Using TCP encapsulation to bypass firewalls

Author	All Replies
EGeezer Spring is here Premium join:2002-08-04 Country! ·RoadRunner Cable ·AT&T CallVantage	Using TCP encapsulation to bypass firewalls Well, we get lots of requests by people wanting to bypass their company firewall, but they usually involve proxies and dodgy applications. But, by employing a little-known implementation of TCP/IP, they can use simple HTTP to encapsulate TCP connection requests. With no cooperation from a firewall operator, the FEP allows ANY application to traverse a Firewall. Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. This scheme does not violate the actual security usefulness of a Firewall, since Firewalls are designed to thwart attacks from the outside and to ignore threats from within. The use of FEP is compatible with the current Firewall security model because it requires cooperation from a host inside the Firewall. FEP allows the best of both worlds: the security of a firewall, and transparent tunneling thought the firewall. ... See IETF spec »tools.ietf.org/html/rfc3093 -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )
	to forum · permalink · · 2008-04-01 00:24:10 ·
Killer Maxx @rr.com thumbs down from: Cabal	If "Firewalls are designed to thwart attacks from the outside and to ignore threats from within" then what circumstances would require you to "encapsulate" your outbound TCP/IP packets to get out ? Also, HTTP rides over TCP, so putting TCP inside HTTP is like sticking your head up your ass and expecting to breathe some fresh air from your inside-out nose. I smell more than one rat in this one.
	to forum · permalink · 2008-04-01 01:15:56 ·
GercekSeytan Rockin' with Raki join:2001-10-19 Turkey	reply to EGeezer This is all wayyyyyyyy beyond me as a "typical user". Then again, the date of that document is 1 April 2001. I smell a rat...or a geezer as the case may be.
	to forum · permalink · · 2008-04-01 07:07:28 ·
Khaine join:2003-03-03 Australia edit: April 1st, @08:18AM	reply to EGeezer Personally I prefer the use of the security flag, as per rfc3514 »www.ietf.org/rfc/rfc3514.txt
	to forum · permalink · · 2008-04-01 08:18:12 ·
jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA	reply to EGeezer Oh, I remember this one! One of my all-time favorites!! Now, if I could just find my old copy of the classic rendition of "Suckertime, and the livin' is easy". -- Regards, Joseph V. Morris
	to forum · permalink · · 2008-04-01 09:44:01 ·
Cabal Premium join:2007-01-21 02101	reply to EGeezer IP over DNS is cooler.
	to forum · permalink · · 2008-04-01 10:30:09 ·
aryoba Premium,MVM join:2002-08-22	reply to Killer Maxx said by Killer Maxx : If "Firewalls are designed to thwart attacks from the outside and to ignore threats from within" then what circumstances would require you to "encapsulate" your outbound TCP/IP packets to get out ? Also, HTTP rides over TCP, so putting TCP inside HTTP is like sticking your head up your ass and expecting to breathe some fresh air from your inside-out nose. I smell more than one rat in this one. Well, maybe this FEP works in theory. I would believe FEP works in field when I see the HTTP message real-time captures.
	to forum · permalink · · 2008-04-01 10:42:32 ·
ahulett Equal Rights - It's Time Premium join:2003-02-02 Redmond, WA edit: April 1st, @12:18PM	reply to EGeezer I find it easier tunneling to the Internet via my flux capacitor. Luckily to generate the 1.21 gigawatts I need I just swing by Amazon.com for fuel. It has a great customer review which is why I went with it. -- Aaron Hulett \| Senior Spyware Researcher \| Microsoft Malware Protection Center This posting is provided "AS IS" without warranty, and confers no rights.
	to forum · permalink · · 2008-04-01 12:12:17 ·
mikenolan7 Premium join:2005-06-07 Torrance, CA	reply to EGeezer It's an ideal response for people that come here wanting help getting fired. If you can't pull that off on your own...
	to forum · permalink · · 2008-04-01 12:13:00 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL ·AT&T Midwest	reply to EGeezer But, by employing a little-known implementation of TCP/IP, they can use simple HTTP to encapsulate TCP connection requests. How well is that going to work, if your only HTTP access is through a caching proxy server? -- AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13
	to forum · permalink · · 2008-04-01 12:37:04 ·
TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY	reply to EGeezer I prefer to encapsulate my TCP in an NaCL coating.
	to forum · permalink · · 2008-04-01 12:45:43 ·
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL	I'll take that with a grain of salt.
	to forum · permalink · · 2008-04-01 12:51:40 ·
EGeezer Spring is here Premium join:2002-08-04 Country! ·RoadRunner Cable ·AT&T CallVantage	reply to nwrickert Ah, no problem :) the Caching proxy server will simply pass the entire encapsulated request. 3.0 FEP Protocol Figure 1 shows a high level view of our protocol. The application (1) in host A (outside the Firewall) sends a TCP/IP datagram to host B (within the firewall). Using a tunnel interface the TCP/IP datagram is routed to our FEP software (2), which encodes the datagram within a HTTP message. Then this message is sent via a HTTP/TCP/IP tunnel (3) to host B on the normal HTTP port (4). When it arrives at host B, this packet is routed via the tunnel to the FEP software (5), which decodes the packet and creates a TCP/IP datagram to insert into host's B protocol stack (6). This packet is routed to the application on host B (7), as if the Firewall (8) never existed. Gaynor & Bradner Informational [Page 3] RFC 3093 Firewall Enhancement Protocol 1 April 2001 host A host B ---------- ---------- \| App \| (1) \| App \| (7) \|----------\| \|----------\| \| TCP \| \| TCP \| \|----------\| \|----------\| \| IP \| \| IP \| (6) \|----------\| \|----------\| \| FEP dvr \| (2) \| FEP dvr \| (5) \|----------\| \|----------\| \| TCP \| \| TCP \| \|----------\| \|----------\| \| IP \| Firewall (8) \| IP \| ---------- --- ----------- \| (3) \| \| ^ (4) +---------------->\| \|-----------------------+ \| \| \| \| --- Figure 1 3.1 HTTP Method FEP allows either side to look like a client or server. Each TCP/IP packet is sent as either a HTTP GET request or a response to a GET request. This flexibility work well with firewalls that try to verify valid HTTP commands crossing the Firewall stopping the unwanted intercepting of FEP packets. -- Mayors of New York come from nowhere and go nowhere. Wallace Sayre (apparently, so do governors... )
	to forum · permalink · · 2008-04-01 12:53:07 ·
Damon85 Premium join:2004-12-25 Louisville, KY	reply to EGeezer Glad someone finally thought of the idea to use a VPN to bypass a corporate firewall. How we got along so well thus far without the concept astounds me. Hope no one in IT notices the high volume of HTTP requests your workstation made to the same outside address, over and over... and then hopefully they don't notice that all those requests are incomprehensible gibberish, which is quite uncharacteristic of HTTP....
	to forum · permalink · · 2008-04-01 12:58:19 ·
Noah Vail Serial Thread Killer Premium join:2004-12-10 Lorton, VA ·Verizon BroadbandA.. ·VoicePulse	reply to EGeezer Ah. VPN it is then. You COULD plop Portable Tor on a thumbdrive along with your favorite portable browser. »portabletor.sourceforge.net/ NV -- Abortion: A Republican Plot to Thin the Liberal Herd.
	to forum · permalink · · 2008-04-01 14:30:29 ·
Guspaz Guspaz Premium,MVM join:2001-11-05 Montreal, QC	reply to EGeezer Re: Using TCP encapsulation to bypass firewalls While that is an april fool's joke, one mustn't forget that http tunneling actually IS useful (and real).
	to forum · permalink · · 2008-04-01 15:35:27 ·
i1me2ao join:2001-03-03 TEXAS	reply to EGeezer go ahead and loose the job there slick.. -- »www.thereligionofpeace.com/
	to forum · permalink · · 2008-04-01 16:19:43 ·
brianiscool join:2000-08-16 Miami, FL	reply to EGeezer If you want you can block these TCP port 80 bypasses, by setting up a layer 7 firewall packet inspection.
	to forum · permalink · · 2008-04-01 18:42:00 ·
Bryan001 Premium join:2002-08-17 Saint Louis, MO	Then people would start using SSL to encrypt it -- imtim83 for MVM
	to forum · permalink · · 2008-04-01 19:00:29 ·
EGeezer Spring is here Premium join:2002-08-04 Country! edit: April 1st, @11:40PM	reply to EGeezer The responses to this All Fool's day RFC has been entertaining, and enlightening! Some of them even approached Ted Steven's tubes..
	to forum · permalink · · 2008-04-01 23:39:21 ·


Thursday, 21-Aug 00:39:17	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9 years online! © 1999-2008 dslreports.com. page compression OFF