Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 365 Implementation5.1 IntroductionDevelopment of networking application is closely bond to the programming languagechosen to implement the product. After a quick research of the tools available on themarket, a decision was made to use Microsoft .NET and C#. This platform, designedby Microsoft, speeds up development by freeing the programmer from low-levelissues (memory management and etc.) and provides standards Windows controls thatcan be used in .NET applications. Microsoft .NET becomes more and more popular innetworking professionals’ community.5.2 Testing NetworkThe test network was implemented in a way to reassemble a basic scenario ofinstitutional intranet. Thus, a Cisco router is employed as a border gateway. Thisrouter provides network address translation (NAT), dynamic host allocation (DHCP)and state-full firewall services to the intranet. Consequently host machines and serversconnect to a Cisco Catalyst 2950 switch attached to the intranet port of the router(Fa0/1). The router’s other FastEthernet interface (Fa0/0), is connected to InternetService Provider (ISP). Since the design phase proposed experiments requiring codemobility testing, the test network is not homogenous. Thus, variety of hosts runningdifferent Windows based operating systems is connected to the test network (Figure5-1).Host 1Windows XPProfessional SP 2Host 2Windows 2000 ServerService Pack 3Fa0/1Fa0/0ISPHost 3Windows XPStarter Edition SP 2Host 4Windows XPHome Edition SP 2CiscoCatalystSwitchCiscoRouterFigure 5-1 Test Network TopologyTo provide for the requirements of experiments based on comparison of HTTPresponses to modified and unmodified requests, Host 3 is connected to the Ciscoswitch via two identical links. Thus, two separate Proxy servers can run on thismachine at the same time, each with its own listening interface (more details willfollow with experiments implementation description). The specification of the testnetwork components can be found in Table 5-1.
Z. Kwecka, BSc (Hons) Network Computing, 2006 37Name SpecificationHost 1 OS: Windows XP Professional SP 2IP Address/Mask: 192.168.1.2/24CPU: AMD Athlon XP 1800RAM: 480MBHost 2 OS: Windows 2000 Server SP 3IP Address/Mask: 192.168.1.20/24CPU: Intel Pentium IIRAM: 256MBHost 3 OS: Windows XP Starter Edition SP 2IP Address/Mask: 192.168.1.7/24192.168.1.8/24CPU: Intel Pentium MMXRAM: 64MBHost 4 OS: Windows XP Home Edition SP 2IP Address/Mask: 192.168.1.3/24CPU: AMD Athlon XP 2800RAM: 768MBTable 5-1 Component Specification5.3 Foundation SoftwareIn the design section we have identified that the software required for this project(prototype and experiments) falls into three categories:- HTTP Analysers,- HTTP Proxies,- HTTP Traffic Generators.Thus, this implementation began with producing of foundation software, baseapplications easily adaptable to particular tasks, in order to speed up the development.5.3.1 HTTP AnalysersThe Sniffer Detection Agent of the prototype is the major piece of software, whichfalls into this category together with application, required for the experiments, such asHTTP Dumper and OffLine HTTP Analyser. They all have one thing in common, asthey must understand raw network traffic, since they may be required to performpromiscuous mode network traffic monitoring or production of traffic dumps.Promiscuous mode operations on the various kinds of networking adapters, can beperformed using standard functions of Unix based operating systems, however inMicrosoft Windows environment this functionality is not provided by default. BasicWindows functionality allows for accessing the network only via genuine protocolstack. Therefore, Windows Packet Capture Library (WinPcap) currently treated asindustry standard in low-level operations on networking adapters was used duringHTTP Analysers base implementation. This gave us capability to (WinPcap Team,2005):- capture raw packets, both the ones destined to the machine where it's runningand the ones exchanged by other hosts (on shared media)- filter the packets according to user-specified rules before dispatching them tothe application- produce traffic dumps in libpcap format
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 11: Z. Kwecka, BSc (Hons) Network Compu
Page 87 and 88:
Z. Kwecka, BSc (Hons) Network Compu
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?