Firewall Defense Against Covert Channels
Rich Savacool
Chief Security Officer
Why protect against covert channels?
• Ponemon [1]: Data breaches on the rise, costly
– 94% of C-levels report data attacked within last 6 months
– $204 per user record in 2009
– Data breach laws ensure negative publicity
• 2008 CSI [2]: Perimeter defenses
– 94% Network-layer firewalls
– 69% Intrusion Detection Systems (IDS)
– 54% Intrusion Prevention Systems (IPS)
– 53% Application-layer firewalls
• Covert channels represent threat to confidentiality
Information Hiding
• Goals of information hiding (and the threat each counters)
– Confidentiality – Disclosure
– Integrity – Alteration
– Availability – Destruction
• Three main branches
– Cryptography
– Steganography
– Metaferography (Covert Channels)
Cryptography
• Cryptography – encryption
– From the Greek κρυπτό (kryptos)
– Means “hidden” writing [3]
– Scrambles the message text
– Writing in plain view, though unreadable
Examples of Cryptography
Skytale (transposition)
Confederate Cipher Disc (substitution)
Examples of Cryptography (cont.)
GNU Privacy Guard (gpg)
Steganography
• Steganography – stego
– From the Greek στεγανό (steganos)
– Means “covered” writing [4]
– Hides the message within another message
– Presence of a message concealed
Examples of Steganography
Masked letter
Examples of Steganography (cont.)
Image with embedded message
Original image
Examples of Steganography (cont.)
Letter from California governor Arnold Schwarzenegger [5]
Metaferography
• Metaferography – covert channels
– From the Greek μεταφέρό (metaferos)
– Means “carried” writing [3]
– Covert channels are a specific implementation of metaferography
– Hides the message within a carrier
– Presence of a message concealed
Examples of Metaferography
• Covert channels
– Wax tablets warning of Persian invasion
– Tattooed message on shaved scalp of slave
– Invisible ink used for counter-intelligence in WWII
– Microdot printing also used in spycraft during WWII
http://www.americainwwii.com/images/cloakcamera.jpg
http://en.wikipedia.org/wiki/Wax_tablet
OSI Network Model
Layer 7 — Application
Layer 6 — Presentation
Layer 5 — Session
Layer 4 — Transport
Layer 3 — Network
Layer 2 — Data Link
Layer 1 — Physical
Network-layer Firewalls
• Example: Check Point, PIX, Sonicwall, Juniper
• Prevent network-layer attacks
– spoofing
– flooding
– port scanning
• While some have add-ons for HTTP or SMTP, protection is primarily limited to network-layer attacks
• Previous research indicates they are not effective at detecting or preventing covert channels
Network-layer Firewalls (cont.)
Check Point Firewall-1 Management GUI
Application-layer Firewalls
• Example: McAfee, ISA, Palo Alto
• Prevent application-layer attacks
– JavaScript attacks
– ActiveX attacks
– FTP bounce
• Offer strong protection against user-based attacks
• Require constant updates as applications evolve
• Previous research indicates limited success with L3 covert channels ― no success with L7 channels
Application-layer Firewalls (cont.)
McAfee Enterprise Firewall Management GUI
Covert channel tools
• Covert_tcp
– network-layer storage channel
– uses IPID, ISN, or ACK fields
• CCTT
– application-layer storage channel
– TCP/IP tunneling through TCP, UDP, HTTP POST, or HTTP CONNECT messages
• Wsh
– application-layer storage channel
– remote shell using HTTP POST requests
• Leaker/Recover
– application-layer timing channel
– timestamps of specially-encoded HTTP GET requests to attacker's web server
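A network-layer storage channel of the Covert_tcp kind writes message bytes into header fields that a packet filter passes through unchanged, so detection has to come from sampling and analysing those fields rather than from a port rule. The following Python is an added example, not code from the slides or from Covert_tcp: it groups sampled packets into flows and applies a simple heuristic to each flow's IP ID sequence, treating an incrementing counter or high-entropy values as normal and flagging a flow whose high or low IP ID byte is almost always printable ASCII. The packet records, addresses and thresholds are constructed for illustration; in practice they would come from a capture or from firewall logs that record the field.

```python
"""Heuristic check for an IP ID storage channel in sampled packet headers.

Added example, not code from the slides or from Covert_tcp. The packet
records below are constructed; a real deployment would read them from a
pcap or from firewall logs that record the IP ID field.
"""
from collections import defaultdict

PRINTABLE = frozenset(range(0x20, 0x7F))  # printable ASCII 0x20..0x7E


def is_counter_like(values, max_step=64):
    """True if the IP ID sequence looks like an OS-style incrementing counter."""
    if len(values) < 2:
        return True
    for a, b in zip(values, values[1:]):
        step = (b - a) % 0x10000  # tolerate 16-bit wraparound
        if step == 0 or step > max_step:
            return False
    return True


def printable_fraction(values, shift):
    """Fraction of the selected byte (shift 8 = high, 0 = low) that is printable ASCII."""
    selected = [(v >> shift) & 0xFF for v in values]
    return sum(b in PRINTABLE for b in selected) / len(selected)


def score_flow(ipids, threshold=0.9, min_packets=8):
    """Return a finding dict for a suspicious IP ID sequence, else None.

    Random IP IDs give roughly 95/256 (about 37%) printable bytes, so a byte
    position that is printable in at least 90% of packets is unlikely by chance.
    """
    if len(ipids) < min_packets or is_counter_like(ipids):
        return None
    hi = printable_fraction(ipids, 8)
    lo = printable_fraction(ipids, 0)
    if max(hi, lo) >= threshold:
        return {"packets": len(ipids), "printable_hi": hi, "printable_lo": lo}
    return None


def find_suspicious_flows(packets, **kwargs):
    """Group packets by (src, dst) and score each flow's IP ID sequence."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[(pkt["src"], pkt["dst"])].append(pkt["ipid"])
    findings = {}
    for flow, ipids in flows.items():
        finding = score_flow(ipids, **kwargs)
        if finding is not None:
            findings[flow] = finding
    return findings


# Constructed sample: a normal counter flow, a random-IP-ID flow, and a flow
# carrying one ASCII byte per packet in the high byte of the IP ID.
NORMAL_FLOW = [{"src": "10.0.0.2", "dst": "198.51.100.9", "ipid": 0x1A2B + i}
               for i in range(12)]
RANDOM_FLOW = [{"src": "10.0.0.3", "dst": "198.51.100.9", "ipid": v}
               for v in (0x9F31, 0x0C8E, 0x5A77, 0xE102, 0x3BD4, 0x7715, 0xC04A, 0x1289)]
CHANNEL_FLOW = [{"src": "10.0.0.5", "dst": "203.0.113.7", "ipid": ord(c) << 8}
                for c in "secret data!"]
SAMPLE_PACKETS = NORMAL_FLOW + RANDOM_FLOW + CHANNEL_FLOW

if __name__ == "__main__":
    for flow, finding in find_suspicious_flows(SAMPLE_PACKETS).items():
        print(f"{flow[0]} -> {flow[1]}: {finding}")
```

Only the constructed channel flow is reported; the counter flow and the random flow both fall below the threshold. The same per-byte check can be pointed at the ISN or ACK fields the slide lists, with the counter test dropped for ISN, since initial sequence numbers are expected to be random rather than incrementing. A proxy that regenerates outbound headers removes this channel entirely, which is why the later defense slide recommends one.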
Covert_tcp
CCTT
Wsh
Leaker/Recover
Demo
Firewall Defenses
• Perform strict protocol enforcement (prevent HTTP CONNECT over 21/tcp)
• Disable unused services or protocol features
– Ex. if you do not need HTTP POST, turn it off
• Using a proxy rewrites network-layer headers, which breaks any header-based channel
• Beware of generic socket-based protocols such as telnet
• Do not just rely on vendor-provided signatures – sample and analyze traffic
• Create custom signatures to deal with automated attacks
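The first two defenses above, shown as an added example that is not the slides' own material or any vendor's code: a small Python policy check that classifies the first line a client sends, denies a connection whose application protocol does not match the destination port (the HTTP CONNECT over 21/tcp case from the slide), and denies any protocol feature the site has switched off (HTTP POST here). The port table, the disabled-method set and the sample connection records are assumptions constructed for illustration.

```python
"""Strict protocol enforcement per port, as a policy check over constructed
connection records.

Added example, not code from the slides or from any firewall product. The
PROTOCOL_BY_PORT table, the disabled-method set and the sample connections
are assumptions for illustration.
"""
import re

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
FTP_COMMANDS = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "PORT", "LIST", "RETR", "STOR", "QUIT"}

# Which application protocol each TCP port is supposed to carry (assumption).
PROTOCOL_BY_PORT = {21: "ftp", 80: "http", 8080: "http"}

# Protocol features this site does not need, so they are switched off
# (the slides' example: if you do not need HTTP POST, turn it off).
DISABLED_HTTP_METHODS = {"POST", "CONNECT"}

HTTP_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d")


def classify_payload(first_line):
    """Identify the application protocol from the first line of client data."""
    match = HTTP_REQUEST_LINE.match(first_line)
    if match and match.group(1) in HTTP_METHODS:
        return "http", match.group(1)
    token = first_line.split(None, 1)[0].upper() if first_line.strip() else ""
    if token in FTP_COMMANDS:
        return "ftp", token
    return "unknown", token


def decide(dst_port, first_line):
    """Return (verdict, reason) for a connection to dst_port that opens with first_line."""
    expected = PROTOCOL_BY_PORT.get(dst_port)
    if expected is None:
        return "deny", f"{dst_port}/tcp is not an allowed service"
    seen, token = classify_payload(first_line)
    if seen != expected:
        # e.g. HTTP CONNECT over 21/tcp: the port is open but the protocol is wrong
        return "deny", f"{seen} traffic on {dst_port}/tcp, expected {expected}"
    if seen == "http" and token in DISABLED_HTTP_METHODS:
        return "deny", f"HTTP {token} is disabled by policy"
    return "allow", f"{expected} {token}"


def evaluate(connections):
    """Apply decide() to (port, first_line) pairs and return the verdicts."""
    return [(port, *decide(port, line)) for port, line in connections]


# Constructed connection records: destination port and first line sent by the client.
SAMPLE_CONNECTIONS = [
    (21, "USER anonymous\r\n"),
    (21, "CONNECT 203.0.113.7:443 HTTP/1.1\r\n"),  # tunnel attempt over the FTP port
    (21, "GET / HTTP/1.1\r\n"),
    (80, "GET /index.html HTTP/1.1\r\n"),
    (80, "POST /upload HTTP/1.1\r\n"),              # feature the site does not need
    (80, "USER bob\r\n"),
    (4444, "hello\r\n"),
]

if __name__ == "__main__":
    for port, verdict, reason in evaluate(SAMPLE_CONNECTIONS):
        print(f"{port:>5}/tcp {verdict:<5} {reason}")
```

The decision is made on what the client actually sends, not on the port number alone, which is the difference between a network-layer rule and strict protocol enforcement. The same shape extends to the slide's warning about generic socket protocols such as telnet: a port whose expected protocol cannot be pinned down in this table is one the policy cannot enforce, and is better closed than left open.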
Final Thoughts
• Signatures require a priori knowledge of channel
– antivirus/malware “arms” race
• Need heuristic or behavioral detection if unknown
• Next-generation firewalls will also need to understand applications, not just the application layer
• Existing IDS/IPS on firewall unlikely to replace NIDS/NIPS appliances in short-term
• Long-term trend of perimeter consolidation expected to continue
References
1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a data breach. Retrieved from PGP Corporation website: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf
2. Richardson, R. (2008). Computer Security Institute (CSI). 2008 CSI Computer Crime and Security Survey. Retrieved from http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf
3. Kypros-Net lexicon [Greek-English Dictionary]. (n.d.). Retrieved March 20, 2009, from http://www.kypros.org/cgi-bin/lexicon
4. Gilbert, R. (2001, October 10). Steganography (noun). Message posted to http://www.rbgilbert.com/log/ronslog022.html
5. Woo, S. (2009, October 27). Schwarzenegger’s veto message delivers another message [Web log post]. Retrieved from Washington Wire: http://blogs.wsj.com/washwire/2009/10/27/schwarzeneggers-veto-message-delivers-another-message/
Questions?