Stealth project
Roni Ohana, Shlomo Yona
Instructor: Youval Nachum
Comnet Lab - Electrical Engineering Faculty
Technion - Israel Institute of Technology
Project Goal
Enable a monitored company user to surf to forbidden sites located outside the company’s network.
Description
A legal site will relay information between the user and the forbidden site.
[Diagram: Local Network: User | Firewall with Filter ("FORBIDDEN!") | Internet: X-site, Legal-site]
Consider the following situation
• User is able to surf to a legal site.
• User is blocked by a firewall while trying to access an illegal site.
Some more details
• User sends an HTTP request for a page at the forbidden site (X-site) and waits until the response returns.
• Firewall intercepts the request and checks for a forbidden URL in the request.
• If a forbidden URL is found: the user gets some error notification, and the request is no longer processed.
• Else, the FW forwards the request to the X-site and waits until the response returns.
• Upon receiving the request, X-site responds by returning the requested page.
• FW may check for forbidden text in the response.
• If forbidden text is found - send FORBIDDEN to the user.
• Else, return the page to the user.
[Diagram: Proxy Firewall. Internal Network, Interior router, Perimeter Network with Bastion Host (Proxy), Exterior router, the Internet (routers), X-site. Labels on each hop: TCP, Open TCP socket, Accept]
Proxy based firewall
• At the HTTP level, one TCP connection is opened from the client to the proxy firewall and another TCP connection is opened from the proxy firewall to the destination (either directly or through another proxy).
• When N proxies are involved there will be N+2-1 TCP connections (N proxies plus source and destination make N+2 hosts in the chain).
[Diagram: Screening Router Firewall. Internal Network, Interior router, Perimeter Network with Bastion Host (Proxy), Exterior router, the Internet (routers), X-site. Labels: TCP, Open TCP socket, Accept]
Router based Firewall
• The firewall will implement the filter() method of the router.
• A packet arriving at a router will first be filtered by filter().
• If the firewall finds forbidden text, filter() drops the packet; otherwise the router keeps processing the packet.
How does the FW interfere?
URL
• The URL requested by the user is in the HTTP request.
• Once the firewall sees that it’s a forbidden URL, the page is denied.
DATA
• If the data returned from the X-site contains forbidden text, the page might be denied.
What can we do about this?
• Use a mediator: a legal 3rd party to:
– Request the page of the forbidden site.
– Encode our text so it won’t bother the FW.
[Diagram: The Players. Local Network: (1) User, (2) Local Agent | (3) Firewall | Internet: (4) our-site, (5) X-site]
The Players
• (1) User, whose platform is on the company’s network.
• (2) Local agent running on a platform on the company’s network (possibly the user’s local host).
• (3) Firewall on the proxy or router in-out gateway to/from the internet.
• (4) Our-site, a remote proxy, located outside the company’s network.
• (5) X-site, a web site located outside the company’s network which has a forbidden url.
[Diagram: Local Network: (1) User | (3) Firewall with Filter ("FORBIDDEN!") | Internet: (4) our-site, (5) X-site; "Got Page!"]
Solution 1
Firewall only checks outgoing URLs
• (1) Opens browser.
• (1) Inputs location of (4).
• (4)’s url is legal, so (3) forwards the request to (4).
• (4) returns a form to (1).
• (3) is not looking at the data, so it forwards the form to (1).
• (1) inputs the url and submits the form.
• (3) is looking only at the destination host (which is legal, in this case), so the submission is also forwarded to (4).
• A server in (4) processes the form and requests a page from (5).
Solution 1 (cont’)
• (5) responds to (4) with the desired page.
• (4) changes the links in the page so requesting them will invoke the same procedure automatically.
– Before: http://www.x-site.com
– After: http://our-site/cgiScript?site=http://www.x-site.com
• (4) sends the altered page to (1)
• (3) intercepts the page, and forwards it to (1).
• (1) gets the desired page.
• If (1) presses a link, the whole procedure occurs automatically, since the link points to (4) (giving the real url as a parameter).
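
How the URL-only check in Solution 1 misses the rewritten link, and what inspecting the query string adds, as an added Python example written from the firewall's side (not the project's Perl code). The blocked-host list, the sample requests and the two decodings tried (double percent-encoding, base64) are assumptions; the slides do not name an encoding.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed policy and sample requests; host names are the slides' placeholders.
BLOCKED_HOSTS = {"www.x-site.com"}
SAMPLES = [
    "http://www.x-site.com/",                                       # direct request
    "http://our-site/cgiScript?site=http://www.x-site.com",         # rewritten link
    "http://our-site/cgiScript?site=aHR0cDovL3d3dy54LXNpdGUuY29t",  # base64 (assumed encoding)
    "http://legal-site/search?q=firewalls",                         # ordinary traffic
]
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def candidates(value):
    """Yield a parameter value and the decodings this filter knows how to try."""
    yield value
    yield unquote(value)  # a second layer of percent-encoding
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass


def embedded_blocked_host(url):
    """Return a blocked host carried inside a query parameter, else None."""
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for text in candidates(value):
            for host in HOST_RE.findall(text):
                if host.lower() in BLOCKED_HOSTS:
                    return host.lower()
    return None


def url_only_filter(url):
    """The firewall of Solution 1: checks only the destination host."""
    host = (urlsplit(url).hostname or "").lower()
    return "DENY" if host in BLOCKED_HOSTS else "ALLOW"


def parameter_aware_filter(url):
    """Also deny when a parameter names a blocked destination."""
    if url_only_filter(url) == "DENY" or embedded_blocked_host(url):
        return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for url in SAMPLES:
        print(url_only_filter(url), parameter_aware_filter(url), url)
```

A parameter in an encoding the filter does not try still comes out as ALLOW, which is the situation Solutions 2, 3 and 5 depend on.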
[Diagram: Solution 2, firewall also checks response content. Local Network: (1) User, (2) Local-Site | (3) Firewall | Internet: (4) our-site, (5) X-site]
Solution 2
Firewall also checks Response Content
(2) is a web page with an HTML form to input a url for a CGI script operating as a local proxy.
• (1) Opens browser.
• (1) Inputs location of (2). Makes http request.
• (2) responds to (1) by sending an HTML form.
• (1) inputs (5)’s url in the form and submits.
• (1)’s submission invokes a CGI script at (2).
• (2) encodes the url field submitted by (1).
• (2) sends the encoded request to (4).
– GET http://out-site/cgiScript?site=encodedXSite
• (3) intercepts the http request, sees nothing forbidden and forwards the request.
• (4) gets the request and decodes it. Makes a request to (5).
Solution 2 (cont’)
• (5) responds to (4)
• (4) encodes the page it got from (5).
• (4) responds with encoded page to (2).
• (3) processes (4)’s response and finds nothing forbidden in it, and forwards it to (2).
• (2) decodes (4)’s response.
• (2) changes links in the page so choosing a link will operate solution-2 again automatically.
• (2) responds to (1).
• (1) gets his page and can continue browsing at forbidden locations.
[Diagram: Solution 3. Local Network: (1) User, (2) Local-Proxy | (3) Firewall | Internet: (4) our-site, (5) X-site]
Solution 3
(2) is an HTTP proxy which runs inside the company’s network.
• (1) Runs (2).
• (1) Opens browser.
• (1) Configures the browser so that (2) is set as proxy.
• (1) Inputs location of (5). Makes http request.
– GET http://x-site HTTP/1.0
• (2) Captures the request, since (2) is (1)’s proxy.
• (2) Encodes the url field in (1)’s http request.
• (2) Sends the encoded request to (4).
– GET http://out-site/cgiScript?site=encodedXSite
• (3) Intercepts the http request, sees nothing forbidden and forwards the request.
• (4) Gets the request and decodes it. Makes a request to (5).
Solution 3 (cont’)
• (5) Responds to (4)
• (4) Encodes the page it got from (5).
• (4) Responds with encoded page to (2).
• (3) Processes (4)’s response and finds nothing forbidden in it, and forwards it to (2).
• (2) Decodes (4)’s response, and responds to (1).
• (1) Gets his page and can continue browsing at forbidden locations.
Pros and Cons of Solutions 2 and 3
• Solution 2
– No need to configure the browser for a proxy.
– No need to change links at (4).
– Requires a web server and permission to run CGI scripts.
• Solution 3
– Requires browser configuration to set (2) as proxy.
– No need to change links at all!
– Occupies a port.
[Diagram: Solution 4. Local Network: (1) User | (3) Firewall | Internet: (4) our-site, Mirror, (5) X-site]
Solution 4 - Mirroring
• (1) Inputs (4)’s url at his browser’s location bar.
• (3) Forwards
• (4) Responds by sending HTML form
• (3) Forwards
• (1) Fills form:
– (5)’s url
– links depth
– freshness
Solution 4 - Mirroring (Cont’)
• (1) Submits form.
• (3) Forwards.
• (4) CGI invoked with parameters from the form.
• (4)’s CGI mirrors (5) according to form’s parameters.
• (4) Responds to (1) with HTML with a link to the mirrored index.html of (5).
• (3) Forwards.
Solution 4 - Mirroring (Cont’)
• (1) Gets page from (4).
• (1) Surfs on (5)’s mirror on (4).
• (3) Won’t interfere because it doesn’t check data.
[Diagram: Local Network: (1) User, (2) local-proxy | (3) Firewall | Internet: (4) our-site, (5) X-site. Labels: Filter, Encrypt, Decrypt, "FORBIDDEN!", "Got Page!"]
Solution 5 - Mirroring
• (1) Runs (2)
• (1) Configures browser so (2) is set as proxy
• (1) Inputs (5)’s url at his browser’s location bar with mirror parameters:
– http://x-site?depth=Ndepth?lastModified=Ndays
• (2) Intercepts the request, encodes it and sends it to (4).
• (3) Sees the encoded url, no problem, forwards to (4).
• (4) Decodes the url, parses the parameters (from the end), mirrors (5).
Solution 5 - Mirroring (cont’)
• (4) Creates a tar.Z of the mirror and responds to (2) with it.
• (3) Hopefully, understands nothing of (4)’s response, so forwards it to (2).
• (2) Uncompresses and untars the response, builds an HTML page with a link to the mirror’s index.html, and responds to (1) with this page.
• (1) Uses page to surf mirrored (5).
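
Solution 5 depends on (3) forwarding a response it cannot read. The added Python example here (not project code) contrasts the slides' text-only content check with a filter that unpacks gzip, scans the result and refuses bodies it cannot inspect, such as a .Z stream; the forbidden word, the size cap and the sample bodies are constructed.

```python
import gzip
import zlib

FORBIDDEN_TEXT = (b"forbidden-text",)  # constructed stand-in for the firewall's word list
COMPRESS_MAGIC = b"\x1f\x9d"           # Unix compress (.Z)
GZIP_MAGIC = b"\x1f\x8b"
MAX_INNER = 1 << 20                    # assumed cap on bytes unpacked for inspection

# Constructed response bodies.
CLEAN_PAGE = b"<html><body>quarterly report</body></html>"
BAD_PAGE = b"<html><body>some forbidden-text here</body></html>"
GZ_CLEAN_PAGE = gzip.compress(CLEAN_PAGE)
GZ_BAD_PAGE = gzip.compress(BAD_PAGE)
Z_BODY = COMPRESS_MAGIC + b"\x90" + bytes(range(64))  # header plus filler, not a real archive


def text_only_filter(body):
    """Content check from the slides: scan the bytes as they arrive."""
    hit = any(word in body.lower() for word in FORBIDDEN_TEXT)
    return "FORBIDDEN" if hit else "FORWARD"


def fail_closed_filter(body, depth=0):
    """Unpack what can be unpacked, scan it, refuse what cannot be inspected."""
    if body.startswith(GZIP_MAGIC) and depth < 3:
        unpacker = zlib.decompressobj(31)            # 31 selects the gzip wrapper
        try:
            inner = unpacker.decompress(body, MAX_INNER)
        except zlib.error:
            return "FORBIDDEN"                       # damaged or disguised stream
        if not unpacker.eof:
            return "FORBIDDEN"                       # truncated or larger than the cap
        return fail_closed_filter(inner, depth + 1)
    if body.startswith((COMPRESS_MAGIC, GZIP_MAGIC)):
        return "FORBIDDEN"                           # no .Z decoder here, or nested too deep
    if len(body) >= 262 and body[257:262] == b"ustar":
        return "FORBIDDEN"                           # tar container this filter does not unpack
    return text_only_filter(body)


if __name__ == "__main__":
    for name in ("CLEAN_PAGE", "BAD_PAGE", "GZ_BAD_PAGE", "Z_BODY"):
        body = globals()[name]
        print(name, text_only_filter(body), fail_closed_filter(body))
```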
Pros and Cons of Mirroring
• Pros
– Very fast (!) local browsing
– One request might serve many users
– One request is good for many surfs.
• Cons
– No mirroring for links from other sites
– Requires large amount of disk space
– Long latency
Technology
• Platform
– Unix - UltraSparc30/SunOS Solaris
• Programming Language used:
– Perl 5 (Larry Wall), for writing CGI scripts, upgrading the WebCopy application, writing local proxy and firewall.
• Applications used:
– Jigsaw web server (by w3c, in Java) - specially configured for our purposes.
– Webcopy mirroring utility (by Victor Parada, in Perl) - code altered by us (bug fixes, upgrade).
– FWTK (by TIS)
– Netscape web browser
– Local Proxy, Firewall, CGI scripts (self-made, in Perl and Java).
Next project improvements to Solution 5
Not necessarily in order of importance or ease of implementation
• Prefetching when deepest mirror-link chosen.
• On-Line Prefetching.
• Add-On to popular browser.
Benefits
• Learning Java (+servlets)
• Learning Perl
• Installing and Configuring Jigsaw web-server
• Learning HTML and building a web-site
• Learning CGI programming
• Learning HTTP
• Learning about Firewalls and their behaviour
• Implementing a simple proxy based firewall
• Installing TIS - FWTK
• Working in Unix environment
• Using MS-PowerPoint
Information about the project
Project’s site at: http://www.comnet.technion.ac.il/~cn1w00
Available on the web-site:
• Project Book
• These slides
• Installation package
• Full source code
Reaching us...
• Roni Ohana
– Phone: 04-8203017
• Shlomo Yona
– Phone: 04-8202413