How tunneling software compromises internal security

First off, let me explain what tunneling really is. To keep it simple I won't go into technical details, so think of it this way: you take a packet of Lays chips and put something inside it that you are usually not allowed to send, seal it back up, and send it through the mail. The mail checkpoint sees that it is a Lays chips packet and forwards it, and when it reaches your friend, he just unwraps it and gets the otherwise forbidden object.

Now a little technical stuff. What local tunneling software usually uses is HTTPS tunneling: HTTPS is the Lays chips packet, and the data you actually want to tunnel is carried inside the HTTPS-wrapped packet.

Usually the network is designed so that a proxy server sits in front of the gateway firewall. In the firewall policy table the proxy has more rights than a normal employee: it is allowed to access the Internet with full rights and reach any remote port, whereas a normal employee has to go through the proxy to access the Internet, and there are further checks on him/her at the proxy. For example:

A) Employee ---(direct external network access not allowed)---> X [Firewall] X

B) Employee ---> [Proxy] ---> [Firewall] ===> (Allowed)

In case (B) the proxy has checks on orkut.com, youtube.com, etc., so the employee can't access these websites, and MSN Messenger / Yahoo Messenger are blocked by the firewall.

That was the scenario. Now I will tell you how it can be bypassed easily:

You download a piece of software, for instance Hopster. It has a live server that it connects to over HTTPS, on port 443, and you can even give it the IP address of the proxy you are using. It is that simple: the software tells the proxy that it wants to connect to port 443 of the live server, the innocent proxy server forwards the request to that server through the firewall, and once connected, one can send any data out just by feeding it to Hopster.

Software like MSN Messenger and Yahoo Messenger asks you for a local proxy address; you just give your local host's IP address (or 127.0.0.1) and the tunneling software's port number, and you are good to go.

Solution:

The network administrator should install such software himself to find out which remote servers it connects to, and block those IPs on the proxy and at the firewall end. Usually there is one server with a single live IP address, so once it is blocked the software cannot connect.
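To complement the blocklist, the proxy's own access log can reveal the bypass described above: a tunnel through the proxy shows up as a CONNECT session to port 443 that stays open far longer, or moves far more data, than a normal browser session, often to a bare IP rather than a hostname. The following is an added example, not part of the original post; it assumes a Squid-style access.log layout and uses constructed sample lines and an assumed blocklist IP (192.0.2.44):

```python
# Constructed sample lines in a Squid-style access.log layout (assumed format):
# timestamp elapsed_ms client code/status bytes method host:port user hier/peer type
SAMPLE_LOG = """\
1200000000.101 250 10.0.0.12 TCP_TUNNEL/200 18231 CONNECT mail.example.com:443 alice HIER_DIRECT/203.0.113.10 -
1200000000.201 3600123 10.0.0.15 TCP_TUNNEL/200 58312000 CONNECT 198.51.100.7:443 bob HIER_DIRECT/198.51.100.7 -
1200000000.301 120 10.0.0.12 TCP_MISS/200 4120 GET http://intranet.example.com/ alice HIER_DIRECT/10.1.1.1 text/html
1200000000.401 7200000 10.0.0.20 TCP_TUNNEL/200 120000000 CONNECT tunnel-host.example.net:443 carol HIER_DIRECT/192.0.2.44 -
"""

FIELDS = ("ts", "ms", "client", "code", "bytes", "method", "url", "user", "peer", "type")


def parse_line(line):
    """Split one access-log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ms"] = int(rec["ms"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def flag_tunnels(log_text, blocked_ips=frozenset(), max_ms=30 * 60 * 1000, max_bytes=50_000_000):
    """Return (client, user, host, port, reasons) for each CONNECT session that looks like a tunnel."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "CONNECT":
            continue  # only CONNECT sessions can carry a port-443 tunnel through the proxy
        host, _, port = rec["url"].rpartition(":")
        peer_ip = rec["peer"].split("/")[-1]
        reasons = []
        if peer_ip in blocked_ips:
            reasons.append("known tunnel server")  # IP learned by running the tool, as advised above
        if host.replace(".", "").isdigit():  # crude IPv4-literal check
            reasons.append("CONNECT to bare IP")  # browsers normally CONNECT to a hostname
        if rec["ms"] > max_ms:
            reasons.append("long-lived session")  # a messenger tunnel stays open for hours
        if rec["bytes"] > max_bytes:
            reasons.append("high volume")
        if reasons:
            findings.append((rec["client"], rec["user"], host, port, reasons))
    return findings
```

Feed the real access.log to flag_tunnels with the IPs gathered from the blocklist exercise; the thresholds are starting points and should be tuned to the site's normal HTTPS traffic.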
