1 / 45

Stealth project - פרוייקט החמקן

Stealth project - פרוייקט החמקן. Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute of Technology. Project Goal. Enable a monitored company user surf to forbidden sites located outside company’s network.

shada
Download Presentation

Stealth project - פרוייקט החמקן

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stealth project - פרוייקט החמקן Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute of Technology

  2. Project Goal Enable a monitored company user surf to forbidden sites located outside company’s network.

  3. Description A legal site will relay information between the user and the forbidden site.

  4. Local Network Internet Firewall User X-site Filter FORBIDDEN! Legal-site

  5. Consider the following situation • User is able to surf to a legal site. • User is blocked by a firewall while trying to access an illegal site.

  6. Some more details • Firewall intercepts request and checks for forbidden url in the request. • User sends http request for a page at the forbidden site (X-site) and waits until response returns. • If forbidden url found: User gets some error notification. And the request is no longer being processed. • Else, FW forwards the request to the x-site and wait until response returns. • Upon receiving the request, X-site responses by returning the requested page. • FW may check for forbidden text in the response. • If forbidden text found - send FORBIDDEN to the user. • Else, return the page to the user.

  7. The Internet X-site router router router router router router router router router Proxy Firewall Exterior router Bastion Host Perimeter Network Interior router Internal Network TCP Open TCP socket Proxy Accept TCP Accept Open TCP socket TCP Accept Open TCP socket

  8. Proxy based firewall • On http level, a TCP connection will open from client to the proxy-Firewall and another TCP connection will open from the proxy-Firewall to the destination (either direct, or using another proxy). • When N proxies are involved there will be N+2-1 TCP connections (counting source and destination too)

  9. The Internet Proxy X-site router router router router router router router router router Screening Router Firewall Exterior router Bastion Host Perimeter Network Interior router Internal Network TCP Open TCP socket Accept TCP Accept Open TCP socket

  10. Router based Firewall • The firewall will implement the filter() method of the router. • A packet arriving to a router will first be filtered by filter(). • If the firewall finds forbidden text, filter() drops the packet, otherwise, the router keeps processing the packet.

  11. How does the FW interfere? URL • The url requested by the user is in the http request. • once the firewall sees that it’s a forbidden url - the page is denied. DATA • Data which returns from the x-site, if contains forbidden text, might cause denial of page.

  12. What can we do about this? • Use a mediator A legal 3rd party to: • Request the page of the forbidden site. • Encode our text so it won’t bother the FW.

  13. The Players Local Network Internet (3) Firewall (1) User (5) X-site (2) Local Agent (4) our-site

  14. The Players • (1) User, who’s platform is on company’s network. • (2) Local agent running on a platform on the company’s network (possibly the user’s local host) • (3) Firewall on the proxy or router in-out gateway to/from the internet. • (4) Our-site, a remote proxy, located outside the company’s network. • (5) X-site, web-site located outside the company’s network which has a forbidden url.

  15. The Players Local Network Internet (3) Firewall (1) User (5) X-site (2) Local Agent (4) our-site

  16. Solutions!

  17. Got Page! Local Network Internet (3) Firewall (1) User (5) X-site Filter Filter Filter FORBIDDEN! (4) our-site

  18. Solution 1 Firewall only checks outgoing URLs • (1) Opens browser • (1) Inputs location of (4). • (4)’s url is legal, so (3) forwards the request to (4). • (4) returns a form to (1). • (3) is not looking at the data, so it forwards the form to (1). • (1) inputs the url and submits the form. • (3) is looking only at destination host (which is legal, in this case), so the submission also is being forwarded to (4). • A server in (4) processes the form and requests a page from (5).

  19. Solution 1 (cont’) Firewall only checks outgoing URLs • (5) responds to (4) with the desired page. • (4) changes the links in the page so requesting them will invoke the same procedure automatically. • Before: http://www.x-site.com • After: http://our-site/cgiScript?site=http://www.x-site.com • (4) sends the altered page to (1) • (3) intercepts the page, and forwards it to ( 1). • (1) gets the desired page. • If (1) presses a link, the whole procedure occurs automatically, since the link points to (4) (giving the real url as a parameter).

  20. Got Page! Local Network Internet (3) Firewall (1) User (5) X-site Filter Filter Filter FORBIDDEN! (4) our-site

  21. Solution 2 Firewall also checks Response Content (3) Firewall Local Network Internet (1) User (5) X-site (2) Local-Site (4) our-site

  22. Firewall also checks Response Content Solution 2 (2) is a web page with an HTML form to input a url for a CGI script operating as a local proxy. • (1) Opens browser. • (1) Inputs location of (2). Makes http request. • (2) responds to (1) by sending an HTML form. • (1) inputs (5)’s url in the form and submits. • (1)’s submission invokes a CGI script at (2). • (2) encodes the url field submitted by (1). • (2) sends the encoded request to (4). • GET http://out-site/cgiScript?site=encodedXSite • (3) intercepts the http request, sees nothing forbidden and forwards the request. • (4) get the request and decodes it. Makes a request to (5).

  23. Firewall also checks Response Content Solution 2 (cont’) • (5) responds to (4) • (4) encodes the page it got from (5). • (4) responds with encoded page to (2). • (3) processes (4)’s response and finds nothing forbidden in it, and forwards it to (2). • (2) decodes (4)’s response. • (2) changes links in the page so choosing a link will operate solution-2 again automatically. • (2) responds to (1). • (1) get his page, can continue browsing at forbidden locations.

  24. Solution 3 (3) Firewall Local Network Internet (1) User (5) X-site (2) Local-Proxy (4) our-site

  25. Solution 3 (2) is a http proxy which runs inside the company’s network. • (1) Runs (2). • (1) Opens browser. • (1) Configures the browser so that (2) is set as proxy. • (1) Inputs location of the (5). Makes http request. • GET http://x-site HTTP/1.0 • (2) Captures the request, since (2) is (1)’s proxy. • (2) Encodes the url field in (1)’s http request. • (2) Sends the encoded request to (4). • GET http://out-site/cgiScript?site=encodedXSite • (3) Intercepts the http request, sees nothing forbidden and forwards the request. • (4) Get the request and decodes it. Makes a request to (5).

  26. Solution 3 (cont’) • (5) Responds to (4) • (4) Encodes the page it got from (5). • (4) Responds with encoded page to (2). • (3) Processes (4)’s response and finds nothing forbidden in it, and forwards it to (2). • (2) Decodes (4)’s response, and responds to (1). • (1) Get his page, can continue browsing at forbidden locations.

  27. Solution 2 No need to configure the Browser for a proxy. No need to change links at (4) Requires a web server and permission to run cgi scripts Solution 3 Requires browser configuration to set (2) as proxy. No need to change links at all! Occupies a port. Pros and Cons of Solutions 2 and 3

  28. Solution 4 Local Network (3) Firewall Internet (1) User (5) X-site (4) our-site Mirror

  29. Solution 4 - Mirroring • (1) Inputs (4)’s url at his browser’s location bar. • (3) Forwards • (4) Responds by sending HTML form • (3) Forwards • (1) Fills form: • (5)’s url • links depth • freshness

  30. Solution 4 - Mirroring (Cont’) • (1) Submits form. • (3) Forwards. • (4) CGI invoked with parameters from the form. • (4)’s CGI mirrors (5) according to form’s parameters. • (4) Responds to (1) with HTML with a link to the mirrored index.html of (5). • (3) Forwards.

  31. Solution 4 - Mirroring (Cont’) • (1) Gets page from (4). • (1) Surfs on (5)’s mirror on (4). • (3) Won’t interfere because it doesn’t check data.

  32. And now... Solution 5

  33. Got Page! Local Network Internet (3) Firewall (1) User (5) X-site Filter FORBIDDEN! (2) local-proxy (4) our-site Filter Filter Decrypt Encrypt Encrypt Decrypt

  34. Solution 5 - Mirroring • (1) Runs (2) • (1) Configures browser so (2) is set as proxy • (1) Inputs (5)’s url at his browser’s location bar with mirror parameters: • http://x-site?depth=Ndepth?lastModified=Ndays • (2) Intercepts request encodes it and requests to (4). • (3) Sees encoded url, no-problem, forwards to (4). • (4) Decodes url, parses parameters (from the end), mirror (5).

  35. Solution 5 - Mirroring (cont’) • (4) tar.Z - responds to (2). • (3) Hopefully, understands nothing of (4) response so forwards to (2). • (2) Uncompress, untar, builds html page with link to mirror’s index.html. Responses this page to (1). • (1) Uses page to surf mirrored (5).

  36. Pros Very Fast (!) local browsing One requests might serve many users One request is good for manysurfs. Cons No mirroring for links from other sites requires large amount of disk space Long latency Pros and Cons of Mirroring

  37. Technology • Platform • Unix - UltraSparc30/SunOS Solaris

  38. Technology • Programming Language used: • Perl 5 (Larry Wall) • for writing CGI scripts, upgrading the WebCopy application, writing local proxy and firewall.

  39. Technology • Applications used: • Jigsaw web server (by w3c, in Java) - specially configured for our purposes. • Webcopy mirroring utility (by Victor Parada, in Perl) - Altered code by us (bug fixes, upgrade). • FWTK (by TIS) • Netscape web browser • Local Proxy, Firewall, CGI scripts (Self made, in Perl and Java).

  40. Next project improvements to Solution 5Not necessarily in order of importance or ease of implementation • Prefetching when deepest mirror-link chosen. • On-Line Prefetching. • Add-On to popular browser.

  41. Benefits • Learning Java (+servlets) • Learning Perl • Installing and Configuring Jigsaw web-server • Learning HTML and building a web-site • Learning CGI programming • Learning HTTP • Learning about Firewalls and their behaviour • Implementing a simple proxy based firewall • Installing TIS - FWTK • Working in Unix environment • Using MS-PowerPoint

  42. Bibliography • Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. O’Reilly Associates, Inc. • Firewalls and Internet Security. Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley Professional Computing Series. • Http specification: RFC2616 • Jigsaw web server: www.w3.org/jigsaw • HTML: www.w3.org/markup • terms: www.whatis.com • Perl: man perl • TIS: www.tis.com • Java: www.java.sun.com • Unix: man pages • Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/ • Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture by Douglas E. Comer

  43. Information about the project Project’s site at: http://www.comnet.technion.ac.il/~cn1w00 Available on the web-site: • Project Book • These slides • Installation package • Full source code

  44. Reaching us... • Roni Ohana • Phone: 04-8203017 • Email: ronio@lion.technion.ac.il • Shlomo Yona • Phone: 04-8202413 • Email: shlomo@lion.technion.ac.il

More Related