Hello and welcome to the Wednesday, April 1st, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Orlando, Florida.

And this episode is brought you by the Sandsedu batchless degree program in Applied Cybersecurity.

An interesting diary today by Xavier showing how simple it can be to bypass some more advanced

next generation firewall features like, for example, Palo Alto's application control.

What Xavier did here is essentially just set up a simple Netcat tunnel.

Now, the promise of application control is that it recognizes what application protocol is used in a certain connection,

and is then able to shut down connections on

ports that don't look like they are supporting a particular application protocol or an

application that is atypical for the particular port being used. Now, the problem here is that

it takes these next generation firewalls a little while to figure

out what application is running before it is being shut down. And what Xavier found with

Palo Alto in particular, that it takes 5,000 bytes in order to figure out what application is running,

so you're able to exfiltrate up to 5,000 bytes.

Well, Xavier turned it into a little sort of wrapper around NetCat to then be able to even

expiltrate larger files. All it takes is that you're cutting them into 5,000 byte chunks,

and everything is working just fine. So a fairly simple

and well kind of interesting also artifact here of this particular application control algorithm.

There is still of course a chance to detect it if you're looking for connections that have

just about that size or if it's just looking for connections that have just about that size,

or if it's just looking for a large number of connections on odd ports,

but this is not sort of what is then done via these application control features in your firewall.

...