Page 1: Firewall Defense against Covert Channels

Firewall Defense Against Covert Channels

Rich Savacool

Chief Security Officer

Page 2: Firewall Defense against Covert Channels

Why protect against covert channels?

• Ponemon [1]: Data breaches on the rise, costly

– 94% of C-levels report data attacked within the last 6 months

– $204 per user record in 2009

– Data breach laws ensure negative publicity

• 2008 CSI [2]: Perimeter defenses

– 94% Network-layer firewalls

– 69% Intrusion Detection Systems (IDS)

– 54% Intrusion Prevention Systems (IPS)

– 53% Application-layer firewalls

• Covert channels represent a threat to confidentiality

Page 3: Firewall Defense against Covert Channels

Information Hiding

• Goals of information hiding (each paired with the threat it counters)

– Confidentiality vs. disclosure

– Integrity vs. alteration

– Availability vs. destruction

• Three main branches

– Cryptography

– Steganography

– Metaferography (covert channels)

Page 4: Firewall Defense against Covert Channels

Cryptography

• Cryptography – encryption

– From the Greek κρυπτό (kryptos)

– Means “hidden” writing [3]

– Scrambles the message text

– Writing in plain view, though unreadable

Page 5: Firewall Defense against Covert Channels

Examples of Cryptography

Skytale (transposition)

Confederate Cipher Disc (substitution)

Page 6: Firewall Defense against Covert Channels

Examples of Cryptography (cont.)

GNU Privacy Guard (gpg)

Page 7: Firewall Defense against Covert Channels

Steganography

• Steganography – stego

– From the Greek στεγανό (steganos)

– Means “covered” writing [4]

– Hides the message within another message

– Presence of a message concealed

Page 8: Firewall Defense against Covert Channels

Examples of Steganography

Masked letter

Page 9: Firewall Defense against Covert Channels

Examples of Steganography (cont.)

Image with embedded message

Original image

Page 10: Firewall Defense against Covert Channels

Examples of Steganography (cont.)

Letter from California governor Arnold Schwarzenegger [5]

Page 11: Firewall Defense against Covert Channels

Metaferography

• Metaferography – covert channels

– From the Greek μεταφέρω (metaferos)

– Means “carried” writing [3]

– “Covert channels” refers to a specific implementation of metaferography

– Hides the message within a carrier

– Presence of a message concealed

Page 12: Firewall Defense against Covert Channels

Examples of Metaferography

• Covert channels

– Wax tablets warning of Persian invasion

– Tattooed message on shaved scalp of slave

– Invisible ink used for counter-intelligence in WWII

– Microdot printing also used in spycraft during WWII

http://www.americainwwii.com/images/cloakcamera.jpg

http://en.wikipedia.org/wiki/Wax_tablet

Page 13: Firewall Defense against Covert Channels

OSI Network Model

Layer 7 — Application

Layer 6 — Presentation

Layer 5 — Session

Layer 4 — Transport

Layer 3 — Network

Layer 2 — Data Link

Layer 1 — Physical

Page 14: Firewall Defense against Covert Channels

Network-layer Firewalls

• Example: Check Point, PIX, Sonicwall, Juniper

• Prevent network-layer attacks

– spoofing

– flooding

– port scanning

• While some have add-ons for HTTP or SMTP, protection primarily limited to network attacks

• Previous research indicates they are not effective at detecting or preventing covert channels

Page 15: Firewall Defense against Covert Channels

Network-layer Firewalls (cont.)

Check Point Firewall-1 Management GUI

Page 16: Firewall Defense against Covert Channels

Application-layer Firewalls

• Example: McAfee, ISA, Palo Alto

• Prevent application-layer attacks

– JavaScript attacks

– ActiveX attacks

– FTP bounce

• Offer strong protection against user-based attacks

• Require constant updates as applications evolve

• Previous research indicates limited success with L3 covert channels ― no success with L7 channels

Page 17: Firewall Defense against Covert Channels

Application-layer Firewalls (cont.)

McAfee Enterprise Firewall Management GUI

Page 18: Firewall Defense against Covert Channels

Covert channel tools

• Covert_tcp

– network-layer storage channel

– uses IPID, ISN, or ACK fields

• CCTT

– application-layer storage channel

– TCP/IP tunneling through TCP, UDP, HTTP POST, or HTTP CONNECT messages

• Wsh

– application-layer storage channel

– remote shell using HTTP POST requests

• Leaker/Recover

– application-layer timing channel

– timestamps of specially-encoded HTTP GET requests to attacker's web server
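The slides recommend sampling and analyzing traffic rather than relying on signatures alone. The following is an added example, not code from the talk or from any of the tools above: a per-flow heuristic for the network-layer storage channel case, which asks whether the IP ID values in a flow behave like a normal stack's counter or PRNG output. The function name, the sample flows and the thresholds are all assumptions.

```python
"""Heuristic check for a network-layer storage channel in the IP ID field.
Added example, not from the slides. A normal stack fills IP ID from a counter
(global or per-destination) or a PRNG, so IDs within a flow either step up by
small amounts or scatter over the whole 16-bit range. A storage channel writes
chosen values instead, and when those values are text the high byte stays in
the printable ASCII band. Thresholds are assumptions; tune them on real data.
"""


def classify_ipids(ipids, max_step=64, counter_min=0.9, text_min=0.8):
    """Return (counter_fraction, printable_fraction, verdict) for one flow.

    counter_fraction:   share of successive IDs that advance like a counter
                        (0 < delta <= max_step, taken modulo 2**16)
    printable_fraction: share of IDs whose high byte is printable ASCII
    """
    if len(ipids) < 8:
        return 0.0, 0.0, "insufficient"
    steps = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    counter_fraction = sum(0 < s <= max_step for s in steps) / len(steps)
    printable_fraction = sum(0x20 <= (i >> 8) <= 0x7E for i in ipids) / len(ipids)
    if counter_fraction >= counter_min:
        verdict = "counter"       # ordinary incrementing stack
    elif printable_fraction >= text_min:
        verdict = "suspicious"    # text-like values: inspect the flow
    else:
        verdict = "unstructured"  # randomised IDs, also ordinary
    return counter_fraction, printable_fraction, verdict


# Constructed sample flows (12 packets each), not captured traffic
BENIGN_COUNTER = [1000 + 3 * i for i in range(12)]
BENIGN_RANDOM = [0x1A2B, 0xF00D, 0x0483, 0xC9E1, 0x7B3C, 0x2E9F,
                 0xD512, 0x9A07, 0x06F4, 0xE3B8, 0x58C0, 0xB17E]
SUSPECT_TEXT = [(ord(c) << 8) | i for i, c in enumerate("confidential")]

if __name__ == "__main__":
    for name, flow in [("counter", BENIGN_COUNTER), ("random", BENIGN_RANDOM),
                       ("text", SUSPECT_TEXT)]:
        print(name, classify_ipids(flow))
```

The same shape of check applies to the TCP ISN and ACK fields the slide lists, with the field width adjusted.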

Page 19: Firewall Defense against Covert Channels

Covert_tcp

Page 20: Firewall Defense against Covert Channels

CCTT

Page 21: Firewall Defense against Covert Channels

Wsh

Page 22: Firewall Defense against Covert Channels

Leaker/Recover

Page 23: Firewall Defense against Covert Channels

Demo

Page 24: Firewall Defense against Covert Channels

Firewall Defenses

• Perform strict protocol enforcement (prevent HTTP CONNECT over 21/tcp)

• Disable unused services or protocol features

– Ex. if you do not need HTTP POST, turn it off

• A proxy terminates the connection and rebuilds the packets itself, so it will re-write any network-layer header-based channel

• Beware of generic socket-based protocols such as telnet

• Do not just rely on vendor-provided signatures – sample and analyze traffic

• Create custom signatures to deal with automated attacks
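One way to model the first two defenses above (protocol enforcement per port and switching off unneeded HTTP methods) as a policy check on the first line a client sends. This is an added example, not the talk's material or any vendor's rule syntax; the port-to-protocol map, the method allow-list and the function name are assumed.

```python
"""Strict protocol enforcement for the first client line of a session.
Added example modelling the slides' advice (no HTTP CONNECT on 21/tcp, HTTP
POST off when unused); it is not any vendor's rule syntax. The port-to-
protocol map and the HTTP method allow-list are assumed policy values.
"""
import re

EXPECTED_PROTOCOL = {21: "ftp", 25: "smtp", 80: "http"}  # assumed policy
ALLOWED_HTTP_METHODS = {"GET", "HEAD"}                   # POST, CONNECT off

# FTP commands (RFC 959) are 3-4 letter verbs; an HTTP request line
# (RFC 7230) ends in HTTP/x.y; SMTP sessions open with HELO/EHLO.
FTP_CMD = re.compile(r"^[A-Z]{3,4}( [^\r\n]*)?\r\n$")
HTTP_REQ = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d\r\n$")
SMTP_CMD = re.compile(r"^(HELO|EHLO) \S+\r\n$")


def enforce(dst_port, first_line):
    """Return (allow, reason) for the first line a client sends on dst_port."""
    proto = EXPECTED_PROTOCOL.get(dst_port)
    if proto is None:
        return False, f"port {dst_port} not in policy"   # e.g. generic telnet
    http = HTTP_REQ.match(first_line)
    if proto == "http":
        if not http:
            return False, "not an HTTP request line"
        method = http.group(1)
        if method not in ALLOWED_HTTP_METHODS:
            return False, f"HTTP {method} disabled by policy"
        return True, f"HTTP {method}"
    if http:  # HTTP syntax on a non-HTTP port: tunnelling attempt, block it
        return False, f"HTTP {http.group(1)} on {proto} port"
    grammar = FTP_CMD if proto == "ftp" else SMTP_CMD
    if grammar.match(first_line):
        return True, f"{proto} command"
    return False, f"not a {proto} command"
```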

Page 25: Firewall Defense against Covert Channels

Final Thoughts

• Signatures require a priori knowledge of the channel

– antivirus/malware “arms” race

• Heuristic or behavioral detection is needed when the channel is unknown

• Next-generation firewalls will also need to understand applications, not just the application layer

• Existing IDS/IPS on firewalls is unlikely to replace NIDS/NIPS appliances in the short term

• The long-term trend of perimeter consolidation is expected to continue
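As an added example of the behavioral detection the second point calls for (not code from the talk or from Leaker/Recover), this script scores the application-layer timing channel case: it reads constructed proxy-log lines, computes each client's inter-arrival times to each host, and flags pairs whose gaps fall into only a few discrete values. The log format, function names, tolerance and thresholds are assumptions.

```python
"""Behavioural check for an application-layer timing channel (added example).
Leaker/Recover-style channels carry bits in the timing of HTTP GET requests,
so one client's inter-arrival times to one host collapse onto a few discrete
values, while browsing produces a broad spread. Log lines are constructed as
"<timestamp> <client> <method> <url>"; tolerance/thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

CONSTRUCTED_LOG = """\
2009-03-20T10:00:00.000 10.0.0.7 GET http://intranet.example/news
2009-03-20T10:00:04.120 10.0.0.7 GET http://intranet.example/page2
2009-03-20T10:00:31.400 10.0.0.7 GET http://intranet.example/img.png
2009-03-20T10:01:55.900 10.0.0.7 GET http://intranet.example/home
2009-03-20T10:02:01.300 10.0.0.7 GET http://intranet.example/faq
2009-03-20T10:02:44.750 10.0.0.7 GET http://intranet.example/contact
2009-03-20T10:00:00.000 10.0.0.9 GET http://drop.example/a
2009-03-20T10:00:01.000 10.0.0.9 GET http://drop.example/a
2009-03-20T10:00:03.010 10.0.0.9 GET http://drop.example/a
2009-03-20T10:00:04.000 10.0.0.9 GET http://drop.example/a
2009-03-20T10:00:06.020 10.0.0.9 GET http://drop.example/a
2009-03-20T10:00:08.000 10.0.0.9 GET http://drop.example/a
2009-03-20T10:00:09.010 10.0.0.9 GET http://drop.example/a
"""


def inter_arrivals(log_text):
    """Map (client, host) -> list of gaps in seconds between successive GETs."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, url = line.split()
        if method == "GET":
            times[(client, url.split("/")[2])].append(datetime.fromisoformat(ts))
    return {key: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for key, t in ((k, sorted(v)) for k, v in times.items())}


def timing_symbols(gaps, tolerance=0.10):
    """Count gap clusters (a gap joins a cluster when within tolerance of its
    centre); few clusters over many gaps means a small alphabet of delays."""
    centres = []
    for g in sorted(gaps):
        if not any(abs(g - c) <= tolerance * c for c in centres):
            centres.append(g)
    return len(centres)


def suspicious_pairs(log_text, min_requests=6, max_symbols=3):
    """(client, host) pairs whose GET timing looks like a covert alphabet."""
    return sorted(k for k, g in inter_arrivals(log_text).items()
                  if len(g) + 1 >= min_requests and timing_symbols(g) <= max_symbols)
```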

Page 26: Firewall Defense against Covert Channels

References

1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a data breach. Retrieved from PGP Corporation website: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

2. Richardson, R. (2008). Computer Security Institute (CSI). 2008 CSI Computer Crime and Security Survey. Retrieved from http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf

3. Kypros-Net lexicon [Greek-English Dictionary]. (n.d.). Retrieved March 20, 2009, from http://www.kypros.org/cgi-bin/lexicon

4. Gilbert, R. (2001, October 10). Steganography (noun). Message posted to http://www.rbgilbert.com/log/ronslog022.html

5. Woo, S. (2009, October 27). Schwarzenegger’s veto message delivers another message [Web log post]. Retrieved from Washington Wire: http://blogs.wsj.com/washwire/2009/10/27/schwarzeneggers-veto-message-delivers-another-message/

Page 27: Firewall Defense against Covert Channels

Questions?
