[Dr.WoW] [No.40] File Sharing Highlighted

Latest reply: Sep 25, 2015 08:44:13

1 File Sharing Use Scenarios

In the introduction in the last section, we learned that a major difference between SSL VPN and IPSec VPN is that an SSL VPN can narrow a remote user's access down to a designated resource object, for example a file or a URL. So that remote users can see their own access permissions at a glance, the virtual gateway provides an especially friendly and personalized platform: it combines files and URLs into "privately customized" resource lists that are shown to the remote user. The virtual gateway is like a new-wave, fashionable restaurant that not only sells gourmet food but also sells customized service, offering a different menu to customers with different tastes.

That isn't its only special feature. Since most enterprises, out of security considerations, don't want to expose the resource addresses (URLs or file paths) of their internal network servers, the SSL VPN also provides a "resource address encryption" service that rewrites the resource path: the remote user can still access internal network resources smoothly, but finds it very difficult to discover the real internal address. This is like calling a simple potato dish 'Spheres of Glory', or calling a hotdog 'the King's Scepter'―at first glance the name's meaning is unclear, and a great deal of time and effort is needed to decipher it. But I digress; let's begin with the first dish:

Put simply, the SSL VPN's file sharing function allows remote users to securely access the company's internal file servers directly from a browser, and supports file operations such as creating, editing, uploading and downloading files. This is shown in Figure 1-1.

Figure 1-1 SSL VPN file sharing use scenario


At present, the file sharing protocols most widely used in companies are SMB (Server Message Block) and NFS (Network File System). The former is used mainly on Windows, the latter mainly on Linux. Huawei firewalls' SSL VPN supports both protocols, so we don't need to worry about this. The following content uses SMB as an example, with domain controller authentication (a common method), in introducing the file sharing interaction.

Figure 1-2 shows that the firewall serves as a proxy device and that its communication with the client is always encrypted over HTTPS (HTTP+SSL). After an encrypted packet reaches the firewall, the firewall decrypts it and performs protocol conversion. Finally, acting as the SMB client, the firewall initiates a request to the corresponding SMB file sharing server; this step also includes authentication against the file server. Based on the protocols used, the process can be summarized into two phases:

1. HTTPS interaction between the remote client serving as the Web client and the firewall serving as the Web server.

2. SMB interaction between the firewall serving as the SMB client and the file server (the SMB server).

Figure 1-2 SSL VPN file sharing process


Below, we'll describe file sharing configuration methods in detail and the principles behind file sharing.

2 Configuring File Sharing

Before officially introducing the packet exchanges involved in file sharing, we will first assume that file sharing resources have already been configured on an SMB file server (here we'll use Windows Server 2008 as an example), and that permissions have been granted on the domain controller:

Resource access address: \\4.0.2.11\huawei

Configuration of user permissions: the admin has read/write permissions; the user only has the read permission.

The virtual gateway serves as the SSL VPN's entrance for all resources. Any resources that need to be accessed must appear in the SSL VPN configuration―this also embodies the SSL VPN's design approach that allows the granularity of access control to be refined. File sharing first requires turning on the file sharing function and creating new file sharing resources, with the goal being to provide a visible file sharing resources "menu" for the remote user, as shown in Figure 1-3.

Figure 1-3 Configuring file sharing


3 Interaction Between the Remote User and the Firewall

After a successful login, the resources the virtual gateway makes available to the user appear on this interface. Hovering the mouse over a resource shows the resource's corresponding Web link in the browser status bar; the link contains the page to be requested from the firewall and the parameters to be delivered, as shown in Figure 1-4. Don't underestimate this URL: it carries the file resource the remote user is requesting and the corresponding operation command. Each directory and each operation corresponds to a different URL.

Figure 1-4 SSL VPN login interface―file sharing


https://4.1.64.12/protocoltran/Login.html?VTID=0&UserID=4&SessionID=2141622535&ResourceType=1&ResourceID=4&PageSize=20&%22,1)

Q: Why can't the file resource \\4.0.2.11\huawei mentioned above be seen here?

A: Because the firewall has hidden it. The resource's address can only be identified through the ResourceID. The mapping between the ResourceID and the resource's address is stored in the firewall's brain (its memory); this hides the internal network server's real address and protects the server.

To take the analysis of this Web link further: apart from the obvious fact that 4.1.64.12 is the virtual gateway's address, I will break the remaining structure of the link into three parts:

- protocoltran is the special directory for file sharing. As the name suggests, it stands for protocol + transform: this component converts back and forth between HTTPS and the SMB/NFS protocols.

- Login.html is the request page. Generally speaking, different operations correspond to different request pages. I have collected all of the request pages and request result pages that may be used in Table 1-1.

Table 1-1 File sharing request pages and request result pages

Page Name                                    Meaning
login.html / loginresult.html                SMB file server authentication page.
dirlist.html                                 Shows the folder structure and a detailed list of file sharing resources.
downloadresult.html / downloadfailed.html    Downloads files.
create.html / result.html                    Creates folders.
deleteresult.html / result.html              Deletes files and folders.
rename.html / result.html                    Renames files and folders.
upload.html / uploadresult.html              Uploads files.

- ?VTID=0&UserID=4&SessionID=2141622535&ResourceType=1&ResourceID=4&PageSize=20&%22,1 are the parameters passed to the request page. I will first give a detailed parameter table. In addition to the parameters in this URL, I have also included the request parameters of other operations to aid everyone's understanding.

Table 1-2 Request page parameter details

Parameter            Meaning
VTID                 The virtual gateway ID, used to distinguish between multiple virtual gateways on the same firewall.
UserID               The user ID, identifying the currently logged-in user. For security, the ID differs for each login by the same user, so that a man-in-the-middle attacker cannot reuse it in fabricated packets.
SessionID/RandomID   The session ID; it is the same for every request within one login to the virtual gateway.
ResourceID           The resource ID, identifying each file sharing resource.
CurrentPath          The file path of the current operation.
MethodType           The type of operation: 1: deleting a folder; 2: deleting a file; 3: displaying a directory; 4: renaming a directory; 5: renaming a file; 6: creating a new directory; 7: uploading a file; 8: downloading a file.
ItemNumber           The number of operation objects.
ItemName1            Name(s) of the operation object(s); there can be multiple targets, for example when deleting several files at once.
ItemType1            The type of operation object: 0: file; 1: folder.
NewName              The new name (for rename operations).
ResourceType         The resource type: 1: SMB resources; 2: NFS resources.
PageSize             The number of resource items displayed per page.

To give everyone a complete picture of the file sharing function, I will walk through some of the above operations and commands one by one, using specific file sharing functions as examples.

When accessing file sharing resources for the first time, the file server's authentication must first be passed.

The authentication described here must be distinguished from the authentication that occurs when logging in to the SSL VPN. In the login stage, the remote user first has to pass the firewall's authentication. Now we want to access file sharing resources, and of course the file server must check whether it agrees to this. When "Public share" in the resource list is clicked, an authentication page pops up, as shown in Figure 1-5.

Figure 1-5 File sharing login


After passing authentication, the file resource page appears, as shown in Figure 1-6.

Figure 1-6 File sharing file operations


We know the above access process can be divided into two stages (authentication and folder display), but is the real interaction like this? A packet capture analysis of the interaction is shown below:

[Packet capture: HTTPS interaction between the remote client and the firewall]

That's right, my understanding was correct. Login.html and LoginResult.html are both authentication pages, and once the encrypted packet is decrypted, the LoginResult.html request can be seen to carry the user name and password awaiting authentication by the file server. Dirlist.html is the page that displays the folder structure.

3. Verification of file downloading

The file download page and the corresponding URL are as shown in Figure 1-7.

Figure 1-7 Downloading files


Using the table above, the file download operation can be put into words: a download (MethodType=8) of a file (ItemType1=0) named readme_11 (ItemName1=%r%e%a%d%m%e_%1%1) in the root directory (CurrentPath=2F). Note that some of the URL values are encoded. For example, decoding CurrentPath's value ('2F') gives '/', which denotes the root directory of the current resource.

4. Folder rename authentication

The rename folder page is shown in Figure 1-8.

Figure 1-8 Renaming folders


As usera only has read permission, a failure notice is shown, but that doesn't stop us from analyzing the request: the folder (ItemType1=1) userb (ItemName1=%u%s%e%r%b) in the root directory (CurrentPath=2F) is being renamed to usera (NewName=%u%s%e%r%a); the corresponding URL is shown in Figure 1-9.

Figure 1-9 URL corresponding to folder rename operation.


From the above I trust that everyone now understands that the firewall constructs these links first to hide the true internal network file resource path (\\4.0.2.11\huawei\), and second, in its capacity as the SSL VPN gateway, to bridge remote user access: as the SMB client it initiates file access to the SMB server, specifying the file object to be accessed and the operation to perform.
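To make the download and rename URLs above concrete, here is an added parser (my own illustration, not Huawei code) that splits a protocoltran link into its page and decoded parameters using the Table 1-2 meanings. The login URL is the one from the post; the download and rename URLs are constructed from the values the post decodes, and the per-character '%' decoding and hex CurrentPath decoding are inferred from those samples. Flagging write operations is an added audit-logging idea, not part of the post.

```python
from urllib.parse import urlsplit

# MethodType codes as listed in Table 1-2 of the post.
METHOD_TYPES = {1: "delete folder", 2: "delete file", 3: "list directory",
                4: "rename directory", 5: "rename file", 6: "create directory",
                7: "upload file", 8: "download file"}
WRITE_METHODS = {1, 2, 4, 5, 6, 7}  # operations that modify the share

def decode_item_name(value):
    """Undo the per-character '%' prefix seen in the post's samples
    ('%r%e%a%d%m%e_%1%1' -> 'readme_11'); not standard percent-encoding."""
    return value.replace("%", "")

def decode_current_path(value):
    """CurrentPath carries the path as hex bytes: '2F' -> '/'."""
    return bytes.fromhex(value).decode("utf-8")

def parse_share_request(url):
    """Split a protocoltran URL into gateway, page and decoded parameters."""
    parts = urlsplit(url)
    raw = {}
    for field in parts.query.split("&"):
        if "=" not in field:      # skips the stray '%22,1)' tail left by
            continue              # the page's JavaScript click handler
        key, value = field.split("=", 1)
        raw[key] = value
    method = int(raw["MethodType"]) if "MethodType" in raw else None
    return {
        "gateway": parts.hostname,
        "page": parts.path.rsplit("/", 1)[-1].lower(),
        "user_id": raw.get("UserID"),
        "resource_id": raw.get("ResourceID"),
        "operation": METHOD_TYPES.get(method),
        "path": decode_current_path(raw["CurrentPath"]) if "CurrentPath" in raw else None,
        "items": [decode_item_name(raw[k]) for k in sorted(raw) if k.startswith("ItemName")],
        "new_name": decode_item_name(raw["NewName"]) if "NewName" in raw else None,
        "is_write": method in WRITE_METHODS,  # worth flagging in gateway audit logs
    }

# LOGIN_URL is copied from the post; the other two are constructed here from
# the parameter values the post decodes for Figures 1-7 and 1-9.
LOGIN_URL = ("https://4.1.64.12/protocoltran/Login.html?VTID=0&UserID=4"
             "&SessionID=2141622535&ResourceType=1&ResourceID=4&PageSize=20&%22,1)")
DOWNLOAD_URL = ("https://4.1.64.12/protocoltran/downloadresult.html?VTID=0&UserID=4"
                "&SessionID=2141622535&ResourceID=4&MethodType=8&CurrentPath=2F"
                "&ItemNumber=1&ItemName1=%r%e%a%d%m%e_%1%1&ItemType1=0")
RENAME_URL = ("https://4.1.64.12/protocoltran/rename.html?VTID=0&UserID=4"
              "&SessionID=2141622535&ResourceID=4&MethodType=4&CurrentPath=2F"
              "&ItemNumber=1&ItemName1=%u%s%e%r%b&ItemType1=1&NewName=%u%s%e%r%a")
```

Because the firewall resolves ResourceID and CurrentPath itself, the decoded path only ever refers to a location inside the share the user was granted; parsing the links this way is a convenient basis for logging which operations each UserID issues.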

4 Interaction of the Firewall with the File Server

A packet capture from between the firewall and the file server is shown below.

[Packet capture: SMB interaction between the firewall and the file server]

5. Firewall 4.0.2.1, serving as the client, initiates a negotiation request to file server 4.0.2.11. The first thing negotiated is the SMB version (dialect). At present the firewall only supports SMB 1.0 (NT LM 0.12) in its role as the client when interacting with the server.


6. The server's response contains the authentication method to be used next and a 16-digit random challenge number. A secure authentication mechanism is used here: the NT challenge/response mechanism, known as NTLM.


The authentication process is roughly as follows:

a. The server generates a 16-digit random number and sends it to the firewall as the challenge.

b. The firewall hashes the user's password with a hash algorithm and uses the hash value to encrypt the received challenge. It then returns the encrypted challenge, together with its user name in clear text, to the server.

c. The server forwards the user name, the challenge and the encrypted challenge returned by the firewall to the domain controller.

d. The domain controller uses the user name to look up the user's password hash in the password administration database and encrypts the challenge with it. It then compares the two encrypted challenges; if they match, authentication succeeds.

After authentication passes, the user can access the designated file or folder.
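The four steps above, modelled as an added example (my own code, not Huawei's or Microsoft's implementation) with the three parties the post names: the firewall as SMB client, the file server and the domain controller. Real NTLM derives the hash with MD4 over the UTF-16LE password and answers the challenge with DES; SHA-256 and HMAC-SHA256 are stand-ins here so the block runs anywhere, and the account name and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 8  # 8 random bytes, i.e. the 16 hex digits the post refers to

def password_hash(password):
    """Steps b and d: both sides work from a hash of the password, never the
    password itself (SHA-256 stands in for NTLM's MD4 of the UTF-16LE text)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash, challenge):
    """Step b: 'encrypt' the challenge under the password hash
    (HMAC-SHA256 stands in for NTLM's DES keyed from the hash)."""
    return hmac.new(pw_hash, challenge, "sha256").digest()

class DomainController:
    """Holds the 'password administration database': user -> password hash."""
    def __init__(self):
        self.db = {}
    def enrol(self, username, password):
        self.db[username] = password_hash(password)
    def verify(self, username, challenge, response):
        """Step d: recompute the expected response from the stored hash."""
        pw_hash = self.db.get(username)
        if pw_hash is None:
            return False
        return hmac.compare_digest(compute_response(pw_hash, challenge), response)

class FileServer:
    """The SMB server: issues challenges and defers the check to the DC."""
    def __init__(self, dc):
        self.dc = dc
    def new_challenge(self):
        return secrets.token_bytes(CHALLENGE_LEN)            # step a
    def authenticate(self, username, challenge, response):
        return self.dc.verify(username, challenge, response)  # step c

def firewall_login(server, username, password):
    """The firewall as SMB client (step b); returns (ok, challenge, response)."""
    challenge = server.new_challenge()
    response = compute_response(password_hash(password), challenge)
    return server.authenticate(username, challenge, response), challenge, response

if __name__ == "__main__":
    dc = DomainController()
    dc.enrol("usera", "example-password")        # constructed sample account
    ok, _, _ = firewall_login(FileServer(dc), "usera", "example-password")
    print("authenticated" if ok else "rejected")
```

Note that the domain controller needs only the stored hash to verify a response, so that database is as sensitive as the passwords themselves; and because every login gets a fresh challenge, a response captured from one session is rejected when presented against another.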

To sum up, the firewall's role in the file sharing function is that of a proxy standing between the remote user and the SMB server: in the HTTPS stage it acts as the Web server, receiving the file access request from the remote user and translating it into an SMB request; in the SMB stage it acts as the SMB client, sending the request, receiving the response and translating it back for the remote user. With the file sharing function, accessing the internal file server is as convenient for the remote user as browsing ordinary Web pages―no file sharing client needs to be installed, the server's IP address need not be remembered, and the user won't get lost among a multitude of servers.

To view the list of all Dr. WoW technical posts, click here.


user_2790689
Created Sep 25, 2015 08:44:13

Thank you.