Firewall Defense against Covert Channels



“Firewall Defense against Covert Channels” will explore the feasibility of using firewalls to defend against covert channels. Several open-source covert channel tools such as Covert_tcp, Wsh, and CCTT will be demonstrated and tested against a network-layer firewall as well as an application-layer firewall using the 7-layer OSI Network Model as a framework for analysis.

Rich Savacool, Chief Security Officer, Nixon Peabody, LLP

Rich Savacool is the Chief Security Officer for Nixon Peabody, LLP, a law firm based in Rochester, NY. He has nearly 20 years of experience in networking and systems security for both the commercial and government sectors. Rich holds numerous certifications including the CISSP, CEH, CCE, and GPEN. He has recently completed his Master’s Degree in Computer Security and Information Assurance from Rochester Institute of Technology.



    Presentation Transcript

    • Firewall Defense Against Covert Channels
      Rich Savacool, Chief Security Officer

    • Why protect against covert channels?
      • Ponemon [1]: data breaches on the rise and costly
        – 94% of C-level executives report their data was attacked within the last 6 months
        – $204 per user record in 2009
        – Data breach notification laws ensure negative publicity
      • 2008 CSI survey [2]: perimeter defenses in use
        – 94% network-layer firewalls
        – 69% intrusion detection systems (IDS)
        – 54% intrusion prevention systems (IPS)
        – 53% application-layer firewalls
      • Covert channels represent a threat to confidentiality

    • Information Hiding
      • Goals of information hiding (each security property paired with the threat to it)
        – Confidentiality vs. disclosure
        – Integrity vs. alteration
        – Availability vs. destruction
      • Three main branches
        – Cryptography
        – Steganography
        – Metaferography (covert channels)

    • Cryptography
      • Cryptography – encryption
        – From the Greek κρυπτό (kryptos), meaning "hidden" writing [3]
        – Scrambles the message text
        – Writing in plain view, though unreadable

    • Examples of Cryptography
      • Confederate cipher disc (substitution)
      • Skytale (transposition)

    • Examples of Cryptography (cont.)
      • GNU Privacy Guard (gpg)

    • Steganography
      • Steganography – stego
        – From the Greek στεγανό (steganos), meaning "covered" writing [4]
        – Hides the message within another message
        – The presence of a message is concealed

    • Examples of Steganography
      • Masked letter

    • Examples of Steganography (cont.)
      • Original image vs. image with embedded message

    • Examples of Steganography (cont.)
      • Letter from California governor Arnold Schwarzenegger [5]

    • Metaferography
      • Metaferography – covert channels
        – From the Greek μεταφέρω (metaphero), meaning "carried" writing [3]
        – "Covert channel" refers to a specific implementation of metaferography
        – Hides the message within a carrier
        – The presence of a message is concealed

    • Examples of Metaferography
      • Covert channels through history
        – Wax tablets warning of the Persian invasion
        – Message tattooed on the shaved scalp of a slave
        – Invisible ink used for counter-intelligence in WWII
        – Microdot printing, also used in spycraft during WWII
      Image credits: http://en.wikipedia.org/wiki/Wax_tablet and http://www.americainwwii.com/images/cloakcamera.jpg

    • OSI Network Model
      – Layer 7 – Application
      – Layer 6 – Presentation
      – Layer 5 – Session
      – Layer 4 – Transport
      – Layer 3 – Network
      – Layer 2 – Data Link
      – Layer 1 – Physical

    • Network-layer Firewalls
      • Examples: Check Point, Cisco PIX, SonicWall, Juniper
      • Prevent network-layer attacks
        – Spoofing
        – Flooding
        – Port scanning
      • While some have add-ons for HTTP or SMTP, protection is primarily limited to network-layer attacks
      • Previous research indicates they are not effective at detecting or preventing covert channels

    • Network-layer Firewalls (cont.)
      • Check Point Firewall-1 management GUI

    • Application-layer Firewalls
      • Examples: McAfee, Microsoft ISA, Palo Alto
      • Prevent application-layer attacks
        – JavaScript attacks
        – ActiveX attacks
        – FTP bounce
      • Offer strong protection against user-based attacks
      • Require constant updates as applications evolve
      • Previous research indicates limited success against L3 covert channels and no success against L7 channels

    • Application-layer Firewalls (cont.)
      • McAfee Enterprise Firewall management GUI

    • Covert channel tools
      • Covert_tcp – network-layer storage channel
        – Uses the IP ID field of the IPv4 header, or the ISN or ACK field of the TCP header (IP ID is a layer-3 field; ISN and ACK are layer-4 fields, but all three sit below the application layer, which is the distinction this classification draws)
      • CCTT – application-layer storage channel
        – TCP/IP tunneling through TCP, UDP, HTTP POST, or HTTP CONNECT messages
      • Wsh – application-layer storage channel
        – Remote shell using HTTP POST requests
      • Leaker/Recover – application-layer timing channel
        – Encodes data in the timestamps of specially-encoded HTTP GET requests sent to the attacker's web server

    • Covert_tcp
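To make the "storage channel in a header field" idea concrete, here is an added Python model of the Covert_tcp-style channel. It is the editor's illustration, not code from the presentation or from the covert_tcp tool: it builds raw IPv4+TCP SYN headers, hides one byte per packet in either the IP ID field or the high byte of the TCP ISN (a simplified scheme; covert_tcp's actual encodings are not reproduced), then shows the two defensive observations the talk builds on: a crude detector that notices IP IDs behaving like ASCII rather than like a real stack's counter, and a `proxy_rewrite` step modelling what a terminating proxy does to layer-3/4 headers. Addresses are from the RFC 5737 documentation range and the secret is constructed.

```python
import random
import string
import struct

# Constructed sample input: the secret an insider wants to leak, one byte per packet.
SECRET = b"pw:hunter2"
SRC, DST = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9])   # 203.0.113.0/24 is RFC 5737 test space
_rng = random.Random(7)   # seeded so the "innocent" header values are reproducible


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(ip_id: int, seq: int, sport=40000, dport=80) -> bytes:
    """20-byte IPv4 header + 20-byte TCP SYN header (no options; TCP checksum left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in header checksum
    return ip + tcp


def ip_checksum_ok(pkt: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return checksum(pkt[:20]) == 0


def parse_packet(pkt: bytes):
    """Return (ip_id, tcp_seq) from a raw IPv4+TCP packet."""
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    ihl = (pkt[0] & 0x0F) * 4
    seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    return ip_id, seq


def encode(message: bytes, field: str) -> list:
    """One packet per byte. field='ipid' hides the byte in the IP ID; field='isn' hides it
    in the high byte of the initial sequence number. The other field gets a random,
    ordinary-looking value so the packet does not stand out on that field alone."""
    pkts = []
    for b in message:
        if field == "ipid":
            pkts.append(build_packet(ip_id=b, seq=_rng.getrandbits(32)))
        else:
            pkts.append(build_packet(ip_id=_rng.getrandbits(16), seq=b << 24))
    return pkts


def decode(pkts: list, field: str) -> bytes:
    """Receiver side: read the same field back out of each packet."""
    out = bytearray()
    for p in pkts:
        ip_id, seq = parse_packet(p)
        out.append(ip_id & 0xFF if field == "ipid" else seq >> 24)
    return bytes(out)


def looks_like_ipid_channel(pkts: list, min_pkts=8) -> bool:
    """Crude detector (editor's heuristic): a real stack's IP IDs are incrementing or random
    16-bit values; a run of SYNs whose IDs all fit in one printable ASCII byte is odd."""
    ids = [parse_packet(p)[0] for p in pkts]
    if len(ids) < min_pkts:
        return False
    printable = sum(1 for i in ids if i < 128 and chr(i) in string.printable)
    return printable / len(ids) >= 0.9


def proxy_rewrite(pkts: list) -> list:
    """What a terminating proxy does to layer-3/4 headers: its own stack originates the
    outbound connection, so IP ID and ISN are chosen afresh and the channel is destroyed."""
    return [build_packet(ip_id=_rng.getrandbits(16), seq=_rng.getrandbits(32)) for _ in pkts]


if __name__ == "__main__":
    for field in ("ipid", "isn"):
        pkts = encode(SECRET, field)
        print(field, decode(pkts, field), "flagged:", looks_like_ipid_channel(pkts))
    print("after proxy:", decode(proxy_rewrite(encode(SECRET, "ipid")), "ipid"))
```

The ISN variant survives the crude IP ID check, which is the point of the later slides: a signature for one field says nothing about the next one, while a proxy that re-originates the connection removes both.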
    • CCTT
    • Wsh
    • Leaker/Recover
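The Leaker/Recover pair carries data in *when* requests arrive rather than in any byte of them, so a signature on request contents cannot see it. The following added Python example (the editor's, not the tools' own code; the tools' actual encoding is not reproduced) models such a timing channel under an assumed scheme: a 0.5 s gap between GETs is a 0 bit and a 2.0 s gap is a 1 bit, MSB first, with the first request acting as a sync marker. It writes constructed access-log lines, recovers the message from their timestamps despite simulated jitter, and scores a request stream by how tightly its inter-arrival gaps cluster around two values, which is the kind of behavioral check the "Final Thoughts" slide calls for.

```python
import random
import statistics

GAP_ZERO, GAP_ONE = 0.5, 2.0   # assumed scheme: seconds between requests for a 0 bit and a 1 bit
TOLERANCE = 0.15               # how far a gap may drift and still count as "on the grid"
SECRET = b"pass"               # constructed: what the leaker wants out
_rng = random.Random(1)        # seeded so the noisy sample is reproducible


def leak_schedule(message: bytes, t0: float = 0.0) -> list:
    """Timestamps at which the leaker issues GET requests."""
    times = [t0]                       # first request is a sync marker and carries no bit
    for byte in message:
        for i in range(7, -1, -1):     # MSB first
            times.append(times[-1] + (GAP_ONE if (byte >> i) & 1 else GAP_ZERO))
    return times


def simulate_network(times: list, jitter: float = 0.03) -> list:
    """Add a little per-request delay variation, as a real path would."""
    return [t + _rng.uniform(-jitter, jitter) for t in times]


def access_log(times: list) -> list:
    """Constructed access-log lines; timestamps kept as raw seconds for brevity."""
    return ['203.0.113.9 - - [%.3f] "GET /img/p.gif HTTP/1.1" 200 43' % t for t in times]


def parse_times(lines: list) -> list:
    return [float(line.split("[", 1)[1].split("]", 1)[0]) for line in lines]


def recover(times: list) -> bytes:
    """Attacker side: threshold each gap at the midpoint, then pack bits into bytes."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    bits = [1 if g > (GAP_ZERO + GAP_ONE) / 2 else 0 for g in gaps]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def timing_channel_score(times: list, tolerance: float = TOLERANCE) -> float:
    """Defender side (editor's heuristic): fraction of inter-request gaps that sit within
    tolerance of the two dominant gap values. Human and browser traffic is spread out;
    a two-symbol timing channel is bimodal, so its score approaches 1.0."""
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    if len(gaps) < 16:
        return 0.0                     # too few samples to say anything
    half = len(gaps) // 2
    lo, hi = statistics.median(gaps[:half]), statistics.median(gaps[half:])
    near = sum(1 for g in gaps if abs(g - lo) <= tolerance or abs(g - hi) <= tolerance)
    return near / len(gaps)


# Constructed comparison stream: ordinary-looking, irregular browsing gaps.
BENIGN_GAPS = [0.3, 1.7, 4.2, 0.9, 2.6, 7.5, 0.4, 1.1, 3.3, 12.0, 0.7, 2.2, 5.1, 0.2, 1.5, 8.8, 0.6, 3.9]
BENIGN_TIMES = [sum(BENIGN_GAPS[:i]) for i in range(len(BENIGN_GAPS) + 1)]
NOISY_TIMES = simulate_network(leak_schedule(SECRET))

if __name__ == "__main__":
    seen = parse_times(access_log(NOISY_TIMES))
    print("recovered:", recover(seen))
    print("channel score: %.2f   benign score: %.2f"
          % (timing_channel_score(seen), timing_channel_score(BENIGN_TIMES)))
```

The score is deliberately simple; a real deployment would need to handle channels with more than two symbols and to baseline per client, but it shows why "sample and analyze traffic" has to include timing, not just payloads.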
    • Demo
    • Firewall Defenses
      • Perform strict protocol enforcement (e.g. prevent HTTP CONNECT over 21/tcp)
      • Disable unused services or protocol features
        – Example: if you do not need HTTP POST, turn it off
      • Using a proxy will rewrite any network-layer header-based channel
      • Beware of generic socket-based protocols such as telnet
      • Do not rely solely on vendor-provided signatures; sample and analyze your own traffic
      • Create custom signatures to deal with automated attacks
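The first three defenses on this slide amount to one rule: on each port, accept only what the expected protocol looks like and only the features you actually use. The added Python check below is the editor's illustration of such a per-port policy, not any vendor's configuration: the destination ports, the allow-lists and the sample requests are constructed. It insists that bytes on an HTTP port parse as an HTTP/1.x request line (so raw telnet negotiation is rejected outright), applies a method allow-list per port (POST switched off on 80/tcp, nothing HTTP at all on 21/tcp), and lets CONNECT through only on the explicit proxy port and only toward host:443, which is what "strict protocol enforcement" means against CCTT-style CONNECT tunnels and Wsh-style POST shells.

```python
import re

# Constructed policy: destination port -> HTTP methods a firewall/proxy lets through.
POLICY = {
    80:   {"GET", "HEAD"},              # POST disabled: this site never needs it
    21:   set(),                        # FTP port: no HTTP at all, so no CONNECT over 21/tcp
    3128: {"GET", "HEAD", "CONNECT"},   # explicit proxy port; CONNECT further restricted below
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]\r?$")
CONNECT_TARGET = re.compile(r"^[A-Za-z0-9.-]+:443$")   # only host:443, never arbitrary ports


def check_request(dport: int, raw: bytes):
    """Return (allowed, reason) for the first line of a client's bytes on dport."""
    try:
        first = raw.split(b"\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes where a request line should be"
    m = REQUEST_LINE.match(first)
    if not m:
        return False, "not an HTTP/1.x request line"
    method, target = m.group(1), m.group(2)
    if method not in POLICY.get(dport, set()):
        return False, "method %s not permitted on port %d" % (method, dport)
    if method == "CONNECT" and not CONNECT_TARGET.match(target):
        return False, "CONNECT target %s is not host:443" % target
    return True, "ok"


# Constructed samples, each modelled on a tool from the talk.
SAMPLES = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80,   b"POST /cmd HTTP/1.1\r\nHost: example.com\r\n\r\nc=id"),        # Wsh-style POST shell
    (21,   b"CONNECT 203.0.113.9:4444 HTTP/1.1\r\n\r\n"),                 # CCTT-style CONNECT over 21/tcp
    (3128, b"CONNECT 203.0.113.9:4444 HTTP/1.1\r\n\r\n"),                 # tunnel to a non-TLS port
    (3128, b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n"),             # ordinary TLS via proxy
    (80,   b"\xff\xfd\x18\xff\xfd\x20"),                                  # telnet option negotiation on 80/tcp
]


def evaluate_samples():
    """Run the policy over SAMPLES; returns [(port, allowed, reason), ...]."""
    results = []
    for dport, raw in SAMPLES:
        allowed, reason = check_request(dport, raw)
        results.append((dport, allowed, reason))
    return results


if __name__ == "__main__":
    for dport, allowed, reason in evaluate_samples():
        print("%5d  %-5s  %s" % (dport, "ALLOW" if allowed else "DENY", reason))
```

A check like this is only the request-line layer of an application-layer firewall; it does nothing about what a permitted GET carries in its URL or about its timing, which is why the slide goes on to require traffic sampling and custom signatures.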
    • Final Thoughts
      • Signatures require a priori knowledge of the channel, the same "arms race" as antivirus and anti-malware
      • Heuristic or behavioral detection is needed when the channel is unknown
      • Next-generation firewalls will also need to understand applications, not just application-layer protocols
      • Existing IDS/IPS features on firewalls are unlikely to replace NIDS/NIPS appliances in the short term
      • The long-term trend of perimeter consolidation is expected to continue

    • References
      1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a data breach. Retrieved from PGP Corporation website: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf
      2. Richardson, R. (2008). 2008 CSI Computer Crime and Security Survey. Computer Security Institute (CSI). Retrieved from http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf
      3. Kypros-Net lexicon [Greek-English dictionary]. (n.d.). Retrieved March 20, 2009, from http://www.kypros.org/cgi-bin/lexicon
      4. Gilbert, R. (2001, October 10). Steganography (noun). Message posted to http://www.rbgilbert.com/log/ronslog022.html
      5. Woo, S. (2009, October 27). Schwarzenegger's veto message delivers another message [Web log post]. Retrieved from Washington Wire: http://blogs.wsj.com/washwire/2009/10/27/schwarzeneggers-veto-message-delivers-another-message/
    • Questions?