Enterprise Network Vulnerability to HTTP Tunnelling

Dr. Scott Knight


ABSTRACT

It has been understood for some time that arbitrary data, including the communications associated with malicious backdoors and Trojan horses, can be tunnelled by subverting the HTTP protocol. Although there are a number of demonstration programs openly available, the risks associated with this vulnerability have not been characterised in the literature. This research investigates the nature of the vulnerability and the efficacy of contemporary network defence strategies such as firewall technology, intrusion detection systems, HTTP caching and proxying, and network address translation. All of these techniques are quite easily circumvented by HTTP tunnelling strategies. Web traffic also forms a large portion of the traffic crossing network boundaries, which makes the HTTP protocol an attractive target for subversion. This research explores techniques that may be used to hide malicious traffic in what seems to be legitimate HTTP traffic originating from within the protected network. A covert channel can provide external control of a computer on the protected network from a machine anywhere on the Internet. The techniques explored by this project are used in parallel research projects to detect such malicious tunnel traffic and validate new intrusion detection technology.

BIOGRAPHY

Scott Knight is an Assistant Professor in the Department of Electrical and Computer Engineering at the Royal Military College of Canada. Dr. Knight has worked with the National Defence Intelligence and Security communities on the development of secure computing networks. He founded the Computer Security Laboratory at RMC, a research group he continues to lead. This research group has a close working relationship with the Canadian Forces Information Operations Group and focuses on computer network defence and support to information operations.