Firewall Wizards
mailing list archives
Re: dns outbound
From: Bennett Todd <bet () newritz mordor net>
Date: Wed, 19 May 1999 16:47:57 +0000
1999-05-18-13:52:46 Darren Reed:
But how far do you need to go to eliminate covert channels? If my firewall
checks for valid DNS structure in `DNS' packets, then what is to stop
someone tunneling data using the "variable" part of the DNS packet, such as
the IP address/domain being requested? Sure my bandwidth is not as great
but it could still work.
I think the sensible approach is multi-part.
Don't leave un-auditable channels open --- no SSL until and unless we get a
man-in-the-middle proxy, for example.
When you are leaving a relatively unhindered proxy --- e.g. an http proxy, or
a DNS proxying service (though I still prefer to completely block all DNS
lookups across the firewall, and let clients pass the text internet domain
names to non-transparent proxies where they are resolved), or SMTP, check
those fields that you can, just to help cut down on the available bandwidth a
little more if possible, then do a smidgen of traffic analysis. If you care
about tunnels, make sure you capture all traffic that passes through, and
periodically analyze for traffic volume distributions over endpoint pairs;
pretty quickly you can come up with norms for any given service, relaxed
enough to have few false positives, and yet tight enough to catch someone
tunneling anything like IP _very_ quickly :-). The hard (impossible) to detect
problem is someone who sets up something like a remote command execution
facility over a steganographic channel concealed in normal-looking email.
-Bennett
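The periodic volume analysis Bennett describes, as an added example that is not part of the original post: sum bytes per (service, endpoint pair) over a capture window and flag pairs that sit far above a robust per-service norm. The log line format, the sample values and the median+MAD threshold are assumptions for the example.

```python
"""Added example (not from the original post): per-service volume outlier
detection over endpoint pairs. Log format and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict

# Constructed sample log: "<time> <service> <src> <dst> <bytes>"
SAMPLE_LOG = """\
10:00:01 dns 10.0.0.5 192.0.2.53 72
10:00:02 dns 10.0.0.6 192.0.2.53 80
10:00:03 dns 10.0.0.7 192.0.2.53 66
10:00:04 dns 10.0.0.8 192.0.2.53 90
10:00:05 dns 10.0.0.9 192.0.2.53 74
10:00:06 dns 10.0.0.10 192.0.2.53 78
10:00:07 dns 10.0.0.42 198.51.100.7 1450
10:00:08 dns 10.0.0.42 198.51.100.7 1480
10:00:09 dns 10.0.0.42 198.51.100.7 1500
10:00:10 http 10.0.0.5 203.0.113.10 52000
10:00:11 http 10.0.0.6 203.0.113.11 48000
10:00:12 http 10.0.0.7 203.0.113.12 61000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def volumes_by_pair(log):
    """Sum bytes per (service, src, dst) endpoint pair."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        _, svc, src, dst, nbytes = m.groups()
        totals[(svc, src, dst)] += int(nbytes)
    return dict(totals)

def flag_outliers(totals, k=3.0):
    """Per service, flag pairs above median + k * MAD. The robust baseline
    keeps one heavy tunnel from raising the norm it is judged against."""
    by_svc = defaultdict(dict)
    for (svc, src, dst), vol in totals.items():
        by_svc[svc][(src, dst)] = vol
    flagged = []
    for svc, pairs in by_svc.items():
        vols = list(pairs.values())
        med = statistics.median(vols)
        mad = statistics.median(abs(v - med) for v in vols) or 1.0
        for (src, dst), vol in pairs.items():
            if vol > med + k * mad:
                flagged.append((svc, src, dst, vol))
    return sorted(flagged)
```

Run over a real capture, the per-service norms come from a longer window than one pass, and the threshold `k` is tuned against the false-positive rate Bennett mentions rather than fixed at 3.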