2007 LinuxQuestions.org Members Choice Awards
04 January, 2008
Drew Bentley, a long time user of psad, emailed me to mention that he had voted
for psad to be included within the
2007 LinuxQuestions.org Members Choice Awards in the category of
Network Security Application of the Year. Although there are many security projects out
there that outstrip the Cipherdyne projects, my personal hope would be that eventually
fwknop might be included in the Members Choice Awards someday. The
rise of service authorization via passive means embodied by
Single Packet Authorization allows the security
model employed by VPN services and software such as SSH to be strengthened with a default-drop
packet filter. This reduces the number of functions - any one of which has a non-zero
probability of containing a security vulnerability - that an attacker can tweak from arbitrary
source IP addresses.I personally sleep better at night knowing that my SSH daemon can only be reached after a would-be client is passively authenticated and authorized to communicate through the iptables policy by sending a properly encrypted and non-replayed SPA packet. Anyone scanning for my SSH daemon with nmap cannot even see that it is listening.
