HTTP Tunneling

  

As mentioned before, the firewall's function is to block ports so that an attacker is forced onto specific, monitored ports; for example, forcing the attacker to use port 80 for HTTP. Port filtering is the concept of allowing certain network ports, but not others, to be visible to the outside world. Ensuring that the only protocol entering a port is the protocol the firewall permits on it is called protocol filtering.

For instance, firewalls may employ an HTTP protocol filter to allow only HTTP connections; however, HTTP filtering restricts access so that other "friendly" protocols, such as RMI, are not allowed either. These friendly protocols can be "wrapped" within the allowed protocol; in the case of HTTP, this is called HTTP tunneling. With HTTP tunneling, the firewall treats the wrapped packets as HTTP packets and lets them through. The recipient of the tunneled packets must recognize them and unwrap them. Figure 21-18 shows a diagram of how HTTP tunneling works.

Figure 21-18: HTTP tunneling

The Java package java.rmi.server provides classes that implement HTTP tunneling. For RMI, there are two forms of HTTP tunneling: http-to-port and http-to-cgi. With http-to-port tunneling, RMI attempts an HTTP POST request to an http: URL directed at the host name and port number of the target machine. If the firewall accepts it, the request is forwarded to the listening machine, which unwraps the request and sends an HTTP reply back through the same firewall.

However, the firewall may not accept requests to unusual port numbers, in which case http-to-cgi may be used. With http-to-cgi, the URL has the form http://intendedserver:80/cgi-bin/java-rmi.cgi?port=intendedportx; the intended server must be listening on port 80 and run the java-rmi.cgi script, which forwards the request to the RMI server listening on intendedportx. The java-rmi.cgi script can be found in the JDK.

Caution  

Using http-to-cgi will redirect any incoming request to any port, creating a security hole on the server.
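
The caution above can be checked from the web server's side. The following is an added example, not code from the book or the JDK: it reviews access-log lines for requests to the java-rmi.cgi script whose target port falls outside an allowlist. The log format (Common Log Format), the allowlisted port 1099, the extra parameter name forward, and the sample lines are all assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

CGI_PATH = "/cgi-bin/java-rmi.cgi"
PORT_PARAMS = ("port", "forward")  # "port" as in the page's URL; "forward" is an assumed alias
ALLOWED_PORTS = {1099}             # assumption: the one RMI listener meant to be reachable

# Common Log Format: client ... "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" \d{3}')

def check_line(line, allowed=ALLOWED_PORTS):
    """Return (client, reason) for a suspicious tunnel request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target = m.groups()
    parts = urlsplit(target)
    if unquote(parts.path) != CGI_PATH:
        return None                      # not a request to the forwarding script
    query = parse_qs(parts.query, keep_blank_values=True)
    values = [v for name in PORT_PARAMS for v in query.get(name, [])]
    if len(values) != 1:
        return (client, "missing or repeated port parameter")
    if not re.fullmatch(r"[0-9]{1,5}", values[0]) or not 0 < int(values[0]) <= 65535:
        return (client, "malformed port value")
    if int(values[0]) not in allowed:
        return (client, f"forward to port {int(values[0])} outside allowlist")
    if method != "POST":
        return (client, f"unexpected method {method}")  # RMI tunneling uses POST
    return None

def review(lines, allowed=ALLOWED_PORTS):
    """Collect findings for every log line, in input order."""
    return [hit for hit in (check_line(l, allowed) for l in lines) if hit]

# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "POST /cgi-bin/java-rmi.cgi?port=1099 HTTP/1.0" 200 312',
    '198.51.100.7 - - [12/Mar/2024:10:04:41 +0000] "POST /cgi-bin/java-rmi.cgi?port=3306 HTTP/1.0" 200 97',
    '192.0.2.10 - - [12/Mar/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:10:06:13 +0000] "POST /cgi-bin/java-rmi.cgi?port=1099&port=8005 HTTP/1.0" 200 97',
    '203.0.113.5 - - [12/Mar/2024:10:07:30 +0000] "POST /cgi-bin/java-rmi.cgi?forward=abc HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for client, reason in review(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

The same allowlist test belongs in front of the script itself, so that a request for a port outside the set is rejected before it is forwarded.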

  


Java Security Solutions
ISBN: 0764549286
EAN: 2147483647
Year: 2001
Pages: 222
