Firewall Defense Against Covert Channels
Rich Savacool, Chief Security Officer

Upload: rochester-security-summit

Posted on 18-Nov-2014


DESCRIPTION

“Firewall Defense against Covert Channels” will explore the feasibility of using firewalls to defend against covert channels. Several open-source covert channel tools such as Covert_tcp, Wsh, and CCTT will be demonstrated and tested against a network-layer firewall as well as an application-layer firewall, using the 7-layer OSI network model as a framework for analysis.

Rich Savacool, Chief Security Officer, Nixon Peabody, LLP

Rich Savacool is the Chief Security Officer for Nixon Peabody, LLP, a law firm based in Rochester, NY. He has nearly 20 years of experience in networking and systems security for both the commercial and government sectors. Rich holds numerous certifications including the CISSP, CEH, CCE, and GPEN. He has recently completed his Master’s Degree in Computer Security and Information Assurance from Rochester Institute of Technology.

TRANSCRIPT

Page 1: Firewall Defense against Covert Channels

Firewall Defense Against Covert Channels

Rich Savacool

Chief Security Officer

Page 2

Why protect against covert channels?

• Ponemon [1]: data breaches on the rise, and costly
  – 94% of C-level respondents report their data was attacked within the last 6 months
  – $204 per compromised record in 2009
  – Data breach laws ensure negative publicity

• 2008 CSI survey [2]: perimeter defenses in use
  – 94% network-layer firewalls
  – 69% intrusion detection systems (IDS)
  – 54% intrusion prevention systems (IPS)
  – 53% application-layer firewalls

• Covert channels represent a threat to confidentiality

Page 3

Information Hiding

• Goals of information hiding (the property protected, and the threat it counters)
  – Confidentiality – disclosure
  – Integrity – alteration
  – Availability – destruction

• Three main branches
  – Cryptography
  – Steganography
  – Metaferography (covert channels)

Page 4

Cryptography

• Cryptography – encryption
  – From the Greek κρυπτό (kryptos)
  – Means “hidden” writing [3]
  – Scrambles the message text
  – Writing in plain view, though unreadable

Page 5

Examples of Cryptography

Figures: Skytale (transposition); Confederate Cipher Disc (substitution)

Page 6

Examples of Cryptography (cont.)

Figure: GNU Privacy Guard (gpg)

Page 7

Steganography

• Steganography – stego
  – From the Greek στεγανό (steganos)
  – Means “covered” writing [4]
  – Hides the message within another message
  – Presence of a message concealed

Page 8

Examples of Steganography

Figure: Masked letter

Page 9

Examples of Steganography (cont.)

Figures: Original image; image with embedded message

Page 10

Examples of Steganography (cont.)

Figure: Letter from California governor Arnold Schwarzenegger [5]

Page 11

Metaferography

• Metaferography – covert channels
  – From the Greek μεταφέρό (metaferos)
  – Means “carried” writing [3]
  – Covert channels refers to a specific implementation of metaferography
  – Hides the message within a carrier
  – Presence of a message concealed

Page 12

Examples of Metaferography

• Covert channels
  – Wax tablets warning of the Persian invasion
  – Tattooed message on the shaved scalp of a slave
  – Invisible ink used for counter-intelligence in WWII
  – Microdot printing also used in spycraft during WWII

Image sources: http://www.americainwwii.com/images/cloakcamera.jpg ; http://en.wikipedia.org/wiki/Wax_tablet

Page 13

OSI Network Model

Layer 7 — Application

Layer 6 — Presentation

Layer 5 — Session

Layer 4 — Transport

Layer 3 — Network

Layer 2 — Data Link

Layer 1 — Physical

Page 14

Network-layer Firewalls

• Examples: Check Point, PIX, Sonicwall, Juniper

• Prevent network-layer attacks

– spoofing

– flooding

– port scanning

• While some have add-ons for HTTP or SMTP, protection primarily limited to network attacks

• Previous research indicates they are not effective in detecting or preventing covert channels

Page 15

Network-layer Firewalls (cont.)

Figure: Check Point Firewall-1 management GUI

Page 16

Application-layer Firewalls

• Examples: McAfee, ISA, Palo Alto

• Prevent application-layer attacks
  – JavaScript attacks
  – ActiveX attacks
  – FTP bounce

• Offer strong protection against user-based attacks

• Require constant updates as applications evolve

• Previous research indicates limited success with L3 covert channels; no success with L7 channels

Page 17

Application-layer Firewalls (cont.)

Figure: McAfee Enterprise Firewall management GUI

Page 18

Covert channel tools

• Covert_tcp
  – network-layer storage channel
  – uses the IP Identification (IPID), TCP initial sequence number (ISN), or TCP ACK fields

• CCTT
  – application-layer storage channel
  – TCP/IP tunneling through TCP, UDP, HTTP POST, or HTTP CONNECT messages

• Wsh
  – application-layer storage channel
  – remote shell using HTTP POST requests

• Leaker/Recover
  – application-layer timing channel
  – timestamps of specially-encoded HTTP GET requests to the attacker's web server
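The Leaker/Recover entry above describes a timing channel: the data is not in any request, only in when the requests arrive. The following Python is an added example (not the speaker's code and not the Leaker/Recover tools themselves) that builds such a channel end to end. The leaking host issues ordinary HTTP GETs for static images, one bit per request, and the attacker's web server recovers the bits from the timestamps in its own access log. The gap lengths (2 s for 0, 5 s for 1), the client address, the URLs and the log lines are all constructed for this example.

```python
"""Application-layer timing channel in the style of Leaker/Recover.

Added example, not code from the talk or from the Leaker/Recover tools.  The
leaking host issues ordinary HTTP GET requests; the bit lives only in the gap
between consecutive requests, and the attacker's web server recovers it from
its own access log.  Log lines, addresses and gap values are constructed.
"""
import re
from datetime import datetime, timedelta

SHORT_GAP = 2   # seconds between requests that encodes a 0 bit (assumed value)
LONG_GAP = 5    # seconds between requests that encodes a 1 bit (assumed value)

# Apache/nginx "combined" log: timestamp plus the request line.
LOG_RE = re.compile(
    r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] "GET (\S+) HTTP/1\.[01]"'
)


def text_to_bits(text: str) -> str:
    return "".join(f"{b:08b}" for b in text.encode("utf-8"))


def bits_to_text(bits: str) -> str:
    usable = len(bits) - len(bits) % 8            # drop a trailing partial byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def leak_schedule(message: str, start: datetime) -> list:
    """Leaker side: the times at which to issue GET requests.  The first request
    is a sync marker; each later one follows the previous by SHORT_GAP or
    LONG_GAP seconds, one bit per request."""
    times = [start]
    for bit in text_to_bits(message):
        gap = LONG_GAP if bit == "1" else SHORT_GAP
        times.append(times[-1] + timedelta(seconds=gap))
    return times


def render_access_log(times: list, client_ip: str = "10.0.0.5") -> list:
    """What the attacker's web server, and any firewall in between, sees: a
    series of well-formed, individually harmless GETs for static content."""
    lines = []
    for i, t in enumerate(times):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(
            f'{client_ip} - - [{stamp}] "GET /img/logo{i}.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        )
    return lines


def recover(log_lines: list) -> str:
    """Recover side: parse the timestamps back out of the access log and turn
    the inter-arrival gaps into bits using the midpoint between the two gaps."""
    stamps = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"))
    threshold = (SHORT_GAP + LONG_GAP) / 2
    bits = "".join(
        "1" if (later - earlier).total_seconds() > threshold else "0"
        for earlier, later in zip(stamps, stamps[1:])
    )
    return bits_to_text(bits)


def demo_log(message: str = "Hi") -> list:
    """Constructed end-to-end run: the schedule for `message`, rendered as the
    access log the attacker's server would write."""
    return render_access_log(leak_schedule(message, datetime(2014, 11, 18, 10, 0, 0)))


if __name__ == "__main__":
    log = demo_log("Hi")
    print("\n".join(log[:3]), "\n...")
    print("recovered:", recover(log))   # Hi
```

Every line in that log is a valid GET that returns 200, which is why an application-layer firewall inspecting requests one at a time has nothing to object to; the 16 bits of "Hi" cost 17 requests and roughly a minute, so the channel is slow but invisible to per-request policy.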

Page 19

Covert_tcp

Page 20

CCTT

Page 21

Wsh

Page 22

Leaker/Recover

Page 23

Demo

Page 24

Firewall Defenses

• Perform strict protocol enforcement (e.g., prevent HTTP CONNECT over 21/tcp)

• Disable unused services or protocol features
  – e.g., if you do not need HTTP POST, turn it off

• Using a proxy will re-write any network-layer header-based channel

• Beware of generic socket-based protocols such as telnet

• Do not rely only on vendor-provided signatures: sample and analyze traffic

• Create custom signatures to deal with automated attacks
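The third bullet is worth seeing concretely, together with the Covert_tcp entry on the tools slide. The following Python is an added example (not the speaker's code and not Covert_tcp's source): it builds the kind of packets Covert_tcp's IPID mode sends, decodes them, and then passes them through a model of a proxy that terminates the client's TCP session and opens its own. The encoding (one ASCII character per SYN, carried in the high byte of the 16-bit IP Identification field), the addresses and the ports are this example's own assumptions; packets are built in memory only and never transmitted.

```python
"""IP ID storage channel in the style of Covert_tcp, and why a proxy breaks it.

Added example, not code from the talk or from Covert_tcp.  Packets are built
in memory only (no raw sockets), so it runs offline.  The encoding below is
this example's choice, not a reproduction of Covert_tcp's exact layout.
"""
import itertools
import struct

SRC = "10.0.0.5"      # constructed insider host
DST = "192.0.2.10"    # constructed attacker host (RFC 5737 documentation range)


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(ip_id: int, seq: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal IPv4 + TCP SYN, no options.  ip_id and seq are caller-chosen,
    which is exactly the freedom a raw-socket tool like Covert_tcp uses.
    The TCP checksum is left zero because nothing here is transmitted."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000,
                      64, 6, 0, _ip_to_bytes(SRC), _ip_to_bytes(DST))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + tcp


def ip_header_ok(pkt: bytes) -> bool:
    """A valid IPv4 header checksums to zero when the checksum field is included."""
    return _checksum(pkt[:20]) == 0


def parse_ip_id(pkt: bytes) -> int:
    (ip_id,) = struct.unpack("!H", pkt[4:6])
    return ip_id


def encode_message(msg: str) -> list:
    """Sender: one SYN per character, ASCII value in the high byte of IP ID."""
    return [build_syn(ip_id=ord(ch) << 8, seq=0x1000 + i) for i, ch in enumerate(msg)]


def decode_message(pkts: list) -> str:
    """Receiver: read the high byte of IP ID back out of each packet."""
    return "".join(chr(parse_ip_id(p) >> 8) for p in pkts)


def proxy_reoriginate(pkts: list) -> list:
    """Model of a proxy (or any device that terminates the client's TCP session
    and opens its own toward the server).  Only the endpoints survive; the
    outbound packets carry the proxy's own IP ID counter and its own ISN, so
    both the IPID and ISN channels are destroyed in transit."""
    ids = itertools.count(1)
    out = []
    for p in pkts:
        sport, dport = struct.unpack("!HH", p[20:24])
        out.append(build_syn(ip_id=next(ids), seq=0xABCD0000, sport=sport, dport=dport))
    return out


if __name__ == "__main__":
    wire = encode_message("exfil")
    print("direct path   :", repr(decode_message(wire)))                 # 'exfil'
    print("through proxy :", repr(decode_message(proxy_reoriginate(wire))))
```

The contrast with the network-layer firewall on slide 14 is the point: a packet filter, stateful or not, forwards the client's own header and so preserves the Identification and sequence-number fields the channel rides on; a proxy never forwards that header at all, so the channel dies as a side effect of session termination rather than because anything was detected.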

Page 25

Final Thoughts

• Signatures require a priori knowledge of the channel
  – the same “arms race” as antivirus/anti-malware signatures

• Need heuristic or behavioral detection if the channel is unknown

• Next-generation firewalls will also need to understand applications, not just the application layer

• Existing IDS/IPS on firewall unlikely to replace NIDS/NIPS appliances in short-term

• Long-term trend of perimeter consolidation expected to continue
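What "heuristic or behavioral detection" can look like for the two channel families in this talk, as an added example (not the speaker's code): two signature-free checks in Python, one over the IP ID values seen from a single host and one over the inter-arrival times of its HTTP requests. Neither needs to know the tool or the encoding; they ask whether the field behaves like a normal stack or whether the timing behaves like a person. The thresholds, the flagged byte lanes and the sample sequences are all constructed for this example and would need baselining against real traffic before use.

```python
"""Signature-free heuristics for the two covert-channel families in the talk.

Added example, not the speaker's code.  Both checks are deliberately simple;
the thresholds are this example's assumptions and illustrate the shape of
behavioural detection, not production tuning.
"""
import random
from collections import Counter


def ipid_carries_text(ids: list, printable_ratio: float = 0.9,
                      counter_ratio: float = 0.8) -> bool:
    """Flag an IP ID sequence from one source that behaves like neither an
    incrementing counter nor a random generator, but like ASCII in one byte
    lane.  Ordinary stacks do one of the first two; a Covert_tcp-style
    channel makes a byte lane track the message.  True means 'looks covert'."""
    if len(ids) < 8:
        return False                          # too little evidence either way
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if sum(d == 1 for d in deltas) / len(deltas) >= counter_ratio:
        return False                          # plain incrementing counter
    for lane in (lambda v: v >> 8, lambda v: v & 0xFF):
        printable = sum(0x20 <= lane(v) <= 0x7E for v in ids) / len(ids)
        if printable >= printable_ratio:
            return True
    return False


def gaps_are_bimodal(times: list, resolution: float = 0.5,
                     min_samples: int = 16, coverage: float = 0.9) -> bool:
    """Flag a request series whose inter-arrival gaps collapse onto two
    values, which a two-symbol timing channel (Leaker/Recover style) produces
    and interactive browsing does not.  Gaps are bucketed at `resolution`
    seconds and the two most common buckets must cover `coverage` of them."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < min_samples:
        return False
    buckets = Counter(round(g / resolution) for g in gaps)
    top_two = sum(n for _, n in buckets.most_common(2))
    return top_two / len(gaps) >= coverage


# --- constructed samples, not captures from the talk -------------------------

COVERT_IDS = [ord(c) << 8 for c in "secret data leaving"]   # ASCII in the high lane
COUNTER_IDS = [(0x4100 + i) & 0xFFFF for i in range(64)]     # incrementing stack
_rng = random.Random(7)
RANDOM_IDS = [_rng.randrange(65536) for _ in range(64)]     # randomising stack


def _gaps_for(message: str, short: float = 2.0, long_: float = 5.0) -> list:
    bits = "".join(f"{b:08b}" for b in message.encode("utf-8"))
    return [long_ if bit == "1" else short for bit in bits]


def _times_from_gaps(gaps: list, start: float = 0.0) -> list:
    times = [start]
    for g in gaps:
        times.append(times[-1] + g)
    return times


COVERT_TIMES = _times_from_gaps(_gaps_for("Hi"))
BROWSING_TIMES = _times_from_gaps(
    [0.3, 4.1, 12.7, 0.8, 33.2, 2.0, 0.5, 1.1, 60.4, 7.3, 0.2, 15.8, 3.3, 0.9, 2.6, 21.0, 0.4]
)

if __name__ == "__main__":
    for name, ids in (("covert", COVERT_IDS), ("counter", COUNTER_IDS), ("random", RANDOM_IDS)):
        print(f"ipid {name:8s}: {ipid_carries_text(ids)}")
    for name, ts in (("covert", COVERT_TIMES), ("browsing", BROWSING_TIMES)):
        print(f"gaps {name:8s}: {gaps_are_bimodal(ts)}")
```

Two caveats a practitioner should keep in mind before deploying anything like this: both checks assume the sequence belongs to one host, so IP IDs or request times observed behind a NAT or load balancer (many hosts interleaved) will look random or noisy and hide a channel, and a channel author who adds jitter or a third symbol will spread the gap buckets and slip under the coverage threshold. That is the arms race the slide describes; the heuristics raise the cost, they do not end it.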

Page 26

References

1. Ponemon Institute, LLC. (2010, January). 2009 annual study: Cost of a data breach. Retrieved from PGP Corporation website: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

2. Richardson, R. (2008). 2008 CSI Computer Crime and Security Survey. Computer Security Institute (CSI). Retrieved from http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf

3. Kypros-Net lexicon [Greek-English dictionary]. (n.d.). Retrieved March 20, 2009, from http://www.kypros.org/cgi-bin/lexicon

4. Gilbert, R. (2001, October 10). Steganography (noun) [Web log post]. Retrieved from http://www.rbgilbert.com/log/ronslog022.html

5. Woo, S. (2009, October 27). Schwarzenegger’s veto message delivers another message [Web log post]. Washington Wire. Retrieved from http://blogs.wsj.com/washwire/2009/10/27/schwarzeneggers-veto-message-delivers-another-message/

Page 27

Questions?