Service Cloaking and Anonymous Access; Combining Tor with Single Packet Authorization (SPA)

Presented at DEF CON 14 (2006), Aug. 5, 2006, 2 p.m. (50 minutes)

Single Packet Authorization (SPA) is becoming an increasingly important method for protecting arbitrary network services behind a kernel-level filtering mechanism such as Netfilter in the Linux kernel: the protected port stays closed to everyone until a single encrypted, authenticated packet opens it for the requesting address. By sending SPA packets over the Tor network, they gain an additional layer of privacy and anonymity. It becomes cryptographically difficult to link an SPA packet to any particular source address, even from the perspective of an attacker who is in the enviable position of monitoring all packets going to and leaving from the SPA client system. The end result is that exploiting even 0-day vulnerabilities in a service protected with SPA over Tor is much more difficult. This talk will focus on applied aspects of Single Packet Authorization, and will include a lengthy demonstration at the beginning of the talk. A new version of the Single Packet Authorization software "fwknop" will also be released that contains new features such as GPG-hardened last-hop IP resolution, a web interface to monitor SPA usage in an Enterprise environment, remote Netfilter policy management, and more.
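The SPA round trip described above, as an added example that is not part of the original abstract or of fwknop's own code. The client builds one encrypted, authenticated, replay-protected packet carrying the address to be allowed; the server validates it and produces the Netfilter rule it would install. Two design points from the talk are reflected: the server never consults the datagram's layer-3 source address (over Tor that is an exit relay, so only the authenticated `allow_ip` field counts, which is why the client needs reliable last-hop IP resolution), and replayed, tampered, stale or wrongly keyed packets are rejected before any rule is emitted. The HMAC-SHA256 counter-mode stream cipher, the JSON payload layout and the helper names are assumptions made for this example; fwknop uses its own packet format and Rijndael or GPG for encryption.

```python
"""
Minimal single-packet-authorization (SPA) round trip, constructed as an
illustration (not fwknop's code): client builds an encrypted, authenticated,
replay-protected packet; server validates it and emits the Netfilter rule
that would open the protected port for the client-supplied source address.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

PROTECTED_PORT = 22       # hypothetical service being cloaked
RULE_TTL_SECONDS = 30     # how long the ACCEPT rule would stay open
MAX_CLOCK_SKEW = 120      # reject packets older or newer than this


def derive_keys(master_key):
    """Split one shared secret into independent encryption and MAC keys."""
    enc = hmac.new(master_key, b"spa-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"spa-mac", hashlib.sha256).digest()
    return enc, mac


def keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption:
    fwknop uses Rijndael or GPG; the point here is encrypt-then-MAC)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_spa_packet(master_key, allow_ip, port=PROTECTED_PORT, now=None):
    """Client side. allow_ip is the address the server will see the follow-on
    connection from: over Tor that is the exit relay, not the client itself."""
    enc_key, mac_key = derive_keys(master_key)
    payload = json.dumps({
        "nonce": secrets.token_hex(8),            # makes every packet unique
        "time": int(now if now is not None else time.time()),
        "allow_ip": allow_ip,
        "port": port,
    }).encode()
    iv = secrets.token_bytes(16)
    ct = iv + keystream_xor(enc_key, iv, payload)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.b64encode(ct + tag)


class SpaServer:
    def __init__(self, master_key):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.seen = set()  # digests of accepted packets, for replay detection

    def validate(self, packet_b64, now=None):
        """Return the decoded fields on success, None on rejection. The
        datagram's layer-3 source is deliberately not an input."""
        raw = base64.b64decode(packet_b64)
        if len(raw) < 16 + 32:
            return None
        ct, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.mac_key, ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                      # tampered or wrong key
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return None                      # replay of an accepted packet
        iv, body = ct[:16], ct[16:]
        try:
            fields = json.loads(keystream_xor(self.enc_key, iv, body))
        except ValueError:
            return None
        now = now if now is not None else time.time()
        if abs(now - fields["time"]) > MAX_CLOCK_SKEW:
            return None                      # stale packet
        self.seen.add(digest)
        return fields

    def netfilter_rule(self, fields):
        """The rule an SPA daemon would insert, then remove after the TTL."""
        return ("iptables -I INPUT -s %s -p tcp --dport %d -j ACCEPT  # expires in %ds"
                % (fields["allow_ip"], fields["port"], RULE_TTL_SECONDS))


if __name__ == "__main__":
    key = b"shared-secret"                   # constructed demo secret
    server = SpaServer(key)
    pkt = build_spa_packet(key, "198.51.100.7")   # constructed exit-relay address
    fields = server.validate(pkt)
    print(server.netfilter_rule(fields))
    print("replay accepted:", server.validate(pkt) is not None)
```

Run stand-alone it prints the ACCEPT rule for 198.51.100.7 and then `replay accepted: False`. The rule string is printed rather than executed; a real daemon would also schedule its removal after the TTL, and would bind the rule to the authenticated `allow_ip` only, never to the address the SPA datagram arrived from.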


Presenters:

  • Michael Rash - CTO
    Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is the CTO of Solirix, Inc., where he leads the Solsen product development effort. Prior to Solirix, Michael was a developer on the Dragon intrusion detection and prevention system, and also wrote a custom host-based intrusion detection system that was used to monitor the security of over one thousand systems, from Linux to Cisco IOS, at a major ASP. Michael frequently contributes to open source projects such as Netfilter and Bastille-Linux, and has written security-related articles for Linux Journal, Sys Admin Magazine, and USENIX ;login: Magazine. He is also the lead author of the book "Intrusion Prevention and Active Response; Deploying Network and Host IPS", and a co-author of "Snort-2.1 Intrusion Detection", both published by Syngress Press. Michael is the creator of two open source tools, "psad" and "fwsnort", that are designed to blur the boundaries between Netfilter firewalls and the Snort IDS.
