SSL VPN connection multiplexing techniques



Similar documents
Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Chapter 7 Transport-Level Security

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

OS/390 Firewall Technology Overview

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Computer Networks. Secure Systems

Network Security Fundamentals

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Network Security Essentials Chapter 5

Network Access Security. Lesson 10

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

Chapter 17. Transport-Level Security

Introduction to Computer Security

OS/390 Firewall Technology Overview

z/os Firewall Technology Overview

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

CS5008: Internet Computing

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

TLS and SRTP for Skype Connect. Technical Datasheet

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Introduction to Computer Security

Securing Networks with PIX and ASA

Chapter 32 Internet Security

21.4 Network Address Translation (NAT) NAT concept

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Packet Monitor in SonicOS 5.8

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Transport Level Security

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Virtual Private Networks

Lecture 10: Communications Security

GPRS / 3G Services: VPN solutions supported

Firewalls. Chapter 3

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Linux Network Security

How To Understand And Understand The Security Of A Key Infrastructure

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

Dante a BSD licensed SOCKS implementation. Inferno Nettverk A/S. Bergen Linux User Group

Chapter 10. Network Security

Virtual Private Networks

Securing IP Networks with Implementation of IPv6

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Internet Privacy Options

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Transport Layer Security Protocols

SSL VPN. Virtual Private Networks based on Secure Socket Layer. Mario Baldi. Politecnico di Torino. Dipartimento di Automatica e Informatica

File Transfer Protocol (FTP) & SSH

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Overview - Using ADAMS With a Firewall

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Overview - Using ADAMS With a Firewall

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Secure Use of the New NHS Network (N3): Good Practice Guidelines

Stealth OpenVPN and SSH Tunneling Over HTTPS

General Network Security

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

IxLoad - Layer 4-7 Performance Testing of Content Aware Devices and Networks

Internet Protocol: IP packet headers. vendredi 18 octobre 13

LinkProof And VPN Load Balancing

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

Cornerstones of Security

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

FortiOS Handbook - Load Balancing VERSION 5.2.2

Cisco Which VPN Solution is Right for You?

Security Technology: Firewalls and VPNs

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Lecture 17 - Network Security

Exam Questions SY0-401

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Cisco PIX vs. Checkpoint Firewall

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

SSL DOES NOT MEAN SOL What if you don t have the server keys?

Topics in Network Security

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

Introduction to Security and PIX Firewall

ETSF10 Part 3 Lect 2

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

Basic Network Configuration

EXPLORER. TFT Filter CONFIGURATION

What I am going to talk about. NAT IPSec and NAT Proxy, Reverse proxy P2P Firewall

Check Point FW-1/VPN-1 NG/FP3

Transcription:

HERVÉ SCHAUER CONSULTANTS Network Security Agency since 1989 Specialized in Unix, Windows, TCP/IP and Internet SSL VPN connection multiplexing techniques Franck Davy <fd@hsc.fr> Agenda IPsec protocol: Standards vs Proprietary and Alternative solutions SSL VPN Port Forwarding techniques SSL VPN Tunnel Management protocols: SSH vs SSL Multiplexing Data Streams with SOCKS Multiplexing with HTTP Tunneling Tunneling filtering Conclusion References - 2 -

Proprietary IPsec Solutions (1) Checkpoint Solution Checkpoint FW-1/VPN-1 Gateway VPN Client software SecuRemote, SecureClient (personal firewall integration) Authorized protocols IKE Protocol: 500/udp & 500/tcp FW-1 Topology: 264/tcp Without NAT : (IP Protocol) ESP: 50 (IP Protocol) FWZ: 94 RDP service (FWZ negociation): 259/udp With NAT : IPSec ESP encapsulated in UDP datagrams: 2746/udp - 3 - Cisco Solution Proprietary IPsec Solutions (2) Concentrator 3000/5000 Gateway, PIX Firewall, IOS VPN VPN Client software Authorized protocols IKE protocol: 500/udp With NAT: (IP Protocol) ESP : 50 Without NAT: NAT-T (IETF Draft) IPSec ESP encapsulated in UDP datagrams: 4500/udp Cisco specific: IPSec ESP encapsulated in UDP flow: 10000/udp IPSec ESP encapsulated in TCP connection: 10000/tcp - 4 -

Proprietary IPsec Solutions (3) - 5 - Proprietary IPsec Solutions (4) IPsec standard protocols are IKE (500/UDP), and AH (51)/ESP (50) IP protocols usually filtered by firewalls or not compatible with private address space (NAT issues): proprietary IPsec and alternative solutions (like VPN based on SSL/TLS protocols) have emerged. SSL is a Netscape specification, TLS an IETF standard (RFC2246). They provide Transport Layer security, i.e. per application security, and not a Network Layer Security: proprietary extensions are still required to provide IPsec equivalent access to resources extensions dealing with data streams multiplexing over a single SSL/TLS session, for instance. - 6 -

SSL VPN application tunneling techniques : Port Forwarding Data streams multiplexing - 7 - Port Forwarding Client Port Forwarding (1) Encrypted/authenticated SSLv3/TLSv1 tunnel between the client and a Gateway Lighweight or native client Each data flow is redirected (wrapped( wrapped) ) inside a dedicated tunnel 8443/TCP HTTP 8110/TCP POP 8494/TCP ICA... SSL/TLS Tunnels, through SSL/TLS Gateway HTTPS proxies via CONNECT method? - 8 - Application Data Limitations regarding UDP based protocols, or dynamic protocols (FTP, RTSP etc.), and ports allocation on the gateway

Port Forwarding (2) Example: starting stunnel in daemon + wrapper modes Server side # stunnel -d 443 -r 10.0.0.1:80 -v 2 -a /etc/ssl/trusted -p stunnel.pem Enter PEM pass phrase: $ netstat -antp grep stunnel tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2401/stunnel Client side $ stunnel -c -r 192.0.2.20:443 -d 8080 -a /etc/ssl/trusted TCP Connection (8080/TCP) TCP Connection (80/TCP) SSL/TLS Tunnel (443/TCP) 192.0.2.10 (mutually) authenticated using certificates 192.0.2.20 Limitation: One tunnel (port) per application No TCP connection multiplexing - 9-10.0.0.1 Port forwarding Port Forwarding (3) - 10 -

Tunnel management protocols (1): SSH vs SSL protocols «SSH Connection Protocol» draft http://www.openssh.org/txt/draft-ietf-secsh-connect-15.txt «SSH is a protocol for secure remote login and other secure network services over an insecure network. This document describes the SSH Connection Protocol. It provides interactive login sessions, remote execution of commands, forwarded TCP/IP connections,, and forwarded X11 connections. All of these channels are multiplexed into a single encrypted tunnel.. The SSH Connection Protocol has been designed to run on top of the SSH transport layer and user authentication protocols.» SSH protocols stacks Connection Protocol User Authentication Protocol Transport Layer Protocol TCP Transport SSH protocol provides tunnel management through «Connection Protocol» layer - 11 - Tunnel management protocols (2): SSH vs SSL protocols SSH tunnel management : On the wire: One TCP connection (22/TCP) Applicative flows relying on TCP transport protocol are wrapped and multiplexed into a single SSH session (and a single TCP connection) > ssh -N -f -2 -L 10143:192.168.0.4:143 \ -L 10389:192.168.0.4:389 \ -L 10080:localhost:80 \ 192.168.0.1 > ~# The following connections are open: #3 client-session (t4 r0 i0/0 o0/0 fd 7/8) #4 direct-tcpip: listening port 10389 for 192.168.0.4 port 389, connect from 127.0.0.1 port 33462 (t4 r1 i0/0 o0/0 fd 10/10) #5 direct-tcpip: listening port 10143 for 192.168.0.4 port 143, connect from 127.0.0.1 port 33463 (t4 r2 i0/0 o0/0 fd 11/11) #6 direct-tcpip: listening port 10080 for localhost port 80, connect from 127.0.0.1 port 33465 (t4 r3 i0/0 o0/0 fd 12/12) - 12 -

Tunnel management protocols (3): SSH vs SSL protocols SSH tunnel management: HTTP POP IMAP SSH Gateway 80/TCP Connection Client Application Data 22/TCP connection SSH Session 110/TCP 143/TCP Connection Connection - 13 - Multiple SSH channels One SSH Session One TCP Connection (22/TCP) SSL/TLS Protocols do not provide a management mechanism for multiple tunnels: they need to rely on a third-part protocol to handle channel management Tunnel management protocols (4): SSH vs SSL protocols Multiplexing data streams protocols Application data????? SSL/TLS Session TCP Transport SOCKS v5 based MUX layer? HTTP encapsulation layer? PPP encapsulation layer? Other proprietary solution? - 14 - Multiplexing performed, on client-side, by Java applets or Active X controls

Tunnel management protocols (5): «SOCKSification» SOCKS (RFC1928): Generic proxy, «shim layer» between application and transport layers 1494/TCP SOCKSified client SOCKS Server ICA HTTP 80/TCP 1080/TCP SSH 22/TCP - 15 - Tunnel management protocols (6): «SOCKSification» SOCKS Protocol example: SOCKSified Client SOCKv5 : Connect to server Request SOCKv5 : Connect to server Request SOCKv5 : Connect Request - Connect 192.0.2.1:1494 SOCKv5 : Remote Port: 1494 Command Response Connect SOCKv5 : Remote Port 1494 ACK [...] SOCKSv5 server TCP Connection Establishment SYN-SYN/ACK-ACK [...] 192.0.2.1 ICA : 1494/TCP SOCKSv5 (RFC1928) protocol supports TCP and UDP based protocols and can (optionally) support SSL/TLS tunneling Use of combined SOCKS + SSL provides UDP and TCP protocols encapsulation and multiplexing, through a SSL/TLS tunnel. - 16 -

Application «SOCKSification» SOCKS protocol natively supported in usual programs (namely browsers) Libraries can intercept connect() system call and SOCKSify applications, without recompiling or modification, providing transparent network access through SOCKS $ echo -n "HEAD / HTTP/1.0\r\n\r\n" strace -econnect nc www.hsc.fr 80 connect(3, {sa_family=af_inet, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 28) = 0 connect(3, {sa_family=af_inet, sin_port=htons(80), sin_addr=inet_addr("192.70.106.33")}, 16) = 0 HTTP/1.0 200 OK [...] Tunnel management protocols (7): «SOCKSification» $ echo -n "HEAD / HTTP/1.0\r\n\r\n" strace -econnect tsocks nc www.hsc.fr 80 connect(3, {sa_family=af_inet, sin_port=htons(53), sin_addr=inet_addr("192.168.0.1")}, 28) = 0 connect(3, {sa_family=af_inet, sin_port=htons(1080), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 HTTP/1.0 200 OK [...] Example: tsocks program transparently proxies applications (TCP establishment), requiring to load /usr/lib/libtsocks.so setting environment variable LD_PRELOAD : $ tsocks -on ; tsocks -sh LD_PRELOAD="/usr/lib/libtsocks.so" - 17 - - 18 - Tunnel management protocols (8): HTTP as «transport layer» An increasingly large number of applications are using HTTP protocol as a transport layer protocol, in order to bypass corporate TCP/IP outbound filtering through HTTP proxies, compliant with HTTP/1.X standards Typically: Real Time Streaming Protocol (RTSP), used for media streaming Several modes are available, based on FTP-like data and control connections Initial version: hybrid mode,, relying on UDP protocol for data streaming (RTP, 554/UDP), and TCP connection for control channel Revised version: TCP-only mode,, for both data and control channels TCP connections are always established from the client «HTTP tunneling» version: : RTSP and RTP channels are tunneled over HTTP. HTTP transport is built from two separate HTTP GET and POST method requests initiated by the client.

Tunnel management protocols (9): HTTP as «transport layer» Taken from http://developer.apple.com/, about QuickTime : «Using standard RTSP/RTP, a single TCP connection can be used to stream a QuickTime presentation to a user. Such a connection is not sufficient to reach users on private IP networks behind firewalls where HTTP proxy servers provide clients with indirect access to the Internet. To reach such clients, QuickTime 4.1 supports the placement of RTSP and RTP data in HTTP requests and replies. As a result, viewers behind firewalls can access QuickTime presentations through HTTP proxy servers.» P2P, IM software and trojans are using HTTP tunneling so can do SSL VPN. - 19 - - 20 - Tunnel management protocols (10): HTTP as «transport layer» HTTP GET and POST methods can carry an indefinite amount of data in their reply (from server) and message body (from client) respectively. POST /SmpDsBhgRl HTTP/1.0 Accept: application/x-rtsp-tunnelled, */* Content-type: application/x-pncmd Content-length: 32767 HTTP/1.0 200 OK Server: RMServer 1.0 Content-type: audio/x-pn-realaudio Content-length: 2147483000 HTTP POST Request 3fe06463-55b0-448d-be04-120bd3cb7a1f 1BUSU9OUyBydHNwOi8vcm[...] HTTP POST Request body : Base64 B encoded RTSP Control channel GET /SmpDsBhgRl3fe06463-55b0-448d-be04-120bd3cb7a1f HTTP/1.0 Accept: application/x-rtsp-tunnelled, */* ClientID: WinNT_5.0_6.0.10.505_play32_RN9GPD_en-US_686_axembed HTTP GET Request X-Actual-URL: rtsp://realserver.domain.tld/videos/20d05122002.rm RTSP/1.0 200 OK HTTP Reply body : Base64 B encoded CSeq: 1 RTSP/RTP Control/Data channel Date: Mon, 06 Dec 1999 08:13:01 GMT Server: RealServer Version 6.1.3.946 (sunos-5.6-sparc) Public: OPTIONS, DESCRIBE, ANNOUNCE, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN StatsMask: 3 [...]

Tunnel management protocols (11): HTTP as «transport layer» SSL VPN: Example of Telnet protocol 8 15 0.2118 (0.0017) S>C application_data 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 7 16 1.0181 (0.2172) S>C application_data 03 00 00 02 00 6c 00 0d 0a 58 58 58 58 58 58 58...l...XXXXXXX 2e XX XX XX XX XX XX XX XX 2f 4f 70 65 6e 56 69.XXXXXXXX/OpenVi 65 77 20 5b 48 50 2d 55 58 20 42 2e 31 30 2e 32 ew [HP-UX B.10.2 30 5d 0d 0a XX XX XX XX XX XX XX XX XX 20 20 20 0]..XXXXXXXXX 0a 0d 0a... 8 16 0.3637 (0.1518) C>S application_data POST /id/param?channel=12345 HTTP/1.1 8 17 0.3638 (0.0000) C>S application_data 01 02 07 00 01 00 04 00 00 02 00... 8 18 0.3654 (0.0016) S>C application_data 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 7 17 1.0467 (0.0286) S>C application_data 03 00 00 03 00 07 00 6c 6f 67 69 6e 3a 20...login: Decrypted with SSLDump (http://www.rtfm.com/ssldump) with RSA private key and RSA static key exchange protocol i.e. no PFS. - 21 - - 22 - Tunnel management protocols (12): HTTP as «transport layer» 7 55 7.5653 (0.0100) S>C application_data 03 00 00 29 00 09 00 50 61 73 73 77 6f 72 64 3a...)...Password: 8 247 8.2791 (1.3847) C>S application_data POST /id/param?channel=12345 HTTP/1.1 8 248 8.2792 (0.0001) C>S application_data 01 02 08 00 01 00 06 00 00 01 00 48...H 8 249 8.2805 (0.0013) S>C application_data 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 8 250 8.3970 (0.1165) C>S application_data POST /id/param?channel=12345 HTTP/1.1 8 251 8.3972 (0.0001) C>S application_data 01 02 08 00 01 00 06 00 00 01 00 53...S 8 252 8.3991 (0.0019) S>C application_data 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. 8 253 8.4816 (0.0825) C>S application_data POST /id/param?channel=12345 HTTP/1.1 8 254 8.4817 (0.0001) C>S application_data 01 02 08 00 01 00 06 00 00 01 00 43...C 8 255 8.4834 (0.0016) S>C application_data 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK. [...] 7 57 11.8551 (0.0084) S>C application_data 03 00 00 2b 00 18 00 4c 6f 67 69 6e 20 69 6e 63...+...Login inc 6f 72 72 65 63 74 0d 0a 6c 6f 67 69 6e 3a 20 orrect..login: 4 42 21.6266 (18.4522) C>S Alert warning close_notify 4 21.6266 (0.0000) C>S TCP FIN 3 112 25.2973 (19.8016) C>S Alert warning close_notify 3 25.2973 (0.0000) C>S TCP FIN 4 RFC2616 21.6275 (0.0009) and 2246 S>C Compliant, TCP FIN but HTTP POST Request for each input letter (no echo) HTTPS Tunneling HTTP Tunneling over SSL/TLS Tunnel RFC2616 and 2246 Compliant, but security policy compliant?

HTTP Tunneling Filtering (1): HTTP,an asymmetric protocol Asymmetric HTTP exchanges HTTP Request includes a request-line, (optional) header fields and (optional) body when POST HTTP method is used to submit data to a CGI HTTP Response contains data: Content-Length header indicates the size of the entity-body $ echo -e "GET / HTTP/1.0\r\n\r\n" nc www.hsc.fr 80 HTTP/1.1 200 OK [...] Content-Length: 57445 Connection: close <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML lang="fr"> [...] Y-AXIS : TCP segment length (SUM) HTTP Server flow (www.hsc.fr) HTTP Client flow - 23 - HTTP Tunneling Filtering (2): HTTPS traffic analysis (Packets count) HTTPS == HTTP over SSL/TLS Preliminary HandShake protocol: : negociation of SSL/TLS cryptographic parameters Application data (HTTP) transmission PACKETS/TICK SSL/TLS Handshake protocol HTTP Server flow (www.hsc.fr) HTTP Client flow Application data (Many CCS messages) Alert protocol - 24 -

HTTP Tunneling Filtering (3): HTTPS traffic analysis (Bytes count) SSL/TLS (full) Handshake protocol Application data BYTES/TICK HTTP Server flow (www.hsc.fr) HTTP Client flow TCP SYN SEGMENT(S) TCP FIN/RST SEGMENT(S) - 25 - HTTP Tunneling Filtering (4): Download over HTTPS HTTP Server flow HTTP Client flow PACKETS/TICK TCP Connection Duration BYTES/TICK - 26 -

HTTP Tunneling Filtering (5): SSL VPN traffic analysis (bytes count) BYTES/TICK Interactive protocol inside SSL VPN Tunnel : command-line SSH, and execution of Unix shell commands (ls, mutt, top etc. with echoing and Nagle algorithm) HTTP Server flow HTTP Client flow TCP connection and SSL tunnel initialization - 27 - HTTP Tunneling Filtering (6): SSL VPN traffic analysis (bytes count) BYTES/TICK Web browsing inside a SSL VPN Tunnel no TCP signalling, ie no connection establishment and clearing HTTP Server flow HTTP Client flow User inactivity period (TCP( connection persistency, bursts due to SSL VPN and SSH KeepAlive messages) - 28 -

SSL VPN traffic analysis (7) TCP Connections establishment and clearing HTTPS Browsing (brief) analysis In 50s : 56 HTTP Requests 1 SSL/TLS session 14 TCP Connections with resume handshakes No session in HTTP HTTP 1.1 Keep-Alive mechanism SSL VPN analysis (PPP over SSL model) In 300s: 1 SSL/TLS session 1 TCP Connection (manually closed) Unpredictable network behavior TCP SYN SEGMENT(S) TCP FIN SEGMENT(S) - 29 - HTTP Tunneling Filtering (8): Tools for SSL/TLS tunnel detection TCPStatFlow http://www.geocities.com/fryxar/ Analyze TCP connections uptime, amount of inbound and outbound data Raise an alarm when a threshold is reached : Cumulative threshold (regarding bytes, number of packets) Duration threshold (time) $./tcpstatflow[2704]: looking for handler for datalink type 1 for interface eth2./tcpstatflow[2704]: listening on eth2 [...]./tcpstatflow[2704]: Detecting a new flow: 80.65.225.196:3240->192.168.254.1:443./tcpstatflow[2704]: 80.65.225.196:3240->192.168.254.1:443: new flow./tcpstatflow[2704]: Detecting a new flow: 192.168.254.1:33122->66.249.85.104:80./tcpstatflow[2704]: 192.168.254.1:33122->66.249.85.104:80: new flow./tcpstatflow[2704]: Detecting a new flow: 192.168.254.1:33123->66.249.85.104:80./tcpstatflow[2704]: 192.168.254.1:33123->66.249.85.104:80: new flow./tcpstatflow[2704]: Detecting a new flow: 192.168.254.1:33124->66.249.85.104:80./tcpstatflow[2704]: 192.168.254.1:33124->66.249.85.104:80: new flow [...] Potencial tunnel = 80.65.225.196:3240->192.168.254.1:443: packets rx=575 tx=548, bytes rx=69000 tx=50092, seconds=96-30 -

Conclusion There is no standard, only proprietary solutions. HTTP(S) Tunneling through CONNECT HTTP method, or pure GET/POST Requests wrapping is currently the best way to provide connectivity through HTTPS proxies and bypass firewalls...... however, tunneling techniques are also implemented by P2P or IM software. In the future (?), security policies should be enforced by border equipments not only with static or dynamic IP filtering, but also with statistical techniques. - 31 - References HSC tips and presentations http://hsc.fr Ethereal A Network Protocol Analyzer http://ethereal.com SSLDump http://www.rtfm.com/ssldump/ TCPStatFlow http://geocities.com/fryxar/ Gray-World.NET Unusual firewall bypassing techniques, network and computer security. http://gray-world.net - 32 -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information