R. Loui, Lucinda Caughey, Mohammad Ghasemisharif, R. Salvador
Published in: 2016 IEEE International Conference on Electro Information Technology (EIT), 2016-05-19. DOI: 10.1109/EIT.2016.7535294 (https://doi.org/10.1109/EIT.2016.7535294).
Virtualized dynamic port assignment and windowed whitelisting for securing infrastructure servers
We describe a novel method of securing services by adding windowed whitelisting to an arbitrary and constantly changing assignment of services to ports (or virtual ports). This is aimed at mitigating port scanning threats and unauthorized intrusion attempts, and at protecting a community of known users from data loss. In essence, port numbers, time, and IP address are used as part of the password/access mechanism; this segregates traffic so that content-based restrictions can be more effective. It also provides a connection-based security wrapper for services that might be vulnerable to software exploits, such as buffer overruns and backdoors. The method requires a portal to authenticate users and disseminate knowledge of the current port assignment, and to permit users to request a “window” of time during which they are whitelisted. It requires a firewall with dynamic port and whitelist reconfigurability. The method is intended to enhance byte frequency histogram analysis and regexp restriction of traffic. It also requires a policy for keeping long-lasting connections alive. It can be implemented easily with virtual ports using redirection. We discuss some implications for web page rewriting and CGI security, as well as for legacy services such as ssh and sftp. The effect is a cross-product of IP range, port range, and time specificity, which creates a large and sparse search space for any adversary.