Re: Anti-spyware at the Gateway
comp.security.firewalls archive


From: Somebody. <somebody.@nospam.russdoucet.com>
Date: Mon Mar 13 2006 - 19:33:39 CET

"Sebastian Gottschalk" <seppi@seppig.de> wrote in message
news:47lkceFgd9rcU1@news.dfncis.de...
> Volker Birk wrote:
>> Sebastian Gottschalk <seppi@seppig.de> wrote:
>>>>> You cannot detect arbitrary tunneling techniques.
>>>> Not easily. But you can.
>>> Not easily == with exponential effort, so actually not at all
>>
>> I cannot see an algorithm which can solve this problem.
>
> Chi square analysis allows signal composition with any precision, so
> depending on how accurate your model is, you can detect any embedding.
>
> However, such a model usually can't exist.
>
>>> Good tunneling cannot be differentiated from normal behaviour.
>>
>> It can by everybody who knows the encoding.
>
> What about encryption?

Encrypted data streams don't look like unencrypted data streams, and so can
be detected.

When encrypted streams are allowed only to whitelist hosts, and you don't
whitelist proxies, they become obvious.

-Russ.
Received on Mon May 1 00:56:58 2006
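
An added example, not part of the original post or thread: a gateway-side check that combines the two ideas discussed above, a chi-square test of payload bytes against a uniform distribution and a whitelist of hosts allowed to receive encrypted streams. The function names, the cut-off of 400, the minimum sample size and the sample flows are assumptions made for this illustration.

```python
import hashlib
from collections import Counter

# Assumed cut-off: chi-square with 255 degrees of freedom almost never
# exceeds 400 when the bytes are uniformly distributed.
CHI2_UNIFORM_MAX = 400.0
MIN_SAMPLE = 2048  # roughly 5+ expected hits per byte value are needed

def chi_square(payload: bytes) -> float:
    """Pearson chi-square of byte counts against a uniform distribution."""
    expected = len(payload) / 256
    counts = Counter(payload)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_encrypted(payload: bytes) -> bool:
    # Compressed data scores near-uniform too, so this marks candidates only.
    return len(payload) >= MIN_SAMPLE and chi_square(payload) < CHI2_UNIFORM_MAX

def review_flows(flows, whitelist):
    """Return destinations that receive uniform-looking payloads
    without being on the whitelist."""
    return [dst for dst, payload in flows
            if dst not in whitelist and looks_encrypted(payload)]

def constructed_ciphertext(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample flows (documentation addresses from RFC 5737).
CLEAR = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n" * 80
SAMPLE_FLOWS = [
    ("192.0.2.10", CLEAR),                           # plain HTTP
    ("198.51.100.7", constructed_ciphertext(4096)),  # whitelisted peer
    ("203.0.113.99", constructed_ciphertext(4096)),  # unknown host
]
WHITELIST = {"198.51.100.7"}

if __name__ == "__main__":
    for dst in review_flows(SAMPLE_FLOWS, WHITELIST):
        print("encrypted-looking stream to non-whitelisted host:", dst)
```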