HTTP tunneling is a method in which non-legitimate data is sent using HTTP protocol. This is acheived using a client-server HTTP tunneling application, and is usually done to bypass the security provided by common firewalls, as firewalls usually allow HTTP traffic. A properly formatted HTTP packet is used which passes the standard HTTP checks and L4 firewalls. HTTP tunneling works with a host running the server side applciation. The outside user runs the client side applciation, which is used to send HTTP encapsulated communication to the server application. The server then interprets this information and opens the connection to the desired host, and this bypasses the security.
Real Servers and Server Farms
To provide services to clients, you configure real servers (the actual physical servers) on the ACE. Real servers provide client services such as HTTP or XML content, hosting websites, FTP file uploads or downloads, redirection for web pages that have moved to another location, and so on. The ACE also allows you to configure backup servers in case a server is taken out of service for any reason.
Servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately. Also, mirrored content allows several servers to share the load of increased demand.
Blocking HTTP Tunnels
Most standard firewalls cant block HTTP tunnels which are cleaverly disguised. Although firewalls do have HTTP inspection; it only checks for proper HTTP packet and header, which is there in HTTP tunnels. Several HTTP tunneling methods exist, like HTTP CONNECT, POST, GET, PUT, DELETE tunneling. To block this traffic requires a deeper packet inspection using custom regex. Custom regex is not possible in case of firewalls like PIX and FWSM
pixfirewall(config-cmap)# match request header ?
mpf-class-map mode commands/options: accept Accept field accept-charset Accept-Charset field accept-encoding Accept-Encoding field accept-language Accept-Language field allow Allow field authorization Authorization field … pixfirewall(config-cmap)# match request header X-? ERROR: % Unrecognized command
ACE/PIX/ASA come with a built-in “port-misuse” directive in HTTP inspection engine. But it doesn’t really help here. The engine looks for these fixed regexes: FIRETHRO: "[/\\\\]cgi[-]bin[/\\\\]proxy" HTTP_PORT: "[ \t]+photo[.]exectech[-]va[.]com" UAGENT_GNUTELLA: "[Gg][Nn][Uu][Tt][Ee][Ll][Ll][Aa]" YAHOO: "YMSG.*" KAZAA: "[Xx][-][Kk][Aa][Zz][Aa][Aa].*“
Configure ACE to block HTTP Tunneling
Follow these steps to block HTTP tunneling using ACE:
1) Define a class-map that matches port 80: switch/lab(config)# class-map match-any http switch/lab(config-cmap)# match port tcp eq www
2) Build header regexes: if we see both headers, match! switch/lab(config)# class-map type http inspect match-all headers switch/lab(config-cmap-http-insp)# match header X-Counter header-value .* switch/lab(config-cmap-http-insp)# match header X-Session header-value .*
3) Instruct ACE to drop packets that match the regex switch/lab(config)# policy-map type inspect http all-match htpolicy switch/lab(config-pmap-ins-http)# class headers switch/lab(config-pmap-ins-http-c)# reset
4) Apply the HTTP policy to port-80 traffic: switch/lab(config)# policy-map multi-match nofirepass switch/lab(config-pmap)# class http switch/lab(config-pmap-c)# inspect http policy htpolicy url-logging
5) Map the policy to the client-side interface: switch/lab(config)# int vlan 20 switch/lab(config-if)# service-policy input nofirepass
Following is a sample configuration for SSL tunneling
parameter-map type http CASE_PARAM
set header-maxparse-length 65535
set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
loadbalance vip inservice
loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
serverfarm host ENCRYPTED-SERVERFARM
rserver JORGE-SERVER 443
Check for the following ACE logs to verify if blocking is working fine
%ACE-6-302022: Built TCP connection 0x76 for vlan20:10.20.10.100/52431 (10.20.10.100/52431) to vlan100:10.10.10.101/80 (10.10.10.101/80) %ACE-5-304001: User:10.20.10.100 Accessed URL 10.10.10.101:/cgi-bin/firepass-1.1.2a/fpserver/fpserver.cgi %ACE-6-302023: Teardown TCP connection 0x76 for vlan20:10.20.10.100/52431 to vlan100:10.10.10.101/80 duration 0:00:00 bytes 508 Policy Close
I have a multipod ACI fabric With 3 apics.Trying to get snmp working, and following Cisco doc's, I get 1 of the 3 apic's working.2 of my apic's does not reply to the snmp get request from my managment station.Does anyone have any tips for getting it to wo...
Hi, I have a lab where I have deployed a triangle of bgp evpn NXOS 9000v switches. On each side of the triangle a have a host. Lets say the following: Host A with mac a.a.a.a in side A of the triangleHost B with mac b.b.b.b in side B of the...
Dear Community, I'm trying to do a POC for a client of VXLAN and I notice that I'm unable to ping systems from one leaf on another leaf. The weird thing is when I wireshark it I can see the ARP request from the source machine and the reply from the d...
Hello dear community members, We have two switches Nexus 3064-X and we would like to build a new iSCSI SAN. Expected iSCSI storage performance is 30 Gig iSCSI-A + 30 Gig iSCSI-BMy questions:1) can Nexus 3064-X handle such workload?2) in general, what...