Use Secure Shell (SSH) to establish safe, encrypted internet connections through a firewall. With this method, you don’t have to open additional ports through your firewall in order to access external email accounts, access usenet newsgroup servers, and multimedia streams, which leaves your internal network more secure. This means you don’t have to worry about accidentally surfing to a restricted site (which raises red flags in most corporate environments), and can access sites that have been mistakenly blocked by over-zealous monitoring software. Traffic cannot be analyzed for content by sniffers or packet inspection software because of the encryption.
Access to a Server
You will need access to a server running Secure Shell on the other side of the firewall. If you are connecting from inside your company’s firewall, you could run OpenSSH (an open source SSH server) from your home computer or that of a friend. Installing and configuring an SSH server is beyond the scope of this article, but good documentation exists for OpenSSH on its home site. Just make sure that you open a port through any router or personal firewall for SSH traffic. The default is port 22, but you can use any available TCP/IP port. Alternatively, there are some sites that will give you a free shell account on their server running SSH. SilenceIsDefeat.org will give you one for $1.00 if you use paypal (and signing up is then instant), or the cost of a $0.39 stamp if you register through the mail. Finally, if you pay for a commercial web host, many of them allow SSH connections to their servers.
Connection Settings
You also need to know a little about how you connect to the internet from within the firewall. Most companies allow web traffic through a proxy server so they can monitor the content employees are viewing, and can restrict access to sites with objectionable content. You can examine the internet connection settings for your browser. If you are set for “Direct Connection to the Internet” (Firefox), or no proxy or configuration script is set up (IE), then you probably have unfettered (but not necessarily unmonitored) access to the internet, and would only need to use SSH for privacy. You can skip down to SSH Client. If proxy access is set up in a straightforward configuration, then the proxy settings will be displayed right there. Make a note of the address and port of any HTTP or Socks proxies defined. Some companies use an Automatic Proxy Configuration Script, which makes retrieving the proxy settings a little more difficult. If you’ve already noted your proxy settings, you can skip down to SSH Client. Otherwise, here’s some help retrieving your proxy settings from an automatic script. Copy the following lines into a new blank text file and store it on your hard drive:
<HTML>
<HEAD>
<TITLE>Download a file instead of rendering it</TITLE>
<BODY>
<A xhref=”http://URL.OF.SCRIPT” mce_href=”http://URL.OF.SCRIPT” >Right-Click here and select Save As</A>
</BODY>
</HTML>
Edit this file and replace URL.OF.SCRIPT with the address of the automatic configuration script as defined in your connection settings. Save the file as dl.html. . In your browser, use File->Open to open this file. You should see a single link saying to “Right-Click here and Select Save.” Right click on the link select “save link as” or “save target as” (depending on your browser), and save the file locally. You now have a copy of the Automatic Configuration Script which you can peruse in any editor, looking for proxy information. Often a company will use a number of different proxies for different purposes – you’re mainly looking for Socks and HTTP proxies. Note the address and port of any you find. If you think you’ve found an HTTP proxy, you can test it by changing your connection settings and telling your browser to use that server and port explicitly instead of using the Automatic Configuration Script, and connecting to the internet. Just remember to restore the settings afterward.
SSH Client
The last piece you need is a Secure Shell client. This is just a program that opens and manages an encrypted connection to a server. Normally, you would use this combination to log on to, administer, and exchange data between a remote computer (the server) and your local computer (the client). We’re going to be using a more advanced feature of SSH known as “port forwarding”, which lets you direct other network traffic through such a connection. A good choice for Windows users is PuTTY, which can be downloaded freely from the Download Site. Macs and linux users will almost certainly have a good SSH client installed. I’ll be using PuTTY in the examples in the remainder of this tutorial, but the principles will be the same in any SSH client.
PuTTY Configuration
The PuTTY documentation does a good job covering configuration, so I’m just going to focus on the essentials for port forwarding. Basically, you enter the IP address or DNS name of the host to which you’ll be connecting, the port it uses, and a descriptive name in the ‘Saved Sessions’ field. If your browser uses a proxy server to access the internet, then you will configure PuTTY to use the same one(s). In PuTTY’s ‘Category’ tree (left portion of window), click the ‘+’ sign next to ‘Connection’ and click on ‘Proxy.’ If the browser had a Socks proxy configured, select that type in PuTTY. If not, but it had an HTTP proxy configured, then select that type. Enter the Proxy hostname and port that you previously noted. When this is done (or if you didn’t have to add proxy configuration), click back up on the ‘Session’ category and click the [Save] button. Then click the [Open] button. If everything is correct, you should get a new window with a login prompt from the remote system. You’re ready for the last step – actually forwarding a port or two.
There are two methods of forwarding ports through an SSH connection. “Dynamic” forwarding is easier to configure and more flexbile, but can only be used by applications that support a Socks proxy. This includes most modern web browsers, so we’ll start with setting up secure, encrypted web browsing. If you actually logged in, type ‘exit’ and press the key. Otherwise, just close the window. Bring up Putty again, select the ‘Saved Session’ you stored earlier and click the [Load] button. In the ‘Category’ tree, expand ‘Connection’, ‘SSH’, and select ‘Tunnels.’ In the ‘Source port’ field, enter 8081. This can actually be any number higher than 1024, I’m just using 8081 as an example. Select the ‘Dynamic’ radio button, then click the [Add] button. ‘D8081′ will appear in the ‘Forwarded ports’ field. Under Categories, select ‘Session’ (you may have to scroll up to see it), and click the [Save] button again. Click [Open] and log in to the remote server. In your browser, you’ll need to change your proxy settings. Make sure to write down the current settings, so you can restore them later. You are going to set the browser to use a Socks proxy (which dynamic forwarding creates for you). In IE under Lan connection settings you have to select the [Advanced] button to see the proxy configuration fields. In Firefox, they’re visible in the Network ‘Settings’ panel. Add the word localhost as the proxy host or proxy server address, and 8081 as the port. Click [OK] until you are out of the configuration screens. If you can now browse the web, then congratulations, you’re doing so in a secure, encrypted tunnel. Nobody can see what sites you visit unless they watch over your shoulder. Note: examination of your computer’s cache, log files, history, and other forensic evidence will still yield information on your surfing habits. A secure tunnel only protects the data in transit.
The second method of forwarding ports involves forwarding each port used by your network application from your local PC to the actual server running the network service you wish to access. You then configure the application to use your local machine as the server. For example, to connect to your external pop3 mail server, in PuTTY you would go back to the ‘Tunnels’ configuration screen. Add 1110 as the Source port, select the ‘Local’ radio button, enter your mail server’s address followed by ‘:110′ in the ‘Destination’ field, and click [Add]. You should see something like L1110 your.mail.server:110 appear in the ‘Forwarded Ports’ field. Once again, return to the ‘Sessions’ screen and click [Save]. Fail to do this after any changes, and you’ll lose them. Now, open your mail client. Wherever you would normally enter your pop3 server address and the port it uses, enter ‘localhost’ and 1110. In Outlook Express for example, you will find these settings in the ‘Servers’ tab and the ‘Advanced’ tab in the Account Properties screen. Once you’ve made these changes, you should be able to connect to the SSH server using your saved session in PuTTY, then retrieve and read your mail in your mail client software. Sending mail uses a different port (25),and often a different server name, so you’ll have to forward another port in a similar manner if you want to be able to send mail as well.
Pretty much any network service that uses a defined port or set of ports can be configured to work through an SSH tunnel in this manner. This includes services that your company may ordinarily block, like Instant Messaging services, Usenet Newsgroup access, streaming music sites, etc. Note that anyone with access to network sniffers or inspection software, be they crackers, hackers, or network admins, will still be able to see network traffic between your computer and the remote SSH server, they just won’t be able to tell what it is or where it goes beyond that point.
Every Monday night they play euchre. For money. For those of you unfamiliar with euchre, its a fast card game played with partners. Okay, it only cost a quarter to play, and you don’t stand to win much, but the game is fun and the players compete as if there were hundreds of dollars at stake. I won fifty cents.
