Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stealth project - פרוייקט החמקן Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute.

Published byMyrtle Hensley Modified over 8 years ago

Similar presentations

Presentation on theme: "Stealth project - פרוייקט החמקן Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute."— Presentation transcript:

1

2 Stealth project - פרוייקט החמקן Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute of Technology

3 Project Goal Enable a monitored company user surf to forbidden sites located outside company’s network.

4 Description A legal site will relay information between the user and the forbidden site.

5 Local Network Internet Firewall X-site User Filter FORBIDDEN! Legal-site

6 Consider the following situation User is able to surf to a legal site. User is blocked by a firewall while trying to access an illegal site.

7 Some more details User sends http request for a page at the forbidden site (X-site) and waits until response returns. Firewall intercepts request and checks for forbidden url in the request. If forbidden url found: User gets some error notification. And the request is no longer being processed. Else, FW forwards the request to the x-site and wait until response returns. Upon receiving the request, X-site responses by returning the requested page. FW may check for forbidden text in the response. If forbidden text found - send FORBIDDEN to the user. Else, return the page to the user.

8 The Internet Internal Network Proxy Firewall Perimeter Network Interior router Exterior router X-site router Bastion Host Proxy TCP Open TCP socket Accept Open TCP socket Accept TCP Accept Open TCP socket

9 Proxy based firewall On http level, a TCP connection will open from client to the proxy-Firewall and another TCP connection will open from the proxy-Firewall to the destination (either direct, or using another proxy). When N proxies are involved there will be N+2-1 TCP connections (counting source and destination too)

10 The Internet Internal Network Screening Router Firewall Perimeter Network Interior router Exterior router X-site router Bastion Host Proxy TCP Open TCP socket Accept Open TCP socket Accept TCP

11 Router based Firewall The firewall will implement the filter() method of the router. A packet arriving to a router will first be filtered by filter(). If the firewall finds forbidden text, filter() drops the packet, otherwise, the router keeps processing the packet.

12 How does the FW interfere? URL The url requested by the user is in the http request. once the firewall sees that it’s a forbidden url - the page is denied. DATA Data which returns from the x-site, if contains forbidden text, might cause denial of page.

13 What can we do about this? Use a mediator A legal 3rd party to: –Request the page of the forbidden site. –Encode our text so it won’t bother the FW.

14 Local Network Internet (3) Firewall (5) X-site (1) User (4) our-site (2) Local Agent The Players

15 (1) User, who’s platform is on company’s network. (2) Local agent running on a platform on the company’s network (possibly the user’s local host) (3) Firewall on the proxy or router in-out gateway to/from the internet. (4) Our-site, a remote proxy, located outside the company’s network. (5) X-site, web-site located outside the company’s network which has a forbidden url.

16 Local Network Internet (3) Firewall (5) X-site (1) User (4) our-site (2) Local Agent The Players

17

18 Local Network Internet (3) Firewall (5) X-site (1) User Filter FORBIDDEN! (4) our-site Got Page! Filter

19 Solution 1 (1) Opens browser (1) Inputs location of (4). (4)’s url is legal, so (3) forwards the request to (4). (4) returns a form to (1). (3) is not looking at the data, so it forwards the form to (1). (1) inputs the url and submits the form. (3) is looking only at destination host (which is legal, in this case), so the submission also is being forwarded to (4). A server in (4) processes the form and requests a page from (5). Firewall only checks outgoing URLs

20 Solution 1 (cont’) (5) responds to (4) with the desired page. (4) changes the links in the page so requesting them will invoke the same procedure automatically. –Before: http://www.x-site.com –After: http://our-site/cgiScript?site=http://www.x- site.com (4) sends the altered page to (1) (3) intercepts the page, and forwards it to ( 1). (1) gets the desired page. If (1) presses a link, the whole procedure occurs automatically, since the link points to (4) (giving the real url as a parameter). Firewall only checks outgoing URLs

21 Local Network Internet (3) Firewall (5) X-site (1) User Filter FORBIDDEN! (4) our-site Got Page! Filter

22 Local Network Internet (3) Firewall (5) X-site (1) User (4) our-site (2) Local-Site Solution 2 Firewall also checks Response Content

23 (2) is a web page with an HTML form to input a url for a CGI script operating as a local proxy. Solution 2 (1) Opens browser. (1) Inputs location of (2). Makes http request. (2) responds to (1) by sending an HTML form. (1) inputs (5)’s url in the form and submits. (1)’s submission invokes a CGI script at (2). (2) encodes the url field submitted by (1). (2) sends the encoded request to (4). –GET http://out-site/cgiScript?site=encodedXSite (3) intercepts the http request, sees nothing forbidden and forwards the request. (4) get the request and decodes it. Makes a request to (5). Firewall also checks Response Content

24 Solution 2 (cont’) (5) responds to (4) (4) encodes the page it got from (5). (4) responds with encoded page to (2). (3) processes (4)’s response and finds nothing forbidden in it, and forwards it to (2). (2) decodes (4)’s response. (2) changes links in the page so choosing a link will operate solution-2 again automatically. (2) responds to (1). (1) get his page, can continue browsing at forbidden locations. Firewall also checks Response Content

25 Local Network Internet (3) Firewall (5) X-site (1) User (4) our-site (2) Local-Proxy Solution 3

26 (1) Runs (2). (1) Opens browser. (1) Configures the browser so that (2) is set as proxy. (1) Inputs location of the (5). Makes http request. –GET http://x-site HTTP/1.0 (2) Captures the request, since (2) is (1)’s proxy. (2) Encodes the url field in (1)’s http request. (2) Sends the encoded request to (4). –GET http://out-site/cgiScript?site=encodedXSite (3) Intercepts the http request, sees nothing forbidden and forwards the request. (4) Get the request and decodes it. Makes a request to (5). (2) is a http proxy which runs inside the company’s network.

27 Solution 3 (cont’) (5) Responds to (4) (4) Encodes the page it got from (5). (4) Responds with encoded page to (2). (3) Processes (4)’s response and finds nothing forbidden in it, and forwards it to (2). (2) Decodes (4)’s response, and responds to (1). (1) Get his page, can continue browsing at forbidden locations.

28 Pros and Cons of Solutions 2 and 3 Solution 2 –No need to configure the Browser for a proxy. –No need to change links at (4) –Requires a web server and permission to run cgi scripts Solution 3 –Requires browser configuration to set (2) as proxy. –No need to change links at all! –Occupies a port.

29 Local Network Internet (3) Firewall (5) X-site (1) User (4) our-site Solution 4 Mirror

30 Solution 4 - Mirroring (1) Inputs (4)’s url at his browser’s location bar. (3) Forwards (4) Responds by sending HTML form (3) Forwards (1) Fills form: –(5)’s url –links depth –freshness

31 Solution 4 - Mirroring (Cont’) (1) Submits form. (3) Forwards. (4) CGI invoked with parameters from the form. (4)’s CGI mirrors (5) according to form’s parameters. (4) Responds to (1) with HTML with a link to the mirrored index.html of (5). (3) Forwards.

32 Solution 4 - Mirroring (Cont’) (1) Gets page from (4). (1) Surfs on (5)’s mirror on (4). (3) Won’t interfere because it doesn’t check data.

33

34 Local Network Internet (3) Firewall (5) X-site (1) User Filter (4) our-site Got Page! Filter (2) local-proxy Encrypt Decrypt Encrypt FORBIDDEN!

35 Solution 5 - Mirroring (1) Runs (2) (1) Configures browser so (2) is set as proxy (1) Inputs (5)’s url at his browser’s location bar with mirror parameters: –http://x-site?depth=Ndepth?lastModified=Ndays (2) Intercepts request encodes it and requests to (4). (3) Sees encoded url, no-problem, forwards to (4). (4) Decodes url, parses parameters (from the end), mirror (5).

36 Solution 5 - Mirroring (cont’) (4) tar.Z - responds to (2). (3) Hopefully, understands nothing of (4) response so forwards to (2). (2) Uncompress, untar, builds html page with link to mirror’s index.html. Responses this page to (1). (1) Uses page to surf mirrored (5).

37 Pros and Cons of Mirroring Pros –Very Fast (!) local browsing –One requests might serve many users –One request is good for many surfs. Cons –No mirroring for links from other sites –requires large amount of disk space –Long latency

38 Technology Platform –Unix - UltraSparc30/SunOS Solaris

39 Technology Programming Language used: –Perl 5 (Larry Wall) for writing CGI scripts, upgrading the WebCopy application, writing local proxy and firewall.

40 Technology Applications used: –Jigsaw web server (by w3c, in Java) - specially configured for our purposes. –Webcopy mirroring utility (by Victor Parada, in Perl) - Altered code by us (bug fixes, upgrade). –FWTK (by TIS) –Netscape web browser –Local Proxy, Firewall, CGI scripts (Self made, in Perl and Java).

41 Next project improvements to Solution 5 Not necessarily in order of importance or ease of implementation Prefetching when deepest mirror-link chosen. On-Line Prefetching. Add-On to popular browser.

42 Benefits Learning Java (+servlets) Learning Perl Installing and Configuring Jigsaw web-server Learning HTML and building a web-site Learning CGI programming Learning HTTP Learning about Firewalls and their behaviour Implementing a simple proxy based firewall Installing TIS - FWTK Working in Unix environment Using MS-PowerPoint

43 Bibliography Building Internet Firewalls. D. Brent Chapman and Elizabeth D. Zwicky. O’Reilly Associates, Inc. Firewalls and Internet Security. Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley Professional Computing Series. Http specification: RFC2616 Jigsaw web server:www.w3.org/jigsaw HTML:www.w3.org/markup terms:www.whatis.com Perl:man perl TIS:www.tis.com Java:www.java.sun.com Unix:man pages Internet Firewalls FAQ: http://www.interhack.net/pubs/fwfaq/ Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture by Douglas E. Comer

44 Information about the project Project’s site at: http://www.comnet.technion.ac.il/~cn1w00 Available on the web-site: Project Book These slides Installation package Full source code

45 Reaching us... Roni Ohana –Phone: 04-8203017 –Email: ronio@lion.technion.ac.il Shlomo Yona –Phone: 04-8202413 –Email: shlomo@lion.technion.ac.il

46

Download ppt "Stealth project - פרוייקט החמקן Roni Ohana Shlomo Yona Instructor: Youval Nachum Comnet Lab - Electrical Engineering Faculty Technion - Israel Institute."

Similar presentations

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Chapter 11 Firewalls.

Chapter 11 Firewalls.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao

EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.

Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.

Similar presentations

Ads by Google