Protocol Tunnelling
A protocol tunnel encapsulates one protocol inside another. Tunnelling is a general
technique which can be used to carry a protocol across a foreign network. It is often
used to join two isolated networks with a private bridge across a public network,
forming a VPN (Virtual Private Network). Most commonly, IP traffic is encrypted and
encapsulated in a TCP stream, which is carried across the public Internet between two
remote sites.
Any protocol can be exploited for tunnelling. The only requirement is that the
protocol is permitted by any firewall that sits between the tunnel end points. Protocols
like SMTP and HTTP generally satisfy this requirement. Others, like ICMP-ECHO
(the “ping” protocol), are also allowed by most configurations.
technique which can be used to carry a protocol across a foreign network. It is often
used to join two isolated networks with a private bridge across a public network,
forming a VPN (Virtual Private Network). Most commonly, IP traffic is encrypted and
encapsulated in a TCP stream, which is carried across the public Internet between two
remote sites.
Any protocol can be exploited for tunnelling. The only requirement is that the
protocol is permitted by any firewall that sits between the tunnel end points. Protocols
like SMTP and HTTP generally satisfy this requirement. Others, like ICMP-ECHO
(the “ping” protocol), are also allowed by most configurations.
Bypassing Firewalls
A protocol tunnel can turn an application layer protocol (such as HTTP, or SMTP) into
a transport layer protocol. This can make it very hard for the firewall to reason about
the traffic passing through it.
One tool designed to exploit this fact is GNU httptunnel, which is available under
GNU Public License. This tool creates a point-to-point HTTP tunnel, but it can be used
in conjunction with other software (such as SSH and Telnet) to provide unrestricted
access through a firewall. Users at sites with restrictive firewall policies can enable
protocols that are blocked by tunnelling them through HTTP.
The obvious problem caused by tools such as this is that the firewall policy no
longer dictates the overall security policy. Although users must take a conscious decision
to invoke applications like htc and hts1, it is ultimately the users who can decide
which particular protocols will cross the firewall.
A protocol tunnel can turn an application layer protocol (such as HTTP, or SMTP) into
a transport layer protocol. This can make it very hard for the firewall to reason about
the traffic passing through it.
One tool designed to exploit this fact is GNU httptunnel, which is available under
GNU Public License. This tool creates a point-to-point HTTP tunnel, but it can be used
in conjunction with other software (such as SSH and Telnet) to provide unrestricted
access through a firewall. Users at sites with restrictive firewall policies can enable
protocols that are blocked by tunnelling them through HTTP.
The obvious problem caused by tools such as this is that the firewall policy no
longer dictates the overall security policy. Although users must take a conscious decision
to invoke applications like htc and hts1, it is ultimately the users who can decide
which particular protocols will cross the firewall.
Simple Tunnel
Far more nefarious scenarios are possible, such as one demonstrated recently at BT
Laboratories. The Simple Tunnel2 is another general purpose tunnel developed independently
to GNU httptunnel, but at about the same time. It was built as part of a
demonstrator, designed to highlight the threat that tunnelling poses to network security
Laboratories. The Simple Tunnel2 is another general purpose tunnel developed independently
to GNU httptunnel, but at about the same time. It was built as part of a
demonstrator, designed to highlight the threat that tunnelling poses to network security
Like GNU httptunnel, the Simple Tunnel also uses HTTP as a transport, although it
could easily be extended to almost any client-server protocol. However, it is packaged
as a library and not as an application—it is designed to be built in to other applications.
This library, called libtunnel, provides a channel for passing arbitrary messages
between the tunnel endpoints. This messaging system can be used in higher level libraries
and applications, for communicating with a remote host.
The operation of the Simple Tunnel is illustrated in fig. 1. The client and server
queue messages at each end of the tunnel. The client makes periodic connections to
the server. These connections are HTTP-like, in that the exchange follows the basic
protocol of [7]. The algorithm used by the client is as follows;
could easily be extended to almost any client-server protocol. However, it is packaged
as a library and not as an application—it is designed to be built in to other applications.
This library, called libtunnel, provides a channel for passing arbitrary messages
between the tunnel endpoints. This messaging system can be used in higher level libraries
and applications, for communicating with a remote host.
The operation of the Simple Tunnel is illustrated in fig. 1. The client and server
queue messages at each end of the tunnel. The client makes periodic connections to
the server. These connections are HTTP-like, in that the exchange follows the basic
protocol of [7]. The algorithm used by the client is as follows;
1. If the client has messages to send, it makes an HTTP POST request to the server.
The messages are encoded and sent in the body of the request3. Otherwise,
2. if the client has no messages to send, it makes an HTTP GET request to the
server.
3. If the server has any messages to send, they are encoded and returned in the body
of the response
The messages are encoded and sent in the body of the request3. Otherwise,
2. if the client has no messages to send, it makes an HTTP GET request to the
server.
3. If the server has any messages to send, they are encoded and returned in the body
of the response
Myblog's Blog 