Through the Looking-Glass
Recently, I've been crafting an application architecture that will eventually be deployed into a physically isolated network. The server, clients, and any required external services will live solely on this network with no capability to reach the public internet.
In order to accurately test the application server, we quickly realized we needed a way to use a browser on a client machine on that isolated network. The original reference architecture lives in an emulated cloud environment on a public AWS VPC. This emulator applies special rules, security groups, and routing tables that restricts these public cloud resources to operate as if they were actually the isolated production operating environment. Our only point of ingress into this network is a single internet-routable SSH gateway server.
So, how do I test my infrastructure?
My original thoughts were around how to get into the private network. My first attempt was to simply port forward through the SSH gateway into the client instance. This was close to what was required, but violates the airgap by allowing client-side requests to be made from the browser on my local computer. Strike one.
The next potential candidate: a Windows instance and use RDP to access that desktop environment. I've done this many times in my professional career. It's really useful if you need to borrow a lot of physical resources for a short period of time. I fired up a Windows EC2 instance and immediately ran into issues. RDP still had no route outside of the private subnet without going through an RDP gateway. Strike two.
After shooting down the RDP idea, I thought how about we just go a little slimmer and consider using X11 forwarding. X forwarding is supposed to be good, right? Not quite, even trying to X forward a browser incredibly slow on a local network, let alone making the connection to the cloud. Strike three.
Running out of ideas at this point, I furiously searched all over the Internet and came across the concept of a SOCKS proxy over SSH. I’m familiar with forward proxying, but because I use a VPN, I’ve never really had a use for it. Diving deeper into this concept, this is exactly what I needed all along, and I didn’t have to even install any other software.
How it works
SOCKS is a network protocol that facilitates the routing of internet traffic between a client and a server via a proxy server. Unlike application-specific proxies (e.g., HTTP proxies), SOCKS operates at the transport layer, making it protocol-agnostic and capable of handling various types of traffic, including HTTP, FTP, SMTP, and more. SOCKS versions include SOCKS4 and SOCKS5, with SOCKS5 supporting advanced features like authentication and UDP traffic.
By using SSH's port forwarding capabilities, you can create a SOCKS proxy over an SSH connection. When you configure your browser to use this SOCKS proxy, all requests, including browser client-side ones, will originate from the SSH server. For all intents and purposes, it will appear that your browser is on the client machine inside the airgap.
Putting this all together
In order to acquire this functionality, it's going to require a couple of components.
You'll need:
- A modern browser capable of a proxy configuration. Nearly all browsers will do. For sake of demonstration, I will be using Firefox.
- A network with two subnets; one of which is routable to the internet and one that is not.
- Two additional hosts; one in each subnet.
- Your application server hosted inside the non-Internet routable subnet.
After setting everything up, the physical resources map as following:
┌───────────────────────────────────────────────────────────────────────────┐
│ Internet Routable Network │
│ │
│ ┌────────────────────────────────────────┐ │
│ │ Non-Internet Routable Network │ │
│ │ │ │
│ │ │ │
┌───────────────────┐ │ │ ┌───────────────┐ ┌────────────┐ │ │
│ │ │ ┌────────────────┐ │ │ │ │ │ │ │
│ Local Browser ┼──────┼───►│ SSH Gateway ├─────────┼──►│ Client device ├───►│ Server │ │ │
│ │ │ └────────────────┘ │ │ │ │ │ │ │
└───────────────────┘ │ │ └───────────────┘ └────────────┘ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └────────────────────────────────────────┘ │
│ │
│ │
└───────────────────────────────────────────────────────────────────────────┘
Accessing the client instance requires a few steps.
- Adding entries to your SSH
configfile.
Host ssh-gateway
HostName <public_ip>
User <host_user>
ForwardAgent yes
AddKeysToAgent yes
IdentityFile <location_of_gateway_private_key>
Host airgap-client
HostName <private_ip>
User <host_user>
ForwardAgent yes
AddKeysToAgent yes
IdentityFile <location_of_client_private_key>
ProxyCommand ssh -W %h:%p ssh-gateway
This configuration allows you to run a single SSH command that will use the ssh-gateway as a jump host and then forward traffic into the airgap-client instance, including SOCKS traffic. Make sure that if you have a Host * entry, these new entries are above that in the file. Order matters here.
-
Open the SOCKS proxy connection by running
ssh -D 1080 airgap-client. The-Dflag binds the SOCKS traffic to the local1080port. -
Configure the browser to use the proxy. Navigate to the settings menu and search for
socks
Change the configuration to "Manual proxy configuration" and set the SOCKS host value to localhost with a port value of 1080.
You can now access your application server over the private IP or DNS configured in your VPC. Notice that all client-side calls will be restricted to the confines of the private network. If it's not accessible on the private network, it's no longer accessible via your browser!