Wednesday, October 3, 2007

Critique on Port Knocking

When it comes to security through obscurity, everyone has their favorite quote. There's Kerckhoffs's principle, Shannon's maxim, and Raymond's "Security through transparency." I prefer Schneier's summary: "every secret creates a potential failure point."

Port knocking depends on obscurity: a secret series of false connection attempts to closed ports. Using port knocking with multiple people requires a means of communicating and updating that secret. The more users involved, the more people who know the secret, and the greater the likelihood that it will be shared or observed.

Port knocking doesn't protect against sniffing, man-in-the-middle attacks, or spoofing from an already-established source. Proponents of port knocking claim that it's useful for shielding your sensitive ports from exploitation, but the port knocking daemon is itself software (in one form or another), and so it is itself susceptible to vulnerabilities.
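To make the two points above concrete, here is a toy knock daemon in Python (an added illustration, not code from this post or from any real port knocking implementation; the sequence, ports, addresses and trace are constructed). It shows that the daemon holds one static secret shared by every user, and that the same connection attempts the daemon watches are visible in clear text to anyone else on the path.

```python
"""Toy port-knock daemon (constructed): one static sequence, sent in clear text."""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # the shared secret (constructed value)
PROTECTED_PORT = 22                   # the service the knock is meant to hide
WINDOW = 5.0                          # max seconds allowed between knocks


@dataclass
class KnockDaemon:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = WINDOW
    progress: dict = field(default_factory=dict)  # src -> (next index, last time)
    opened: set = field(default_factory=set)      # sources that completed the knock

    def observe(self, src, dst_port, t):
        """Feed one connection attempt; return True when src completes the sequence."""
        idx, last = self.progress.get(src, (0, t))
        if t - last > self.window:
            idx = 0                                # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:                                      # wrong port resets progress
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.add(src)
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, t)
        return False

    def allows(self, src, dst_port):
        """Firewall decision: the protected port opens only for sources that knocked."""
        return dst_port != PROTECTED_PORT or src in self.opened


def ports_before_protected(events, src):
    """What anyone watching the same traffic sees: the plaintext ports a source
    hit before its first attempt on the protected port, i.e. the secret itself."""
    ports = [p for s, p, _ in events if s == src]
    return ports[:ports.index(PROTECTED_PORT)] if PROTECTED_PORT in ports else ports


def demo():
    """Constructed trace: one legitimate user knocks correctly, a stranger does not."""
    events = [("10.0.0.5", 7000, 1.0), ("10.0.0.5", 8000, 1.5), ("10.0.0.5", 9000, 2.0),
              ("10.0.0.5", 22, 2.5), ("10.0.0.9", 7000, 3.0), ("10.0.0.9", 22, 3.5)]
    d = KnockDaemon()
    for src, port, t in events:
        d.observe(src, port, t)
    return (d.allows("10.0.0.5", 22), d.allows("10.0.0.9", 22),
            ports_before_protected(events, "10.0.0.5"))
```

Nothing in the daemon ties the sequence to a particular user, so revoking one person means changing the secret for everyone, and the log the daemon relies on is exactly what a sniffer records.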

In contrast, VPN technology offers the same protection as port knocking, but also includes measures to protect the confidentiality and integrity of the communications. The secret is reduced to user authentication, which (aside from being more manageable) can be implemented in a PIN-protected smartcard.
