Concerning Enterprise Network Vulnerability to HTTP Tunneling

It has been understood for some time that arbitrary data, including the communications associated with malicious backdoors and Trojan horses, can be tunnelled by subverting the HTTP protocol. Although there are a number of demonstration programs openly available, the risks associated with this vulnerability have not been characterised in the literature. This research investigates the nature of the vulnerability and the efficacy of contemporary network defence strategies such as firewall technology, intrusion detection systems, HTTP caching and proxying, and network address translation. All of these techniques are quite easily circumvented by HTTP tunnelling strategies. This vulnerability is serious for most enterprise environments today. The use of some Internet services is considered to be a requirement for business operations in many organisations. Even with very strict firewall rule sets and layered defence architectures, legitimate web traffic originating from within the protected network is often allowed. Web traffic also forms a large portion of the traffic crossing network boundaries, which makes the HTTP protocol an attractive target for subversion. This research explores techniques that may be used to hide malicious traffic in what seems to be legitimate HTTP traffic originating from within the protected network. The covert channel provides external control of a computer on the protected network from a machine anywhere on the Internet. The techniques explored by this project are used in parallel research projects to detect such malicious tunnel traffic and validate new intrusion detection technology.