Punching holes into firewalls
or "Why firewalls shouldn't be considered a ultimate weapon for
network security"
or "Secure TCP-into-HTTP tunnelling guide"
Introduction
Firewalls are heavily used to secure private networks (home or
corporate). Usually, they are used to protect the network from:
- intrusions from outsiders
- misuse from insiders
In a TCP/IP environment, the typical corporate firewall
configuration is to block everything (both incoming and
outgoing), and give access to the internet only through a HTTP
proxy. The proxy usually has filtering capabilities (censors URLs
and file types), and access to the proxy often requires credentials
(login/password). This gives greater contol to the network
administrator over what and who is going in and out of the
network.
Still, this should not considered a ultimate weapon, and
network administrators should not rely on the firewalls
only.
Encapsulation is the basis of networking. For example,
HTTP is encapsulated by TCP, TCP is encapsulated by IP, and IP is
often encapsulated in PPP or Ethernet.
Encapsulating protocols in an unsual way is often reffered as
tunnelling.
As soon as you let a single protocol out, tunelling allows to
let anything go through this protocol, and thus through the
firewall.
This paper demonstrates how to encapsulate any TCP-based
protocol (SMTP, POP3, NNTP, telnet...) into HTTP, thus bypassing
the firewall protection/censorship (depending on your point of
view)
A word of warning:
In many countries and
corporate environments, bypassing a firewall is forbidden and
exposes you to sanctions, redundancy, legal proceedings and - in
some countries - death penalty.
You are warned.
Nevertheless, in some countries this kind of firewall/proxy
bypassing is the only way to ensure free speech (such as China or
United Arab Emirates where the government severly censors the
internet and where firewall bypassing is a national sport.)
Now you known what you're doing, let's move on.
The problem
Say you want to fetch your mail from your ISP mail server. You
usually simply connect to port 110 on the POP server of your
ISP.
Trouble: there is a Big Bad firewall which blocks
everything.
Well... it does not exactly block everything: it lets
HTTP out through a proxy.
Let's encapsulate our POP3 connection into HTTP.
The tools
We need:
- A computer on the internet which has unrestricted access
to the internet, such as a home ADSL computer.
- GNU HTTP Tunnel (http://www.nocrew.org/software/httptunnel.html).
It encapsulates TCP into HTTP requests.
- SSH is a secure shell (http://www.openssh.com). It provides
secure (and compressed) channels between two hosts using SSL.
Besides providing a shell (like telnet), it also provides file copy
(scp) and TCP port forwarding (tunnelling). We will use the port
forwarding feature.
Why not use GNU HTTP Tunnel alone ?
In principle, only HTTP Tunnel is necessary. But this is not
desirable:
- the tunnel is public: anyone can use your tunnel. Your could be
held liable for what anybody has done with your tunnel.
- the tunnel is cleartext: anyone can spy on your connection.
Your passwords (SMTP, POP3, telnet...) are transmitted in clear
text.
- the tunnel is not protected: anyone can alter the
datastream.
- you have to run a new instance of the HTTP Tunnel client
and the server for each new tunnel you want to set
up.
This is where ssh come in. ssh provides:
- authentication (only authorised users can use the tunnel)
- privacy (no one can spy on what's going through the
tunnel)
- integrity (no one can tamper data going through the
tunnel)
- easy tunnel set-up (you can create a new tunnel with a single
ssh command on the client side).
These tools are available on Unix/Linux and Windows
environments.
The whole chain
Let's see how this works. Here is the full chain:
Technically speaking, once this chain is
established, connecting to OfficeComputer:800 is identical to
connecting to pop3server:110.
The mail client will not see the difference.
- On the office computer:
- TCP data sent to port 800 is encrypted by ssh, which forwards
data to port 900.
- ssh stream sent to port 900 is chunked in individual HTTP
requests by the HTTP Tunnel client and sent to the home computer
through the proxy.
- On the home computer:
- the HTTP Tunnel server receives HTTP requests, decapsulates and
re-assembles the ssh stream and forwards it to port 22 (to the ssh
server).
- the ssh server decrypts the datastream and forwards it to the
pop3server on port 110.
As TCP is a bi-directionnaly datastream, once
established, the TCP connection can pass data back and forth
through the HTTP proxy.
The administrator of the HTTP proxy cannot see
which protocol is used, which server is contacted (except the
home computer), nor the nature of transmitted data.
Setting up the tunnel
To create the tunnel as in our example above:
On the home computer
(server): |
sshd |
(start the ssh server) |
hts --forward-port
localhost:22 80 |
(start the HTTP Tunnel server) |
On the office
computer (client): |
htc --forward-port 900 --proxy HttpProxy:3128
HomeComputer:80 |
(start the HTTP Tunnel client) |
ssh -L 800:pop3server:113 sshlogin@localhost -p 900 |
(start the ssh client) |
Then read your email with your mail program at
localhost:800 |
|
Notes:
- If your proxy requires authentication, add --proxy-authorization login:password to the
htc command line.
- sshlogin is your ssh login name on the
ssh server on the Home computer.
- You can set up as many additionnal tunnels as you want
with:
ssh -L localport:destinationServer:destinationPort sshlogin@localhost -p 900
(localport is the local port you want to map
to a destination server outside the firewall (destinationServer:destinationPort)).
Drawbacks of this solution:
- it does not work for UDP-based protocols (NFS, chat...).
- it does not work for programs which act as server (most games,
chat, peer-to-peer...)
- HTTP encapsulations and proxy delays can add some latency.
Good point of this solution:
- Setting up the server is easy.
- By using ports above 1024, setting up the client does not
require administratror (root) privileges.
- Multiple users can use the server to create multiple tunnels to
any destination. Each user has its own private tunnels.
- This tunnel can secure communications even if the proxy does
not accept to proxy HTTPS.
- This tunnel does not require the HTTP proxy to accept the
CONNECT command.
- This tunnel can work on proxies which are not capable of - or
forbid - proxying of HTTPS (port 443).
- With Linux Live CDs like Knoppix this can be a great
solution for cybercafés: Live Linux CD ensures there is no
lurking keylogger or troyan, and the tunnel ensures that the
cybercafé owner, a troyaned computer or the government
cannot sniff your passwords, spy on your data or censor websites. I
especially think of China here.
Conlusion
As you can see, setting up such tunnels does not requires
advanced skills, especially with the recent Linux distributions
which come with pre-installed and pre-configured ssh servers.
With a little more skills, it is possible to tunnel just about
everything into everything. For example, it is possible to tunnel
PPP into HTTP, providing a full IP-stack tunnelling, including ICMP
(ping...), DNS and servers (backward tunnels).
Opensource and commercial VPN solutions also come into mind.
See references for programs and papers about firewall bypassing
below.
Security is not only a matter of firewall configuration, it must
be seen at a larger scale. Do not rely on the firewall alone.
Censorship bypassing should not be only considered as a
terrorist or hacker weapon, but also as tools for privacy, free
speech, democraty and human rights protection (Please read papers
written by PGP-author Philip Zimmerman, they are very
instructive).
References
Articles and software about tunnelling and
firewall/proxy/censorship bypassing:
- ProxyTunnel : http://proxytunnel.sourceforge.net
TCP-into-HTTP(S) tunneling program ; requires
the HTTP proxy to accept the CONNECT command.
- SSH Tunnelling howto : http://proxytunnel.sourceforge.net/papers/muppet-200204.html
Instructions for TCP-into-HTTP tunnelling using
SSH and ProxyTunnel.
- Bypassing internet censorship : http://www.zensur.freerk.com
Ways to bypass censorship, using
various technics.
- How to Bypass Most Firewall Restrictions and Access the
Internet Privately : http://www.buzzsurf.com/surfatwork/
Document on firewalls bypassing and
tunnelling.
- Breaking Firewalls with OpenSSH and PuTTY :
http://souptonuts.sourceforge.net/sshtips.htm
Using putty and OpenSSH when the firewall
allows port 22 in.
- The ennemy within: Firewalls and backdoors : http://www.securityfocus.com/infocus/1701
Article about firewalls and
security.
- GNU HTTP Tunnel : http://www.nocrew.org/software/httptunnel.html
Opensource TCP-into-HTTP
tunnelling.
- PlugDaemon : http://www.taronga.com/plugdaemon/
TCP port forwarder with HTTPS proxy
support.
- OpenSSH : http://www.openssh.com
Opensource ssh client and server.
- OpenSSH for Windows: http://sshwindows.sourceforge.net/
Windows version of OpenSSH. (The server
only works under 2000/XP, but a 9x version is planned.)
- OpenVPN : http://openvpn.sourceforge.net/
Excellent, secure and flexible opensource
SSL-based VPN program. Can work over UDP, TCP or even HTTP trough
proxies.
- 1st April RFC 3093: http://ietf.org/rfc/rfc3093.txt
So-called Firewall Enhancement Protocol
(FEP).
- DesProxy : http://desproxy.sourceforge.net
Allows to make direct TCP connections
through HTTP proxy which accept the CONNECT command. Does not
require external server as in our solution
above.
- TransConnect: http://transconnect.sourceforge.net
Uses the CONNECT proxy HTTP command to make
direct connections to the internet.
- CorkScrew: http://www.agroman.net/corkscrew/
Tunnels SSH traffic through HTTP proxies.
- HTTP Bridge: http://httpbridge.sourceforge.net
A CGI-based secure HTTP proxy written in Java.
Requires Tomcat.
- PsiPhon: http://psiphon.civisec.org/
Password-protected HTTP proxy server designed to circumvent
censorship.
- HTTP Proxy Lib: http://httppc.sourceforge.net
A library to add TCP-into-HTTP capability to
your programs.
- STunnel: http://stunnel.mirt.net
Generic TCP-into-SSL wrapper.
- STunnel: http://www.stunnel.org
Generic TCP-into-SSL wrapper.
- SSLProxy: http://www.obdev.at/products/ssl-proxy/
Generic TCP-into-SSL wrapper. No longuer
maintained (Authors recommend STunnel instead).
- TLSWrap : http://tlswrap.sunsite.dk
TLS/SSL wrapper/proxy for FTP.
- HTTP Tunnel : http://www.http-tunnel.com
Commercial encrypted TCP-into-HTTP tunnelling
service. Low-bandwith free service available.
- HTTP Tunnel : http://http-tunnel.sourceforge.net/
Opensource SOCKS proxy capable of tunnelling
traffic through HTTP proxies. Client and server provided. Server
can run standalone (perl) or on a hosted server (php).
- HTTPort : http://www.htthost.com
Commercial TCP-into-HTTP tunnelling service
(encrypted).
- BarracudaDrive : http://barracudaserver.com/examples/BarracudaDrive/index.html
Free TCP-into-HTTPS tunnelling server with HTTP
proxy support (command-line java client), including a web-based
file manager, web-based chat and graphical file transfer java
client.
- Hamachi : http://hamachi.cc/
Free and simplified UDP-based VPN solution
capable of traversing NAT firewalls.
- Your-Freedom : http://www.your-freedom.net/
Free TCP-into-HTTP tunnelling
service. Additional sevices are not free.
- Socks via HTTP : http://lightbox.ath.cx/socks/
A SOCKS proxy which tunnels all traffing into
HTTP requests. Can also tunnel static
ports. Client and server provided.
Written in Java.
- Zebedee : http://www.winton.org.uk/zebedee/
Opensource cross-plateform TCP/UDP-into-SSL
tunnel.
- Socks2HTTP : http://www.totalrc.net
Commercial Socks proxy which tunnels TCP and
UDP into HTTP.
- SSL Explorer :
http://www.sshtools.com/products/enterprise/ssl-explorer/ssl-explorer.jsp
TCP-into-HTTPS tunnelling and more. The clients
only requires a Java-enabled browser.
- Tunnelier : http://www.bitvise.com/tunnelier.html
Commercial (free for personal use) SSH client
for Windows with easy tunnelling features, graphical SFTP client,
FTP-to-SFTP bridge, etc.
- nph-proxy : http://www.jmarshall.com/tools/cgiproxy/
Free CGI-based HTTP proxy, capable of HTTPS
proxying and URL obfuscation. Perl source code
provided.
- For more information, see:
- Tunnelling projects on SourceForge.net: http://sourceforge.net/search/?words=tunnel
This page is located at http://sebsauvage.net/punching
Last update: 2007-07-06