Wednesday, November 10, 2010

SSH forward and dynamic tunneling

SSH stands for Secure Shell and was designed to replace telnet: it provides remote control of a machine, but with robust security. Linux users will have heard of it, but if you do not know how to run it and use its features to the fullest, read on.

SSH has evolved to incorporate features such as forward port tunneling, reverse port tunneling and dynamic port tunneling. This article covers the basic setup and installation of SSH servers on Windows and on Ubuntu Linux. The steps will be almost the same on other distros.

Please note that port forwarding was originally introduced to allow incoming packets in a NAT environment; similar features were later implemented in SSH, hence the name SSH port forwarding.

SSH Forward Port Forwarding

It can be visualized as an outbound tunnel where data is forwarded from the client 'towards' the server.

There are a few things to note:
1. First, an SSH connection is set up, so you need an SSH client and server running properly.
2. Once the forward tunnel has been set up, data passes through the tunnel and the receiving end directs all of it to the specified port number.

Setting up port forwarding (Windows)

Download FreeSSHD from the link posted below. It is free software that runs an SSH and telnet server. After installation you will be asked to generate a set of keys. Create them, as they will be used to ensure the integrity of the remote user. Now add a user account and assign a password. This account name will be used to log in remotely.

If the SSH server is behind a NAT connection, e.g. a home ADSL connection, then you will need to allow incoming connections to port 22. Refer to this link if you want a brief idea of how to implement the aforementioned scheme (confusingly known as NAT port forwarding).

Try to establish a normal connection using PuTTY, available for Windows and Linux.

Such tunneling can be very useful if you want to access a remote service securely. For example, consider a scenario in which you need to access a remote web server securely. All you need to do is set up a forward SSH tunnel with the remote machine and enter the following configuration:

So when any data is sent to port number  it will be redirected through the ssh tunnel where the remote end will redirect the traffic to the destination address.
The above configuration redirects all traffic sent to the local PC's port 8080 through the SSH tunnel; the remote end then redirects it to localhost, meaning itself, on port 80. So if the remote machine is running a web server, all its content passes through the SSH tunnel encrypted, and thus securely.

Forward tunnels therefore have a very special use: they can be used to bypass firewalls or content filtering services and access remote machines with ease. The above schematic shows data transferred from the local host to the remote server. Note how the data is internally directed from port 8181 to port 80.

More on Reverse Port tunneling and dynamic port tunneling in some later post.

Ubuntu users can install the OpenSSH server using the following command:
sudo apt-get install openssh-server
(config files are stored in /etc/ssh/sshd_config). A Linux version of PuTTY is also available and can be obtained using the Synaptic package manager.
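As an added example (not code from the original post), the tunnel described above has an OpenSSH command-line equivalent, and the server's /etc/ssh/sshd_config decides whether such a forward is accepted at all. The Python below composes the command for the 8080 to localhost:80 scenario and checks a configuration text against the AllowTcpForwarding and PermitOpen directives; the user name, server name and config excerpts are constructed for the example.

```python
import re
from typing import Dict, List

def forward_tunnel_command(local_port: int, dest_host: str, dest_port: int,
                           user: str, server: str) -> List[str]:
    """OpenSSH equivalent of the PuTTY 'Local' tunnel: -L lport:host:hport.
    -N opens no remote shell, so the session exists only to carry the tunnel."""
    return ["ssh", "-N", "-L", f"{local_port}:{dest_host}:{dest_port}",
            f"{user}@{server}"]

def parse_global_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> value for the global section of sshd_config.
    sshd honours the first occurrence of a keyword; Match blocks are skipped
    here, which is a simplification made for this example."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":                       # conditional section begins
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def forward_permitted(config_text: str, dest_host: str, dest_port: int) -> bool:
    """Would this sshd_config let a client open -L <port>:dest_host:dest_port?
    AllowTcpForwarding: yes (default) | no | local | remote.
    PermitOpen: any (default) | none | space-separated host:port entries,
    where the port may be '*'; the host is compared literally, as sshd does."""
    cfg = parse_global_sshd_config(config_text)
    if cfg.get("allowtcpforwarding", "yes").lower() not in ("yes", "local"):
        return False                             # 'no' or 'remote' blocks -L
    permit = cfg.get("permitopen", "any")
    if permit.lower() == "any":
        return True
    if permit.lower() == "none":
        return False
    for entry in permit.split():
        host, _, port = entry.rpartition(":")
        if host == dest_host and port in ("*", str(dest_port)):
            return True
    return False

# Constructed sshd_config excerpts for demonstration (not taken from the page).
DEFAULT_CONFIG = "Port 22\n#AllowTcpForwarding yes\n"   # everything left at defaults
RESTRICTED_CONFIG = "AllowTcpForwarding local\nPermitOpen localhost:80 localhost:443\n"
NO_FORWARDING = "AllowTcpForwarding no\n"
```

With the restricted configuration the web-server tunnel from the article still works, while forwards to any other host are refused by the server rather than relying on the client to behave.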

Some important commands:

Start OpenSSH server:
sudo /etc/init.d/ssh start

Stop OpenSSH server:
sudo /etc/init.d/ssh stop

Restart the server:
sudo /etc/init.d/ssh restart

Other Useful Links:

1. FreeSSHD homepage
2. Learn NAT Port Forwarding
3. Wiki on SSH
4. More info

Monday, November 8, 2010

Cisco Packet Tracer

Cisco has developed a superb tool known as Cisco Packet Tracer, which is essential for anyone preparing for the CCNA or higher exams. Since it is very difficult to realize complex network topologies with different devices and interconnections using actual hardware, Cisco developed this product to simulate such topologies, and added features which make debugging easier to understand and to apply in real-world situations. One can therefore simulate real-life network topologies on a PC without needing to physically set up devices.

Modes in Cisco Packet Tracer

Packet Tracer has two modes: realtime and simulation.

In realtime mode, devices run as they would in normal operation. Simulation mode allows the user to filter certain packets and change the packet transfer speed, isolating particular packets for better analysis and understanding of the network topology and the path taken by a particular packet.

On the bottom left-hand pane there is a list of devices such as routers, switches and the WAN cloud; clicking one displays a list of models Cisco has manufactured. The most common router model used in CCNA is the 2811, and for switches the 2960.

Dragging and dropping a device into the main window boots it up and makes it ready for configuration. Double-clicking it opens a new window listing the hardware specifications, which can be modified according to your needs (such as adding new modules like Ethernet ports). There is a Config mode and a CLI mode.

Config mode is useful for quick configuration of the device, whereas CLI mode simulates a console session. Cisco devices can be configured over a console cable, and such a session is called a console session. Naturally, CLI mode allows the user to fully explore a device's features, unlike Config mode.

Simulation mode is a wonderful feature and behaves like Wireshark in some ways; for example, it lets you watch the details of a particular packet. Additionally, you can adjust the speed of the packet transfer for debugging and better understanding.

For example, in the above topology suppose I want to know what type of messages are exchanged and what path is taken when HostA pings router1. All I need to do is start simulation mode and ping the destination. Clicking the autocapture button shows a graphical "journey" of the packet. You can also click on a packet at any time to view its headers and other details.