Project Presentation

Stealth project - פרוייקט החמקן (Hebrew: "The Stealth Project")
Roni Ohana
Shlomo Yona
Instructor: Youval Nachum
Comnet Lab - Electrical Engineering Faculty
Technion - Israel Institute of Technology
Project Goal
Enable a monitored company user to surf to forbidden sites located outside the company’s network.
Description
A legal site will relay information between the user and the forbidden site.
[Diagram: User on the Local Network behind the Firewall; the Internet, Legal-site and X-site outside.]
Consider the following situation
• User is able to surf to a legal site.
• User is blocked by a firewall while trying to access an illegal site.
Some more details
• User sends an http request for a page at the forbidden site (X-site) and waits until the response returns.
• Firewall intercepts the request and checks for a forbidden url in the request.
• If a forbidden url is found: the user gets an error notification and the request is no longer processed.
• Else, the FW forwards the request to the X-site and waits until the response returns.
• Upon receiving the request, X-site responds by returning the requested page.
• FW may check for forbidden text in the response.
• If forbidden text is found - send FORBIDDEN to the user.
• Else, return the page to the user.
[Diagram: proxy-based firewall. Internal Network - Interior router - Perimeter Network with Bastion Host (Proxy Firewall) - Exterior router - The Internet (routers) - X-site. One TCP socket is opened from the client to the proxy and a second one from the proxy toward X-site.]
Proxy based firewall
• On the http level, a TCP connection will open from the client to the proxy-Firewall and another TCP connection will open from the proxy-Firewall to the destination (either directly, or through another proxy).
• When N proxies are involved there will be N+2-1 TCP connections (counting source and destination too).
[Diagram: router-based firewall. Internal Network - Interior router - Perimeter Network with Bastion Host - Exterior router (Screening Router Firewall) - The Internet (routers) - X-site. Only one TCP socket appears, from the client through the routers to X-site.]
Router based Firewall
• The firewall implements the filter() method of the router.
• A packet arriving at a router is first filtered by filter().
• If the firewall finds forbidden text, filter() drops the packet; otherwise, the router keeps processing the packet.
How does the FW interfere?
URL
• The url requested by the user is in the http request.
• Once the firewall sees that it’s a forbidden url - the page is denied.
DATA
• Data which returns from the x-site, if it contains forbidden text, might cause denial of the page.
What can we do about this?
• Use a mediator
A legal 3rd party to:
– Request the page of the forbidden site.
– Encode our text so it won’t bother the FW.
The Players
[Diagram: (1) User and (2) Local Agent on the Local Network, (3) Firewall at the gateway, (4) our-site and (5) X-site on the Internet.]
The Players
• (1) User, whose platform is on the company’s network.
• (2) Local agent running on a platform on the company’s network (possibly the user’s local host).
• (3) Firewall on the proxy or router at the in/out gateway to/from the internet.
• (4) Our-site, a remote proxy located outside the company’s network.
• (5) X-site, a web-site located outside the company’s network which has a forbidden url.
[Diagram: (1) User on the Local Network, (3) Firewall, (4) our-site and (5) X-site on the Internet; no local agent is used.]
Solution 1
Firewall only checks outgoing URLs
• (1) Opens browser.
• (1) Inputs location of (4).
• (4)’s url is legal, so (3) forwards the request to (4).
• (4) returns a form to (1).
• (3) is not looking at the data, so it forwards the form to (1).
• (1) inputs the url and submits the form.
• (3) is looking only at the destination host (which is legal, in this case), so the submission is also forwarded to (4).
• A server in (4) processes the form and requests a page from (5).
Solution 1 (cont’)
Firewall only checks outgoing URLs
• (5) responds to (4) with the desired page.
• (4) changes the links in the page so that requesting them will invoke the same procedure automatically.
– Before: http://www.x-site.com
– After: http://our-site/cgiScript?site=http://www.xsite.com
• (4) sends the altered page to (1).
• (3) intercepts the page, and forwards it to (1).
• (1) gets the desired page.
• If (1) presses a link, the whole procedure occurs automatically, since the link points to (4) (giving the real url as a parameter).
Solution 2
Firewall also checks Response Content
[Diagram: (1) User and (2) Local-Site on the Local Network, (3) Firewall, (4) our-site and (5) X-site on the Internet.]
(2) is a web page with an HTML form to input a url for a CGI script operating as a local proxy.
• (1) Opens browser.
• (1) Inputs location of (2). Makes an http request.
• (2) responds to (1) by sending an HTML form.
• (1) inputs (5)’s url in the form and submits.
• (1)’s submission invokes a CGI script at (2).
• (2) encodes the url field submitted by (1).
• (2) sends the encoded request to (4).
– GET http://our-site/cgiScript?site=encodedXSite
• (3) intercepts the http request, sees nothing forbidden and forwards the request.
• (4) gets the request and decodes it. Makes a request to (5).
Solution 2 (cont’)
Firewall also checks Response Content
• (5) responds to (4).
• (4) encodes the page it got from (5).
• (4) responds with the encoded page to (2).
• (3) processes (4)’s response, finds nothing forbidden in it, and forwards it to (2).
• (2) decodes (4)’s response.
• (2) changes links in the page so that choosing a link will operate solution 2 again automatically.
• (2) responds to (1).
• (1) gets his page, and can continue browsing at forbidden locations.
Solution 3
[Diagram: (1) User and (2) Local-Proxy on the Local Network, (3) Firewall, (4) our-site and (5) X-site on the Internet.]
(2) is an http proxy which runs inside the company’s network.
• (1) Runs (2).
• (1) Opens browser.
• (1) Configures the browser so that (2) is set as proxy.
• (1) Inputs the location of (5). Makes an http request.
– GET http://x-site HTTP/1.0
• (2) Captures the request, since (2) is (1)’s proxy.
• (2) Encodes the url field in (1)’s http request.
• (2) Sends the encoded request to (4).
– GET http://our-site/cgiScript?site=encodedXSite
• (3) Intercepts the http request, sees nothing forbidden and forwards the request.
• (4) Gets the request and decodes it. Makes a request to (5).
Solution 3 (cont’)
• (5) Responds to (4).
• (4) Encodes the page it got from (5).
• (4) Responds with the encoded page to (2).
• (3) Processes (4)’s response, finds nothing forbidden in it, and forwards it to (2).
• (2) Decodes (4)’s response, and responds to (1).
• (1) Gets his page, and can continue browsing at forbidden locations.
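The firewall (3) in these slides matches the request URL and the response text literally, which is exactly why the site= parameter of Solutions 1 to 3 passes it. As an added example, not code from the project, here is a defender-side version of the router's filter() in Python that also inspects query-parameter values, percent-decoding and base64-decoding them before matching; the blocklist entries and the base64 form of the site= value are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed blocklist for the example: the (5) host names used in the slides.
FORBIDDEN_HOSTS = {"www.xsite.com", "x-site"}


def _candidate_decodings(value):
    """Yield the value itself and its percent- and base64-decoded forms."""
    decoded = unquote(value)          # catches a second layer of %xx encoding
    for text in dict.fromkeys((value, decoded)):
        yield text
        try:
            # validate=True rejects text containing ':' or '.', so a plain URL
            # is never mistaken for base64; missing '=' padding is repaired first.
            raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
            yield raw.decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            pass


def _host_of(text):
    """Return the lower-cased host if text parses as an absolute http(s) URL."""
    try:
        parts = urlsplit(text.strip())
        if parts.scheme in ("http", "https") and parts.hostname:
            return parts.hostname.lower()
    except ValueError:                # malformed netloc (e.g. bad IPv6 literal)
        pass
    return None


def filter_request(request_line):
    """Verdict for one http request line: 'DROP' if the request URL, or any URL
    carried plain, percent- or base64-encoded in a query parameter, points at a
    forbidden host; otherwise 'FORWARD'."""
    fields = request_line.split()
    url = fields[1] if len(fields) > 1 else ""
    if _host_of(url) in FORBIDDEN_HOSTS:
        return "DROP"                 # the plain case the slides' FW already handles
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for candidate in _candidate_decodings(value):
            if _host_of(candidate) in FORBIDDEN_HOSTS:
                return "DROP"         # forbidden URL hidden inside a parameter
    return "FORWARD"


if __name__ == "__main__":
    for line in ("GET http://x-site HTTP/1.0",
                 "GET http://our-site/cgiScript?site=http://www.xsite.com HTTP/1.0",
                 "GET http://our-site/cgiScript?site=aHR0cDovL3gtc2l0ZQ== HTTP/1.0"):
        print(filter_request(line), line)
```

The same normalization is needed on the response path: a filter that only scans plaintext passes the encoded page of Solution 2 and the tar.Z archive of Solution 5, so Content-Type and Content-Encoding checks belong there as well.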
Pros and Cons of Solutions 2 and 3
• Solution 2
– No need to configure the browser for a proxy.
– No need to change links at (4).
– Requires a web server and permission to run cgi scripts.
• Solution 3
– Requires browser configuration to set (2) as proxy.
– No need to change links at all!
– Occupies a port.
Solution 4
[Diagram: (1) User on the Local Network, (3) Firewall, (4) our-site holding the Mirror, (5) X-site on the Internet.]
Solution 4 - Mirroring
• (1) Inputs (4)’s url at his browser’s location bar.
• (3) Forwards.
• (4) Responds by sending an HTML form.
• (3) Forwards.
• (1) Fills the form:
– (5)’s url
– links depth
– freshness
Solution 4 - Mirroring (Cont’)
• (1) Submits the form.
• (3) Forwards.
• (4) CGI invoked with parameters from the form.
• (4)’s CGI mirrors (5) according to the form’s parameters.
• (4) Responds to (1) with HTML with a link to the mirrored index.html of (5).
• (3) Forwards.
Solution 4 - Mirroring (Cont’)
• (1) Gets the page from (4).
• (1) Surfs on (5)’s mirror on (4).
• (3) Won’t interfere because it doesn’t check data.
Solution 5 - Mirroring
[Diagram: (1) User and (2) local-proxy on the Local Network, (3) Firewall, (4) our-site and (5) X-site on the Internet.]
• (1) Runs (2).
• (1) Configures the browser so (2) is set as proxy.
• (1) Inputs (5)’s url at his browser’s location bar with mirror parameters:
– http://x-site?depth=Ndepth?lastModified=Ndays
• (2) Intercepts the request, encodes it and sends the request to (4).
• (3) Sees the encoded url, no problem, forwards to (4).
• (4) Decodes the url, parses the parameters (from the end), mirrors (5).
Solution 5 - Mirroring (cont’)
• (4) Responds to (2) with the mirror packed as tar.Z.
• (3) Hopefully understands nothing of (4)’s response, so forwards it to (2).
• (2) Uncompresses, untars, builds an html page with a link to the mirror’s index.html, and responds with this page to (1).
• (1) Uses the page to surf the mirrored (5).
Pros and Cons of Mirroring
• Pros
– Very Fast (!) local browsing
– One request might serve many users
– One request is good for many surfs.
• Cons
– No mirroring for links from other sites
– Requires a large amount of disk space
– Long latency
Technology
• Platform
– Unix - UltraSparc30/SunOS Solaris
• Programming Language used:
– Perl 5 (Larry Wall)
• for writing CGI scripts, upgrading the WebCopy application, writing the local proxy and the firewall.
• Applications used:
– Jigsaw web server (by w3c, in Java) - specially configured for our purposes.
– Webcopy mirroring utility (by Victor Parada, in Perl) - code altered by us (bug fixes, upgrade).
– FWTK (by TIS)
– Netscape web browser
– Local Proxy, Firewall, CGI scripts (self made, in Perl and Java).
Next project improvements to Solution 5
Not necessarily in order of importance or ease of implementation
• Prefetching when the deepest mirror-link is chosen.
• On-line prefetching.
• Add-on to a popular browser.
Benefits
• Learning Java (+servlets)
• Learning Perl
• Installing and configuring the Jigsaw web-server
• Learning HTML and building a web-site
• Learning CGI programming
• Learning HTTP
• Learning about firewalls and their behaviour
• Implementing a simple proxy based firewall
• Installing TIS - FWTK
• Working in a Unix environment
• Using MS-PowerPoint
Information about the project
Project’s site at: http://www.comnet.technion.ac.il/~cn1w00
Available on the web-site:
• Project Book
• These slides
• Installation package
• Full source code
Reaching us...
• Roni Ohana
– Phone: 04-8203017
• Shlomo Yona
– Phone: 04-8202413