Komodia's Redirector

From Komodia

This page covers some aspects of Komodia's Redirector that are more technical and do not fit in the promotional web page.

How does the Redirector work

The Redirector revolves around the concept of a transparent proxy: the LSP redirects the traffic (based on rules) to the proxy service, and all the data processing is done at the proxy level and not at the LSP level.

The advantages of this method are:

  • It gives you more flexibility in what you do with the traffic, which is required for modules such as: Socks 4/5, SSL Digestor, HTTP Parser.
  • All traffic processing is centralized. The LSP DLL is loaded per process, so otherwise you can find yourself with 30 instances that you need to sync and control.
  • No problems with traffic that arrives across a number of calls, especially when dealing with overlapped calls.

Alternatives

An alternative method is to do everything inside the LSP, which is usually what programmers new to LSP do. The problems start with Chrome, because it uses overlapped operations, and when data needs to be merged because it spans more than one function call. It is possible to develop a good filtering solution using an LSP-only approach; the prerequisite is being an experienced LSP programmer. I consider this approach a gamble, because when problems start there are only a handful of programmers who are available and have the know-how to solve them, and this may result in throwing everything away and starting anew.

We get a request once a month to fix an LSP that was written this way.

Komodia's Redirector installation guide

There are two guides available:

Optional components available

Komodia's Redirector can have the following optional components:

FAQ

License

You can view the license to Komodia's Redirector here: License and royalties.

Controlling API

Which languages can be used to control the Redirector?

You can use any COM-aware language, which is almost any of the languages on the market. Our clients have used: VS6 and above, Delphi, VB, VB.NET, C#.

Do you have samples of how to control the Redirector?

All samples and instructions can be found in Komodia's Redirector API Guide.

Do I need the source code of the Redirector to control it?

No, the Redirector was designed to work the same whether it's in binary form or in source code form.

DLL framework

When do I need to use the DLL framework?

The DLL framework is needed when you want to perform:

  • Custom redirection, redirect each session to a different IP/Port or proxy.
  • Custom modification, you need to modify the data based on its content.
  • Custom logging, you want to log the data differently.

In what language can I develop the DLL?

You can use any language that supports the creation of DLLs. The sample we provide is written in MSVC C++, but you can use Delphi and C# to create this DLL; as long as you adhere to the interface we require, it will work.

Winsock LSP

Why does your product use a service and an LSP?

The reason is that modifying data inside an LSP is possible but very limited. To be able to do modification on a large scale there's a need for a user application that is not limited by the mechanics of LSP. Furthermore, because the LSP is loaded per process, having a single application allows the user to do all the programming and decision making in one process rather than in multiple processes (all the processes that loaded the LSP).

Can I have only the LSP, without the service?

It is possible to have only the LSP in case you only want to change the IP or port, but if you also need to modify the data (in case of a proxy) this becomes more complex and there are many scenarios to solve, and we don't offer a solution with only an LSP that also modifies data.

Can I redirect only when my application is loaded?

Yes, there are two ways to do it:

  • You can disable the Redirector, which makes it a pipe that doesn't perform any data modifications. When your application is loaded you enable the Redirector and it starts to intercept the applications again.
  • You can request a version that doesn't redirect traffic if it detects the service is down, and when you close your application you can shut down the service.

Interaction between the components

How does the Winsock LSP manage the interception data?

  1. The Winsock LSP queries the Redirector using COM when the application loads (the application that the Winsock LSP is part of); it checks whether this application can be intercepted, and gets the IP lists.
  2. When a connection is made the Winsock LSP checks the cached rules. If the cached rules can't determine whether the connection can be intercepted, the Winsock LSP contacts the Redirector (via COM) to check if this connection should be intercepted, and the result is cached.
  3. The cache is deleted every one minute (this timeframe setting can be changed at compile time) and the rules are queried again.

How does the Winsock LSP send data to the Redirector?

When a connection is intercepted the Winsock LSP redirects it into the Redirector (unless the proxy settings specify bypassing the Redirector), then the Winsock LSP sends an internal data structure which the Redirector uses to perform the redirection. After the data structure has been sent, the Winsock LSP does not make any more modifications to the traffic.

What does the connection sequence look like?

  1. Application tries to connect to the Internet.
  2. LSP checks if it needs to be intercepted based on the interception rules.
  3. If it doesn't, the connection is resumed normally. If it does, the LSP relays it to the Redirector.
  4. Redirector fires NewConnection (relevant for API programming only).
  5. When NewConnection finishes with the final IP/Port configuration the Redirector creates the outgoing connection to the Internet based on the parameters (Proxy, IP, Port, SSL).

Interception

Does the Redirector intercept LocalHost addresses?

There's a compile time flag that compiles the Redirector with or without LocalHost interception support, depending on the client's usage needs.

Does the Redirector intercept services?

There's a compile time flag that compiles the Redirector with or without services interception support, depending on the client's usage needs.

Can the Redirector intercept only HTTP traffic?

Yes and no. The Redirector checks for HTTP traffic at the service level, so you must first define interception rules that will send all relevant traffic into the Redirector. There are three ways to do it:

  • Add the names of the browser applications you want to use.
  • Add ports 80, and 443 for SSL (if you need it); this can also be combined with the first option.
  • Set the LSP to intercept all traffic.

The same goes for HTTPS in case you want to decrypt SSL data and you have the SSL Digestor or SSL Decoder installed.

3rd party apps

Does your product work with Antiviruses and Firewalls?

Some AV and Firewall software prompts the user to allow every modification in the registry and/or LSP install, and the user will have to approve it during installation of the Redirector. The install process of the Redirector doesn't contain any code to circumvent the protection of 3rd party software.

In case there's a firewall on the system, how will it affect the Redirector?

Firewalls are either TDI or NDIS, which means that for outgoing packets they are the last decision gateway before the packet goes outside, so they can block all traffic, including that of the Redirector; for incoming packets the firewall sees them first as they come into the computer. This means that firewalls must be set to allow the Redirector to connect to the Internet.

Interaction with anonymizers

Anonymizers are software that routes the traffic from the computer to a 3rd party server; they are used either to add anonymity to the browsing experience or to bypass local security policies. There are a number of anonymizer types and each can be mitigated in a different way (if that is needed).

Web anonymizers

These use a 3rd party web page, or even a remote control tool (like Logmein/Teamviewer), to connect to another machine. Make sure you block these requests by IP or URL.

Setting a proxy for the browser

In this scenario the user explicitly sets the proxy settings of the browser to use a server on the localhost or off the network.

Localhost server

The proxy server is on the localhost. The ways to intercept the traffic going to the localhost are:

  • In case the server is using normal unencrypted traffic, it can be intercepted on the way out.
  • In case the server is using an encrypted medium, the traffic can be intercepted on the way between the app and the server. You need to make sure you have the localhost interception flag enabled so the LSP will intercept localhost traffic; by default this flag is disabled: Komodia's Redirector#Intercept Localhost.

Remote server

The traffic will be caught on the way out; just make sure that your rules are set correctly (if you set the rules to intercept just port 80, a proxy may bypass the interception by using another port). The traffic may also be altered; it will be formatted in one of a number of ways:

  • HTTP Proxy format, the URL request will be modified, and some fields in the header will be suitable for a proxy.
  • HTTP Connect format, the request will be wrapped in HTTP Connect clause.
  • SOCKS5, the request will be formatted in the SOCKS5 protocol.
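
An added example, not Komodia code and not part of the Redirector API: a port-independent check that recognises the three formats listed above from the first bytes a client sends, so that proxy traffic is identified even when it leaves on a port other than 80. The names ProxyFormat and ClassifyFirstBytes are hypothetical, and scheme matching is assumed to be lower-case.

```cpp
#include <cstdint>
#include <string>

// Formats a client may use when talking to a remote proxy (the list above).
enum class ProxyFormat { None, HttpProxy, HttpConnect, Socks5 };

// Classify the first payload a client sends on a new outgoing connection.
// Hypothetical helper: 'data' is whatever the inspection code received first.
ProxyFormat ClassifyFirstBytes(const std::string& data)
{
    // SOCKS5 greeting (RFC 1928): VER=0x05, NMETHODS, then NMETHODS method bytes.
    if (data.size() >= 3 && static_cast<uint8_t>(data[0]) == 0x05) {
        const size_t nmethods = static_cast<uint8_t>(data[1]);
        if (nmethods >= 1 && data.size() == 2 + nmethods)
            return ProxyFormat::Socks5;
    }

    // HTTP request line: METHOD SP TARGET SP HTTP/x.y CRLF
    const size_t eol = data.find("\r\n");
    if (eol == std::string::npos) return ProxyFormat::None;
    const std::string line = data.substr(0, eol);
    const size_t sp1 = line.find(' ');
    const size_t sp2 = line.rfind(' ');
    if (sp1 == std::string::npos || sp2 <= sp1) return ProxyFormat::None;
    if (line.compare(sp2 + 1, 5, "HTTP/") != 0) return ProxyFormat::None;

    const std::string method = line.substr(0, sp1);
    const std::string target = line.substr(sp1 + 1, sp2 - sp1 - 1);

    // CONNECT host:port asks the proxy to open a tunnel.
    if (method == "CONNECT") return ProxyFormat::HttpConnect;

    // A request sent to a proxy carries an absolute URI; a request sent
    // directly to the origin server normally carries only the path.
    if (target.compare(0, 7, "http://") == 0 || target.compare(0, 8, "https://") == 0)
        return ProxyFormat::HttpProxy;
    return ProxyFormat::None;
}
```

A result other than None on a connection that the port rules did not expect to carry proxy traffic is the case the paragraph above warns about.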

Anonymizer which uses a driver/LSP

There are anonymizers that use a network component to perform the redirection. In that case you must make sure none is installed before you install the SDK, and then lock down the locations where such a component can be installed (TDI, LSP, NDIS, WFP).

Known conflicts

PGP

PGP desktop installer 10.0 for Windows uninstalls all LSPs when it installs itself. Developers should monitor or protect the LSP stack to detect this case.

Pricing

You can open Komodia's Redirector official pricing to see it, you can also view our Payments and purchasing terms.

Support

What is the normal support when I purchase a product?

When buying the binary version you get 30 days of support and updates. When buying the source version you get 60 days of support and updates.

What is the cost of extra support?

The costs can be viewed in the Komodia's Redirector official pricing.

What do I get when I'm under a support contract?

Our support includes:

  • Help with integration of our products with yours, and consulting on the best way to use them for your solution.
  • Bug fixes, any bugs submitted are fixed within an average time of 72 hours.
  • You receive updates for bug fixes, and updates for the features you bought.

Binary vs source

Are there any differences?

There are no differences between the versions in terms of functionality; you will be able to achieve your functionality with either version.

Why should I buy the binary version?

Buying the binary version is recommended for clients that are on a budget or that aren't planning to learn how the product operates.

Why should I buy the source code version?

Buying the source version is recommended for clients that must do a code review due to security reasons, and consider that they might want to modify the code at some stage.

Optional components FAQ

When do I need the HTTP Parser?

HTTP Parser is used to decode HTTP traffic. When using the Redirector without this module you will receive HTTP requests and replies in chunks; for example, if you download a big file you will get 1.4k of data per call and you will need to assemble the data in case you want to evaluate it as a whole. The Parser assembles the requests and replies and gives them to you in one chunk. Furthermore, it also decodes HTTP encodings such as GZIP, Inflate (Apache and IIS versions) and chunked transfer, which means that you always see plain text and are able to modify the data easily without writing any parsers or decoders.

This module is usually used when doing content based inspection on HTTP.
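
What assembling the pieces involves for chunked transfer alone, as an added example (not Komodia's HTTP Parser code; ChunkedDecoder and DecodeInPieces are hypothetical names): the decoder accepts the body in whatever pieces arrive and rejects malformed chunk sizes. It assumes the headers were already stripped; trailers and GZIP are not handled.

```cpp
#include <cctype>
#include <string>

// Incremental decoder for an HTTP/1.1 "Transfer-Encoding: chunked" body.
struct ChunkedDecoder {
    std::string buf, body;          // undecoded input, decoded output
    size_t remaining = 0;           // bytes still owed by the current chunk
    bool needCrlf = false, done = false;

    // Accepts the next piece as delivered; returns false on malformed input.
    bool Feed(const std::string& piece) {
        buf += piece;
        while (!done) {
            if (remaining > 0) {                    // inside chunk data
                if (buf.empty()) return true;
                const size_t n = buf.size() < remaining ? buf.size() : remaining;
                body.append(buf, 0, n);
                buf.erase(0, n);
                remaining -= n;
                needCrlf = (remaining == 0);
            } else if (needCrlf) {                  // CRLF closing the chunk data
                if (buf.size() < 2) return true;
                if (buf.compare(0, 2, "\r\n") != 0) return false;
                buf.erase(0, 2);
                needCrlf = false;
            } else {                                // chunk-size line
                const size_t eol = buf.find("\r\n");
                if (eol == std::string::npos) return true;  // wait for the rest
                size_t size = 0, i = 0;
                for (; i < eol && std::isxdigit((unsigned char)buf[i]); ++i) {
                    if (size > (static_cast<size_t>(-1) >> 4)) return false;  // overflow
                    size = size * 16 + (buf[i] <= '9' ? buf[i] - '0' : (buf[i] | 0x20) - 'a' + 10);
                }
                if (i == 0 || (i < eol && buf[i] != ';')) return false;  // hex, then optional ";ext"
                buf.erase(0, eol + 2);
                remaining = size;
                done = (size == 0);                 // last chunk; trailers ignored
            }
        }
        return true;
    }
};

// Feeds 'wire' in pieces of 'step' bytes (step > 0); "<error>" if decoding fails.
std::string DecodeInPieces(const std::string& wire, size_t step) {
    ChunkedDecoder d;
    for (size_t off = 0; off < wire.size(); off += step)
        if (!d.Feed(wire.substr(off, step))) return "<error>";
    return d.done ? d.body : "<error>";
}
```

The strict size parsing matters for content inspection: a decoder that is more lenient than the endpoint it protects can disagree with it about where a message ends.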

SSL decoding modules

SSL decoders are used when you want to decode SSL traffic and see it as plaintext. After the SSL is decoded you are able to modify the data, and all of this without the browser alerting about the change.

When do I need the SSL Digestor?

The SSL Digestor is used when you want to support as many applications as possible and don't care about modification of the certificate. The SSL Digestor supports the following browsers:

  • Internet Explorer
  • Safari
  • Chrome
  • Firefox
  • Opera

The SSL Digestor supports the following SSL enabled email clients:

  • Outlook
  • Outlook express
  • Winmail
  • Forte agent
  • Becky! internet mail
  • Mailwasher
  • Pocomail
  • Poppeeper

The SSL Digestor supports the following SSL enabled applications:

  • iTunes

The SSL Digestor does not support the following applications:

  • Dropbox
  • Logmein
  • AIM

The SSL Digestor may support in addition any application that uses Windows or NSS certificate stores, but that's not officially supported.

Can I use the SSL Digestor to intercept more applications?

Yes, you will need to add a special cert to the root CA store of that app. This is a one-time install; after that the module will decode the SSL traffic for that app.

When do I need the SSL Decoder?

The SSL Decoder is used when you don't want to modify the certificate, this module doesn't alter the certificate, and it supports Internet Explorer and Firefox only. It can't be extended to support more applications.

Do I have to buy both modules?

No, the modules exclude each other, so you can only use either the Digestor or the Decoder.

Other questions

URL branching

Can the Redirector tell what page originated which request, for example:

User browses to site X.com and in that site there's a request for an image in site Y.com, can the Redirector say that the request from Y.com was generated from the page on X.com?

The answer is that the Redirector doesn't do this kind of matching, but it's possible to do using the Komodia's Redirector DLL framework guide:

  1. It's possible to extract the Referer header field from each request.
  2. It's possible to parse the source web page and see which links it's using.
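
The first option above, as an added example that is not taken from the DLL framework (HeaderValue, HostOfUrl and OriginatingHost are hypothetical names): it reads the Referer field from a raw request head and returns the host of the page that triggered the request. It assumes a plain http(s) URL without userinfo or an IPv6 literal.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Value of header 'name' (case-insensitive) in a raw request head, or "".
std::string HeaderValue(const std::string& head, const std::string& name) {
    std::istringstream in(head);
    std::string line;
    std::getline(in, line);                        // skip the request line
    while (std::getline(in, line) && line != "\r" && !line.empty()) {
        const size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        if (Lower(line.substr(0, colon)) != Lower(name)) continue;
        const size_t b = line.find_first_not_of(" \t", colon + 1);
        const size_t e = line.find_last_not_of(" \t\r");
        return (b == std::string::npos || e < b) ? "" : line.substr(b, e - b + 1);
    }
    return "";
}

// Lower-cased host of an absolute URL, without the port; "" if not absolute.
std::string HostOfUrl(const std::string& url) {
    const size_t scheme = url.find("://");
    if (scheme == std::string::npos) return "";
    const size_t start = scheme + 3;
    const size_t end = url.find_first_of(":/?#", start);
    return Lower(url.substr(start, end == std::string::npos ? end : end - start));
}

// Host of the page that triggered this request, taken from its Referer header.
std::string OriginatingHost(const std::string& requestHead) {
    return HostOfUrl(HeaderValue(requestHead, "Referer"));
}
```

The Referer field is supplied by the client and can be absent or altered, so treat the result as a hint and use the second option (parsing the source page) when the mapping has to be reliable.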

Optional compile time flags

These options are supplied only by request; their default state is off.

Intercept services

Enable the LSP to intercept system services.

Intercept Localhost

Enable the LSP to intercept connections to localhost.

Kill connection on switch

When this option is set the Redirector will terminate any non-HTTP connection when toggling between normal and bypass mode. This is requested mostly when working with proxies.

Optional runtime flags

These flags are set via the console. From the main window press the "Custom variables" button; in there you can set the custom flags. You need to save the data afterwards so the variables will be saved, and preferably restart the service.

Disable nagle

Setting the flag: "nonagle" to the value of 1 will disable the Nagle algorithm on outgoing connections.

Process monitor

Setting the flag: "pmon" with a process name will cause the Redirector to track this process. When the process goes up the Redirector will enable itself; when the process goes down the Redirector will disable itself and also erase the proxy settings.

Invert hard excluded/included list

Setting this flag: "hardincludelistinversed" to 1 will invert the lists, which means that the LSP will treat every process that is not hard included as hard excluded.

This flag only applies to the LSP; it does not apply to the WFP. Make sure the normal rules are the same as the inverted list (for example, if you allowed just two apps, make sure the normal rules also allow just these two apps).

Custom variables

You can use this feature to add any custom variables you like, as long as their name is unique.

User experience guide

Komodia's Redirector user experience guide goes over the behaviour of the Redirector and how it affects the end user experience.

Bug fixes

Page can be found here: Komodia's Redirector bug fixes.

New features

Page can be found here: Komodia's Redirector new features.