What is tunneling? Tunneling is essentially creating a virtual data path between two computers using their protocol. The example given is you can use the HTTP protocol between two machines to do telnet. There's a bunch of available tunneling software, but the most popular one right now is GNU httptunnel. It's really generic and it's really quite nice. It's been developed by some groups, some guys at nocrew. There's also a variety of home-grown solutions that do roughly the same thing that httptunnel does. They aren't as well designed and don't handle proxies nearly as well. This is an example network. We've just got the firewall only allowing outgoing connections on port 80 for regular HTTP. All other access is blocked. An example being 23 for telnet is blocked, 21, all the standard ports. That's the only way you can get out. Let me flip over to this. Type telnet space home and: unable to connect to remote host, connection refused. This machine is home, by the way, for this. The Mac is the other one. Let me start with the hts tunnel server on home. Now we've established half of a connection, well actually a third of the way it's set up right now. Now we run the client side on the other machine. Now we have a virtual data path between two machines. Now I'll just do telnet to this machine on port 2323 because that's what I've set it up with the -F option. It's connected to the other remote machine now. You can get by pretty much any standard blocking procedure because a lot of people with their firewalls will allow anything out on port 80, because that's what you use for HTTP access, for just regular web browsing, stuff like that. You can use this to run anything you want to, pretty much. You can run X over it, SSH, anything. I would never run telnet over it in a real world situation because that's just stupid. Let me go back to the thing now. That's actually a bug with rock. It tends to, it does three, two, one every time you type a character.
But it makes the live demo more impressive at least. So how does HTTP tunneling work? Well, we've started both hts and htc on the respective machines. We've sent the command, and what it does is it encapsulates that into an HTTP packet, sends it via htc over to the other machine, and hts receives that, tears apart the HTTP packet and then sends the command locally. And then it also passes the data back, of course. The basic protocol is formatted in a really simple, it's a very simple protocol they've laid out. This protocol has to pass through a variety of proxies, along the lines of squid, pretty much anything. If you can get access out any way, you can use this to do port forwarding and other types of options. The protocol has seven different requests. Five requests send additional data and two just send a command to the other side. The two types of requests are: the request with the 0x40 bit set consists of one byte with just the command in it, along the lines of open, close, disconnect; and the request with the 0x40 bit clear has a two-byte length field along with a variable data field. I'll show you in a second. There are seven different requests: tunnel open, tunnel data, tunnel padding, tunnel error, tunnel pad one, tunnel close and tunnel disconnect. Tunnel open is just the first request. You send that from the client to the server and it creates a virtual data path. Data is just whatever command you want to encapsulate into an HTTP request. The example being, when it's converted, like the telnet command, it puts that into an HTTP header that's compliant with the standard. The padding is used if you're going through a proxy like squid, because with squid usually you set it to 32K, and it will fill up the rest of that data so it will actually send that command now, so it's not just held in the proxy. And it will also use that on the way back so you can get the command right away.
Tunnel error is in case you have a rare example where you have an error in this connection. Right now this is not a really robust protocol because you're running another protocol on top of HTTP and taking advantage of GET and PUT, and that can occasionally have problems if you're going between incompatible versions of stuff. Tunnel pad one just exists if you have a buffer size set greater than 32K. I mean, very rarely do you do that with a proxy, but if you have a really slow link connection you will. But it will also beat the crap out of the system because it sends a bunch of one-byte packets and every one of those has to be encoded. Tunnel close closes the tunnel. Pretty much straightforward. Tunnel disconnect is used to temporarily disconnect the connection. So, very simple protocol. That's one of the reasons why it works so well: because they've designed it pretty robustly and it works on a variety of systems. We've used it a few times and I'll say where you use it in a little bit here. Actually, right now. Why tunnel? One of the reasons is you have a statically linked program without source. Some of them expect a certain port and you cannot give them that port. An example being if you have a web server that only will work on port 80 and you have to move to 8080 for various reasons, you can use this to do a shift of it. Another reason is you have limited access to the outside world. A lot of times, like if you're using a connection like AltaVista and they don't give you port 25 or SMTP, they will give you port 80. You can use this to send stuff remotely. And of course the third reason is evil system administrators trying to hold you back. The question is how do you combat tunneling? The first thing is sniffers work great, because nothing tends to deter people more than seeing a dump with all their passwords and account names on their desk in the morning.
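The request framing the talk describes, written out as an added example that is not from the talk or from httptunnel itself: the opcode numbers, the 0x40 flag placement and the big-endian length field are assumptions chosen for illustration (httptunnel's real constants are in its source). The `cleartext` function gives the sniffer's-eye view the talk recommends, showing why telnet through the tunnel hands over the login.

```python
import struct
# Assumed constants for illustration (not httptunnel's actual values):
# a request with the 0x40 "simple" bit set is one command byte; any other
# request is 1 command byte + 2-byte big-endian length + payload.
SIMPLE = 0x40
OPEN, DATA, PADDING, ERROR = 0x01, 0x02, 0x03, 0x04          # carry a payload
PAD1, CLOSE, DISCONNECT = SIMPLE | 0x05, SIMPLE | 0x06, SIMPLE | 0x07  # bare
NAMES = {OPEN: "open", DATA: "data", PADDING: "padding", ERROR: "error",
         PAD1: "pad1", CLOSE: "close", DISCONNECT: "disconnect"}

def encode(cmd, payload=b""):
    """Build one request; bare commands must carry no payload."""
    if cmd & SIMPLE:
        if payload:
            raise ValueError("simple request carries no data")
        return bytes([cmd])
    if len(payload) > 0xFFFF:
        raise ValueError("payload exceeds the 16-bit length field")
    return bytes([cmd]) + struct.pack(">H", len(payload)) + payload

def decode(body):
    """Split a request stream (e.g. an HTTP POST body) into (name, payload)
    pairs; a truncated or unknown frame raises instead of being guessed at."""
    out, i = [], 0
    while i < len(body):
        cmd = body[i]
        if cmd not in NAMES:
            raise ValueError(f"unknown request 0x{cmd:02x} at offset {i}")
        if cmd & SIMPLE:                      # one-byte command, no length
            out.append((NAMES[cmd], b""))
            i += 1
            continue
        if i + 3 > len(body):
            raise ValueError(f"truncated header at offset {i}")
        (n,) = struct.unpack(">H", body[i + 1:i + 3])
        if i + 3 + n > len(body):
            raise ValueError(f"truncated payload at offset {i}")
        out.append((NAMES[cmd], body[i + 3:i + 3 + n]))
        i += 3 + n
    return out

def cleartext(body):
    """What a sniffer or a logging proxy sees: the DATA payloads, joined."""
    return b"".join(p for name, p in decode(body) if name == "data")
# Constructed sample: a telnet login typed through the tunnel, padded out as
# the talk describes for a squid-style proxy, then closed.
SAMPLE = (encode(OPEN) + encode(DATA, b"login: alice\r\n")
          + encode(DATA, b"password: hunter2\r\n")
          + encode(PADDING, b"\x00" * 16) + encode(CLOSE))
```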
If they're stupid enough to use a tunnel program after you told them not to, they're probably stupid enough to send some of this in clear text. Another thing is look for signatures of the tunneling software. If you use the source for httptunnel, there are certain signatures you can find in it right now. As I was saying, use the source, Luke. Another way to do this is policy. Explain the security problems someone could be opening up. Obviously an example being here that it's great going out, but we could also do this somehow getting in. I could open a port that's a very high number that no one would even allow stuff in on. I could shift that to some port on the machine. And the other way to really combat tunneling is education. Ask why people are using tunneling software. Can you help them remove the need for it? Like by installing a SOCKS proxy or something. There's an old story about Patton when he was at West Point. He was part of the faculty, he was a student, part of the student government. And he was asked what they could do about people walking on the grass all the time. And his response was, well, put sidewalks where the people are walking. This is the same idea. If they're using the tunneling software, usually they have a reason for it besides just to be dicks. And the answer is to help find out what that problem is and help them find a solution for it. What's the future of httptunnel? They've got a bunch of things they're going to do with it. These are the ones I thought were most important. They're going to add SSL encryption someday. They're waiting until after September 20th when the RSA patent expires, and they also have to deal with the export restrictions, which not a lot of people are thrilled with. Data compression. There's a version of it out there that uses zlib, but it has some issues. You're always padding the entries out with HTTP headers, which can be quite wasteful. They're also trying to extend it so it can work with other protocols like FTP.
Their goal eventually is to be able to call it XTP tunnel. They'll use any transport, use telnet, anything to do it. They're working on that. It's still very early, but it's going to really change the way it works because it's going to make it very hard to detect and stop. And the other thing they're trying to do, they're trying to add this now, is simple encoding to defeat trivial sniffing. Not ROT13, but a little bit more advanced than that. They're trying to add some random type signatures to it. Tunneling is a very valuable tool. We've used it a little bit here and there because it's helped us in certain situations where we need to use it. Tunneling can also bypass security measures. That's probably the biggest single problem with tunneling. It can bypass any firewall you have if you set it up correctly, because you're creating a virtual path and whatever you're adding on top of that is up to the user. What you're doing is you're hiding the data inside a more acceptable protocol. And education and training are pretty much the best defense. The main links for that are the GNU httptunnel website and the Firewall Piercing mini-HOWTO. You can find either one of these just by doing a search in Google without any problems. The first question anyone always asks me is, is there a Windows version of it? And the answer is yes, there is. It runs under the Cygnus Cygwin toolkit. The other question I usually get asked is, is there a Macintosh version of it? And no, there's not. It will run on Mac OS X Server edition, but it hasn't been officially ported yet. It also works on pretty much any standard version of Unix like FreeBSD or Solaris, running on the standard ones. The third question I usually get asked is, hang on a sec, will it run on a web server? Since I've overloaded port 80 on this, will this work concurrently with a web server? Right now it doesn't, but they are working on that as well.
But we're not sure how that's going to work, because they're going to have to override the way the behavior happens a bit right now, because it has one session on both sides, and you want a web server to fork off multiple copies to handle that. They're still working on that piece. Any other questions? Sure. Does it work through NAT? It works through network address translation; it will work through that if you can get a direct path back to it. If you're dealing with real masquerading, no, because it doesn't have a path back. It will work outgoing, of course, but coming back it won't work into it. So that's one of the first steps of defense against it. Yes? The question is, does it go through a proxy? It has options that will go through any standard proxy. Sometimes you have to figure out the real port the proxy exists at, and the FAQ has the instructions for doing that. I don't have a proxy set up on this one, but it does work with squid and all the standard ones I've seen. Yes, it is. If you send it in clear text, you're asking for it. What you do is you run a more secure protocol on top of it, like SSH, if you want to protect your stuff. It only gives you a simple basic encoding on it. Like if you've got spaces in your password, which I do and most people should, it will escape those, but the password is pretty trivial to figure out. So always, this is just a great tool to use, but make sure to use something secure on top of it like secure FTP or SSH and stuff like that to give you an additional level of stuff. Yes? Yes, it does. They've added a fix in 3.0.3 that has a random ID on the end of it so it does not have the same entry. So my first command has got certain trailing information on it; my second will have another random number, and so on and so forth. So you'll add a lot of random entries to the cache, but each one will be unique, so you won't have a replay problem. It'd be really tough to play back the session.
The question is, could you run across the entire telnet session in the cache? Yeah. I mean, if you've got your proxy turned on or you've got your proxy logging everything, it's going to do a straight dump of this session. So do not use this with telnet. That's rule number one. Yes, it actually does encapsulate it in real HTTP. It does comply with the 3.0 standard. Could you repeat the last part? It will be seen as ordinary web traffic for the most part, but there will be certain signs that you can see if you know what to look for, because it does use certain identifiers in a different way than, like, Netscape tends to do things. But it's kind of hard to find, but you can go through a log if you know what to look for. They're working on adding that. That's the simple encode, and they're trying to make it look more like a Netscape session or something else. You can't. That's the problem. The answer to the question is, can you prevent it from getting through a firewall? If you open up any port you can use software like this to get through the firewall. You can do some things like network address translation to make it tougher to get in, so they can't open something inside your local net. But to get out, you can't stop it. You can also use this to go out and hit other sites. Actually you can use your home machine, set up a Netscape session on that, send the X window stuff through and browse all the porn you want to while you're at work, in regards to how they block stuff. I'm not saying you would, but some people do. Here's the question about the performance. The performance can suck. It's encapsulating every single command inside a Netscape header. The secret to this is have a good connection. If I didn't have a cable modem I probably wouldn't try it. Also the question is what you're sending across it. Like when we send X across it, unless you're using compression options inside the later versions of X, you are going to be paying a lot because it sends everything back and forth.
This is a unique packet. The question is, if I try to use DeleGate SSL proxies, so just using regular HTTP proxies, the answer is no, I haven't yet. They probably have done it at this site. They do have a mailing list, so that's pretty good. Actually, if you use something with compression, that's the reason they're going to add zlib to it, to help improve the performance on it quite a bit. Way back there. The question is, to put it shorter, can you use this with something like a Java app to move stuff around in terms of ports? Yes, you can, but the question is, with the performance issues of it, I don't think it would really be that useful. You can obviously take a look at the source. It is open source. And some of the pieces there are very good. There's also more generic port forwarding tools like leapfrog which you might want to take a look at, because that will do some of that work. And you can hit www.coste.com slash leapfrog, or do what I do and hit Google and do a leapfrog search. Any more questions? Yes sir. That's a very good question. What happens if you have a port 80 on your home computer? You've opened up a port, but you can bind what port it can connect to. So if you do have something like SSH, you can bind it so it can only hit that SSH port. You can just basically do port forwarding on this end. So your host out a while will launch it. No, actually, just tell me to use that. SSH has its own configuration utilities you can set. Yeah, okay. Then yes, you can use that situation. Yes sir. The question is, can you use this at a proxy to send requests out to your home machine and have that do the surfing for you? I haven't done that. It may be possible. What I've done is I've run X across it and then just brought up a Netscape from my home machine. It was quite slow, but it did work. Yeah, probably not, because of the overhead of sending back all the stuff.
I mean, it worked better than doing it the way I was doing it, running X, where it sends every pixel back to you. But I'm not exactly sure how the performance of that would work using it that way. It's a great question to ask on the mailing list. They're a pretty active group. They're up to version 3.0.3 now and they're getting ready to release 3.0.4, and they'd love some help getting it up to spec where they want it to go in a couple of areas. Yes. Any other questions? Okay, the main purpose of this is to help educate people that a firewall will not stop all your problems. It's a great first step, but you also have to understand what the firewall does and doesn't allow, and that's just a part of the process of learning what it does do, and keeping in touch with your users, because if you do put up walls high enough against your users, they will find ways around them. They always have and they always will. Thank you very much.