1 Summary
This document describes the NAT and proxy traversal ("penetration") solution of the whole ECP system, including the UDP hole-punching technique used in the original Cyberphone and the forwarding and tunnelling techniques to be used in ECP. It is intended for the communication development department and other related staff.
2 Main text
ECP is an enterprise communication platform built on the Internet. In general the server is located on the public Internet, while the clients can be located inside different local area networks (LANs), as shown in the figure:
Since clients in different LANs cannot reach each other directly, some indirect means of access is needed. The techniques currently available are:
1. UDP penetration (hole punching), the technique used in Cyberphone; it depends closely on the characteristics of the NAT or proxy.
2. UDP forwarding, to solve the case where a symmetric NAT cannot be traversed.
3. TCP forwarding, to solve the case where UDP ports are not open.
4. HTTP tunnel forwarding, to solve the case where only a web proxy is open.
3 Background knowledge
Since the traversal technique is closely related to the characteristics of the NAT or proxy, a brief introduction follows.
3.1 Introduction to NAT and proxies
Network Address Translation (NAT) converts between the private (virtual) IP addresses used inside a LAN and the real IP addresses used outside it. NAT brings at least two benefits: it eases the shortage of legal (routable) IP addresses, and it hides internal IP addresses, which helps protect the internal network. A general NAT should provide both one-to-one and many-to-one address translation.
An application proxy is software running on the firewall that stands in for both ends of a network connection: for each network application (HTTP, FTP, Telnet, SMTP, POP3 and so on) there is a proxy program that speaks that application's protocol. Because an application-layer proxy firewall works at layer seven of the OSI model, it can inspect and log the traffic passing through the firewall in much more detail; for example, a POP3 proxy can limit the size of received mail or reject mail from given source addresses.
3.2 Varieties of NAT and proxy
To address network security and the shortage of IP addresses, NAT (network address mapping) and proxy servers are widely used. NAT lets a few, or even a single, public address serve a whole private address space, and it also hides the structure of the internal network, which gives a measure of security; NAT can be implemented simply by router configuration. A proxy works at the application level: it accepts an external application's connection request, performs security checks, and then connects to the protected application server on the internal network, so that external users can use internal services under control. Likewise, connections from the internal network to external services can be monitored, and a proxy can also operate in a NAT mode.
Because there is no single specification that NAT and proxy implementations must follow, implementation details differ. For example, the NAT configured on different vendors' routers falls broadly into:
★ full cone
★ address-restricted cone
★ port-restricted cone
★ symmetric
These NAT implementations do not work on the same principle, so there can be no single traversal method that covers all of them.
3.2.1 General principle of traversal
The principle of traversing a NAT or proxy is shown in the figure above. The addresses used below are those of the figure: the internal host is 10.0.0.3:1049, the NAT or proxy has internal address 10.0.0.1 and external address 24.1.70.210, and the external host is 128.32.32.68:80.
First, the internal host (10.0.0.3:1049) sends a packet to the external host (128.32.32.68:80).
When the packet passes through the NAT or proxy, the source address of the packet is rewritten to the external IP address and port of the NAT or proxy (10.0.0.3:1049 → 24.1.70.210:40960). At the same time a record is added to the NAT or proxy's table (10.0.0.3:1049, 10.0.0.1:4056, 24.1.70.210:40960, 128.32.32.68:80), which saves the relationship between the internal host's IP and port, the mapped IP and port, and the target IP and port. The packet is then sent on to the target host. When the target host receives the packet, it reads the source address and port (24.1.70.210:40960) from it, and sends its reply to that address and port from the port on which it received the packet (128.32.32.68:80).
When the reply reaches the NAT or proxy, the NAT or proxy takes the source IP and port (128.32.32.68:80) and the destination IP and port (24.1.70.210:40960) from the packet, looks them up in the table and finds the record (10.0.0.3:1049, 10.0.0.1:4056, 24.1.70.210:40960, 128.32.32.68:80). It rewrites the destination address and port to the internal host's IP and port (24.1.70.210:40960 → 10.0.0.3:1049); a proxy additionally rewrites the source address to its own internal IP address and port (128.32.32.68:80 → 10.0.0.1:4056), whereas a plain NAT leaves the source unchanged. The packet is then delivered to the internal host.
Thus a request initiated by the internal host and the response from the external host together complete the traversal of the NAT or proxy. Note that the mapping exists only because the internal host sent first; an external host cannot create one on its own, which is what all the traversal techniques in this document have to work around.
3.3 Characteristics of each type of NAT and proxy
According to how the NAT or proxy allocates mapped ports and how it decides whether to admit returning packets, it is divided into full cone, address-restricted cone, port-restricted cone and symmetric types (the classification used by RFC 3489). In the descriptions below Host A is the internal host and Host B and Host C are external hosts. The characteristics are as follows:
3.3.1 Full cone
The full cone type is characterised by: the same internal IP and port (Host A), whichever external IP and port it sends to (Host B or Host C), is always mapped to the same external IP and port; and any external IP and port (Host B or Host C) can send data to the inside through that mapped external port, whether or not Host A has ever sent to it.
This type offers the lowest security.
3.3.2 Address-restricted cone
The address-restricted cone type is characterised by: the same internal IP and port (Host A), whichever external IP and port it sends to, is always mapped to the same external IP and port; but only an external host to which Host A has already sent a packet (Host B) can send data back through the mapped port, and it may do so from any of its ports. That is, for data sent from the outside to the NAT or proxy, only the source IP is checked.
This type improves on the full cone type.
3.3.3 Port-restricted cone
The port-restricted cone type is characterised by: the same internal IP and port (Host A), whichever external IP and port it sends to, is always mapped to the same external IP and port; but an external host can send data back through the mapped port only from the exact IP and port to which Host A has already sent. That is, for data sent from the outside to the NAT or proxy, both the source IP and the source port are checked.
This type is more secure than the address-restricted type, since the check on returning packets is stricter.
3.3.4 Symmetric
The symmetric type is characterised by: the same internal IP and port, when sending to different external IP addresses and ports, is mapped to a different external port for each destination, and an external IP and port can send data inward only through the mapping that was created for it. This type offers the highest security, and therefore the original Cyberphone cannot traverse this type of NAT or proxy.
To strengthen security, a given NAT or proxy may combine the features of several types at once.
4 UDP penetration
UDP penetration (hole punching) is the technique used in the original Cyberphone; it depends closely on the characteristics of the NAT or proxy.
4.1 How a CP call obtains the mapped port
Since Cyberphone currently cannot traverse symmetric NAT, the method below traverses only the first three types.
The existing Cyberphone traversal method relies on the Cyberphone server to discover the port a user has been given on the NAT or proxy. The specific implementation is as follows:
During call setup, each user sends data from its own receive socket and send socket to the designated port of the server. When the server receives this data, it records the IP address and port it sees for each socket. The user then obtains the other party's external IP address and port from the directory server, and uses its own send socket to send to the other party's externally mapped IP address and port, thereby opening a channel between its own send socket and the other party. Finally, media is sent to the externally mapped IP address and port of the other party's receive socket.
Through this processing, Cyberphone can set up communication between two LANs, between a LAN and the WAN, and between two hosts on the WAN.
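As an added example (not Cyberphone or ECP code), the following Python model implements the four NAT types of section 3.3 and runs the section 4.1 rendezvous through every pair of them. All addresses are made up, the directory server is modelled as a single endpoint, and the model goes one step beyond the text: when only one direction gets through, the receiver answers the source address it actually saw, which is why a symmetric NAT still reaches a full cone or address-restricted peer and fails only against port-restricted or symmetric peers.

```python
# Added example: model of the four NAT types (section 3.3) and of the Cyberphone
# rendezvous (section 4.1). Not Cyberphone/ECP code; all addresses are made up.
FULL_CONE = "full_cone"
ADDRESS_RESTRICTED = "address_restricted"
PORT_RESTRICTED = "port_restricted"
SYMMETRIC = "symmetric"


class Nat:
    """Translation table of one NAT or proxy. Endpoints are (ip, port) tuples."""

    def __init__(self, kind, public_ip, first_port=40960):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = first_port
        # cone types: internal -> public; symmetric: (internal, destination) -> public
        self.mappings = {}
        # (public endpoint, external destination) pairs observed on outbound packets
        self.sent_to = set()

    def outbound(self, internal, dst):
        """An internal host sends to dst; return the public endpoint the packet leaves with."""
        key = (internal, dst) if self.kind == SYMMETRIC else internal
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        public = self.mappings[key]
        self.sent_to.add((public, dst))
        return public

    def inbound(self, src, public):
        """External src sends to one of our public endpoints; return the internal
        endpoint the packet is delivered to, or None if the NAT drops it."""
        owners = [key for key, value in self.mappings.items() if value == public]
        if not owners:
            return None                       # no mapping: nobody inside sent first
        internal = owners[0][0] if self.kind == SYMMETRIC else owners[0]
        if self.kind == FULL_CONE:
            allowed = True                    # anyone may use the mapped port
        elif self.kind == ADDRESS_RESTRICTED:
            # only the source IP is checked; the source port may differ
            allowed = any(p == public and d[0] == src[0] for p, d in self.sent_to)
        else:
            # port-restricted and symmetric: source IP and port must both match
            allowed = (public, src) in self.sent_to
        return internal if allowed else None


SERVER = ("203.0.113.10", 5000)   # directory server on the public Internet (made up)
HOST_A = ("10.0.0.3", 1049)       # client A inside LAN A
HOST_B = ("192.168.1.5", 6000)    # client B inside LAN B


def try_udp_punch(nat_a, nat_b):
    """Run the section 4.1 procedure; True if media can flow in both directions."""
    # 1. Each client sends to the server, which records the mapped address it sees.
    a_pub = nat_a.outbound(HOST_A, SERVER)
    b_pub = nat_b.outbound(HOST_B, SERVER)
    # 2. Each client learns the peer's mapped address from the server and sends to it.
    a_src = nat_a.outbound(HOST_A, b_pub)   # for a symmetric NAT this is a new port
    b_src = nat_b.outbound(HOST_B, a_pub)
    a_to_b = nat_b.inbound(a_src, b_pub) == HOST_B
    b_to_a = nat_a.inbound(b_src, a_pub) == HOST_A
    # 3. If only one direction got through, the receiver replies to the source it saw.
    if a_to_b and not b_to_a:
        b_to_a = nat_a.inbound(nat_b.outbound(HOST_B, a_src), a_src) == HOST_A
    elif b_to_a and not a_to_b:
        a_to_b = nat_b.inbound(nat_a.outbound(HOST_A, b_src), b_src) == HOST_B
    return a_to_b and b_to_a


def punch_matrix():
    """Which NAT type pairs can be traversed directly (fresh NATs for every pair)."""
    kinds = (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED, SYMMETRIC)
    return {(ka, kb): try_udp_punch(Nat(ka, "24.1.70.210"), Nat(kb, "198.51.100.7"))
            for ka in kinds for kb in kinds}


if __name__ == "__main__":
    for (ka, kb), direct in punch_matrix().items():
        print(f"{ka:>18} <-> {kb:<18} {'direct' if direct else 'needs relay'}")
```

The matrix is the practical decision table for ECP: every pair that prints "needs relay" is a pair for which the server forwarding of the following sections must be used instead of a direct channel.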
5 UDP forwarding
UDP forwarding solves the problem, described above, that a symmetric NAT cannot be traversed: instead of sending to each other directly, the clients send their media through the server.
5.1 UDP forwarding process
Client B first sends a probe packet (THRU) to the server, and the server records the external address and port it sees for B. Client A then asks the server for B's external address (REQ); the server looks up B's address from the earlier record and returns it to A (RET: IP, Port). A places the address it obtained in the header of its media data and sends the media to the server, which forwards it to B according to that address, thereby relaying the media data.
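The exchange above, written out as an added example of the forwarding server's message handling (this is not ECP code; the one-byte message type, the 4-byte client id, the 6-byte address field and the header layout are assumptions made here, and the addresses are made up):

```python
# Added example: the section 5.1 exchange (THRU, REQ, RET, forwarded media) as a
# message-handling model of the forwarding server. Not ECP code: the one-byte type
# field, the 4-byte client id and the header layout are assumptions made here.
import socket
import struct

THRU, REQ, RET, DATA = 1, 2, 3, 4          # message types (assumed)


def pack_addr(addr):
    """(ip, port) -> 6 bytes: IPv4 address followed by big-endian port."""
    return socket.inet_aton(addr[0]) + struct.pack("!H", addr[1])


def unpack_addr(raw):
    return socket.inet_ntoa(raw[:4]), struct.unpack("!H", raw[4:6])[0]


def msg_thru(client_id):            # B -> server: "record my external address"
    return bytes([THRU]) + client_id


def msg_req(client_id):             # A -> server: "what is B's external address?"
    return bytes([REQ]) + client_id


def msg_data(peer_addr, payload):   # A -> server: media, peer's external address in the header
    return bytes([DATA]) + pack_addr(peer_addr) + payload


class RelayServer:
    def __init__(self):
        self.clients = {}   # client id -> external (ip, port) learned from THRU

    def handle(self, src, packet):
        """Process one datagram received from external endpoint src.
        Returns the list of (destination, datagram) the server must send."""
        kind = packet[0]
        if kind == THRU:
            self.clients[packet[1:5]] = src
            return []
        if kind == REQ:
            peer = self.clients.get(packet[1:5])
            if peer is None:
                return []                                   # unknown client: no answer
            return [(src, bytes([RET]) + pack_addr(peer))]
        if kind == DATA:
            dst = unpack_addr(packet[1:7])
            if dst not in self.clients.values():
                # forward only to addresses that registered with THRU; without this
                # check anyone could use the server as an open UDP reflector
                return []
            # the forwarded packet carries the sender's external address so that
            # the peer can answer through the server the same way
            return [(dst, bytes([DATA]) + pack_addr(src) + packet[7:])]
        return []


def relay_exchange():
    """Walk through the exchange; returns (where the server sent the media,
    the sender address B sees in the header, the media B receives)."""
    server = RelayServer()
    a_ext = ("24.1.70.210", 40961)      # A as seen by the server (made up)
    b_ext = ("198.51.100.7", 52000)     # B as seen by the server (made up)
    server.handle(b_ext, msg_thru(b"B001"))                      # 1. B's probe packet
    (to_a, ret), = server.handle(a_ext, msg_req(b"B001"))        # 2. A asks for B's address
    b_addr = unpack_addr(ret[1:7])                               # 3. A reads RET: IP, Port
    media = msg_data(b_addr, b"audio frame 1")                   # 4. A sends media via server
    (to_b, fwd), = server.handle(a_ext, media)
    return to_b, unpack_addr(fwd[1:7]), fwd[7:]


if __name__ == "__main__":
    print(relay_exchange())
```

The registration check in the DATA branch is the one control a real forwarding server must not omit: a relay that forwards to any address named in the packet is a UDP reflector usable for amplification against third parties. A production server would also need to expire entries and authenticate THRU, which this model leaves out.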
6 TCP forwarding
TCP forwarding covers the case where the NAT or proxy does not let UDP through.
If the company's security policy is stricter and all UDP ports are closed, only TCP forwarding can be used.
7 HTTP tunnel forwarding
HTTP tunnel forwarding covers the case where the NAT or proxy provides only a web proxy.
7.1 Introduction to the HTTP tunnel
Today, enterprises, government agencies, schools and other users attach more and more importance to Internet security, and the firewall has become an indispensable piece of security equipment. Because of the firewall, only a small number of ports and protocols are allowed through, and most ports and protocols are closed to keep out intrusions; it is common for a firewall to leave open only HTTP on port 80 and close almost everything else. A software video conferencing system, as a representative network multimedia application, has to carry audio, video, data and control traffic, and it normally uses several ports and protocols (TCP, UDP and so on) to keep communication responsive. This conflicts with the firewall: if the ports the product needs are not opened, the product cannot be used, but if every product asks for its ports to be opened, the firewall gradually becomes a sieve full of holes and loses its filtering and protective purpose.
The so-called HTTP tunnel can be seen as using an established HTTP connection and creating a secondary protocol inside it to carry out a special task. A firewall traversal strategy built around HTTP tunnelling ensures that users can reach the service whatever proxy server or firewall they are behind, as long as they can reach the web at all (in the strictest case only a single Internet port is open).
7.2 HTTP tunnel principle
On the client side, an HTTP-Tunnel client listens on any chosen local port, such as 1234, and directs the data arriving on port 1234 to port 80 of the remote server (which the firewall allows through). On the server side, an HTTP-Tunnel server simply hooks port 80 and forwards the data coming from the client on port 80 to the host's Telnet service port 23; this establishes a basic tunnel. Now telnet to local port 1234 on the client: the data is forwarded to port 80 of the server, and because the firewall allows packets on port 80 through, it passes the firewall. The server receives the packet from the client on port 80, unwraps it and hands it to the Telnet process. When the server returns a packet to the client, it is again sent out through port 80 and likewise passes the firewall.
Note that a firewall that filters only by port number passes any bytes on port 80; a web proxy, however, only relays well-formed HTTP, which is why the client wraps its data in POST requests and the server wraps its replies in HTTP responses rather than sending raw Telnet bytes on port 80.
Figure (not reproduced): the client opens listening port 1234 and uses the telnet command to log in to the remote server; on the server, port 80 and the Telnet service; the firewall opens only port 80; all data goes out through port 80.
The client sends a POST request to the server, and the server answers OK; the HTTP tunnel is then established. Thereafter the data returned by Telnet is returned to the client through this HTTP tunnel.
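The wrapping and unwrapping that the tunnel client and server perform on each message, as an added example. This is not the http-tunnel program's own code: the /tunnel path, the X-Tunnel-Port header and the allow-list of target ports are assumptions made here, and the example covers only the framing, not the listening sockets on port 1234 and port 80.

```python
# Added example: framing for the HTTP tunnel of section 7.2. Not http-tunnel's own
# code; the /tunnel path, the X-Tunnel-Port header and the port allow-list are assumed.
def wrap_request(payload, target_port, host="tunnel.example.com"):
    """Client side: wrap raw bytes from local port 1234 in a POST the firewall lets through."""
    head = (f"POST /tunnel HTTP/1.1\r\nHost: {host}\r\nX-Tunnel-Port: {target_port}\r\n"
            f"Content-Type: application/octet-stream\r\nContent-Length: {len(payload)}\r\n\r\n")
    return head.encode("ascii") + payload


def wrap_response(payload):
    """Server side: wrap the Telnet service's reply in a 200 OK."""
    head = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode("ascii") + payload


def parse_message(raw):
    """Split one HTTP message into (start line, headers, body); ValueError if incomplete."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("incomplete body")
    return lines[0], headers, rest[:length]


def unwrap_request(raw, allowed_ports=(23,)):
    """Server side: recover (target port, payload). Ports outside the allow-list are
    refused; otherwise anyone who can reach port 80 could use the server as a proxy to
    any port on it."""
    start, headers, body = parse_message(raw)
    method, path, _ = start.split(" ", 2)
    if method != "POST" or path != "/tunnel":
        raise ValueError("not a tunnel request: " + start)
    port = int(headers.get("x-tunnel-port", "0"))
    if port not in allowed_ports:
        raise ValueError(f"target port {port} not allowed")
    return port, body


def unwrap_response(raw):
    """Client side: recover the Telnet bytes to write back to local port 1234."""
    start, _, body = parse_message(raw)
    if not start.startswith("HTTP/1.1 200"):
        raise ValueError("tunnel server answered " + start)
    return body


def round_trip(data, service):
    """One client -> server -> service -> client cycle. `service(port, bytes) -> bytes`
    stands in for the Telnet process on port 23."""
    port, payload = unwrap_request(wrap_request(data, 23))
    return unwrap_response(wrap_response(service(port, payload)))


if __name__ == "__main__":
    echo = lambda port, b: b"login: " + b          # stand-in for the Telnet service
    print(round_trip(b"user\r\n", echo))
```

The allow-list in unwrap_request is the caveat that matters in deployment: a tunnel server that forwards to whatever port the request names turns the one hole the firewall left open into a door to every service on the host.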
8 Conclusions
ECP's current traversal method is the same as that of the original CP; in addition, when traversal across two NAT layers (both endpoints behind NAT) cannot communicate, ECP uses the server forwarding mechanism, so that the two layers become one. HTTP tunnelling solves the remaining cases for ECP; our goal is that ECP works normally wherever the web can be reached.
The real network environment will not be as simple as we imagine, so our existing traversal methods need further testing and verification.