Application Security Testing: An Integral Part of DevOps
Environment: ANSI C++
It's a Free Lunch. 100% unpatented, open-source freeware:
FiveLoaves is an Internet utility designed to meet the most common needs of Internet users, primarily secure connectivity. The simple case of User-to-User over the Internet as well as the more complex Employee-to-Employer, and even the most complex, namely Business-to-Business, are all supported.
Networking is Networking. A home computer and an office computer require the same software solution to achieve connectivity. The main difference arises in the placement of firewalls, and routing across multiple internal corporate networks; these issues often arise when connecting Employee-to-Employer, and nearly always arise when connecting Business-to-Business.
FiveLoaves' primary purpose is secure connectivity. In the cases of Employee-to-Employer and Business-to-Business, this often means a Windows-to-Unix, or Unix-to-Windows, connection, or often in the case of Business-to-Business, Windows-to-Unix-to-Windows. With this functionality implemented as the foundation of the application, five of the most basic needs of Internet users have been implemented into an open-source architecture that can be easily extended to provide additional future services. Here is an example of a software abstraction framework.
- The ability to transfer files from one machine to another, like FTP, but securely, (did you know FTP is not secure?). FTP just tosses everything on the same machine (a server) and cannot reach any internal machine (a peer); therefore, FTP is Client-Server. This utility is Peer-to-Peer. Either end can initiate the connection so firewalls can be safely bypassed.
- The ability to control a mouse and keyboard from a remote location (like PCAnywhere), but with the framework-supplied connection routing, encryption, and compression enabled. This service is based on a public software project called VNC, managed by AT&T. I modified their protocol handshake, and statically linked their DLLs into this single 356 Kb (on Win32) executable. Although VNC does work in Linux and Unix, I did not get them linked into version 1.0; they're coming, with multi-port display support.
- Tunneling TCP data (like SSH or http://www.http-tunnel.com/), but the tunnel can bounce across ANY number of points, AND gives the user full control over the entire connection route network and hardware.
- Circuit-level TCP Proxy (like Microsoft Proxy Server or Delegate), but with load balancing, fail-over, and firewall-elusive technology. Plus, it gives better performance and much higher connection limits than Delegate.
5Loaves is a network of tunnels. The simplest connection route is between two points. The first point is the user's own machine. This is the "tunnel entry point." From there, a connection may bounce directly to the destination or to a machine that can reach the destination or to a machine that can be reached by the destination.
For example, if you used the Remote Workstation Controller or File Transfer applications to connect to a machine called www.MyCompanysInternetServer.com, then the information travels between the application and the tunnel entry point in the clear (the entry point is on the same machine as the application). Once the data is ready to leave your workstation, it is encrypted and sent to the first and only destination -- a machine called www.MyCompanysInternetServer.com. On that machine, the data is decrypted and forwarded to the correct application.
Consider this connection route: www.MyCompanysInternetServer.com|MyOfficePCAddress
This time, the data enters the tunnel on your machine (at home or elsewhere) and is encrypted with the secret key of a machine called MyOfficePCAddress. The data travels to the first machine called www.MyCompanysInternetServer.com. www.MyCompanysInternetServer.com couldn't see the data if it wanted to because it's encrypted with a key that it does not know. There is a small delivery header that it can read. That header instructs www.MyCompanysInternetServer.com to proxy this connection to another machine called MyOfficePCAddress. Because that machine is the last in the connection route, the data is decrypted and forwarded to the correct port on that machine.
This type of connection route has no limits. For example:
This causes the connection to be bounced from MyOfficePCAddress to a machine even deeper in the network, called InternalSubNetMachine.
This all assumes your network admin is a wise and reasonable person who truly understands that properly used encryption is safe. Some network administrators won't want people to have that kind of remote access, so they will refuse to install 5Loaves on www.MyCompanysInternetServer.com.
Department managers are often wiser than the network administrators. They can outsource an Internet server for as little as $200/month, or use their own broadband machine at home to run 5Loaves with the SwitchBoardServer option enabled. Suppose that machine has no public DNS, so rather than a name, it just has a number like 188.8.131.52.
Now if you can't go through the firewall, just go around it.
You set MyOfficePCAddress to poll for a connection named MYOfficePCConnectionName on 184.108.40.206.
Now you can use a connection route like this from home:
This causes the client application (Remote Workstation Controller or File Transfer or other) to enter a tunnel on your own machine, encrypt with the data with the password for MyOfficePCAddress, but send the data to 220.127.116.11. Now the connection will sit there until some machine comes to pick up a connection named MYOfficePCConnectionName. Then the connection will be bounced to that machine, which must know the secret key to decrypt the data.
If you have a very secure office network, you might have some machines that are not on the Internet. You can access those machines, too. Suppose MyOfficePCAddress can reach a machine called InternalSubNetMachine, but that machine cannot route to the Internet. Run 5Loaves on both machines and from home connect like this:
This goes around the firewall to your office PC, and then bounces down into the secure corporate subnet -- securely.
If you are the network admin, the office users will be grateful.
If you're not the network admin, don't tell your network admin; he'll never know you're doing it.
---------------------- Extra Credit Points -------------------------
100% pure ANSI C++ -- very portable
It compiles into a 472 Kb Binary in Solaris using Forte 7.
It compiles into a 427 Kb Binary in Red Hat Linux 7.1 using gcc.
5Loaves is only 356 Kb (Win32 uncompressed) -- well suited for embedded/handheld systems.
It runs as a service in Windows. (type 5LoavesSvc.exe -install) or (5LoavesSvc.exe -remove).
It loads NO (non-kernel) SOs or DLLs. (Reduce failure points + more secure + easy upgrades.)
---------------------- Disclaimer -------------------------
This is "just out of the oven" (as of April 30, 2002) and keep in mind it's only version 1.0.
I'm gathering the TODO list for version 2. Feel free to contribute:
---------------------- Credits ----------------------------
The master copy of this document may be found at: www.UnitedBusinessTechnologies.com/FiveLoaves.html