Securing Your Traffic

by b1tl0ck

This topic came out of necessity at a recent job I had.  I needed to securely punch parts of my network traffic through the corporate firewall to remotely manage things outside the company.  Also, Instant Messenger (IM) traffic has always been a concern for me.

First, we'll talk about IM traffic.

I did not want my username and password floating around in plain text.  If I were to throw a "network protocol analyzer" (a.k.a. sniffer) up on a network and start capturing packets, I would be able to view all Instant Messenger traffic.  This traffic would include usernames and passwords, along with every message you sent to your chat partner.

The same goes for using IM on your home broadband.  Every time you sign on to AOL Instant Messenger, or MSN Messenger, or Yahoo! Messenger, or (insert popular chat program here), your username and password are sent in plain text over the Internet to the company/service you are connecting to.  Anyone could very easily throw a sniffer up and capture packets for a few hours, then spend some time analyzing what they captured to work out how to impersonate you via chat.

I won't go on about why protecting yourself is important, so on with it.

SSH stands for Secure Shell.  Read all about it at en.wikipedia.org/wiki/Secure_Shell.  Wikipedia does a good job explaining what SSH is/does.  I won't attempt to paraphrase.

Step 1:  You need to be interested in this topic.  We'll assume you are, otherwise you wouldn't be reading this.

Step 2:  Set up/configure an SSH server on a remote/home computer.  I use the integrated SSH server on my Mac.  No additional software needed.  On a PC you'll need OpenSSH or something similar.

Step 3:  Install SSH client software that will connect to the SSH server you just set up.  On a Mac, SSH Tunnel Manager works well.  On a PC, Tunnelier is the best in my opinion.

Step 4:  If you have a router in place, forward port 22 to the IP address of your SSH server.  If you don't, then skip this step.

Step 5:  Create a new connection/tunnel on your client computer to the Internet IP address of your SSH server.  I won't go into details on this step since each program is a little different.  I had to get creative on the actual ports being used to tunnel out of the corporate firewall.  Find an open port and use it.  Just make sure to forward all traffic on that port to port 22 on the server you set up in Step 2.  Hint:  If you can use your IM client without a proxy, you can tunnel your traffic over port 5190.

Step 6:  The next part is an important part.  After you set the details of the connection/tunnel, find the section of the software that allows you to create a SOCKS proxy.  It can be SOCKS4 or SOCKS5.  On the Mac, I just put a checkmark in the box to enable the SOCKS4 proxy and give it a port to run on (you can leave it set to default too).

Step 7:  Connect to your SSH server, authenticate, done.  Be happy that you now have a fairly secure tunnel from your computer to your server across the Internet.

Step 8:  This is another important step.  You need to configure your chat program to use the SOCKS proxy you just set up.  The SOCKS proxy server should be 127.0.0.1, or localhost (on a Mac I've found you must use the SOCKS proxy of 127.0.0.1 instead of localhost), and the port should be whatever you specified in Step 5.  I won't go into program details as each program is a little different.  There should be options in the program to do this.  All IM programs I've used support proxy usage, some better than others however.  iChat, for example, doesn't like SOCKS proxies for some reason.  I use Adium on the Mac and Gaim on the PC.

Step 9:  Log in to your chat program.  If it works, great!  Congrats, you are now more secure than you were before.

To test out whether or not your chat program is actually connected via the secure tunnel, you can disconnect your SSH connection and see if your chat program logs you out (loses connectivity).

If it does, then it's safe to say you are set up properly.  If you stay connected to your chat program and the SSH connection is not running, then you have an issue somewhere - probably misconfigured chat proxy settings.
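To pair with the disconnect test above, here is an added example (not part of the original article): a small Python probe that reports whether a SOCKS5 proxy is actually answering on the local port your chat program points at.  Port 1080 is an assumed value, so substitute the port you gave the SOCKS proxy; the probe also assumes the proxy speaks SOCKS5, so a SOCKS4-only proxy will show up as "not-socks".

```python
import socket


def probe_socks5(host="127.0.0.1", port=1080, timeout=2.0):
    """Classify what is listening on host:port.

    Returns "socks5"    if a SOCKS5 proxy answered the greeting,
            "closed"    if nothing accepts connections (tunnel is down),
            "not-socks" if something else is listening on that port.
    Port 1080 is an assumed default, not a value from the article.
    """
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused or timed out: no local listener, so the tunnel is not up.
        return "closed"
    with s:
        try:
            # SOCKS5 greeting: version 5, one method offered, 0x00 = no auth.
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
        except OSError:
            return "not-socks"
    # A SOCKS5 server answers with version 5 and the method it selected.
    return "socks5" if reply == b"\x05\x00" else "not-socks"


def fails_closed(state_connected, state_disconnected):
    """True when the proxy answered while SSH was connected and the port
    went away once SSH was disconnected, which is what the test expects."""
    return state_connected == "socks5" and state_disconnected == "closed"


if __name__ == "__main__":
    print("local SOCKS port:", probe_socks5())
```

If the probe says "closed" while your chat program is still signed in, the chat program is not using the proxy at all and its traffic is going out in the clear.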

What Else Can You Do?

Now that you have an SSH tunnel, you can route any traffic you'd like through it.

Use redirections/forwarding in the SSH client software to route the traffic where you want it to go.  In Tunnelier it's called "C2S Forwarding."  In SSH Tunnel Manager, it's called "Local Redirections" and "Remote Redirections."

Set up a proxy server on your remote server/computer and browse the web using your home broadband connection.  You can set a remote redirection for your POP/SMTP traffic and check your email via Outlook or whatever mail program you'd like.

Set a local redirection on port 5900 and you can VNC into any computer on your home network.  Again, to test out whether or not your traffic is traveling through the SSH tunnel, simply disconnect the SSH connection and try the connection.

If it connects, something isn't configured properly.  If it does not connect, it's safe to say everything is working as intended.

Oh, one more thing...  If you do this on your work computer and your IT department finds out what you're doing, they will likely be less than pleased.

My advice is to make friends with your IT support people (deskside technicians, network admins).  I can almost guarantee each of them is doing this already.  Be their friend and they may even set this up for you, or tell you what port to use.

If you are rude to them, prepare to be reported to management for breaking company guidelines.

Oh, one final note...  Usual disclaimers apply.  Don't break the law, etc.

Happy trails (or lack thereof).
