How to make TCP packets and UDP packets penetrate the network firewall

Source: Internet
Author: User
Tags: client, firewall

The HTTP tunnel (HTTP tunneling) technique described here escapes the firewall's port filtering and the system's tracking and auditing at the same time. It shows that network security that rests on only one or a few controls is unreliable, and that blind reliance on a security system often creates serious risk. The hope is that this article prompts administrators to think again about how their network protection system is built.

What is an HTTP hidden channel

What is LAN security, and how can a system administrator guarantee it? Security is a constantly changing concept. For a long time, placing a firewall between the LAN and the outside world and strictly controlling the open ports let the administrator hold the security initiative to a large extent: the network, and the services other users could reach, were easy to control. For example, if only ports 80 or 532 are opened on the firewall, malicious users, whether inside or outside, cannot use certain services that have proved to be more dangerous.

However, it should be noted that a firewall is in a sense very stupid. An administrator's over-reliance on it, and the slackness that results, inevitably creates major security risks. "Channel" (tunneling) technology is a good proof of this, and it is what this article discusses.

So what is a channel? The channel discussed here is a way of communicating that circumvents the firewall's port filtering. Packets on either side of the firewall are encapsulated in a packet type or port that the firewall permits, pass through the firewall, and complete end-to-end communication; when the encapsulated packets reach their destination they are unwrapped, and the restored packets are delivered to the corresponding service. An example follows:

Host A sits behind the firewall and is protected by it; the firewall's access control rule allows only traffic to port 80. Host B is outside the firewall and is open. Now suppose you need to Telnet from A to B. Ordinary Telnet is certainly impossible, but we know that port 80 is usable, so an HTTP tunnel channel is a good choice here, as follows:

On host A, a tunnel client listens on an unused, arbitrary local port, say 1234, and forwards the data arriving on port 1234 to port 80 on the remote host B (note that port 80 is permitted by the firewall). On host B, a tunnel server also listens on port 80 and forwards what arrives there from the client to the local Telnet service on port 23. That is all there is to it. Now Telnet on A to local port 1234: the packets are forwarded to port 80 on B, and because the firewall allows traffic on port 80, they pass through the firewall and reach B. There, the process listening on port 80 receives the packets from A, unwraps them, and hands them to the Telnet process. When packets need to return from B to A, they travel back through port 80 and likewise pass the firewall without trouble.
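The scenario above is the reason an administrator should inspect what actually flows through port 80 rather than trusting the port number alone. The following Python is an added example written for this page, not code from the original article. It classifies the opening bytes of a TCP stream seen on port 80 using constructed sample payloads: an ordinary HTTP request, Telnet option negotiation relayed raw, and the same Telnet bytes wrapped in a well-formed HTTP POST as a tunnel client would send them. The function names (classify_port80_stream, split_http, scan_samples) and the sample bytes are assumptions of the example.

```python
import re

# Constructed sample payloads: the first bytes of three TCP streams as a sensor
# beside the firewall might see them on port 80. Made up for this example.
SAMPLE_STREAMS = {
    # An ordinary request: what port 80 is meant to carry.
    "plain_http": (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                   b"User-Agent: curl/8.0\r\n\r\n"),
    # Telnet option negotiation (IAC DO <opt>) sent straight to port 80 by a
    # naive relay that does not wrap the bytes at all.
    "raw_telnet": b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27",
    # The same Telnet bytes inside a syntactically valid HTTP POST, so that
    # port-only filtering and a request-line check both pass.
    "telnet_in_post": (b"POST /t HTTP/1.1\r\nHost: example.test\r\n"
                       b"Content-Type: text/html\r\nContent-Length: 12\r\n\r\n"
                       b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
}

REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")
IAC = 0xFF
TELNET_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def split_http(stream):
    """Return (headers, body) if the stream begins with a well-formed HTTP/1.x
    request whose header block is complete, else None."""
    if not REQUEST_LINE.match(stream):
        return None
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not terminated: not (yet) HTTP
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # a header line without a colon is malformed
        headers[name.strip().lower()] = value.strip()
    return headers, body


def looks_like_telnet(data):
    """True if data contains a Telnet option negotiation (IAC WILL/WONT/DO/DONT)."""
    return any(data[i] == IAC and data[i + 1] in TELNET_NEGOTIATION
               for i in range(len(data) - 1))


def binary_ratio(data):
    """Fraction of bytes that are neither printable ASCII nor common whitespace."""
    if not data:
        return 0.0
    nonprint = sum(1 for b in data
                   if (b < 0x20 and b not in b"\r\n\t") or b >= 0x7F)
    return nonprint / len(data)


def classify_port80_stream(stream):
    """Classify the opening bytes of a port-80 stream.

    NON_HTTP_TELNET  - not HTTP at all, and carries Telnet negotiation
    NON_HTTP         - not HTTP at all
    SUSPICIOUS_HTTP  - valid HTTP framing, but the body contains Telnet bytes
                       or is binary despite a text/* Content-Type
    HTTP             - nothing anomalous in the opening bytes
    """
    parsed = split_http(stream)
    if parsed is None:
        return "NON_HTTP_TELNET" if looks_like_telnet(stream) else "NON_HTTP"
    headers, body = parsed
    ctype = headers.get(b"content-type", b"")
    if looks_like_telnet(body) or (ctype.startswith(b"text/") and binary_ratio(body) > 0.3):
        return "SUSPICIOUS_HTTP"
    return "HTTP"


def scan_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_port80_stream(data) for name, data in SAMPLE_STREAMS.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15s} -> {verdict}")
```

Run the file directly to print a verdict per sample. The lesson for the firewall administrator is that the request-line check alone passes the wrapped variant; only looking into the body catches it, and a tunnel that encodes its payload as text (base64 in a text body, for instance) would pass this heuristic as well. Protocol-aware inspection narrows the gap the article describes but does not close it, which is exactly why relying on a single port filter is unsafe.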
