Network Security Focus-IDS

Re: Detecting covert data channels?

Subject: Re: Detecting covert data channels?
Date: Mon, 28 May 2007 14:20:57 -0700
Hi Joff,
This is a long-pending problem for IDS/IPS vendors. Not that the
solution is not available; it all depends on how much performance
compromise you want to agree upon versus the required security.

To resolve issues with encrypted data, there are IPSs which do a MITM
while the key is being exchanged, and before sending the packet back to the
trusted machine on the internal network it decrypts the packet; if the
packet seems benign, the packet is encrypted and sent back to the client.
Also, for IPSec VPNs, the network architecture might do the trick by keeping
the VPN box outside the IPS or putting host-based IDS/IPS on the machine you
are protecting.

Also note that for header sanitization, IPS vendors have
protocol decode modules; again, here the question is what you want to
choose, performance or security. Also, the way some of the applications and
RFCs are written (the MAYs and MAY NOTs in the RFCs), it becomes difficult for
IPS vendors to standardize protocol decode modules, resulting sometimes in
false positives and a lot of tuning.

Hope this helps,
Regards,
Vijay Upadhyaya

On 5/25/07, Joff Thyer <jsthyer@gmail.com> wrote:
It is reasonably trivial to encode data within packet headers, and
even encrypt said data as most are probably aware.  There are past
examples where control information has been sent within ICMP and other
packets using header fields.

My question surrounds detection; given that IDS tends to be payload
focused, if a covert channel exists that has encrypted data in a
packet header, how do we go about detecting it?

My initial thought leans toward the fact that encrypted data blocks
are statistically flat over time.  Given, say, 'snort', how can we use
this idea?  I am not a snort expert by any means, so please no
flames!

I would be happy to summarize opinions.

-Joff Thyer


--
Vijay Upadhyaya
BS-7799 Lead Auditor
CISSP
CSGA
Nortel ASF Training Certification
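The "statistically flat" idea from Joff's question, worked through as an added example (this is not code from the thread, from Snort or from any IDS vendor). It takes the per-flow sequence of one header field, the 16-bit IP ID, and tests whether the field behaves like the counter most stacks use or like ciphertext packed two bytes at a time. The three flows are constructed inside the script; in practice the list of values would be extracted from a capture for each source host. Names, thresholds and the 400-packet sample size are assumptions chosen for illustration.

```python
"""Detecting ciphertext packed into a packet header field (added example).

Not code from the Focus-IDS thread or any IDS product. The packets are
constructed below; no capture is needed to run it.
"""
import math
import random
from collections import Counter

IP_ID_MODULUS = 1 << 16  # IP identification is a 16-bit field


def delta_entropy_ratio(values, modulus=IP_ID_MODULUS):
    """Shannon entropy of the first differences, normalised to [0, 1].

    A counter-like field has almost all deltas equal (entropy near 0).
    Ciphertext written into the field gives deltas that are close to uniform,
    so their entropy approaches the maximum log2(number of deltas).

    Entropy of the raw values would NOT separate the two cases: a counter that
    runs through a few hundred packets hits every low-byte value as evenly as
    random data does, which is why the test is on the deltas.
    """
    if len(values) < 3:
        return 0.0
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    n = len(deltas)
    counts = Counter(deltas)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return entropy / math.log2(n)


def small_step_fraction(values, modulus=IP_ID_MODULUS, max_step=32):
    """Fraction of consecutive deltas in [1, max_step].

    A counter shared with other flows still advances in small steps;
    random 16-bit data almost never does (about 32/65536 of the time).
    """
    if len(values) < 2:
        return 0.0
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    return sum(1 for d in deltas if 1 <= d <= max_step) / len(deltas)


def classify_flow(values, entropy_threshold=0.85, step_threshold=0.2):
    """Return both features and a verdict for one flow's field values.

    Thresholds are assumptions; tune them against a baseline of known-good
    hosts before relying on the verdict.
    """
    ratio = delta_entropy_ratio(values)
    steps = small_step_fraction(values)
    return {
        "delta_entropy_ratio": ratio,
        "small_step_fraction": steps,
        "suspect": ratio > entropy_threshold and steps < step_threshold,
    }


def build_sample_flows(packets=400, seed=7):
    """Constructed sample data (not captured): three flows of IP ID values."""
    rng = random.Random(seed)
    # Plain per-host counter, one packet after another to the same peer.
    counter = [(0x1234 + i) % IP_ID_MODULUS for i in range(packets)]
    # Same counter, but the host also talks to other peers in between,
    # so the IDs we see advance by 1..20 rather than by exactly 1.
    shared, cur = [], 0x4000
    for _ in range(packets):
        cur = (cur + rng.randint(1, 20)) % IP_ID_MODULUS
        shared.append(cur)
    # Covert channel: two ciphertext bytes per packet, modelled as uniform
    # random 16-bit values, which is what good cipher output looks like.
    covert = [rng.getrandbits(16) for _ in range(packets)]
    return {"counter": counter, "shared_counter": shared, "covert": covert}


if __name__ == "__main__":
    for name, ids in build_sample_flows().items():
        r = classify_flow(ids)
        print(f"{name:15s} H_ratio={r['delta_entropy_ratio']:.2f} "
              f"small_steps={r['small_step_fraction']:.2f} "
              f"suspect={r['suspect']}")
```

Two caveats a practitioner would want before deploying this. First, some stacks randomise the IP ID (per destination or per packet) for legitimate reasons, so a host baseline is needed, and the same delta-entropy test is more decisive on fields that should be constant or near-constant for a flow (TOS/DSCP, TCP urgent pointer and reserved bits, ICMP echo identifier), where any entropy at all is the signal. Second, this is a per-flow statistic over hundreds of packets, not a payload pattern, so it belongs in a preprocessor or an offline job over flow records rather than in an ordinary content-matching rule.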
