Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
M. Fernandez | MITRE
Presentation for
Approved for public release. Distribution unlimited. Case number 16-3302. © 2016 The MITRE Corporation. All rights reserved.
|2|
Problem Statement
Ø Countermeasure
o Best practice... SSL/TLS-interception security device
o Or perhaps... Web proxy w/content inspection?
Bro ICAP Analyzer
© 2016 The MITRE Corporation. All rights reserved.
|3|
Outline
Ø ICAP
o Background
o Basic Operation
o Web Proxies, Content Inspection & ICAP
o References
ICAP Operation
Web Server
❹
❸
Web Proxy DLP Proxy
(aka, ICAP Client) (aka, ICAP Server)
❻ ❷
❶
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❹
❸
Web Proxy DLP Proxy
(aka, ICAP Client) (aka, ICAP Server)
❻ ❷
❶
Legend
HTTP HTTP/HTTPS Traffic
req msg Web Client
ICAP Traffic
Web Server
❹
❸
Web Proxy DLP Proxy
(aka, ICAP Client) ICAP Payload (aka, ICAP Server)
❻ http req
❷ hdr ü
http req bdy ü
❶
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❺
ICAP Resp Msg
❹ 204 “No modifi-
❸
cations needed”
Web Proxy DLP Proxy
(aka, ICAP Client) (aka, ICAP Server)
❻ ❷
❶
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❹
❸
Web Proxy DLP Proxy
(aka, ICAP Client) ICAP Payload (aka, ICAP Server)
❻ http req
❷ hdr ü
http req bdy
W
❶
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❺
ICAP Payload
❹
http req hdr
❸
modified bdy
Web Proxy DLP Proxy
(aka, ICAP Client) (aka, ICAP Server)
❻ ❷
❶
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❸
❹
Web Proxy AV Proxy
(aka, ICAP Client) (aka, ICAP Server)
❶ ❺
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
❸
❹
Web Proxy AV Proxy
(aka, ICAP Client) (aka, ICAP Server)
❶ ❺
❻
HTTP
Legend
req msg
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❷ ICAP Payload
❸
http req hdr
ü
http rsp hdr
❹
ü
Web Proxy
http rsp bdy üAV Proxy
(aka, ICAP Client) (aka, ICAP Server)
❶ ❺
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❸
❹
Web Proxy AV Proxy
(aka, ICAP Client) (aka, ICAP Server)
ICAP Resp Msg
204 “No modifi-
❶ ❺
cations needed”
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❸
❹
Web Proxy AV Proxy
(aka, ICAP Client) HTTP (aka, ICAP Server)
rsp msg
❶ ❺
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❷ ICAP Payload
❸
http req hdr
ü
http rsp hdr
❹
ü
Web Proxy
http rsp bdy
WAV Proxy
(aka, ICAP Client) (aka, ICAP Server)
❶ ❺
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❸
❹
Web Proxy AV Proxy
ICAP Payload
(aka, ICAP Client) (aka, ICAP Server)
http req hdr
❶ ❺
http rsp hdr
modified bdy
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
❸
❹
Web Proxy AV Proxy
(aka, ICAP Client) HTTP (aka, ICAP Server)
rsp msg
❶ ❺
❻
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
Web Server
Legend
HTTP/HTTPS Traffic
Web Client
ICAP Traffic
ICAP References
Ø Objectives
o Monitor link between web proxy and AV/DLP proxy
v IPs & Ports, Connection IDs
Ø ICAP Methods
o REQMOD
o RESPMOD
o OPTIONS
o LOG * * LOG defined in [2] ICAP Extensions
’Allow: 206’
’Allow: NNN’, where NNN can be
any token
Headers defined in [3] ICAP Partial Content Extension
Ø Platform
o Linux CentOS 6.7 Server
o 8-core CPU
o Two 1-Gbps NIC
Ø Bro
o Version 2.4.1
o Local Cluster
v 1 Manager, 1 Proxy
v 6 Workers [pin_cpus=2,3,4,5,6,7]
o PF_RING
© 2016 The MITRE Corporation. All rights reserved.
| 30 |
Ø BinPAC
o Version 0.44
q https://www.bro.org/downloads/binpac-0.44.tar.gz
o BinPAC QuickStart Guide
q https://github.com/grigorescu/binpac_quickstart/archive/master.zip
icap-protocol.pac
ICAP_Request { ICAP_Response { ICAP_Message {
ICAP_Request_Line ICAP_Response_Line ICAP_Headers
ICAP_Message ICAP_Message ICAP_Body
} } }
icap-analyzer-utils.pac
get_icap_body_type_from_encap_hdr() Event Generation: icap_body_weird
HTTP Injection: none
ICAP.h
#include "analyzer/protocol/http/HTTP.h"
Ø Operational Testing
o Biased toward RESPMOD transactions
o REQMOD not yet observed/tested
o OPTIONS & Preview headers ignored
Ø REQMOD vs RESPMOD
o REQMOD yields HTTP request body
o RESPMOD yields HTTP response body
o Need both for full visibility
Summary
Future Work
Ø REQMOD Testing
Questions?
Approved for public release. Distribution unlimited. Case number 16-3302. © 2016 The MITRE Corporation. All rights reserved.
| 44 |
Back-Up Slides
Approved for public release. Distribution unlimited. Case number 16-3302. © 2016 The MITRE Corporation. All rights reserved.