You might have heard of the term tunneling when talking security, but what does it actually mean, why do we need it, how do we do it... and just how many spoons does it take?
The concept is super simple, as is the implementation actually, but let's start with a scenario. Using a simple secure proxy works just fine for general port 80 Internet use, but say I wanted to connect to something that didn't offer me a secure connection, an old mail client perhaps? That retro FTP server I've had running since the early 90s? That IRC bot that was never designed for secure use? That badly designed game or voice server?
Remember that these services would have to be running on a server you owned; you could still use a tunnel to connect to other services outside of your "domain", but the traffic from your server TO that service would not be super secure.
A good example of when this is a great idea is international travel. International law about what is and isn't acceptable is grey and sometimes purposefully vague about what can and cannot be transmitted/received, and in some countries *cough*China*cough* traffic is heavily monitored.
By establishing a tunnel to your server in your home territory first, you are removing (or at least restricting) that access.
Another neat concept with tunneling is that you can apply it either on a port level (e.g. encrypt all port 25 traffic), which will be system wide against that port, or on a system level, which will direct ALL traffic through the tunnel. If you want to be super secure, just plugging your proxy server into Firefox won't be enough... and heck you should be using Chrome now to boot... get with the program!
Another nice feature of tunneling is that it is established through SSH, which allows us to use no-password-authentication, using a certificate, eliminating the need for a password. The certificate just has to be present and the connection will establish. You could therefore have the certificate installed on a USB key and keep it with you at all times, and there you have a seriously secure connection. Then you just need to instruct your server to only accept certificates and you are on your way to being just a little more secure. You also might want to consider implanting a copy in your arm in case you lose the original (surgery may be required).
How do I do this then? you ask, spoon at the ready. First of all remember that there are many different base systems out there, along with different versions of SSH, so this will act as a guide only, with a simple Linux server that would be considered a pretty common dedicated server right now (Linux 2.6.18-164.11.1.el5 i686 i386 GNU/Linux). Remember that you can still use SSH with other server variants (Windows Server -shudder- for example), you just need the appropriate software.
Q: How would we establish a connection to the server via SSH to send commands?
A: ssh username@yourserver.address.com
Sounds simple enough? We would obviously have to have SSH enabled for our account on the server, and if we didn't have a certificate to authenticate us it would then ask for a password.
Q: How could I tunnel a port through SSH?
A: ssh -f username@yourserver.address.com -L 25:localhost:25 -N
See how we did that? The -f switch tells the command to run in the background, but you might like to leave it visible for peace of mind. The -L is the local port redirection and the -N tells the server that we don't want to execute any commands, so don't even give us a prompt. So far so good? Remember I don't need to keep these ports the same (great for avoiding port restrictions)... so if my corporate firewall disallowed say... SMTP on port 25, I could remap it to port 2500 getting secure mail AND bypassing the firewall.
All I would need to do with the above is instruct the mail client to connect to localhost on port 25 and I'd be good to go.
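A pre-flight check for the -L argument used above, added here as an example and not part of the original post. The function name `audit_forward`, the finding labels and the host `mail.example.net` are made up for illustration; it checks the three things the post touches on: privileged local ports, who can reach the local listener, and whether the last hop leaves the tunnel.

```sh
#!/bin/sh
# Added example: audit an `ssh -L` spec, [bind_address:]port:host:hostport.
# Prints one finding per line, or OK. Bracketed IPv6 is reported as INVALID.
audit_forward() {
    spec=$1
    # Split on ':' with globbing off, so a '*' bind address stays literal.
    old_ifs=$IFS; IFS=:; set -f
    set -- $spec
    set +f; IFS=$old_ifs
    case $# in
        3) bind=localhost; lport=$1; host=$2; hport=$3 ;;  # ssh default: loopback
        4) bind=$1; lport=$2; host=$3; hport=$4 ;;
        *) echo "INVALID expected [bind_address:]port:host:hostport"; return 0 ;;
    esac
    for p in "$lport" "$hport"; do
        case $p in
            ''|*[!0-9]*) echo "INVALID port '$p' is not numeric (only numeric ports are checked)"; return 0 ;;
        esac
    done

    findings=0
    # Only root can bind ports below 1024; the post's 2500 remap avoids that.
    if [ "$lport" -lt 1024 ]; then
        echo "PRIV_PORT local port $lport needs root; remap it to a port >= 1024"
        findings=1
    fi
    # Anything but loopback lets other hosts on the network use the tunnel.
    case $bind in
        localhost|127.0.0.1) ;;
        *) echo "EXPOSED_BIND listener on '${bind:-*}' is reachable from other hosts"
           findings=1 ;;
    esac
    # The tunnel ends at the SSH server; a non-local target is reached in the clear.
    case $host in
        localhost|127.0.0.1) ;;
        *) echo "CLEAR_LAST_HOP server -> $host:$hport is outside the tunnel"
           findings=1 ;;
    esac
    [ "$findings" -eq 0 ] && echo "OK"
    return 0
}

# Constructed sample specs, including the one from the post.
for s in 25:localhost:25 2500:localhost:25 '*:2500:mail.example.net:25'; do
    echo "== $s"; audit_forward "$s"
done
```

With the remapped spec `2500:localhost:25`, the mail client is pointed at localhost port 2500 instead of 25.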
Q: How could I tunnel everything through SSH?
A: It's easily possible, but requires more of a workaround. See, when your computer accesses Internet services they all sit at different levels and use different protocols to connect, so we can't just demand that all traffic go through a secure channel. FFT: we could do this at a ROUTER level. Take a look at http://www.plenz.com/tunnel-everything, which will give you an idea of how to accomplish this with Linux, and there is always Google if you are choosing to convene with the Devil.
Resources
* http://www.revsys.com/writings/quicktips/ssh-tunnel.html
* http://www.plenz.com/tunnel-everything
FFT
* Reverse Tunnelling - so that you are re-tunneling back to yourself if an uplink needs to be made - http://www.techrepublic.com/article/setting-up-a-reverse-ssh-tunnel/5779944


