Protocol Verification by Proxies

It’s worth noting in any environment which actively uses proxies, that circuit level (generic) tunnelling such as those use by SOCKS and SSL tunnels will normally allow any protocol to be passed through the proxy. The implication of course is that the proxy doesn’t understand the protocol merely passes it on, which means also that the server cannot verify what is happening at the protocol level. This can be a dangerous situation especially if the proxy offers a gateway to internet or external traffic from the internet.

For illustration, any SSL tunnelling protocol can usually tunnel any TCP based protocol – so it could actually be used to telnet directly into the server. There are some huge dangers to allowing any server to transport protocols like this with no consideration to the operational requirements. It’s like leaving a huge back door to your network unless it is properly managed. There are of course options to control these protocols and one of the simpler is to restrict tunneling based on specific ports. So you would allow 443 open to allow HTTPS traffic, 563 for News and maybe 636 for secure LDAP. You’d have to extend this list to consider any other application or protocol requirements needed such as Windows Active Directory or Remote Access.

It works, is simple to implement however the reality is it’s not that secure. The well-known ports are only recommendations and there’s nothing to stop protocols being used on non-standard ports although of course this could cause issues in receiving the data if the servers are not configured to listen on these ports too. This VPN solution discussed on this page called Identity Cloaker which is used to access US versions of Netflix tunnels on a non-standard port for SSL traffic and allows the user to switch to any port.

This means you’ll be left with the unenviable situation where you’ll suspect dangerous traffic is being transported on a non standard port. This method of control means you’ll end up breaking other vital services if you attempt to block the port too. It’s not a long term solution although it is something that can be implemented whilst you try and create something more sophisticated.

The most efficient solution of course is to ensure that the proxy server can verify the protocol it is transporting. Therefore if someone is using non-standard ports or tunneling using a banned protocol or attempting to use a fake IP address like this for example then the proxy wil be able to highlight this issue. Once you have this awareness you can expand the functionality of proxy by building in more intelligence. The server can be used to identify common misuse and external attacks including attempting to use SSL to tunnel their terminal connections via Telnet.

Leave a Reply

Your email address will not be published. Required fields are marked *