
Firewall Defense against Covert Channels



“Firewall Defense against Covert Channels” will explore the feasibility of using firewalls to defend against covert channels. Several open-source covert channel tools such as Covert_tcp, Wsh, and CCTT will be demonstrated and tested against a network-layer firewall as well as an application-layer firewall using the 7-layer OSI Network Model as a framework for analysis.

Rich Savacool, Chief Security Officer, Nixon Peabody, LLP

Rich Savacool is the Chief Security Officer for Nixon Peabody, LLP, a law firm based in Rochester, NY. He has nearly 20 years of experience in networking and systems security for both the commercial and government sectors. Rich holds numerous certifications including the CISSP, CEH, CCE, and GPEN. He has recently completed his Master’s Degree in Computer Security and Information Assurance from Rochester Institute of Technology.

  1. Firewall Defense Against Covert Channels
     Rich Savacool, Chief Security Officer
  2. Why protect against covert channels?
     • Ponemon [1]: Data breaches on the rise, costly
       – 94% of C-levels report data attacked within the last 6 months
       – $204 per user record in 2009
       – Data breach laws ensure negative publicity
     • 2008 CSI [2]: Perimeter defenses in use
       – 94% Network-layer firewalls
       – 69% Intrusion Detection Systems (IDS)
       – 54% Intrusion Prevention Systems (IPS)
       – 53% Application-layer firewalls
     • Covert channels represent a threat to confidentiality
  3. Information Hiding
     • Goals of information hiding (security property vs. the threat to it)
       – Confidentiality vs. Disclosure
       – Integrity vs. Alteration
       – Availability vs. Destruction
     • Three main branches
       – Cryptography
       – Steganography
       – Metaferography (Covert Channels)
  4. Cryptography
     • Cryptography – encryption
       – From the Greek κρυπτό (kryptos)
       – Means “hidden” writing [3]
       – Scrambles the message text
       – Writing in plain view, though unreadable
  5. Examples of Cryptography
     • Skytale (transposition)
     • Confederate Cipher Disc (substitution)
  6. Examples of Cryptography (cont.)
     • GNU Privacy Guard (gpg)
  7. Steganography
     • Steganography – stego
       – From the Greek στεγανό (steganos)
       – Means “covered” writing [4]
       – Hides the message within another message
       – Presence of a message concealed
  8. Examples of Steganography
     • Masked letter
  9. Examples of Steganography (cont.)
     • Original image / Image w/ embedded msg
  10. Examples of Steganography (cont.)
     • Letter from California governor Arnold Schwarzenegger [5]
  11. Metaferography
     • Metaferography – covert channels
       – From the Greek μεταφέρό (metaferos)
       – Means “carried” writing [3]
       – Covert channels refer to a specific implementation of metaferography
       – Hides the message within a carrier
       – Presence of a message concealed
  12. Examples of Metaferography
     • Covert channels
       – Wax tablets warning of Persian invasion
       – Tattooed message on shaved scalp of slave
       – Invisible ink used for counter-intelligence in WWII
       – Microdot printing also used in spycraft during WWII
  13. OSI Network Model
     • Layer 7 — Application
     • Layer 6 — Presentation
     • Layer 5 — Session
     • Layer 4 — Transport
     • Layer 3 — Network
     • Layer 2 — Data Link
     • Layer 1 — Physical
  14. Network-layer Firewalls
     • Examples: Check Point, PIX, Sonicwall, Juniper
     • Prevent network-layer attacks
       – spoofing
       – flooding
       – port scanning
     • While some have add-ons for HTTP or SMTP, protection is primarily limited to network attacks
     • Previous research indicates they are not effective in detecting or preventing covert channels
  15. Network-layer Firewalls (cont.)
     • Check Point Firewall-1 Management GUI
  16. Application-layer Firewalls
     • Examples: McAfee, ISA, Palo Alto
     • Prevent application-layer attacks
       – Javascript attacks
       – ActiveX attacks
       – FTP bounce
     • Offer strong protection against user-based attacks
     • Require constant updates as applications evolve
     • Previous research indicates limited success with L3 covert channels ― no success with L7 channels
  17. Application-layer Firewalls (cont.)
     • McAfee Enterprise Firewall Management GUI
  18. Covert channel tools
     • Covert_tcp – network-layer storage channel
       – uses the IPID, ISN, or ACK fields
     • CCTT – application-layer storage channel
       – TCP/IP tunneling through TCP, UDP, HTTP POST, or HTTP CONNECT messages
     • Wsh – application-layer storage channel
       – remote shell using HTTP POST requests
     • Leaker/Recover – application-layer timing channel
       – timestamps of specially-encoded HTTP GET requests to the attacker's web server
  19. Covert_tcp
  20. CCTT
  21. Wsh
  22. Leaker/Recover
  23. Demo
  24. Firewall Defenses
     • Perform strict protocol enforcement (prevent HTTP CONNECT over 21/tcp)
     • Disable unused services or protocol features
       – Ex. if you do not need HTTP POST, turn it off
     • Using a proxy will re-write any network-layer header-based channels
     • Beware of generic socket-based protocols such as telnet
     • Do not just rely on vendor-provided signatures – sample and analyze traffic
     • Create custom signatures to deal with automated attacks
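Two of the defenses above, strict protocol enforcement and sampling traffic for header-based channels like the IPID field Covert_tcp uses (slide 18), as a defender's analysis script over constructed packet summaries. This is an added example, not code from the presentation or from any of the tools named; the packet tuple layout, the sequential-IPID baseline, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries: (src, dst, dport, ip_id, first payload bytes).
# Flow A is ordinary HTTP with a counter-style IPID; flow B carries arbitrary
# values in the IPID field; flow C sends an HTTP verb to 21/tcp (FTP).
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 80, 1000 + i, b"GET /index.html HTTP/1.1\r\n")
    for i in range(8)
] + [
    ("10.0.0.7", "203.0.113.10", 80, ip_id, b"GET / HTTP/1.1\r\n")
    for ip_id in (0x4800, 0x6500, 0x6c00, 0x6c00, 0x6f00, 0x2100, 0x0a00, 0x4900)
] + [
    ("10.0.0.7", "203.0.113.10", 21, 3100, b"CONNECT 203.0.113.10:443 HTTP/1.1\r\n"),
    ("10.0.0.7", "203.0.113.10", 21, 3101, b"Host: 203.0.113.10\r\n\r\n"),
]

HTTP_VERBS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"CONNECT ")


def protocol_mismatch(dport, payload):
    """Strict protocol enforcement: an HTTP verb on 21/tcp is not FTP,
    whatever the port number claims (assumed verb list)."""
    return dport == 21 and payload.startswith(HTTP_VERBS)


def ipid_is_sequential(ids, max_step=64):
    """True when every IPID delta (mod 2^16) is a small positive step, as a
    host allocating IPID from a counter produces. Assumed baseline: hosts
    that randomise IPID must be profiled first or this will false-positive.
    Traffic that has passed through a proxy gets the proxy's own IPIDs."""
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return all(0 < d <= max_step for d in deltas)


def analyze(packets, min_pkts=8):
    """Group packets into (src, dst, dport) flows; return (flow, reason) pairs."""
    flows = defaultdict(list)
    for src, dst, dport, ip_id, payload in packets:
        flows[(src, dst, dport)].append((ip_id, payload))
    findings = []
    for key, pkts in flows.items():
        if any(protocol_mismatch(key[2], payload) for _, payload in pkts):
            findings.append((key, "http-verb-on-ftp-port"))
        ids = [ip_id for ip_id, _ in pkts]
        if len(ids) >= min_pkts and not ipid_is_sequential(ids):
            findings.append((key, "ipid-not-sequential"))
    return findings


if __name__ == "__main__":
    for flow, reason in analyze(PACKETS):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {reason}")
```

Flow A produces no finding; flow B is flagged for its IPID pattern and flow C for the HTTP verb on the FTP port, which is the kind of custom signature slide 24 recommends building from sampled traffic.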
  25. Final Thoughts
     • Signatures require a priori knowledge of the channel – antivirus/malware “arms” race
     • Need heuristic or behavioral detection if the channel is unknown
     • Next generation firewalls will also need to understand applications, not just the application layer
     • Existing IDS/IPS on firewalls unlikely to replace NIDS/NIPS appliances in the short term
     • Long-term trend of perimeter consolidation expected to continue
  26. References
     1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a data breach. Retrieved from PGP Corporation website: pdf
     2. Richardson, R. (2008). 2008 CSI Computer Crime and Security Survey. Computer Security Institute (CSI). Retrieved from
     3. Kypros-Net lexicon [Greek-English Dictionary]. (n.d.). Retrieved March 20, 2009, from
     4. Gilbert, R. (2001, October 10). Steganography (noun). Message posted to
     5. Woo, S. (2009, October 27). Schwarzenegger’s veto message delivers another message [Web log post]. Retrieved from Washington Wire: message-delivers-another-message/
  27. Questions?