cipherdyne.org

Michael Rash, Security Researcher



fwknop Windows UI

Sean Greven, a contributor to the fwknop project, has developed a UI for generating fwknop Single Packet Authorization messages from Windows systems without the need for the regular fwknop client to be installed. The UI can be downloaded here, and the source code (which Sean has contributed to fwknop under the GPL) can be downloaded here.

Although the fwknop client functions under Cygwin, it is an important step to be able to generate SPA packets without fwknop installed at all, since many users do not run systems with Cygwin installed. With Sean's UI, users can easily leverage the strength of Single Packet Authorization to protect services such as SSHD on Linux, *BSD, or Mac OS X systems and authenticate from Windows at the same time. The UI is currently in a testing phase, and the initial version supports symmetrically encrypted SPA messages (with the Rijndael cipher); support for GnuPG is on the roadmap.

Here is a screenshot of the UI installed on a Windows 2000 system. The UI is on the left, and the fwknopd daemon on the target (Linux) system is running in debug mode so that you can see the iptables ACCEPT rule added for the Windows client and then deleted after 30 seconds. Netfilter's connection tracking subsystem is used to keep any established connection open, but no new connections can be established unless another non-replayed SPA packet is sniffed off the wire by fwknopd:
[Screenshot: fwknop Windows UI]
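The server-side behaviour described above (a timed ACCEPT rule, connection tracking for established sessions, and rejection of replayed SPA packets) can be followed in a simplified Python model. This is an example added here, not fwknop's own code: the `SpaGate` class, its method names, the SHA-256 replay digest, and the sample address and payload are assumptions, and SPA decryption and validation are taken as already done.

```python
import hashlib

ACCESS_TIMEOUT = 30  # seconds the ACCEPT rule stays in place (value from the post)


class SpaGate:
    """Hypothetical model of the firewall state fwknopd manages; not fwknop code."""

    def __init__(self):
        self.seen_digests = set()  # replay cache: digests of SPA payloads already used
        self.accept_rules = {}     # source IP -> time at which its ACCEPT rule is deleted
        self.established = set()   # (src_ip, src_port) flows known to connection tracking

    def on_spa_packet(self, src_ip, payload, now):
        """Handle a sniffed SPA packet (decryption assumed to have succeeded)."""
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.seen_digests:
            return False           # replayed packet: no rule is added
        self.seen_digests.add(digest)
        self.accept_rules[src_ip] = now + ACCESS_TIMEOUT
        return True

    def on_packet(self, src_ip, src_port, syn, now):
        """Return the verdict for a packet aimed at the protected service."""
        expired = [ip for ip, end in self.accept_rules.items() if end <= now]
        for ip in expired:
            del self.accept_rules[ip]          # temporary rule removed after timeout
        flow = (src_ip, src_port)
        if flow in self.established:
            return "ACCEPT"                    # tracked connection stays open
        if syn and src_ip in self.accept_rules:
            self.established.add(flow)         # new connection inside the window
            return "ACCEPT"
        return "DROP"                          # default for everything else


def demo():
    gate = SpaGate()
    client = "192.0.2.10"                      # constructed documentation address
    spa = b"constructed-encrypted-spa-blob"    # constructed stand-in for an SPA payload
    return [
        gate.on_packet(client, 40000, True, now=0),     # no SPA packet seen yet
        gate.on_spa_packet(client, spa, now=1),         # valid SPA: rule added
        gate.on_packet(client, 40001, True, now=5),     # connect within 30 seconds
        gate.on_packet(client, 40001, False, now=120),  # same session, rule long gone
        gate.on_packet(client, 40002, True, now=120),   # new connection after expiry
        gate.on_spa_packet(client, spa, now=121),       # captured packet replayed
        gate.on_packet(client, 40002, True, now=122),   # still closed after the replay
    ]
```

The verdicts from `demo()` show the property that matters to a defender: a captured SPA packet cannot reopen the port, and an expired rule does not interrupt a session that was already established.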