Covert Channel Detection
Peter Van Epp
vanepp at sfu.ca
Thu Jul 20 23:23:49 EDT 2000
While I don't know that I've seen a real example of this, I have a
couple of references to papers and code that implements covert channels which
will be undoubtably valuable at test time:
http://www.firstmonday.dk/issues/issue2_5/rowland/
http://www.detached.net/ (mailtunnel and icmptunnel, there used to be an
http tunnel too but it appears to be gone).
I'd say that probably Back Orifice and clones are more dangerous because
they will work on the average, unsecured (and unsecurable) Win desktop and
will defeat even VPN access (by being before the encryption starts). The
encryption in BO2K can make it difficult to detect in a data stream as well,
but that would be a worthwhile detector to work on (although the problem will
typically be on the user's net not yours). An argus on a 486 box (or even a
386 box) on the users net sourced from your net would be one way around this.
I' currently a little (or a lot :-) ) distracted doing up a presentation
on installing FreeBSD and argus for the local security group in a couple of
weeks. Hopefully I'll get through it soon and can devote some more cycles to
this discussion (although cleaning it up after the alpha test and releasing
the instuctions to the world are a priority too). I'm also whacking out a new
perl script to give me a better handle on napster/gnuella etc. which are
currently being a big headache (and a huge bandwith eater, 13 gigs in 24 hours
by a single machine although that one leaped out at me). Traffic volume and
traffic diversity (i.e. connections in and out to lots of different places)
are both good intrusion detectors. Its hard to usefully exploit a broken
machine without leaving a reasonably obvious (at least to a human) trail. The
trick is going to be to get software that can recognize the pattern although
I think a secure web site that will display the argus data for their machines
for administrators would be a good bet too. So many projects so little time
(and so many nagging operational fires eating play time!)
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Gentle people,
> Continuing the thread on new applications.
> Covert channel detection/protocol discovery is
> the number 1 issue on my list of things to do
> for Argus-2.x. This, to me, is the primary
> problem in enterprise security today, although
> not publicly recognized.
>
> A covert channel detector should be able to
> indicate what protocols are being used by
> flows, based on packet contents. I think it
> should be knowledgeable of a limited number of
> protocols (< 32), and it should have a generic
> approach to protocol discovery for protocols
> that it doesn't understand.
>
> I think that Argus can do the best job at
> this by doing some pattern recognition in the
> user traffic. I think for most purposes,
> being able to validate the protocol above the
> transport layer would be a good start.
>
> Is anyone interested in this type of work?
>
> Carter
>
>
>
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 17A
> New York, New York 10022
>
> carter at qosient.com
> Phone +1 212 813-9426
> Fax +1 212 813-9426
>
More information about the argus
mailing list