Firewall Wizards mailing list archives
Re: Covert Channels (was dns outbound)
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 18 May 1999 07:50:08 -0700
> But how far do you need to go to eliminate covert channels?
Well.. I don't believe you can. It's a statistical problem, really. You need to be able to decide upon "normal" and then look for variations. Any protocol can be tunneled over any other, as long as it's not timing sensitive. On a really busy firewall with users doing lots of protocols, and an inside subversive tunneling out, you probably won't spot him. As long as he's not trying to get a lot of data through in a short amount of time, he might look really normal. You'd have to suspect him first, guess the method he's using, and then you'd probably spot him.
> If my firewall checks for valid DNS structure in "DNS" packets, then what is to stop someone tunneling data using the "variable" part of the DNS packet, such as the IP address/domain being requested?
Nothing.
> Sure my bandwidth is not as great but it could still work. The greatest challenge here is that you need to have some way of guaranteeing that DNS packets will reach X but I can see how that could still be made to work.
Just make a request for an authoritative lookup for a host that has never been looked up before. Obviously, you encode your data in the name. This particular tunnel (DNS) would be easier to spot than others... hostnames could be checked for human-language looking characteristics, and length.
> How about transferring a file from outside to inside via a zone transfer (properly structured, data just isn't DNS data)?
Most FW admins can block zone transfers entirely with the DNS structure they have.
> You're almost saying that a firewall needs to have design properties from those A1 Orange book systems (which we all love to hate) by being careful to eliminate leakage of information.
Hmm... I don't know the standards that well. I can't imagine they do that effective a job of eliminating this threat. I wish I had one I could try to fool.

Ryan
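The two detection ideas in the message above (establish what "normal" looks like, then check queried hostnames for length and for human-language-looking characteristics) can be turned into a small heuristic scorer. The following is an added example written for this archive page; it is not code from Ryan Russell or the Firewall Wizards list. The log line format, the sample lines, and every threshold (label length, vowel ratio, digit ratio, entropy) are assumptions chosen for illustration, not tuned values.

```python
"""Heuristic detector for data smuggled in DNS query names.

Scores each queried name on total length, longest label length, and how
"word-like" the longest label is (vowel ratio, digit ratio, Shannon entropy),
then flags outliers. Thresholds are assumptions for illustration only.
"""
import math
from collections import Counter

# Constructed sample log lines (not from any real resolver):
# "<client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A mail.example.org
10.0.0.31 A cdn.images.example.net
10.0.0.45 TXT 4a7f3c9e1b2d5a6f8c0e3b7d9a1f4c6e.tunnel.example.test
10.0.0.45 TXT 9e2c4b6d8f0a1c3e5b7d9f1a3c5e7b9d.tunnel.example.test
10.0.0.12 A login.example.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_features(qname: str) -> dict:
    """Per-name features: total length, longest label, and how
    language-like the longest label is (vowel ratio, digit ratio, entropy)."""
    labels = [lbl for lbl in qname.lower().rstrip(".").split(".") if lbl]
    longest = max(labels, key=len) if labels else ""
    alpha = [ch for ch in longest if ch.isalpha()]
    return {
        "length": len(qname),
        "longest_label": len(longest),
        "vowel_ratio": (sum(ch in VOWELS for ch in alpha) / len(alpha)) if alpha else 0.0,
        "digit_ratio": (sum(ch.isdigit() for ch in longest) / len(longest)) if longest else 0.0,
        "entropy": shannon_entropy(longest),
    }


def is_suspicious(qname: str, max_label: int = 24, min_vowel_ratio: float = 0.2,
                  max_digit_ratio: float = 0.3, max_entropy: float = 3.5) -> bool:
    """Flag a name whose longest label is unusually long, or is long enough
    to judge (8+ chars) and does not look like a human-language word.
    All thresholds are assumed values; tune them against your own baseline."""
    f = name_features(qname)
    if f["longest_label"] > max_label:
        return True
    if f["longest_label"] >= 8 and (
        f["vowel_ratio"] < min_vowel_ratio
        or f["digit_ratio"] > max_digit_ratio
        or f["entropy"] > max_entropy
    ):
        return True
    return False


def flag_log(text: str) -> list:
    """Parse constructed log lines and return (client, qname) pairs that look suspicious."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _qtype, qname = parts
        if is_suspicious(qname):
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for client, qname in flag_log(SAMPLE_LOG):
        print(f"suspicious query from {client}: {qname}")
```

Run against the constructed sample, only the two long hex-looking labels from 10.0.0.45 are flagged; the ordinary names pass. As the message points out, a patient sender keeping labels short and dictionary-like would slip under these checks, which is why the per-client baseline (query rate, number of unique names, fraction of never-before-seen names) matters more than any single-name rule.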
Current thread:
- Re: Covert Channels (was dns outbound) Ryan Russell (May 18)
- Re: Covert Channels (was dns outbound) Andrew Brown (May 19)
- Re: Covert Channels (was dns outbound) Stephen P. Berry (May 21)
- <Possible follow-ups>
- Re: Covert Channels (was dns outbound) Epstein, Jeremy (May 21)
- Re: Covert Channels (was dns outbound) Andrew Brown (May 21)