IDS mailing list archives
Re: Detecting covert data channels?
From: "vijay upadhyaya" <vijay.upadhyaya () gmail com>
Date: Mon, 28 May 2007 14:20:57 -0700
Hi Joff, This is long pending problem for IDS/IPS vendors. Not that the Solution is not availbale , it all depends on how much performance compromise u wanna agree upon v/s required security. To resolve issues with Encrypted Data, there are IPS who does MIM while key is being exchange and before sending the packet back to the trusted machine on the Internal network it decrypts the packet and if packets seems benign, the packet is encrypted and sent back to Client. Also for IPSEC VPN , Network architecture might do a trick by keeping VPN box out side IPS or putting Host based IDS/IPS on the machine u are protecting. Also Note that for Header senitization, IPS vendors are having protocol decode modules, again here the question is what u want to choose, Performance or security, Also some of the Applications and way RFC's are written(May, May nots in RFC), it becomes difficcult for IPS vendor to std-ized protocol decode module resulting sometimes in false positive and lot of tuning . Hope this helps, Regards, Vijay Upadhyaya On 5/25/07, Joff Thyer <jsthyer () gmail com> wrote:
It is reasonably trivial to encode data within packet headers, and even encrypt said data as most are probably aware. There are past examples where control information has been sent within ICMP and other packets using header fields. My question surrounds detection; given that IDS tends to be payload focused, if a covert channel exists that has encrypted data in a packet header, how do we go about detecting it? My initial thought leans toward the fact that encrypted data blocks are statistically flat over time. Given say 'snort', how can we use this idea? I am not a snort expert by any means, so please no flames! I would be happy to summarize opinions. -Joff Thyer ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
-- Vijay Upadhyaya BS-7799 Lead Auditor CISSP CSGA Nortel ASF Training Certification ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Detecting covert data channels? Joff Thyer (May 28)
- Re: Detecting covert data channels? vijay upadhyaya (May 29)
- RE: Detecting covert data channels? Omar Herrera (May 29)
- Re: Detecting covert data channels? Kowsik (May 29)
- Re: Detecting covert data channels? Eric Hacker (May 29)
- Re: Detecting covert data channels? Skip Carter (May 29)
- Re: Detecting covert data channels? Ron Gula (May 29)
- Re: Detecting covert data channels? Richard Bejtlich (May 30)
- Re: Detecting covert data channels? Jose Nazario (May 31)