Stealth project - פרוייקט החמקן

Post on 18-Jan-2016


Stealth project - פרוייקט החמקן. Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute of Technology. Project Goal. Enable a monitored company user surf to forbidden sites located outside company’s network. - PowerPoint PPT Presentation

Transcript of Stealth project - פרוייקט החמקן

Stealth project - פרוייקט החמקן

Roni Ohana Shlomo Yona

Instructor: Youval Nachum

Comnet Lab - Electrical Engineering Faculty

Technion - Israel Institute of Technology

Project Goal

Enable a monitored company user to surf to forbidden sites located outside the company’s network.

Description

A legal site will relay information between the user and the forbidden site.

[Diagram: Local Network | Firewall (Filter: FORBIDDEN!) | Internet; the User reaches the Legal-site, and the direct path to the X-site is blocked.]

Consider the following situation

•User is able to surf to a legal site.

•User is blocked by a firewall while trying to access an illegal site.

Some more details

• User sends an http request for a page at the forbidden site (X-site) and waits until the response returns.

• Firewall intercepts the request and checks for a forbidden url in the request.

• If a forbidden url is found: the user gets an error notification, and the request is no longer processed.

• Else, FW forwards the request to the X-site and waits until the response returns.

• Upon receiving the request, X-site responds by returning the requested page.

• FW may check for forbidden text in the response.

• If forbidden text is found - send FORBIDDEN to the user.

• Else, return the page to the user.

[Diagram: Proxy Firewall - The Internet and the X-site are reached through the Exterior router, the Perimeter Network with a Bastion Host running the Proxy, and the Interior router into the Internal Network. At each proxy hop a TCP socket is opened and a connection accepted, so a request from the client to the site is carried over a chain of separate TCP connections.]

Proxy based firewall

• On http level, a TCP connection will open from client to the proxy-Firewall and another TCP connection will open from the proxy-Firewall to the destination (either direct, or using another proxy).

• When N proxies are involved there will be N+2-1 = N+1 TCP connections (counting the source and destination endpoints too).

[Diagram: Screening Router Firewall - same layout (The Internet, Exterior router, Perimeter Network with Bastion Host and Proxy, Interior router, Internal Network, X-site), with the TCP socket open/accept pairs shown at the proxy hops.]

Router based Firewall

• The firewall will implement the filter() method of the router.

• A packet arriving to a router will first be filtered by filter().

• If the firewall finds forbidden text, filter() drops the packet, otherwise, the router keeps processing the packet.

How does the FW interfere?

URL

• The url requested by the user is in the http request.

• Once the firewall sees that it’s a forbidden url - the page is denied.

DATA

• Data which returns from the x-site, if it contains forbidden text, might cause denial of the page.

What can we do about this?

• Use a mediator: a legal 3rd party to:

–Request the page of the forbidden site.

–Encode our text so it won’t bother the FW.

[Diagram: (1) User and (2) Local Agent in the Local Network, (3) Firewall at the gateway, (4) our-site and (5) X-site on the Internet.]

The Players

• (1) User, whose platform is on the company’s network.

• (2) Local agent running on a platform on the company’s network (possibly the user’s local host).

• (3) Firewall on the proxy or router in-out gateway to/from the internet.

• (4) Our-site, a remote proxy, located outside the company’s network.

• (5) X-site, web-site located outside the company’s network which has a forbidden url.


[Diagram: Solution 1 - (1) User in the Local Network, (3) Firewall with Filter, (4) our-site and (5) X-site on the Internet; direct access to (5) is FORBIDDEN!, the request relayed through (4) gets the page.]

Solution 1

• (1) Opens browser

• (1) Inputs location of (4).

• (4)’s url is legal, so (3) forwards the request to (4).

• (4) returns a form to (1).

• (3) is not looking at the data, so it forwards the form to (1).

• (1) inputs the url and submits the form.

• (3) is looking only at the destination host (which is legal, in this case), so the submission is also forwarded to (4).

• A server in (4) processes the form and requests a page from (5).

Firewall only checks outgoing URLs

Solution 1 (cont’)

• (5) responds to (4) with the desired page.

• (4) changes the links in the page so requesting them will invoke the same procedure automatically.

– Before: http://www.x-site.com

– After: http://our-site/cgiScript?site=http://www.x-site.com

• (4) sends the altered page to (1).

• (3) intercepts the page, and forwards it to (1).

• (1) gets the desired page.

• If (1) presses a link, the whole procedure occurs automatically, since the link points to (4) (giving the real url as a parameter).


[Diagram: Solution 2 - (1) User and (2) Local-Site in the Local Network, (3) Firewall, (4) our-site and (5) X-site on the Internet.]

Solution 2 - Firewall also checks Response Content

(2) is a web page with an HTML form to input a url for a CGI script operating as a local proxy.

Solution 2

• (1) Opens browser.

• (1) Inputs location of (2). Makes http request.

• (2) responds to (1) by sending an HTML form.

• (1) inputs (5)’s url in the form and submits.

• (1)’s submission invokes a CGI script at (2).

• (2) encodes the url field submitted by (1).

• (2) sends the encoded request to (4).

– GET http://our-site/cgiScript?site=encodedXSite

• (3) intercepts the http request, sees nothing forbidden and forwards the request.

• (4) gets the request and decodes it. Makes a request to (5).


Solution 2 (cont’)

• (5) responds to (4)

• (4) encodes the page it got from (5).

• (4) responds with encoded page to (2).

• (3) processes (4)’s response and finds nothing forbidden in it, and forwards it to (2).

• (2) decodes (4)’s response.

• (2) changes links in the page so choosing a link will operate solution-2 again automatically.

• (2) responds to (1).

• (1) gets his page, and can continue browsing at forbidden locations.


[Diagram: Solution 3 - (1) User and (2) Local-Proxy in the Local Network, (3) Firewall, (4) our-site and (5) X-site on the Internet.]

Solution 3

• (1) Runs (2).

• (1) Opens browser.

• (1) Configures the browser so that (2) is set as proxy.

• (1) Inputs the location of (5). Makes an http request.

– GET http://x-site HTTP/1.0

• (2) Captures the request, since (2) is (1)’s proxy.

• (2) Encodes the url field in (1)’s http request.

• (2) Sends the encoded request to (4).

– GET http://our-site/cgiScript?site=encodedXSite

• (3) Intercepts the http request, sees nothing forbidden and forwards the request.

• (4) Gets the request and decodes it. Makes a request to (5).

(2) is an http proxy which runs inside the company’s network.

Solution 3 (cont’)

• (5) Responds to (4)

• (4) Encodes the page it got from (5).

• (4) Responds with encoded page to (2).

• (3) Processes (4)’s response and finds nothing forbidden in it, and forwards it to (2).

• (2) Decodes (4)’s response, and responds to (1).

• (1) Gets his page, and can continue browsing at forbidden locations.
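The relays in Solutions 1 to 3 all carry the real destination inside a query parameter of a request to an allowed host, either in clear text (?site=http://www.x-site.com) or encoded (?site=encodedXSite). A filter that matches only the request's own host (Solution 1) or only the literal URL text (Solutions 2 and 3) therefore passes them. The following is an added example of the outbound-URL inspection a firewall operator would put on (3) to catch that pattern; it is not the project's code and is written in Python for illustration. The blocklist, the hostnames and the sample request lines are constructed, and since the slides only say that (2) "encodes" the url, the Base64 and hex decodings tried here are assumptions.

```python
"""
Added example (not the project's code): outbound-URL inspection that goes
beyond the host/URL match the slides' firewall (3) performs.

Every query-parameter value of an outbound request is checked for a nested
URL, as-is and after the encodings a relay might plausibly use, and the
nested URL's host is matched against the blocklist. Hostnames, blocklist
and sample requests are constructed for illustration.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed blocklist (hypothetical): hosts the company forbids.
BLOCKED_HOSTS = {"www.x-site.com", "x-site.com"}

URL_RE = re.compile(r"(?i)\bhttps?://[^\s\"'<>]+")


def host_is_blocked(host: str) -> bool:
    """Exact or parent-domain match against the blocklist."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def _decodings(value: str):
    """Yield plausible plaintexts of one parameter value: as-is, URL-decoded,
    Base64 (standard and URL-safe alphabets) and hex. Decoding failures are
    skipped. Which encoding (2) really uses is an assumption; the slides
    only say 'encoded'."""
    yield value
    yield unquote(value)
    compact = value.strip()
    padded = compact + "=" * (-len(compact) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            yield raw.decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            pass
    try:
        yield bytes.fromhex(compact).decode("utf-8", "replace")
    except ValueError:
        pass


def nested_blocked_urls(value: str) -> list:
    """Return the nested URLs inside a parameter value whose host is blocked."""
    found = []
    for text in _decodings(value):
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname or ""
            if host_is_blocked(host) and url not in found:
                found.append(url)
    return found


def inspect_request(request_line: str) -> dict:
    """Classify one outbound request line such as 'GET <url> HTTP/1.0'.

    Returns 'allow' for a clean request, or 'deny' with a reason: a blocked
    destination host, or a blocked host smuggled inside a query parameter.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return {"verdict": "deny", "reason": "malformed request line"}
    split = urlsplit(parts[1])
    host = split.hostname or ""
    if host_is_blocked(host):
        return {"verdict": "deny", "reason": "blocked host", "host": host}
    for name, value in parse_qsl(split.query, keep_blank_values=True):
        nested = nested_blocked_urls(value)
        if nested:
            return {"verdict": "deny", "reason": "nested blocked url",
                    "param": name, "nested": nested}
    return {"verdict": "allow", "host": host}


# Constructed sample requests, one per pattern discussed on the slides.
SAMPLE_REQUESTS = [
    "GET http://www.x-site.com/ HTTP/1.0",                                         # direct
    "GET http://our-site/cgiScript?site=http://www.x-site.com HTTP/1.0",           # Solution 1
    "GET http://our-site/cgiScript?site=aHR0cDovL3d3dy54LXNpdGUuY29tLw== HTTP/1.0",  # Solutions 2/3 (Base64 assumed)
    "GET http://intranet.example/index.html HTTP/1.0",                             # benign
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line.split()[1], "->", inspect_request(line))
```

The decoders are deliberately permissive: a value that is not really Base64 or hex simply fails to decode and is ignored, so the only cost of trying several encodings is a little CPU per parameter. A production filter would log the nested URL and the parameter name, as the verdict dict does, so that the relay host (4) can itself be added to the blocklist.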

Pros and Cons of Solutions 2 and 3

• Solution 2

– No need to configure the browser for a proxy.

– No need to change links at (4).

– Requires a web server and permission to run cgi scripts.

• Solution 3

– Requires browser configuration to set (2) as proxy.

– No need to change links at all!

– Occupies a port.

[Diagram: Solution 4 - (1) User in the Local Network, (3) Firewall, (4) our-site holding a Mirror of (5) X-site on the Internet.]

Solution 4 - Mirroring

• (1) Inputs (4)’s url at his browser’s location bar.

• (3) Forwards

• (4) Responds by sending HTML form

• (3) Forwards

• (1) Fills form:

– (5)’s url

– links depth

– freshness

Solution 4 - Mirroring (Cont’)

• (1) Submits form.

• (3) Forwards.

• (4) CGI invoked with parameters from the form.

• (4)’s CGI mirrors (5) according to form’s parameters.

• (4) Responds to (1) with HTML with a link to the mirrored index.html of (5).

• (3) Forwards.

Solution 4 - Mirroring (Cont’)

• (1) Gets page from (4).

• (1) Surfs on (5)’s mirror on (4).

• (3) Won’t interfere because it doesn’t check data.

[Diagram: Solution 5 - (1) User and (2) local-proxy in the Local Network, (3) Firewall with Filter (direct access to (5) is FORBIDDEN!), (4) our-site and (5) X-site on the Internet; the path between (2) and (4) is labelled Encrypt/Decrypt at both ends, and (1) gets the page.]

Solution 5 - Mirroring

• (1) Runs (2)

• (1) Configures browser so (2) is set as proxy

• (1) Inputs (5)’s url at his browser’s location bar with mirror parameters:– http://x-site?depth=Ndepth?lastModified=Ndays

• (2) Intercepts the request, encodes it and sends the request to (4).

• (3) Sees the encoded url, no problem, forwards to (4).

• (4) Decodes the url, parses the parameters (from the end), mirrors (5).

Solution 5 - Mirroring (cont’)

• (4) Responds to (2) with a tar.Z.

• (3) Hopefully understands nothing of (4)’s response, so forwards it to (2).

• (2) Uncompresses, untars, builds an html page with a link to the mirror’s index.html, and responds with this page to (1).

• (1) Uses page to surf mirrored (5).
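Solution 5 depends on (3) forwarding a tar.Z response it does not understand. The following added example (not the project's code, written in Python for illustration) shows the response-side check a firewall would add for that gap: the leading bytes of the body are sniffed and compared with the declared Content-Type, so a compress (.Z) or gzip stream or a tar archive is held for inspection whatever the header claims, and a body declared as text that is not text is denied. The sample responses, the header values and the hold/deny policy are constructed; the magic values used (0x1f 0x9d for compress, 0x1f 0x8b for gzip, "ustar" at offset 257 for tar) are the standard ones.

```python
"""
Added example (not the project's code): the response-side check that
Solution 5 hopes the firewall (3) lacks. The declared Content-Type is
compared with what the body's leading bytes actually are, so a compressed
mirror (tar.Z) cannot ride back labelled as an HTML page. Sample responses
and the hold/deny policy are constructed for illustration; the magic
values are the standard ones.
"""

# Standard magic values: compress(1) ".Z" and gzip at offset 0,
# tar's "ustar" field at offset 257 of the first header block.
MAGIC_PREFIXES = {
    b"\x1f\x9d": "compress (.Z) stream",
    b"\x1f\x8b": "gzip stream",
}
TAR_MAGIC_OFFSET = 257
ARCHIVE_LABELS = set(MAGIC_PREFIXES.values()) | {"tar archive"}


def sniff_body(body: bytes) -> str:
    """Label the body from its bytes alone: archive type, text, or binary."""
    for prefix, label in MAGIC_PREFIXES.items():
        if body.startswith(prefix):
            return label
    if body[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        return "tar archive"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    # Control characters other than tab/CR/LF do not belong in text/html.
    if any(ord(ch) < 0x20 and ch not in "\t\r\n" for ch in text):
        return "binary"
    return "text"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.0 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def inspect_response(raw: bytes) -> dict:
    """Verdict for one response: allow, hold (archive), or deny (mismatch)."""
    _status, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_body(body)
    if actual in ARCHIVE_LABELS:
        # Policy choice (constructed): archives are held for inspection
        # regardless of what the header claims.
        return {"verdict": "hold", "reason": "archive payload",
                "declared": declared, "actual": actual}
    if not declared:
        return {"verdict": "deny", "reason": "missing Content-Type"}
    if declared.startswith("text/") and actual != "text":
        return {"verdict": "deny", "reason": "declared text but body is binary",
                "declared": declared}
    return {"verdict": "allow", "declared": declared, "actual": actual}


def _response(content_type, body: bytes) -> bytes:
    """Build a constructed HTTP/1.0 response; content_type=None omits the header."""
    head = b"HTTP/1.0 200 OK\r\n"
    if content_type is not None:
        head += b"Content-Type: " + content_type.encode() + b"\r\n"
    return head + b"\r\n" + body


# Constructed sample responses.
SAMPLES = {
    "plain html": _response("text/html", b"<html><body>ok</body></html>"),
    "tar.Z labelled html": _response("text/html", b"\x1f\x9d\x90" + b"\x00" * 16),
    "tar as octet-stream": _response("application/octet-stream",
                                     b"\x00" * 257 + b"ustar\x00" + b"\x00" * 10),
    "binary labelled html": _response("text/html", bytes(range(0, 8))),
    "no content-type": _response(None, b"<html>hi</html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22s} -> {inspect_response(raw)}")
```

Sniffing is done before the header is consulted, so the tar.Z body is caught even when the relay labels it text/html; the Encrypt/Decrypt labels on the Solution 5 diagram describe the one case this check cannot read, and there the only signals left to (3) are that the body is opaque binary under a text label and that the response comes from a host that keeps producing such bodies.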

Pros and Cons of Mirroring

• Pros

– Very Fast (!) local browsing

– One request might serve many users

– One request is good for many surfs.

• Cons

– No mirroring for links from other sites

– Requires a large amount of disk space

– Long latency

Technology

• Platform

– Unix - UltraSparc30/SunOS Solaris

• Programming Language used:

– Perl 5 (Larry Wall)

• for writing CGI scripts, upgrading the WebCopy application, writing the local proxy and firewall.

• Applications used:

– Jigsaw web server (by w3c, in Java) - specially configured for our purposes.

– Webcopy mirroring utility (by Victor Parada, in Perl) - Altered code by us (bug fixes, upgrade).

– FWTK (by TIS)

– Netscape web browser

– Local Proxy, Firewall, CGI scripts (Self made, in Perl and Java).

Next project improvements to Solution 5

Not necessarily in order of importance or ease of implementation

• Prefetching when deepest mirror-link chosen.

• On-Line Prefetching.

• Add-On to popular browser.

Benefits

• Learning Java (+servlets)

• Learning Perl

• Installing and Configuring Jigsaw web-server

• Learning HTML and building a web-site

• Learning CGI programming

• Learning HTTP

• Learning about Firewalls and their behaviour

• Implementing a simple proxy based firewall

• Installing TIS - FWTK

• Working in Unix environment

• Using MS-PowerPoint

Bibliography

• Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. O’Reilly & Associates, Inc.

• Firewalls and Internet Security. Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley Professional Computing Series.

• Http specification: RFC2616

• Jigsaw web server: www.w3.org/jigsaw

• HTML: www.w3.org/markup

• terms: www.whatis.com

• Perl: man perl

• TIS: www.tis.com

• Java: www.java.sun.com

• Unix: man pages

• Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/

• Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture by Douglas E. Comer

Information about the project

Project’s site at: http://www.comnet.technion.ac.il/~cn1w00

Available on the web-site:

• Project Book

• These slides

• Installation package

• Full source code

Reaching us...

• Roni Ohana - Phone: 04-8203017 - Email: ronio@lion.technion.ac.il

• Shlomo Yona - Phone: 04-8202413 - Email: shlomo@lion.technion.ac.il