Punching holes into firewalls

or "Why firewalls shouldn't be considered a ultimate weapon for network security"
or "Secure TCP-into-HTTP tunnelling guide"

This document is located at http://sebsauvage.net/punching/index.html
This document explains how to securely tunnel any TCP-based protocol (SMTP, POP3, telnet...) in simple HTTP requests.

It is heavily inspired from http://proxytunnel.sourceforge.net/paper.php, although it does not use the same tools and does not cover outside to inside data flows (backward tunnels).

 

Introduction

Firewalls are heavily used to secure private networks (home or corporate). Usually, they are used to protect the network from:

In a TCP/IP environment, the typical corporate firewall configuration is to block everything (both incoming and outgoing), and give access to the internet only through a HTTP proxy. The proxy usually has filtering capabilities (censors URLs and file types), and access to the proxy often requires credentials (login/password). This gives greater contol to the network administrator over what and who is going in and out of the network.

Still, this should not considered a ultimate weapon, and network administrators should not rely on the firewalls only.

Encapsulation is the basis of networking. For example, HTTP is encapsulated by TCP, TCP is encapsulated by IP, and IP is often encapsulated in PPP or Ethernet.
Encapsulating protocols in an unsual way is often reffered as tunnelling.

As soon as you let a single protocol out, tunelling allows to let anything go through this protocol, and thus through the firewall.

 

This paper demonstrates how to encapsulate any TCP-based protocol (SMTP, POP3, NNTP, telnet...) into HTTP, thus bypassing the firewall protection/censorship (depending on your point of view)

A word of warning:

In many countries and corporate environments, bypassing a firewall is forbidden and exposes you to sanctions, redundancy, legal proceedings and - in some countries - death penalty.
You are warned.

Nevertheless, in some countries this kind of firewall/proxy bypassing is the only way to ensure free speech (such as China or United Arab Emirates where the government severly censors the internet and where firewall bypassing is a national sport.)

Now you known what you're doing, let's move on.


The problem

Say you want to fetch your mail from your ISP mail server. You usually simply connect to port 110 on the POP server of your ISP.

Figure 1 : Using POP3 to fetch mail

 

Trouble: there is a Big Bad firewall which blocks everything.

Figure 2 : The firewall blocks POP3

Well... it does not exactly block everything: it lets HTTP out through a proxy.
Let's encapsulate our POP3 connection into HTTP.


The tools

We need:

 

Why not use GNU HTTP Tunnel alone ?

In principle, only HTTP Tunnel is necessary. But this is not desirable:

This is where ssh come in. ssh provides:

These tools are available on Unix/Linux and Windows environments.

 

The whole chain

Let's see how this works. Here is the full chain:

Figure 3 : The whole chain

 

Technically speaking, once this chain is established, connecting to OfficeComputer:800 is identical to connecting to pop3server:110.
The mail client will not see the difference.

As TCP is a bi-directionnaly datastream, once established, the TCP connection can pass data back and forth through the HTTP proxy.

The administrator of the HTTP proxy cannot see which protocol is used, which server is contacted (except the home computer), nor the nature of transmitted data.

 

Setting up the tunnel

To create the tunnel as in our example above:

On the home computer (server):
sshd (start the ssh server)
hts --forward-port localhost:22 80 (start the HTTP Tunnel server)
On the office computer (client):
htc --forward-port 900 --proxy HttpProxy:3128 HomeComputer:80 (start the HTTP Tunnel client)
ssh -L 800:pop3server:113 sshlogin@localhost -p 900 (start the ssh client)
Then read your email with your mail program at localhost:800  

Notes:

Drawbacks of this solution:

Good point of this solution:


Conlusion

As you can see, setting up such tunnels does not requires advanced skills, especially with the recent Linux distributions which come with pre-installed and pre-configured ssh servers.

With a little more skills, it is possible to tunnel just about everything into everything. For example, it is possible to tunnel PPP into HTTP, providing a full IP-stack tunnelling, including ICMP (ping...), DNS and servers (backward tunnels).
Opensource and commercial VPN solutions also come into mind.
See references for programs and papers about firewall bypassing below.

Security is not only a matter of firewall configuration, it must be seen at a larger scale. Do not rely on the firewall alone.

Censorship bypassing should not be only considered as a terrorist or hacker weapon, but also as tools for privacy, free speech, democraty and human rights protection (Please read papers written by PGP-author Philip Zimmerman, they are very instructive).


References

Articles and software about tunnelling and firewall/proxy/censorship bypassing:


This page is located at http://sebsauvage.net/punching
Last update: 2007-07-06