10.11 Exploit SecureNAT for Remote Access into Firewall without Any Permission


    Combined revision comparison

    Comparing version 19:13, 3 Mar 2013 by genya with version 18:06, 4 Mar 2013 by yagi.

    ...

    As explained in section 3.7 Virtual NAT & Virtual DHCP Servers, SecureNAT consists of a TCP/IP stack operated in user mode and the Virtual NAT/Virtual DHCP Server. In particular, when IP access is performed via Virtual NAT, the data is automatically relayed to the host using the Socket API at the user level. This is a very advanced and intriguing technology.

    ...

    As explained in section 10.4 Build a Generic Remote Access VPN, to set up a VPN that allows remote access to an existing LAN from a remote location, you must first install VPN Server on the LAN you wish to reach remotely. In addition, that VPN Server must be reachable from the Internet. Finally, use local bridging to connect the Virtual Hub to the physical LAN, and your remote access VPN is complete. This type of configuration lets you connect to an existing LAN remotely, but you will need system administrator (or network administrator) rights to complete the set-up in the following two locations:

    ...

    Your network environment must meet the following criteria to set up a remote access VPN using SecureNAT. Please refer to section 3.7 Virtual NAT & Virtual DHCP Servers for more information about the SecureNAT functionality.

    ...

    The computer you set up with VPN Server beforehand at the IP address 130.158.6.51 is the VPN Server computer. Create a Virtual Hub on this VPN Server (the default Virtual Hub "DEFAULT" will do) and create a user so that you can connect to that Virtual Hub later through VPN Bridge (for this example, assume you create the user "test" with password authentication). Please refer to section 3. SoftEther VPN Server Manual for more information about configuring VPN Server.

    ...

    Assuming that you can only log on to 192.168.1.1 as a general user, you will have to run VPN Bridge in user mode. As shown below, run vpnbridge with the start option. Please refer to section 5.2 Operating Modes for more detailed configuration information.

    ...

    Next you will configure VPN Bridge using VPN Server Manager or the command line management utility vpncmd. Where a Windows machine is available elsewhere on the network but no explanation is given for configuring something with VPN Server Manager, you can perform the same steps with vpncmd on the UNIX machine. Please refer to section 6. Command Line Management Utility Manual for more information about vpncmd.

    ...

    • [Setting Name]
      Designate some arbitrary name such as "Bridge".

    • [Host Name]
      Input the IP address of the computer that you installed VPN Server on beforehand. (In this example, 130.158.6.51.)

    • [Port Number]
      Input one of the listener ports of the computer that you installed VPN Server on beforehand. We recommend using port number 443 if you have to go through any firewalls or proxy servers.

    • [Virtual Hub Name]
      Input the name of the Virtual Hub you created on the VPN Server beforehand.

    • Proxy Server Related Items
      If you must go through an HTTP proxy server or a SOCKS proxy server to access the Internet from the 192.168.1.0/24 network, enter the details of that proxy server here. (See section 4.4 Making Connection to VPN Server.)

    • [Auth Type]
      Input the authentication method used for the user registered to the Virtual Hub (in this example, the user "test") on the computer you installed VPN Server on beforehand. "Standard Password Authentication" should be sufficient under any normal circumstances.

    • [User Name]
      Input the user name of the user registered to the Virtual Hub (in this example, the user "test") on the computer you installed VPN Server on beforehand.

    • [Password]
      Input the password of the user registered to the Virtual Hub (the one you registered beforehand).

    ...

    Now, click the new connection configuration you just created and click the [Online] button. If, after a few moments, the connection status changes to [Online (Connection Established)], a connection has been made successfully to the Virtual Hub on the VPN Server you set up on the Internet. If an error message is displayed, look up the details of the error and solve the problem. (See section 12.5.)

    ...

    • SecureNAT relies on complex techniques such as a user mode TCP/IP stack, but every process SecureNAT needs can run in user mode. Therefore, in a network such as the example here, where VPN Bridge runs under general user privileges, only operations permitted to that user can be performed, even if a buffer overflow or similar defect occurs in VPN Bridge's or SecureNAT's program code. Compared with a setup that requires VPN Bridge to run under system privileges, one that runs under general user privileges therefore keeps overall system integrity higher.
    • Of course, even when setting up a remote access VPN such as the one in this example, which combines VPN Bridge with SecureNAT and VPN Server, all data under the SoftEther VPN protocol is encrypted via SSL by default. Even when sending data over the Internet, you need not worry about third parties stealing or modifying the data in transit. You can also use server certificate authentication when making the cascade connection to the VPN Server (see section 3.4 Virtual Hub Functions for details) to raise the security of your VPN further.
    • This example shows how to set up a remote access VPN without changing any of the firewall or NAT settings on the remote network. Generally, modifying a firewall or NAT to allow traffic through certain ports can not only be a costly procedure but can also introduce new security risks to your network. Therefore, this method is not recommended unless you have absolutely no other choice. If you are in a similar situation, where you have received permission from the network or system administrator to set up a remote access VPN but there is concern over the cost, security risks, or firewall/NAT configuration, the method given in this example of using SecureNAT and VPN Bridge together offers a simple, cost-effective solution for your remote access needs.
    • All traffic that passes through SecureNAT is accurately logged in the security log file of the Virtual Hub on the VPN Bridge (or VPN Server) running SecureNAT.
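As an added example (not code from the SoftEther manual), the same cascade connection as the settings list above, expressed as a vpncmd command sequence with the server certificate verification the security notes recommend switched on; it assumes VPN Bridge is managed by vpncmd in /SERVER mode on localhost, that its Virtual Hub is named BRIDGE, and a placeholder certificate path server.cer.

```shell
#!/bin/sh
# Added example, not code from the SoftEther manual: the vpncmd equivalent of
# the cascade connection settings listed above, with the server certificate
# verification the security notes recommend switched on.
# Assumptions (not stated on the page): VPN Bridge is managed with vpncmd in
# /SERVER mode on localhost, its built-in Virtual Hub is named BRIDGE, and the
# VPN Server's certificate was exported beforehand to the placeholder path
# server.cer. Values that are on the page: 130.158.6.51, port 443, hub
# DEFAULT, user "test", setting name "Bridge".

VPN_SERVER="130.158.6.51"
VPN_PORT="443"
VPN_HUB="DEFAULT"
VPN_USER="test"
CASCADE_NAME="Bridge"
SERVER_CERT="server.cer"                           # placeholder path
# Password comes from the environment so it is not stored in the script.
CASCADE_PASSWORD="${CASCADE_PASSWORD:-CHANGE_ME}"  # placeholder default

# Print the vpncmd command sequence, one command per line. The two
# CascadeServerCert* lines make the bridge refuse a VPN Server whose
# certificate does not match the pinned one, closing the MITM gap that
# password-only authentication of the cascade leaves open.
cascade_commands() {
    cat <<EOF
Hub BRIDGE
CascadeCreate $CASCADE_NAME /SERVER:$VPN_SERVER:$VPN_PORT /HUB:$VPN_HUB /USERNAME:$VPN_USER
CascadePasswordSet $CASCADE_NAME /PASSWORD:$CASCADE_PASSWORD /TYPE:standard
CascadeServerCertEnable $CASCADE_NAME
CascadeServerCertSet $CASCADE_NAME /LOADCERT:$SERVER_CERT
SecureNatEnable
CascadeOnline $CASCADE_NAME
CascadeStatusGet $CASCADE_NAME
EOF
}

# Guard before applying: the sequence must pin the certificate, and it must
# only go online after the pin is set. Returns 0 when both hold.
commands_are_hardened() {
    seq=$(cascade_commands)
    echo "$seq" | grep -q '^CascadeServerCertEnable ' || return 1
    echo "$seq" | grep -q '^CascadeServerCertSet .* /LOADCERT:' || return 1
    pin_line=$(echo "$seq" | grep -n '^CascadeServerCertSet ' | cut -d: -f1)
    online_line=$(echo "$seq" | grep -n '^CascadeOnline ' | cut -d: -f1)
    [ "$pin_line" -lt "$online_line" ]
}

# Feed the sequence to vpncmd via /IN: so the password never appears on the
# command line; vpncmd prompts for the management password if it needs one.
apply_cascade() {
    commands_are_hardened || { echo "refusing: sequence not hardened" >&2; return 1; }
    command -v vpncmd >/dev/null 2>&1 || { echo "vpncmd not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    cascade_commands > "$tmp"
    vpncmd localhost /SERVER /IN:"$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Call apply_cascade only on the VPN Bridge host after exporting the VPN Server's certificate to the path in SERVER_CERT; the same sequence can be pasted into VPN Server Manager's command line if you prefer the GUI.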

    ...
