“Firewall Defense against Covert Channels” will explore the feasibility of using firewalls to defend against covert channels. Several open-source covert channel tools such as Covert_tcp, Wsh, and CCTT will be demonstrated and tested against a network-layer firewall as well as an application-layer firewall using the 7-layer OSI Network Model as a framework for analysis.
Rich Savacool, Chief Security Officer, Nixon Peabody, LLP
Rich Savacool is the Chief Security Officer for Nixon Peabody, LLP, a law firm based in Rochester, NY. He has nearly 20 years of experience in networking and systems security for both the commercial and government sectors. Rich holds numerous certifications including the CISSP, CEH, CCE, and GPEN. He has recently completed his Master’s Degree in Computer Security and Information Assurance from Rochester Institute of Technology.
2. Why protect against covert channels?
• Ponemon [1]: Data breaches on the rise, costly
– 94% C-levels report data attacked within last 6 months
– $204 per user record in 2009
– Data breach laws ensure negative publicity
• 2008 CSI [2]: Perimeter defenses
– 94% Network-layer firewalls
– 69% Intrusion Detection Systems (IDS)
– 54% Intrusion Prevention Systems (IPS)
– 53% Application-layer firewalls
• Covert channels represent a threat to confidentiality: they carry data out past controls that inspect only the expected protocol
3. Information Hiding
• Goals of information hiding (each security goal paired with the threat it counters)
– Confidentiality – disclosure
– Integrity – alteration
– Availability – destruction
• Three main branches
– Cryptography
– Steganography
– Metaferography (Covert Channels)
4. Cryptography
Cryptography – encryption
– From the Greek κρυπτό (kryptos)
– Means “hidden” writing [3]
– Scrambles the message text
– Writing in plain view, though unreadable
7. Steganography
Steganography – stego
– From the Greek στεγανό (steganos)
– Means “covered” writing [4]
– Hides the message within another message
– Presence of a message concealed
11. Metaferography
Metaferography – covert channels
– From the Greek μεταφέρω (metafero)
– Means “carried” writing [3]
– “Covert channels” refers to a specific implementation of metaferography
– Hides the message within a carrier
– Presence of a message concealed
12. Examples of Metaferography
Covert channels
– Wax tablets warning of Persian invasion
– Tattooed message on shaved scalp of slave
– Invisible ink used for counter-intelligence in WWII
– Microdot printing also used in spycraft during WWII
Image sources: http://www.americainwwii.com/images/cloakcamera.jpg and http://en.wikipedia.org/wiki/Wax_tablet
13. OSI Network Model
Layer 7 — Application
Layer 6 — Presentation
Layer 5 — Session
Layer 4 — Transport
Layer 3 — Network
Layer 2 — Data Link
Layer 1 — Physical
14. Network-layer Firewalls
• Examples: Check Point, Cisco PIX, SonicWall, Juniper
• Prevent network-layer attacks
– spoofing
– flooding
– port scanning
• While some have add-ons for HTTP or SMTP, protection is primarily limited to network-layer attacks; the payload above the transport layer is largely passed through uninspected
• Previous research indicates they are not effective in detecting or preventing covert channels
24. Firewall Defenses
• Perform strict protocol enforcement: traffic on a port must conform to the protocol assigned to that port (e.g. refuse an HTTP CONNECT request sent over 21/tcp instead of FTP)
• Disable unused services or protocol features
– e.g. if you do not need HTTP POST, turn it off
• Using an application-layer proxy terminates the client’s connection and originates a new one, which re-writes any network-layer header-based channels (such as the IP ID and TCP sequence-number fields used by Covert_tcp)
• Beware of generic socket-based protocols such as telnet, whose payload has no structure for a firewall to enforce
• Do not just rely on vendor-provided signatures – sample and analyze your own traffic
• Create custom signatures to deal with automated attacks
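The following is an added example (mine, not code from the talk or from Covert_tcp) that simulates two of the defenses on this slide against constructed traffic: strict protocol enforcement on 21/tcp, where a client line that is an HTTP request (including CONNECT) is refused even though a port-based rule would pass it, and the header re-write performed by an application-layer proxy, which destroys a covert_tcp-style channel that carries one payload byte per packet in the IP ID. Two assumptions are mine: the payload byte sits in the high-order byte of the 16-bit IP ID, and the proxy stamps its outbound packets with a simple IP ID counter. Neither claims to describe how Covert_tcp or any particular product actually works.

```python
"""Added example: strict protocol enforcement on 21/tcp and the effect of a
proxy on an IP-ID header channel. Traffic below is constructed."""
import re
from typing import List, Sequence

# --- 1. Strict protocol enforcement on 21/tcp ------------------------------
# RFC 959 commands are 3-4 letters, optionally followed by one argument.
FTP_COMMAND = re.compile(rb"^[A-Za-z]{3,4}( [^\r\n]+)?\r\n$")
HTTP_REQUEST_LINE = re.compile(rb" HTTP/\d\.\d\r\n$")


def enforce_ftp(first_line: bytes) -> bool:
    """True if the client's first line on 21/tcp is plausibly an FTP command.

    The HTTP check runs first because 'GET / HTTP/1.1' would otherwise match
    the loose FTP grammar (three letters, a space, an argument).
    """
    if HTTP_REQUEST_LINE.search(first_line):
        return False
    return FTP_COMMAND.match(first_line) is not None


# --- 2. covert_tcp-style IP ID channel: packet filter vs. proxy -----------
def encode_ip_ids(message: bytes) -> List[int]:
    """One payload byte per packet, written into the high byte of the IP ID
    (assumed layout, chosen for this example)."""
    return [b << 8 for b in message]


def decode_ip_ids(ip_ids: Sequence[int]) -> bytes:
    """Receiver side: read the payload byte back out of each IP ID."""
    return bytes((i >> 8) & 0xFF for i in ip_ids)


def forward_through_packet_filter(ip_ids: Sequence[int]) -> List[int]:
    """A network-layer firewall routes the original datagram. Its policy is
    port/state based, so the IP ID arrives unchanged and the channel passes."""
    return list(ip_ids)


def forward_through_proxy(ip_ids: Sequence[int], start_id: int = 0x1A2B) -> List[int]:
    """An application-layer proxy terminates the client's TCP session and opens
    its own to the server. It never copies the client's IP header, so the
    server sees the proxy's own IP ID counter (assumed here) and the channel
    is destroyed."""
    return [(start_id + n) & 0xFFFF for n in range(len(ip_ids))]


def channel_survives(ip_ids: Sequence[int], forward) -> bool:
    """Does the covert payload reach the far end intact through `forward`?"""
    return decode_ip_ids(forward(ip_ids)) == decode_ip_ids(ip_ids)


if __name__ == "__main__":
    secret = b"exfil: svr1 pw=hunter2"  # constructed payload
    ids = encode_ip_ids(secret)
    print("packet filter:", channel_survives(ids, forward_through_packet_filter))
    print("proxy        :", channel_survives(ids, forward_through_proxy))
    for line in (b"USER anonymous\r\n",
                 b"CONNECT evil.example:443 HTTP/1.1\r\n",
                 b"GET / HTTP/1.1\r\n"):
        print(line, "->", "allow" if enforce_ftp(line) else "drop")
```

The point of the second half is that the proxy needs no knowledge of the channel: it defeats it simply by not forwarding the client's IP header. Channels carried in the application payload (the Wsh and CCTT cases) pass through a proxy untouched, which is why the protocol-enforcement and feature-disabling items on the slide are still needed.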
25. Final Thoughts
• Signatures require a priori knowledge of the channel (the same arms race as antivirus/malware signatures)
• Heuristic or behavioral detection is needed for channels that are not yet known
• Next-generation firewalls will also need to understand individual applications, not just the application layer
• Existing IDS/IPS features on firewalls are unlikely to replace NIDS/NIPS appliances in the short term
• The long-term trend of perimeter consolidation is expected to continue
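As an added example (mine, not the talk's) of the behavioral detection called for above, the block below classifies one host's IP ID sequence without a signature for any specific tool. A host's IP ID field normally behaves in one of two ways: it is a counter (+1 per packet, or +256 as seen on the wire when the stack writes the field in host byte order), or it is randomized across the whole 16-bit range. A sender that writes payload into the field does neither: the values do not increment and, for plaintext, stay inside a narrow band of the space. The flows are constructed, not captured traffic, and the 0.9 and 0.75 thresholds are my choices.

```python
"""Added example: behavioral check for an IP-ID covert channel. Flows are
constructed; thresholds are illustrative."""
from typing import Sequence


def counter_like_fraction(ids: Sequence[int]) -> float:
    """Fraction of consecutive pairs whose delta is +1 or +256 (mod 2^16)."""
    if len(ids) < 2:
        return 1.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) & 0xFFFF in (1, 256))
    return hits / (len(ids) - 1)


def span_fraction(ids: Sequence[int]) -> float:
    """Share of the 16-bit space between the smallest and largest ID seen."""
    return (max(ids) - min(ids)) / 0xFFFF


def ip_id_verdict(ids: Sequence[int], min_packets: int = 16) -> str:
    """Classify one host's IP ID sequence.

    'counter' and 'full-range' are ordinary stack behaviour; 'suspicious'
    means the field neither counts nor spreads out, which is what a
    plaintext byte-in-header channel looks like.
    """
    if len(ids) < min_packets:
        return "insufficient"          # too few packets to judge
    if counter_like_fraction(ids) >= 0.9:
        return "counter"
    if span_fraction(ids) >= 0.75:
        return "full-range"
    return "suspicious"


# Constructed flows (32-64 packets each), not captured traffic.
LINUX_LIKE = [(0x7000 + n) & 0xFFFF for n in range(32)]          # +1 counter
WINDOWS_LIKE = [(0x1234 + 256 * n) & 0xFFFF for n in range(32)]  # +256 on the wire
FULL_RANGE = [(n * 40503) & 0xFFFF for n in range(64)]           # stand-in for randomized IDs
COVERT_TEXT = [b << 8 for b in b"the quick brown fox jumps over the lazy dog"]  # payload in high byte


if __name__ == "__main__":
    for name, flow in [("linux-like", LINUX_LIKE), ("windows-like", WINDOWS_LIKE),
                       ("full-range", FULL_RANGE), ("covert text", COVERT_TEXT)]:
        print(f"{name:13s} counter={counter_like_fraction(flow):.2f} "
              f"span={span_fraction(flow):.2f} -> {ip_id_verdict(flow)}")
```

The caveat is the arms race from the slide: a sender that encrypts or whitens its payload before writing it into the header spreads across the full range and is classified like a randomized stack, and one that keeps the low bits counting will pass the counter test. The heuristic buys detection of unknown plaintext channels, not of every channel, so it complements rather than replaces sampling and custom signatures.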
26. References
1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a data breach. Retrieved from PGP Corporation website: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf
2. Richardson, R. (2008). 2008 CSI Computer Crime and Security Survey. Computer Security Institute (CSI). Retrieved from http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf
3. Kypros-Net lexicon [Greek-English dictionary]. (n.d.). Retrieved March 20, 2009, from http://www.kypros.org/cgi-bin/lexicon
4. Gilbert, R. (2001, October 10). Steganography (noun). Message posted to http://www.rbgilbert.com/log/ronslog022.html
5. Woo, S. (2009, October 27). Schwarzenegger’s veto message delivers another message [Web log post]. Retrieved from Washington Wire: http://blogs.wsj.com/washwire/2009/10/27/schwarzeneggers-veto-message-delivers-another-message/