Archive for the ‘Security’ Category

Recently I wanted to set up a remote desktop sharing session from my home PC to my laptop. While going through the setup guide I came across SSH tunneling. Even though there are many articles on the subject, it still took me a considerable amount of googling, some experimenting and a couple of Wireshark sessions to grasp what’s going on under the hood. Most of the guides were incomplete in terms of explaining the concept, which left me wishing for a good article on the subject with some explanatory illustrations. So I decided to write it myself. So here goes…

Introduction

An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. It can be used to carry unencrypted traffic over a network through an encrypted channel. For example, we can use an SSH tunnel to securely transfer files between an FTP server and a client even though the FTP protocol itself is not encrypted. SSH tunnels also provide a means to bypass firewalls that prohibit or filter certain internet services. For example, an organization may block certain sites using its proxy filter, but users may not wish to have their web traffic monitored or blocked by that filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server via the external SSH server. I will describe this scenario in detail in a little while.

To set up an SSH tunnel, a given port on one machine needs to be forwarded (I will talk about forwarding in a little while) to a port on the other machine, which will be the other end of the tunnel. Once the SSH tunnel has been established, the user can connect to the earlier specified port on the first machine to access the network service.

Port Forwarding

SSH tunnels can be created in several ways using different kinds of port forwarding
mechanisms. Ports can be forwarded in three ways.

  1. Local port forwarding
  2. Remote port forwarding
  3. Dynamic port forwarding

I didn’t explain what port forwarding is. I found Wikipedia’s definition more explanatory.

Port forwarding or port mapping is a name given to the combined technique of

  1. translating the address and/or port number of a packet to a new destination
  2. possibly accepting such packet(s) in a packet filter(firewall)
  3. forwarding the packet according to the routing table.

Here the first technique will be used in creating an SSH tunnel. When a client application connects to the local port (the local endpoint) of the SSH tunnel and transfers data, the data is forwarded to the remote end by translating the host and port values to those of the remote end of the channel.

So with that, let’s see how SSH tunnels can be created using forwarded ports, with some examples.

Tunnelling with Local port forwarding

Let’s say that yahoo.com is being blocked using a proxy filter at the university (for the sake of this example :) I cannot think of any valid reason why yahoo would be blocked). An SSH tunnel can be used to bypass this restriction. Let’s name my machine at the university ‘work’ and my home machine ‘home’. ‘home’ needs to have a public IP for this to work, and I am running an SSH server on my home machine. The following diagram illustrates the scenario.

To create the SSH tunnel, execute the following from the ‘work’ machine.

ssh -L 9001:yahoo.com:80 home

The ‘L’ switch indicates that a local port forward needs to be created. The switch syntax is as follows.

-L <local-port-to-listen>:<remote-host>:<remote-port>

Now the SSH client at ‘work’ will connect to the SSH server running at ‘home’ (usually on port 22) and bind port 9001 on ‘work’ to listen for local requests, thus creating an SSH tunnel between ‘home’ and ‘work’. At the ‘home’ end it will create a connection to ‘yahoo.com’ at port 80. So ‘work’ doesn’t need to know how to connect to yahoo.com; only ‘home’ needs to worry about that. The channel between ‘work’ and ‘home’ will be encrypted, while the connection between ‘home’ and ‘yahoo.com’ will be unencrypted.

Now it is possible to browse yahoo.com by visiting http://localhost:9001 in the web browser on the ‘work’ computer. The ‘home’ computer acts as a gateway which accepts requests from the ‘work’ machine, fetches the data and tunnels it back. So the syntax of the full command is as follows.

ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>

The image below describes the scenario.

Here the ‘home’ to ‘yahoo.com’ connection is only made when the browser makes the request, not at tunnel setup time.
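The forwarding behaviour described above, as an added example that is not part of the original post: a plaintext TCP relay that listens on a local port and opens the onward connection only when a client connects. It assumes a constructed loopback service standing in for yahoo.com:80 and leaves out the encrypted SSH channel that would sit between the listening side (‘work’) and the connecting side (‘home’).

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes one way until src closes, then signal EOF to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_destination():
    """Constructed stand-in for the remote service (yahoo.com:80 in the post)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen()
    seen = []                           # one entry per connection accepted

    def handle(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data.upper())

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            seen.append(conn)
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, seen


def start_forwarder(dest_host, dest_port):
    """Listen locally; open the onward connection only when a client arrives."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen()

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            upstream = socket.create_connection((dest_host, dest_port))
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=pipe, args=(a, b), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst


def demo():
    dest, seen = start_destination()
    fwd = start_forwarder(*dest.getsockname())
    before = len(seen)                  # forwarder is up, destination untouched
    with socket.create_connection(fwd.getsockname(), timeout=5) as c:
        c.sendall(b"hello via tunnel")
        c.shutdown(socket.SHUT_WR)      # finished sending; now read to EOF
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    return before, reply, len(seen)


if __name__ == "__main__":
    print(demo())
```

The destination sees no connection while the forwarder is merely listening, and exactly one after the client has connected through it.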

It is also possible to specify a port in the ‘home’ computer itself instead of
connecting to an external host. This is useful if I were to set up a VNC session
between ‘work’ and ‘home’. Then the command line would be as follows.

ssh -L 5900:localhost:5900 home (Executed from 'work')

So what does localhost refer to here? Is it ‘work’, since the command line is executed from ‘work’? It turns out that it is not. As explained earlier, it is relative to the gateway (‘home’ in this case), not the machine from which the tunnel is initiated. So this will make a connection to port 5900 of the ‘home’ computer, where the VNC client would be listening.

The created tunnel can be used to transfer all kinds of data, not only web browsing sessions. We can also tunnel SSH sessions through it. Let’s assume there is another computer (‘banned’) to which we need to SSH from within the university, but SSH access to it is being blocked. It is possible to tunnel an SSH session to this host using a local port forward. The setup would look like this.

As can be seen, the data transferred between ‘work’ and ‘banned’ is now encrypted end to end. For this we need to create a local port forward as follows.

ssh -L 9001:banned:22 home

Now we need to create an SSH session to local port 9001, from where the session will get tunneled to ‘banned’ via the ‘home’ computer.

ssh -p 9001 localhost

With that, let’s move on to the next type of SSH tunnelling method, reverse tunnelling.

Reverse Tunnelling with remote port forwarding

Let’s say it is required to connect to an internal university website from home. The university firewall is blocking all incoming traffic. How can we connect from ‘home’ to the internal network so that we can browse the internal site? A VPN setup is a good candidate here. However, for this example let’s assume we don’t have this facility. Enter SSH reverse tunnelling.

As in the earlier case, we will initiate the tunnel from the ‘work’ computer behind the firewall. This is possible since only incoming traffic is blocked and outgoing traffic is allowed. However, unlike the earlier case, the client will now be at the ‘home’ computer. Instead of the -L option we now use -R, which specifies that a reverse tunnel needs to be created.

ssh -R 9001:intra-site.com:80 home (Executed from 'work')

Once executed, the SSH client at ‘work’ will connect to the SSH server running at ‘home’, creating an SSH channel. Then the server will bind port 9001 on the ‘home’ machine to listen for incoming requests, which are subsequently routed through the SSH channel between ‘home’ and ‘work’. Now it’s possible to browse the internal site by visiting http://localhost:9001 in the ‘home’ web browser. ‘work’ will then create a connection to intra-site and relay the response back to ‘home’ via the SSH channel.

As nice as all of this is, you still need to create another tunnel if you need to connect to another site, in both cases. Wouldn’t it be nice if it were possible to proxy traffic to any site using the SSH channel created? That’s what dynamic port forwarding is all about.

Dynamic Port Forwarding

Dynamic port forwarding allows one local port to be configured for tunnelling data to all remote destinations. However, to use this the client application connecting to the local port must send its traffic using the SOCKS protocol. A SOCKS proxy is created at the client side of the tunnel, and the application (e.g. a browser) uses the SOCKS protocol to specify where the traffic should be sent when it leaves the other end of the SSH tunnel.

ssh -D 9001 home (Executed from 'work')

Here SSH will create a SOCKS proxy listening for connections on local port 9001 and, upon receiving a request, will route the traffic via the SSH channel created between ‘work’ and ‘home’. For this it is required to configure the browser to point to the SOCKS proxy at port 9001 on localhost.
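How an application tells the SOCKS proxy where to send the traffic, as an added example that is not part of the original post: it encodes and decodes the SOCKS5 CONNECT request (RFC 1928 layout) that a browser would send to the listener on port 9001. The function names are this example's own, and the 192.0.2.10 address in the tests is a constructed sample.

```python
import ipaddress
import struct

SOCKS5 = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_greeting():
    """VER, NMETHODS, METHODS: offer only method 0x00 (no authentication)."""
    return bytes([SOCKS5, 1, 0])


def build_connect(host, port):
    """Client side: encode 'open a TCP connection to host:port for me'."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("bad host name length")
        # The name itself is sent, so it is resolved on the proxy side
        # of the tunnel, not on the machine running the browser.
        atyp = ATYP_DOMAIN
        addr = bytes([len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0, atyp]) + addr + struct.pack("!H", port)


def parse_connect(msg):
    """Proxy side: recover (host, port), rejecting malformed requests."""
    if len(msg) < 5:
        raise ValueError("request too short")
    ver, cmd, rsv, atyp = msg[:4]
    if (ver, cmd, rsv) != (SOCKS5, CMD_CONNECT, 0):
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        start, alen = 5, msg[4]          # one length byte, then the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        start, alen = 4, (4 if atyp == ATYP_IPV4 else 16)
    else:
        raise ValueError("unknown address type")
    if len(msg) != start + alen + 2:
        raise ValueError("length does not match address type")
    raw = msg[start:start + alen]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii")
    else:
        host = str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", msg[start + alen:])
    return host, port


if __name__ == "__main__":
    request = build_connect("yahoo.com", 80)
    print(build_greeting().hex(), request.hex(), parse_connect(request))
```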


Continuing my adventure with Apache Rampart from my earlier article, I decided to follow the DeveloperWorks article on WS-Security. Again I ran into some issues when I tried using signatures within the messages. Here is a brief account of what happened this time.

First road block I encountered was the error shown below. The error was on the client side and was like this.

org.apache.axis2.AxisFault: CryptoFactory: Cannot load properties:crypto.properties

Client didn’t seem to know where to pick up the properties file describing trust store details. After fiddling with the file paths and failing, I tried the Axis2 list and luckily found a suggestion which helped out with my predicament. The solution was to add the properties file location to the client’s classpath. So with that obstacle out of the way the next break point to hit was this.

problemAction: anonOutInOp
[ERROR] The [action] cannot be processed at the receiver.
org.apache.axis2.AxisFault: The [action] cannot be processed at the receiver.

This time around it was the server side which was giving me troubles. After scavenging a little on the Internet for information I found this article which described the issue as not properly setting the SOAP action when setting up the client. I was guilty as charged. I had forgotten to set the SOAP action at my client. Thanks to that tip I pressed ahead again to come up with this.

org.apache.axis2.AxisFault: WSHandler: Signature: error during message processingorg.apache.ws.security.WSSecurityException: An unsupported token was provided (Problem with SKI information: Support for RSA key only)

Again, luckily, I found a suggestion on the Axis2 list which helped me through. The error was due to the choice of the algorithm that I used to generate the key store. Using the RSA algorithm instead of the default DSA was the solution.

So after another bumpy ride I was finally able to get it working for signatures and luckily providing encryption capability was pretty much a smooth ride afterwards.


It seems web service security is not the easiest thing to get right the first time, like some things in life (at least for me :D). I found this out the hard way by trying to secure a web service deployed in Axis2 with Rampart. The idea was simple: to make a service require a time stamped message from the client and vice versa. So I added the required parameters to both the services.xml at the service side and the axis2.xml at the client side, and added and engaged the Rampart module at both sides. Naturally I now expected things to work and to see time stamped messages flying in and out from my client through the Apache TCPMon setup to intercept the message flow. But I was expecting things to happen a bit too early.

Troubles started with Axis2 server installation spitting a ClassNotFoundException for some org.apache.rampart.xxx.RampartXXX . After playing with the installation and Rampart module for some time I found out that there is a set of jars within Rampart module download which I should add to Axis2 installation lib to get over this obstacle. I don’t remember finding any documentation about Rampart stating this fact. Of course I may not have been looking hard enough or looking in correct locations.

But anyway straight ahead I hit another exception. This time it was a depressing org.apache.axis2.deployment.DeploymentException: javax/jms/BytesMessage. This was promising to be a show stopper. Luckily this same issue had come in the Axis2 list and I found that this was due to a version mismatch. I had been using Rampart 1.4 module with Axis2 1.5.1 version. Solution was clear. To use recently released Rampart 1.5 version. Magically that error was no more.

Next up in the “exception line up” was java.lang.ClassNotFoundException: org.apache.axis2.transport.tcp.TCPTransportSender. Apparently this was due to some related jar missing from the Axis2 distribution. As per some discussion on the Axis2 list I tried commenting out in server axis2.xml to trivially make things work. I got over the next ClassNotFoundException by commenting out the transportReceiver for TCP following the same logic.

I ran the service client once again not even half expecting things to work. All of a sudden… You can guess my jubilation. Yeah finally my little time stamped SOAP has seen the light of the day. Though a painful experience I learnt that perseverance pays in security business.

PS.

I came across some other types of exceptions during my endeavour which I think can be useful to know for some other person venturing to this area.

org.apache.axis2.AxisFault: Must Understand check failed for header http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd : Security
This can occur for two reasons, as I observed. Firstly, if the Rampart module has not been correctly engaged to the service, this error can occur when the service is invoked. Secondly, if the two endpoints are not configured consistently, so that one end is not providing what the other end is expecting, this error can occur. For example, if the service is configured to accept only time stamped messages and a client sends it a non time stamped message, this error will occur. In the same way, if the client is expecting a time stamped message in return and the service is not providing it, this exception will be raised at the client side.


ISO27001 & its Business Value

Today most businesses have become IT reliant for their core business and administrative activities. Since IT systems play a central role in the management of sensitive corporate data, the information security these systems provide has become a very important aspect. Now, with the rapid rise of the internet and e-commerce, security requirements have become higher than ever.

For example, before the rise of web applications organizations’ efforts to secure themselves against external attacks were largely focused on the network perimeter. Defending this perimeter entailed hardening and patching the services that it needed to expose, and firewalling access to others. Web applications have changed all of this. For an application to be accessible by its users, the perimeter firewall must allow inbound connections to the server over HTTP/S. And for the application to function, the server must be allowed to connect to supporting back-end systems, such as databases, mainframes, and financial and logistical systems. These systems often lie at the core of the organization’s operations and reside behind several layers of network level defenses. If a vulnerability exists within a web application, then an attacker on the public Internet may be able to compromise the organization’s core back-end systems solely by submitting crafted data from his web browser. This data will bypass all of the organization’s network defenses, in just the same way as does ordinary traffic to the web application. Effectively, applications such as these have expanded the security perimeter of the organization, requiring it to divert more effort towards security hardening requirements.

It goes without saying that information security breaches can have far-reaching effects on the organization on several fronts, including monetary loss and customer loyalty, as illustrated in the following case study.

A Case Study

The TJX Companies, Incorporated (NYSE: TJX), is the largest international home fashion departmental store chain in the United States, based in Framingham, Massachusetts. By 2004, the company had moved up to the 141st position in the Fortune 500 rankings and was a business worth $17 billion. In 2007 TJX revealed that its security system had been compromised and some 45.7 million customer accounts had been affected. The biggest known theft of credit-card numbers in history began in 2005 outside a discount clothing store near St. Paul, Minn. Hackers used a telescope-shaped antenna and a laptop to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. Once in, they were further able to penetrate into the central database of TJX Cos. in Framingham, Mass. During the next 2 years they were able to smuggle credit card data from the system and sell it or use it in fraudulent card transactions amounting to $8 million or more. [1]

What went wrong?

The following information was uncovered during a subsequent security analysis. [1]

* Loose compliance with regulatory standards such as PCI DSS (Data Security Standard) for storing and transmitting credit/debit card information.
* Store systems were based on a weak wireless security protocol (WEP).
* Lack of additional security features such as firewalls and software patches on these systems.
* Track2 information, such as account numbers, expiration dates, encrypted personal identification numbers, along with Social Security Numbers and driver’s licenses, were stored for unusually long periods of time.
* Lack of clear segregation and access control systems implemented for the critical information on TJX’s central servers. This additionally made the information easily available to the hackers.

Aftermath

* $9.75 million breach settlement charges with 41 states to cover the costs of investigating the incident.
* An initial budget of $100 million for the possible security upgrades.
* Several customer lawsuits for damages.
* Heavily damaged customer loyalty and hence loss of business.

From this case study it is evident that a well functioning information security framework within the organisation is necessary for preventing such security oversights, which can become very costly. This is where a standardized security system becomes vital. ISO 27001 especially is very important in this regard, since it is the de-facto standard for establishing, maintaining and improving an Information Security Management System (ISMS).

Benefits of an ISO 27001 Implementation

From a technical perspective, the following benefits can be obtained from an ISO 27001 implementation.

* Interoperability – Let’s say that a multinational company has regional branches in China and the US. The security requirements of the systems may differ in these localities, and so will the security system implementations. However, the overall organizational security policy states that all the regional information security systems should be in compliance with ISO 27001. Since both regional branches follow ISO 27001 standardization, they can achieve a comfortable level of interoperability when it comes to secure business information transactions, even though they may belong to very different backgrounds, because of the common set of standardization guidelines that they follow.

* Quality assurance – Whether it is the organization or the business partners, there should be some quality in the information security system and hence of the organization in general. With a suitable ISO 27001 implementation the management can be assured they have a recognised framework for dealing with the information security.

* Compliance – Having a certification against an international standard is desirable and can create a positive image of the organisational security policies among the stakeholders of the business. There is a well defined path to certification, and it is the result of a continuous process rather than a one-off achievement.

* Benchmarking – An organization can use ISO 27001 to measure its status against that of its competitors. It can emphasize its current rank and the developments that it makes as opposed to its rivals.

* Security awareness – Since the ISO 27001 implementation and its practice is a continuous process that engages organisational personnel in various security related aspects, it will raise overall employee awareness of security. In fact this is one of the most important aspects when it comes to information security. The system is only as strong as its weakest link, and it has been proven that an ill-informed user can be a great security risk no matter how many security systems are in place. So in this respect ISO 27001 is not just about security through software or physical infrastructure; it also encompasses influencing the behavioural and cultural aspects of the organization. Even significant change management processes can come into play in creating a security aware culture within the organization, and this may even cause some staff to be laid off in extreme cases due to non-compliant behaviour and resistance to the changes.

From a business perspective, the following benefits can be obtained from an ISO 27001 implementation.

* IT alignment of the business processes – For proper ISO 27001 compliance, a good IT alignment of the business activities should be present. A better IT alignment would mean increased efficiency in business processes, leading to quicker response times and reduced costs.

* Avoidance and mitigation of damages – From the case study of TJX it is evident that the amount of damage due to lack of security can become very significant. These damages, in terms of money, lost sales and customer loyalty, will have significant adverse effects on organisational profit margins. They will also cause the organisation to divert its energy to coping with the aftermath of the event in the form of lawsuits, security consultations etc. instead of focusing on its core business activities. If a proper security mechanism had been in place none of this would have happened, or at least the breach could have been tracked down earlier, mitigating the damages. Since the implementation requires the organization to have backup plans in place in order to investigate and compensate if such a security breach happens, the organisation will be in a better position to handle such a situation.

* Increased profits – An ISO 27001 certificate demonstrates that the organisation can be trusted to secure customers’ data, as well as its own. Corporate customers especially are likely to realise the benefits of this commitment, and this can be helpful in developing a positive image of the organisation. Having the ISO 27001 logos on the company literature is a continual reminder to potential and existing customers that the organisation takes the confidentiality, integrity and availability of their information seriously. This would drive higher customer satisfaction, new customers and increased profitability. It can even be leveraged as a competitive advantage over rival organisations. For example, in government tenders the government would favour organisations with sound security policies and may even include a certification such as ISO 27001 as a prerequisite.

* Cost effective and rational security systems – Since the implementation requires clear identification of the organisational security environment and its specific security needs, only the required systems and processes will be put in place, with configurations specifically suited to organizational security requirements. The organisation may have many technical safeguards, but a proper risk assessment may highlight safeguards that have little or no business benefit and that would provide a better return on investment if they were reconfigured to protect assets that require a higher level of protection. This avoids bloated (and in turn costly) and unnecessarily rigid (or on the contrary unnecessarily lenient) security systems and allows the organisation to obtain the level of security that’s required.

* Better employee relations – Clear policies and guidelines make things easier for staff. This will increase employee satisfaction and may help reduce staff turnover. Better security awareness programs, training and clear disciplinary procedures will also induce increased professionalism among the employees.

* Better risk planning – The information security strategy can be integrated with the overall organisational risk strategy leading to a comprehensive platform on which risk planning decisions can be made.

References

[1] TJX Companies, Inc – http://publicloud.com/?p=368
[2] Calder, Alan and Watkins, Steve, IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002, 4th ed., Kogan Page, London
[3] The ISO27k FAQ – http://www.iso27001security.com/html/faq.html
