2007 LinuxQuestions.org Members Choice Awards
04 January, 2008
Drew Bentley, a long time user of psad, emailed me to mention that he had voted
for psad to be included within the
2007 LinuxQuestions.org Members Choice Awards in the category of
Network Security Application of the Year. Although there are many security projects out
there that outstrip the Cipherdyne projects, my personal hope would be that eventually
fwknop might be included in the Members Choice Awards someday.

The rise of service authorization via passive means embodied by
Single Packet Authorization allows the security
model employed by VPN services and software such as SSH to be strengthened with a default-drop
packet filter. This reduces the number of functions - any one of which has a non-zero
probability of containing a security vulnerability - that an attacker can tweak from arbitrary
source IP addresses. I personally sleep better at night knowing that my SSH daemon can only be reached after a would-be client is passively authenticated and authorized to communicate through the iptables policy by sending a properly encrypted and non-replayed SPA packet. Anyone scanning for my SSH daemon with nmap cannot even see that it is listening.
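As an added illustration of that model (not fwknop's own code or packet format, and with the encryption step omitted), the following Python sketch shows the server-side checks an SPA daemon performs before opening the packet filter for one source: authenticate the packet with a shared key, reject stale and replayed packets, then grant a time-limited allow entry that stands in for the ACCEPT rule inserted into the default-drop iptables policy. The key, addresses and ports are constructed values.

```python
"""Minimal model of the server side of Single Packet Authorization.

Added example, not fwknop's code or wire format. A constructed client packet
carries a timestamp, the requester's source IP and the destination port, and
is authenticated with HMAC-SHA256 under a shared key. The server accepts it
only if the MAC verifies, the timestamp is fresh and the packet has not been
seen before (replay cache), then records a time-limited allow entry."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # shared secret (assumed, for the demo)
TIME_WINDOW = 120               # seconds a packet's timestamp stays valid
ACCESS_TTL = 30                 # seconds the allow entry lives

def build_spa(src_ip, port, now, key=KEY):
    """Client side: serialize the request and append its MAC."""
    body = json.dumps({"ts": now, "src": src_ip, "port": port}).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac

class SpaServer:
    def __init__(self, key=KEY):
        self.key = key
        self.seen = set()        # digests of accepted packets (replay cache)
        self.allowed = {}        # (src_ip, port) -> expiry time

    def handle(self, packet, now):
        """Return True only for an authentic, fresh, never-seen packet."""
        body, _, mac = packet.rpartition(b"|")
        expect = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expect):
            return False         # forged or keyless packet: silently dropped
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return False         # replay of a previously accepted packet
        fields = json.loads(body)
        if abs(now - fields["ts"]) > TIME_WINDOW:
            return False         # stale (or future-dated) timestamp
        self.seen.add(digest)
        self.allowed[(fields["src"], fields["port"])] = now + ACCESS_TTL
        return True

    def is_open(self, src_ip, port, now):
        """Would the default-drop filter accept a new connection right now?"""
        return self.allowed.get((src_ip, port), 0) > now
```

Before `handle` accepts a packet, `is_open` is False for every source, which is what a port scanner sees; after acceptance the source gets a short window to complete the SSH handshake, and re-sending the same packet later is rejected as a replay.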