Aspera FASP HTTP Fallback Protocol - Security Considerations

Introduction

This article clarifies the substantial difference between the Aspera FASP HTTP fallback protocol and conventional HTTP-based web servers. One of the conclusions is that, since the Aspera HTTP fallback protocol does not require a conventional web server such as IIS or Apache, it does not require an HTTP security proxy firewall.

Aspera transfers use the company's proprietary FASP protocol for high-speed, reliable, and secure file transfers. When the Aspera FASP client does not have direct connectivity to the Internet and is only allowed to access the Aspera FASP server through a proxy, Aspera transfers fall back to an HTTP-based transfer protocol, a capability known as "HTTP Fallback".

The HTTP fallback protocol is Aspera's proprietary, HTTP-based protocol, used exclusively to transfer file data to and from the Aspera server software. From the perspective of the transfer "session" (which carries one or more files or directories) it follows the same structure as the FASP protocol. On the wire, the protocol presents itself as HTTP or HTTPS (configurable) so that the client-side proxy can pass it through.


Allowing direct firewall access for Aspera HTTP fallback transfers

We understand that the HTTP proxy device plays a valuable role in protecting web servers (such as IIS or Apache) or web applications from various types of attacks that a malicious user may mount. Such attacks include session sniffing, cross-site scripting, active script injection, and others.

However, in the case of the Aspera HTTP fallback server (asperahttpd), the server software is not a generic web server or web application and cannot be exploited by any of these attacks. It does not "serve" web page content and in fact has only one function, which is to support transfers using its proprietary protocol. Authentication, data privacy and integrity are implemented specifically to protect HTTP Fallback file transfers. This protocol is not meant to be used by browsers, so none of the regular browser-specific security concerns apply.

For example, below is the output a browser shows when it accesses the Aspera HTTP fallback server:

[Screenshot: browser output when accessing the Aspera HTTP fallback server (Screen_shot_2010-07-25_at_10.32.01_PM_normal.png)]


Below is an example server log entry when the server is accessed with a browser or any client other than an Aspera transfer client:

Jul 25 22:25:58 kub asperahttpd[30241]: LOG Someone other than an ASCP client attempted to connect to the fallback server!


Typical web application attacks would have no impact on asperahttpd; an attacker would instead have to attack the transfer protocol itself. The risks of an exploit of the transfer protocol are theft of file content or a denial of service, neither of which is possible because the Aspera HTTP fallback transfer session requires secure authentication via a cryptographically generated secure token in order to begin in the first place. Thus, the very reasons to route traffic through an HTTP proxy do not apply in the case of the Aspera HTTP fallback protocol, and it would be safe to route the protocol directly through the regular firewall.

The second consideration is that even if the Aspera HTTP Fallback traffic is passed through a regular HTTP proxy, the proxy has no means to understand or interpret it, because the protocol is fully proprietary and does not serve web pages in any way. See Appendix A below for a server-side packet trace of the Aspera HTTP-based transfer protocol, which also shows a client being rejected for not presenting a proper authentication token.


Appendix A

Example server-side packet trace illustrating the special nature of the HTTP-based transfer protocol as well as the protection against unauthorized client requests:

=============================================================================================

22:45:14.972076 IP sku.asperasoft.com.41933 > kub.7070: S 2396536933:2396536933(0) win 5840 
        0x0000:  4500 003c e7a4 4000 4006 ac9c 0a00 c97d  E..<..@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 4065 0000 0000  ..........@e....
        0x0020:  a002 16d0 52c9 0000 0204 05b4 0402 080a  ....R...........
        0x0030:  017f a7c1 0000 0000 0103 0309            ............
22:45:14.972083 IP kub.7070 > sku.asperasoft.com.41933: S 2264868147:2264868147(0) ack 2396536934 win 5792 
        0x0000:  4500 003c 0000 4000 4006 9441 0a00 c8fd  E..<..@.@..A....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 2533 8ed8 4066  ...}......%3..@f
        0x0020:  a012 16a0 cb4e 0000 0204 05b4 0402 080a  .....N..........
        0x0030:  bcd8 1e8e 017f a7c1 0103 0309            ............
22:45:14.973840 IP sku.asperasoft.com.41933 > kub.7070: . ack 1 win 12 
        0x0000:  4500 0034 e7a5 4000 4006 aca3 0a00 c97d  E..4..@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 4066 86ff 2534  ..........@f..%4
        0x0020:  8010 000c 10b0 0000 0101 080a 017f a7c2  ................
        0x0030:  bcd8 1e8e                                ....
22:45:14.974535 IP sku.asperasoft.com.41933 > kub.7070: P 1:256(255) ack 1 win 12 
        0x0000:  4500 0133 e7a6 4000 4006 aba3 0a00 c97d  E..3..@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 4066 86ff 2534  ..........@f..%4
        0x0020:  8018 000c d8f6 0000 0101 080a 017f a7c2  ................
        0x0030:  bcd8 1e8e 504f 5354 2068 7474 703a 2f2f  ....POST.http://
        0x0040:  3130 2e30 2e32 3030 2e32 3533 3a37 3037  10.0.200.253:707
        0x0050:  302f 6173 7065 7261 2f68 7474 702f 3730  0/aspera/http/70
        0x0060:  6432 3664 3662 2d31 3531 612d 3439 3031  d26d6b-151a-4901
        0x0070:  2d61 3634 382d 3433 3239 3737 3365 3964  -a648-4329773e9d
        0x0080:  3564 2f73 6573 7369 6f6e 5f73 7461 7274  5d/session_start
        0x0090:  2f4f 4f42 2f37 3438 3362 6538 632d 3436  /OOB/7483be8c-46
        0x00a0:  3933 2d34 6134 352d 6265 3039 2d32 3633  93-4a45-be09-263
        0x00b0:  6330 3730 6235 3334 372e                 c070b5347.
22:45:14.974818 IP kub.7070 > sku.asperasoft.com.41933: . ack 256 win 14 
        0x0000:  4500 0034 3bba 4000 4006 588f 0a00 c8fd  E..4;.@.@.X.....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 2534 8ed8 4165  ...}......%4..Ae
        0x0020:  8010 000e 0fae 0000 0101 080a bcd8 1e8f  ................
        0x0030:  017f a7c2                                ....
22:45:14.976624 IP sku.asperasoft.com.41933 > kub.7070: P 256:730(474) ack 1 win 12 
        0x0000:  4500 020e e7a7 4000 4006 aac7 0a00 c97d  E.....@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 4165 86ff 2534  ..........Ae..%4
        0x0020:  8018 000c cedd 0000 0101 080a 017f a7c2  ................
        0x0030:  bcd8 1e8f 3c73 6573 7369 6f6e 3e0a 0a20  .......
        0x0040:  203c 6964 3e37 3064 3236 6436 622d 3135  .70d26d6b-15
        0x0050:  3161 2d34 3930 312d 6136 3438 2d34 3332  1a-4901-a648-432
        0x0060:  3937 3733 6539 6435 643c 2f69 643e 0a20  9773e9d5d..
        0x0070:  203c 6f70 6572 6174 696f 6e3e 7075 743c  .put<
        0x0080:  2f6f 7065 7261 7469 6f6e 3e0a 0a20 203c  /operation>....<
        0x0090:  746f 6b65 6e3e 3c2f 746f 6b65 6e3e 0a0a  token>..
        0x00a0:  2020 3c73 6f75 7263 653e 6632 3c2f 736f  ..f2... sku.asperasoft.com.41933: . ack 730 win 16 
        0x0000:  4500 0034 3bbb 4000 4006 588e 0a00 c8fd  E..4;.@.@.X.....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 2534 8ed8 433f  ...}......%4..C?
        0x0020:  8010 0010 0dd2 0000 0101 080a bcd8 1e8f  ................
        0x0030:  017f a7c2                                ....
22:45:14.985118 IP kub.7070 > sku.asperasoft.com.41933: P 1:146(145) ack 730 win 16 
        0x0000:  4500 00c5 3bbc 4000 4006 57fc 0a00 c8fd  E...;.@.@.W.....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 2534 8ed8 433f  ...}......%4..C?
        0x0020:  8018 0010 7290 0000 0101 080a bcd8 1e91  ....r...........
        0x0030:  017f a7c2 4854 5450 2f31 2e30 2034 3033  ....HTTP/1.0.403
        0x0040:  2046 6f72 6269 6464 656e 0d0a 436f 6e74  .Forbidden..Cont
        0x0050:  656e 742d 4c65 6e67 7468 3a20 300d 0a43  ent-Length:.0..C
        0x0060:  6f6e 7465 6e74 2d54 7970 653a 2061 7070  ontent-Type:.app
        0x0070:  6c69 6361 7469 6f6e 2f6f 6374 6574 2d73  lication/octet-s
        0x0080:  7472 6561 6d0d 0a44 6174 653a 206d 6f6e  tream..Date:.mon
        0x0090:  2c20 3236 206a 756c 2032 3031 3020 3035  ,.26.jul.2010.05
        0x00a0:  3a34 353a 3134 2067 6d74 0d0a 782d 7265  :45:14.gmt..x-re
        0x00b0:  616c 2d6d 676d 742d 6572                 al-mgmt-er
22:45:14.985563 IP kub.7070 > sku.asperasoft.com.41933: F 146:146(0) ack 730 win 16 
        0x0000:  4500 0034 3bbd 4000 4006 588c 0a00 c8fd  E..4;.@.@.X.....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 25c5 8ed8 433f  ...}......%...C?
        0x0020:  8011 0010 0d3e 0000 0101 080a bcd8 1e91  .....>..........
        0x0030:  017f a7c2                                ....
22:45:14.989651 IP sku.asperasoft.com.41933 > kub.7070: . ack 146 win 14 
        0x0000:  4500 0034 e7a8 4000 4006 aca0 0a00 c97d  E..4..@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 433f 86ff 25c5  ..........C?..%.
        0x0020:  8010 000e 0d3e 0000 0101 080a 017f a7c5  .....>..........
        0x0030:  bcd8 1e91                                ....
22:45:14.990387 IP sku.asperasoft.com.41933 > kub.7070: F 730:730(0) ack 147 win 14 
        0x0000:  4500 0034 e7a9 4000 4006 ac9f 0a00 c97d  E..4..@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 433f 86ff 25c6  ..........C?..%.
        0x0020:  8011 000e 0d3b 0000 0101 080a 017f a7c6  .....;..........
        0x0030:  bcd8 1e91                                ....
22:45:14.990408 IP kub.7070 > sku.asperasoft.com.41933: . ack 731 win 16 
        0x0000:  4500 0034 3bbe 4000 4006 588b 0a00 c8fd  E..4;.@.@.X.....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 25c6 8ed8 4340  ...}......%...C@
        0x0020:  8010 0010 0d38 0000 0101 080a bcd8 1e92  .....8..........
        0x0030:  017f a7c6                                ....
22:45:14.994853 IP sku.asperasoft.com.41934 > kub.7070: S 2393061997:2393061997(0) win 5840 
        0x0000:  4500 003c 9dab 4000 4006 f695 0a00 c97d  E..<..@.@......}
        0x0010:  0a00 c8fd a3ce 1b9e 8ea3 3a6d 0000 0000  ..........:m....
        0x0020:  a002 16d0 58f0 0000 0204 05b4 0402 080a  ....X...........
        0x0030:  017f a7c6 0000 0000 0103 0309            ............
22:45:14.994880 IP kub.7070 > sku.asperasoft.com.41934: S 2294483542:2294483542(0) ack 2393061998 win 5792 
        0x0000:  4500 003c 0000 4000 4006 9441 0a00 c8fd  E..<..@.@..A....
        0x0010:  0a00 c97d 1b9e a3ce 88c3 0a56 8ea3 3a6e  ...}.......V..:n
        0x0020:  a012 16a0 ea88 0000 0204 05b4 0402 080a  ................
        0x0030:  bcd8 1e94 017f a7c6 0103 0309            ............
22:45:14.996327 IP sku.asperasoft.com.41934 > kub.7070: . ack 1 win 12 
        0x0000:  4500 0034 9dac 4000 4006 f69c 0a00 c97d  E..4..@.@......}
        0x0010:  0a00 c8fd a3ce 1b9e 8ea3 3a6e 88c3 0a57  ..........:n...W
        0x0020:  8010 000c 2fea 0000 0101 080a 017f a7c7  ..../...........
        0x0030:  bcd8 1e94                                ....
22:45:14.996527 IP sku.asperasoft.com.41934 > kub.7070: P 1:232(231) ack 1 win 12 
        0x0000:  4500 011b 9dad 4000 4006 f5b4 0a00 c97d  E.....@.@......}
        0x0010:  0a00 c8fd a3ce 1b9e 8ea3 3a6e 88c3 0a57  ..........:n...W
        0x0020:  8018 000c af41 0000 0101 080a 017f a7c7  .....A..........
        0x0030:  bcd8 1e94 504f 5354 2068 7474 703a 2f2f  ....POST.http://
        0x0040:  3130 2e30 2e32 3030 2e32 3533 3a37 3037  10.0.200.253:707
        0x0050:  302f 6173 7065 7261 2f68 7474 702f 3730  0/aspera/http/70
        0x0060:  6432 3664 3662 2d31 3531 612d 3439 3031  d26d6b-151a-4901
        0x0070:  2d61 3634 382d 3433 3239 3737 3365 3964  -a648-4329773e9d
        0x0080:  3564 2f73 6573 7369 6f6e 5f65 6e64 2f4f  5d/session_end/O
        0x0090:  4f42 2f39 6636 3964 6131 352d 6161 3966  OB/9f69da15-aa9f
        0x00a0:  2d34 3733 662d 3832 6662 2d32 3039 3039  -473f-82fb-20909
        0x00b0:  6235 3436 3132 372e 6269                 b546127.bi
22:45:14.996554 IP kub.7070 > sku.asperasoft.com.41934: . ack 232 win 14 
        0x0000:  4500 0034 14c3 4000 4006 7f86 0a00 c8fd  E..4..@.@.......
        0x0010:  0a00 c97d 1b9e a3ce 88c3 0a57 8ea3 3b55  ...}.......W..;U
        0x0020:  8010 000e 2f01 0000 0101 080a bcd8 1e94  ..../...........
        0x0030:  017f a7c7                                ....
22:45:14.998333 IP sku.asperasoft.com.41934 > kub.7070: P 232:521(289) ack 1 win 12 
        0x0000:  4500 0155 9dae 4000 4006 f579 0a00 c97d  E..U..@.@..y...}
        0x0010:  0a00 c8fd a3ce 1b9e 8ea3 3b55 88c3 0a57  ..........;U...W
        0x0020:  8018 000c 4a8d 0000 0101 080a 017f a7c8  ....J...........
        0x0030:  bcd8 1e94 3c73 6573 7369 6f6e 3e0a 0a20  ....<session>...
        0x0040:  203c 7265 6173 6f6e 3e45 5252 4f52 3c2f  .<reason>ERROR</
        0x0050:  7265 6173 6f6e 3e0a 2020 3c63 6f64 653e  reason>...<code>
        0x0060:  3334 3c2f 636f 6465 3e0a 0a20 203c 7374  34</code>....<st
        [rows 0x0070-0x0090 lost in extraction]
        0x00a0:  6669 6c65 735f 6174 7465 6d70 7465 643e  files_attempted>
        0x00b0:  0a20 2020 2020 2020 3c66                 ........<f
[timestamp lost in extraction] IP kub.7070 > sku.asperasoft.com.41934: . ack 521 win 16 
        0x0000:  4500 0034 14c4 4000 4006 7f85 0a00 c8fd  E..4..@.@.......
        0x0010:  0a00 c97d 1b9e a3ce 88c3 0a57 8ea3 3c76  ...}.......W..<v
        [rows 0x0020-0x0030 lost in extraction]
[timestamp lost in extraction] IP kub.7070 > sku.asperasoft.com.41934: F 1:1(0) ack 521 win 16 
        0x0000:  4500 0034 14c5 4000 4006 7f84 0a00 c8fd  E..4..@.@.......
        0x0010:  0a00 c97d 1b9e a3ce 88c3 0a57 8ea3 3c76  ...}.......W..<v
        [rows 0x0020-0x0030 lost in extraction]
[timestamp lost in extraction] IP sku.asperasoft.com.41934 > kub.7070: F 521:521(0) ack 2 win 12 
        0x0000:  4500 0034 9daf 4000 4006 f699 0a00 c97d  E..4..@.@......}
        0x0010:  0a00 c8fd a3ce 1b9e 8ea3 3c76 88c3 0a58  ..........<v...X
        [rows 0x0020-0x0030 lost in extraction]
[timestamp lost in extraction] IP kub.7070 > sku.asperasoft.com.41934: . ack 522 win 16 
        0x0000:  4500 0034 14c6 4000 4006 7f83 0a00 c8fd  E..4..@.@.......
        0x0010:  0a00 c97d 1b9e a3ce 88c3 0a58 8ea3 3c77  ...}.......X..<w
        [remaining rows lost in extraction]
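As an added example (my own code, not Aspera's and not part of the original article), a small Python parser for the tcpdump -X format used in Appendix A: it reassembles each packet's bytes, skips the IPv4 and TCP headers, and pulls out the first line of each payload, which is how a reviewer can confirm from a capture that the session_start request carrying an empty token is answered with the HTTP/1.0 403 Forbidden the article describes. The sample trace is copied from the first two data packets of the appendix (first rows only); the function names are my own.

```python
import re

# Constructed sample: two packets copied from Appendix A's tcpdump -X trace (first rows only).
SAMPLE_TRACE = """\
22:45:14.974535 IP sku.asperasoft.com.41933 > kub.7070: P 1:256(255) ack 1 win 12
        0x0000:  4500 0133 e7a6 4000 4006 aba3 0a00 c97d  E..3..@.@......}
        0x0010:  0a00 c8fd a3cd 1b9e 8ed8 4066 86ff 2534  ..........@f..%4
        0x0020:  8018 000c d8f6 0000 0101 080a 017f a7c2  ................
        0x0030:  bcd8 1e8e 504f 5354 2068 7474 703a 2f2f  ....POST.http://
        0x0040:  3130 2e30 2e32 3030 2e32 3533 3a37 3037  10.0.200.253:707
22:45:14.985118 IP kub.7070 > sku.asperasoft.com.41933: P 1:146(145) ack 730 win 16
        0x0000:  4500 00c5 3bbc 4000 4006 57fc 0a00 c8fd  E...;.@.@.W.....
        0x0010:  0a00 c97d 1b9e a3cd 86ff 2534 8ed8 433f  ...}......%4..C?
        0x0020:  8018 0010 7290 0000 0101 080a bcd8 1e91  ....r...........
        0x0030:  017f a7c2 4854 5450 2f31 2e30 2034 3033  ....HTTP/1.0.403
        0x0040:  2046 6f72 6269 6464 656e 0d0a 436f 6e74  .Forbidden..Cont
"""
SUMMARY_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ")

def parse_packets(trace):
    """Return (src, dst, raw IPv4 bytes) for each packet in tcpdump -X output."""
    packets = []
    for line in trace.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            packets.append((m.group(1), m.group(2), bytearray()))
        elif packets and line.lstrip().startswith("0x"):
            # Hex groups follow "0xNNNN:"; the ASCII column is the first non-hex token.
            for tok in line.split()[1:]:
                if not re.fullmatch(r"[0-9a-f]{2,4}", tok):
                    break
                packets[-1][2].extend(bytes.fromhex(tok))
    return packets

def tcp_payload(raw):
    # IPv4 header length from IHL, TCP header length from the data offset nibble.
    ihl = (raw[0] & 0x0F) * 4
    return bytes(raw[ihl + (raw[ihl + 12] >> 4) * 4:])

def first_lines(trace):
    """(src, dst, first payload line) for each packet carrying data."""
    out = []
    for src, dst, raw in parse_packets(trace):
        text = tcp_payload(raw).decode("ascii", "replace")
        if text:
            out.append((src, dst, re.split(r"\r?\n", text)[0]))
    return out

def http_status(line):
    """Status code of an HTTP response line, or None for a request line."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", line)
    return int(m.group(1)) if m else None
```

Run against the full appendix trace, `first_lines` also surfaces the `<token></token>` body of the session_start request, the evidence that the 403 came from a missing token rather than from the proxy.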