Tutorial on Single Packet Authorization with fwknop
08 Oct, 2012
One thing that has been requested a few times is a tutorial on how to use fwknop, so here it is: "Single Packet Authorization: A Comprehensive Guide to Strong Service Hardening with fwknop". The document covers the common ways of using fwknop to wrap an SPA layer around arbitrary services, and some less-used scenarios such as SPA over Tor and SPA packet spoofing are covered as well. Please contact me if you find any errors, or if you would like to see material added on a particular fwknop use case. The complete table of contents appears below:

- 1. Quick Start
  - Configuring fwknopd to protect sshd
  - Default-drop firewall policy
  - Gaining access to sshd with the fwknop client
- 2. Introduction
- 3. Installing fwknop
  - Downloading the latest fwknop release
  - Supported Platforms
  - Notes on Specific Platforms
  - Installing from Sources
  - The fwknop Test Suite
- 4. fwknop Operations
  - Starting and Stopping the fwknopd daemon
  - SPA with Symmetric Keys (via Rijndael)
  - SPA with Asymmetric Keys (via GnuPG)
  - Hardening Multiple Services
  - Handling Multiple Users
  - Client Automation with the --get-key Option
  - SPA Across NAT Gateways
  - SPA Ghost Services
  - User Interfaces
  - SPA Packet Spoofing
  - Stopping Replay Attacks
  - SPA Over Tor
- 5. fwknop Design Goals
  - No Heavyweight Interpreted Languages
  - Support Embedded Devices
  - Don't Require Admin Access to Run the SPA Client
  - Don't Require the Manipulation of Raw Packet Headers
  - Don't Trust the IP Header
  - Support Server-Side NAT
  - Support Cloud Computing Environments
  - Support Multiple Firewalls
  - Minimize Library Dependencies
  - Support Both Symmetric and Asymmetric Ciphers
  - Leverage Compiler and OS Security Features
- 6. fwknop Communications
- 7. fwknop Development
  - Programming Languages and Style
  - Source Control (git)
  - Older Perl Releases
  - Submitting Patches
  - Primary Developers
  - Mailing List
- 8. References and Further Reading