“Firewall Defense against Covert Channels” will explore the feasibility of using firewalls to defend against covert channels. Several open-source covert channel tools such as Covert_tcp, Wsh, and CCTT will be demonstrated and tested against a network-layer firewall as well as an application-layer firewall using the 7-layer OSI Network Model as a framework for analysis. Rich Savacool, Chief Security Officer, Nixon Peabody, LLP Rich Savacool is the Chief Security Officer for Nixon Peabody, LLP, a law firm based in Rochester, NY. He has nearly 20 years of experience in networking and systems security for both the commercial and government sectors. Rich holds numerous certifications including the CISSP, CEH, CCE, and GPEN. He has recently completed his Master’s Degree in Computer Security and Information Assurance from Rochester Institute of Technology.

1. Firewall Defense Against Covert
Channels
Rich Savacool
Chief Security Officer

2. Why protect against covert channels?
• Ponemon [1]: Data breaches on the rise, costly
– 94% C-levels report data attacked within last 6 months
– $204 per user record in 2009
– Data breach laws ensure negative publicity
• 2008 CSI [2]: Perimeter defenses
– 94% Network-layer firewalls
– 69% Intrusion Detection Systems (IDS)
– 54% Intrusion Prevention Systems (IPS)
– 53% Application-layer firewalls
• Covert channels represent threat to confidentiality

3. Information Hiding
• Goals of information hiding
– Confidentiality – Disclosure
– Integrity – Alteration
– Availability – Destruction
• Three main branches
– Cryptography
– Steganography
– Metaferography (Covert Channels)

4. Cryptography
Cryptography – encryption
– From the Greek κρυπτό (kryptos)
– Means “hidden” writing [3]
– Scrambles the message text
– Writing in plain view, though unreadable

5. Examples of Cryptography
Skytale (transposition)
Confederate Cipher
Disc (substitution)

6. Examples of Cryptography (cont.)
GNU Privacy Guard (gpg)

7. Steganography
Steganography – stego
– From the Greek στεγανό (steganos)
– Means “covered” writing [4]
– Hides the message within another message
– Presence of a message concealed

8. Examples of Steganography
Masked letter

9. Examples of Steganography (cont.)
Image w/ embedded msg
Original image

10. Examples of Steganography (cont.)
Letter from California governor Arnold Schwarzenegger [5]

11. Metaferography
Metaferography – covert channels
– From the Greek μεταφέρό (metaferos)
– Means “carried” writing [3]
– Covert channels refers to specific implementation of
metaferography
– Hides the message within a carrier
– Presence of a message concealed

12. Examples of Metaferography
Covert channels
– Wax tablets warning of Persian invasion
– Tattooed message on shaved scalp of slave
– Invisible ink used for counter-intelligence in WWII
– Microdot printing also used in spycraft during WWII
http://www.americainwwii.com/
images/cloakcamera.jpg
http://en.wikipedia.org/
wiki/Wax_tablet

13. OSI Network Model
Layer 7 — Application
Layer 6 — Presentation
Layer 5 — Session
Layer 4 — Transport
Layer 3 — Network
Layer 2 — Data Link
Layer 1 — Physical

14. Network-layer Firewalls
• Example: Check Point, PIX, Sonicwall, Juniper
• Prevent network-layer attacks
– spoofing
– flooding
– port scanning
• While some have add-ons for HTTP or SMTP, protection
primarily limited to network attacks
• Previous research indicates not effective in detecting or
preventing covert channels

15. Network-layer Firewalls (cont.)
Check Point Firewall-1 Management GUI

16. Application-layer Firewalls
• Example: McAfee, ISA, Palo Alto
• Prevent application-layer attacks
– Javascript attacks
– ActiveX attacks
– FTP bounce
• Offer strong protection against user-based attacks
• Require constant updates as applications evolve
• Previous research indicates limited success with L3 covert
channels ― no success with L7 channels

17. Application-layer Firewalls (cont.)
McAfee Enterprise Firewall Management GUI

18. Covert channel tools
• Covert_tcp
– network-layer storage channel
– uses IPID, ISN, or ACK fields
• CCTT
– application-layer storage channel
– TCP/IP tunneling through TCP, UDP, HTTP POST, or HTTP CONNECT
messages
• Wsh
– application-layer storage channel
– remote shell using HTTP POST requests
• Leaker/Recover
– application-layer timing channel
– timestamps of specially-encoded HTTP GET requests to attacker's web
server

19. Covert_tcp

20. CCTT

21. Wsh

22. Leaker/Recover

23. Demo

24. Firewall Defenses
• Perform strict protocol enforcement (prevent HTTP
CONNECT over 21/tcp)
• Disable unused services or protocol features
– Ex. if you do not need HTTP POST, turn it off
• Using a proxy will re-write any network-layer header-
based channels
• Beware of generic socket-based protocols such as telnet
• Do not just rely on vendor-provided signatures – sample
and analyze traffic
• Create custom signatures to deal with automated attacks

25. Final Thoughts
• Signatures require a priori knowledge of channel
– antivirus/malware “arms” race
• Need heuristic or behavioral detection if unknown
• Next generation firewall will also need to understand
applications, not just application-layer
• Existing IDS/IPS on firewall unlikely to replace
NIDS/NIPS appliances in short-term
• Long-term trend of perimeter consolidation expected
to continue

26. References
1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a
data breach. Retrieved from PGP Corporation website:
http://www.encryptionreports.com/download/Ponemon_COB_2009_US.
pdf
2. Richardson, R. (2008). Computer Security Institute (CSI). 2008 CSI
Computer Crime and Security Survey. Retrieved from
http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf
3. Kypros-Net lexicon [Greek-English Dictionary]. (n.d.). Retrieved March
20, 2009, from http://www.kypros.org/cgi-bin/lexicon
4. Gilbert, R. (2001, October 10). Steganography (noun). Message posted
to http://www.rbgilbert.com/log/ronslog022.html
5. Woo, S. (2009, October 27). Schwarzenegger’s veto message delivers
another message [Web log post]. Retrieved from Washington Wire:
http://blogs.wsj.com/washwire/2009/10/27/schwarzeneggers-veto-
message-delivers-another-message/

27. Questions?