-based firewall systems, because the UNIX host is the firewall. One way to improve security on such open hosts is to enable the services only after some manner of identification has been established.
The security issue here is how to avoid exposing specific network services (typically remote access via OpenSSH, or even a Web-based administration GUI) until an authorized person has specifically requested access. Then, the services are unlocked for that specific IP address and access is temporarily granted. It's certainly not a new idea, and I've used this technique in one way or another for several years.
However, I now use a method that allows me to access any of the UNIX systems I work on from anywhere, without having to access my workstation first. Known as port knocking, this approach allows an administrator to temporarily bypass firewall rules in order to gain access to an internal system (typically UNIX-based).
Port knocking is the computer equivalent of a combination lock, where the proper "combination" unlocks a specific TCP or UDP service for remote access. The proper combination makes the requested service visible from a specific IP address; otherwise, it remains hidden.
Implementing port knocking on a computer system is specific to each package, but the functionality is similar. I use port knocking to enable OpenSSH, which grants me shell access to the UNIX hosts I maintain. Many packages are available, and I use Debian's knockd package.
Some port knockers rely on sending data to specific UDP and/or TCP port numbers, others use ICMP messages, and some require a specialized client application that uses strong encryption to send the unlock sequence. The important thing to remember is that the concept of port knocking is to "unlock" and enable access to a TCP or UDP service for a specific IP address. Depending on the service, you'll probably still need some form of authentication.
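As an added illustration (not code from the article or from the knockd project), here is a small Python model of the combination-lock behaviour just described: a source address must hit a sequence of TCP ports in order and within a timeout, and only that address then sees the protected OpenSSH port. The port numbers, the timeout, the sample addresses and the class name are assumptions; the `%IP%` comment refers to the placeholder knockd substitutes with the knocker's address in its configured command.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed rule mirroring knockd's "sequence" and "seq_timeout" settings;
# the ports are assumed for illustration, not taken from the article.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # TCP ports that must be hit in this order
SEQ_TIMEOUT = 5.0                    # seconds allowed to finish the whole sequence
PROTECTED_PORT = 22                  # OpenSSH stays hidden until the sequence completes

@dataclass
class KnockDaemon:
    """Model of a port knocker: per-source progress through the sequence, plus a
    per-source allow-list standing in for the firewall rule knockd inserts for %IP%."""
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    # src_ip -> (index of the next expected port, time of the first knock)
    progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    unlocked: Dict[str, float] = field(default_factory=dict)  # src_ip -> unlock time

    def knock(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Feed one inbound packet; True when it completes the sequence for src_ip."""
        idx, started = self.progress.get(src_ip, (0, now))
        if now - started > self.timeout:
            idx, started = 0, now            # attempt expired: start over
        if dst_port != self.sequence[idx]:
            self.progress.pop(src_ip, None)  # wrong "digit" resets the lock
            return False
        if idx == 0:
            started = now
        idx += 1
        if idx == len(self.sequence):
            self.unlocked[src_ip] = now      # knockd: iptables -I INPUT -s %IP% ... -j ACCEPT
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, started)
        return False

    def lock(self, src_ip: str) -> None:
        """Re-hide the service for src_ip (knockd's close sequence, iptables -D)."""
        self.unlocked.pop(src_ip, None)

    def is_allowed(self, src_ip: str, dst_port: int) -> bool:
        """Firewall decision: the protected port is visible only to unlocked sources."""
        return dst_port != PROTECTED_PORT or src_ip in self.unlocked

if __name__ == "__main__":
    d = KnockDaemon()
    for t, port in enumerate(KNOCK_SEQUENCE):
        d.knock("198.51.100.7", port, float(t))
    print(d.is_allowed("198.51.100.7", 22), d.is_allowed("203.0.113.9", 22))  # True False
```

A wrong port or an expired attempt resets the source's progress, and an unlock applies to one address only; the SSH daemon behind the opened port still performs its own authentication.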
Of course, keep in mind that the protection provided by a port knocker is to hide the specific service until it's unlocked. Some security purists insist that this isn't true security; rather, they say it's "security through obscurity." But remember that security through obscurity is a natural defense mechanism: if it weren't effective, we wouldn't see so many examples of it in nature.
Despite these objections, I use port knocking to protect my UNIX systems when I must connect them to the Internet. With brute-force attacks on SSH occurring frequently, I'm more than happy to hide my remote access services behind a port knocking system: It just works.
I'm somewhat surprised that this method of security took so long to emerge, and I hope that Internet security companies are taking note so they can improve on the concept and add such features to new products. The port knocking technique applies to all manner of computer systems and network equipment, whether they're on the public Internet or hiding behind a firewall.
There's no doubt that VPNs are the best choice, but sometimes they're just not an option. In those cases, port knocking is a good alternative to provide simple and effective security.
Ironically, one indication that the port knocking method has merit is the fact that some hackers are already using it to gain access to previously compromised systems. In addition, port knocking is a potential way for Trojans to establish a connection to a networked computer that has no open ports. Therefore, it might be a good idea to restrict port knocking to situations in which alternative methods of access control are impossible to implement.
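As an added, defender-side example (not from the article), this Python snippet scans constructed iptables LOG lines for the pattern the paragraph above warns about: one source hitting several closed ports in quick succession and then being accepted on a port. The "DROP:" and "ACCEPT:" log prefixes, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed iptables LOG lines in syslog form (not from the article). The log
# rules are assumed to tag SYNs to closed ports "DROP:" and allowed ones "ACCEPT:".
SAMPLE_LOG = """\
Jun 15 10:00:01 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=7000 SYN URGP=0
Jun 15 10:00:02 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=8000 SYN URGP=0
Jun 15 10:00:03 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=9000 SYN URGP=0
Jun 15 10:00:05 gw kernel: ACCEPT: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=40004 DPT=22 SYN URGP=0
Jun 15 10:20:00 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=445 SYN URGP=0
Jun 15 10:30:00 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.1 PROTO=TCP SPT=51001 DPT=445 SYN URGP=0
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (DROP|ACCEPT): .*?SRC=(\S+) .*?DPT=(\d+)")
def parse(log: str) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, action, src_ip, dst_port) for every parsable line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def find_knock_candidates(log: str, min_ports: int = 3, window_s: float = 10.0) -> Dict[str, List[int]]:
    """Flag sources that hit >= min_ports distinct closed ports within window_s seconds
    and were then accepted on some port inside that window: src_ip -> knocked ports."""
    dropped: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    accepted: Dict[str, List[datetime]] = defaultdict(list)
    for ts, action, src, port in parse(log):
        if action == "DROP":
            dropped[src].append((ts, port))
        else:
            accepted[src].append(ts)
    hits: Dict[str, List[int]] = {}
    for src, knocks in dropped.items():
        knocks.sort()
        for i, (start, _) in enumerate(knocks):
            end = start + timedelta(seconds=window_s)
            ports = sorted({p for t, p in knocks[i:] if t <= end})
            if len(ports) >= min_ports and any(start <= a <= end for a in accepted[src]):
                hits[src] = ports   # knock-like burst followed by a successful connection
                break
    return hits

if __name__ == "__main__":
    print(find_knock_candidates(SAMPLE_LOG))  # {'203.0.113.9': [7000, 8000, 9000]}
```

Repeated hits on a single closed port (the 192.0.2.44 lines) are not flagged, and a source that knocks but is never accepted is not either; legitimate administrators' knock sources should be baselined so the remaining alerts point at unexpected use.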