I heard the following quote today in an online video about a commercial product and I found it so true: “HTTP became the new TCP!”
TCP, or “Transmission Control Protocol”, runs at the transport layer (layer 4) of the OSI model. HTTP runs on an upper one, the application layer. Historically, HTTP was used to access web servers. The first websites, ten years ago, delivered exclusively static content. The next generation delivered dynamic content (often based on data coming from SQL databases).
For a few years now, “web 2.0” has further increased the interactivity between visitors and websites. Content is no longer generated only by the servers: users are able to generate data and “push” it online. Interactivity is the key word. And today, HTTP is more and more used as a “tunnel” to encapsulate all kinds of data and other protocols. That’s why security policies have to keep an eye on the famous port “80”.
If you simply drop all HTTP traffic (TCP/80) at your firewall, your users will be in trouble. As a first step, do not let HTTP traffic pass directly to the Internet; use a proxy to set up basic filtering rules instead. A good example is Skype, which will try to use port 80 to reach the Internet (but not over HTTP). Unfortunately, not all proxies are able to perform deep inspection at the application layer. You want good examples of HTTP diversion?
- Gmail is a very common webmail interface. But how do you prevent a user from sending critical files attached to e-mails? (risk of data loss)
- http-tunnel lets you create some kind of VPN through HTTP.
- gbridge is an extension of Google Talk which allows you to chat, transfer files or take control of a remote computer “à la VNC”.
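Added example, not code from the original post: a small Python check of the kind a proxy or network sensor could apply to the first bytes a client sends on TCP/80, to tell a genuine HTTP request from traffic that merely borrows the port (a TLS handshake, an opaque binary protocol, or a CONNECT request that turns the proxy into a raw TCP relay). The sample payloads are constructed for illustration; no real Skype or http-tunnel wire format is assumed.

```python
import re
from typing import List, Tuple

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"PATCH", b"CONNECT"}
# TLS record header: content type 0x16 (handshake) followed by version 0x03 0x0X
TLS_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}


def classify_port80_stream(payload: bytes) -> Tuple[str, str]:
    """Classify the first bytes a client sent on TCP/80.
    Returns (verdict, reason); verdict is "http", "suspicious", "non-http" or "unknown"."""
    if not payload:
        return ("unknown", "empty payload, nothing to inspect yet")
    match = REQUEST_LINE.match(payload)
    if match is None:
        if payload[:1] == b"\x16" and payload[1:3] in TLS_VERSIONS:
            return ("non-http", "TLS handshake on port 80, likely a tunnel")
        return ("non-http", "first line is not an HTTP/1.x request line")
    method, target = match.group(1), match.group(2)
    if method not in HTTP_METHODS:
        return ("suspicious", "unknown method " + method.decode("ascii", "replace"))
    if method == b"CONNECT":
        # CONNECT makes the proxy relay arbitrary TCP; allow it only where policy says so
        return ("suspicious", "CONNECT tunnel to " + target.decode("ascii", "replace"))
    return ("http", method.decode("ascii") + " " + target.decode("ascii", "replace"))


# Constructed sample client payloads (illustrative, not captured traffic)
SAMPLES: List[Tuple[str, bytes]] = [
    ("webmail", b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
    ("connect", b"CONNECT relay.example.net:443 HTTP/1.1\r\nHost: relay.example.net\r\n\r\n"),
    ("tls-on-80", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("binary", b"\x80\x46\x01\x03\x00\x00\x2d\x00\x00"),
    ("odd-method", b"FOO /x HTTP/1.1\r\nHost: h\r\n\r\n"),
]


def triage(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (name, verdict) for each sample so a filtering policy can act on the verdict."""
    return [(name, classify_port80_stream(data)[0]) for name, data in samples]


if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, reason = classify_port80_stream(data)
        print(f"{name:12s} {verdict:10s} {reason}")
```

Only the first client bytes are examined, so a tunnel that starts with a well-formed HTTP request and switches protocol later needs inspection of the whole stream.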
Don’t conclude too quickly that only “bad guys” will try to use HTTP in the wrong way. Even well-known commercial products implement the same kind of feature: Outlook can be configured to perform RPC over HTTP.
Today, the traffic passing over HTTP must be inspected to prevent all kinds of unwanted applications which can affect your security!