Protocol tunneling is a technique that encapsulates the packets of one protocol inside packets of another protocol.
Protocol tunneling has several legitimate uses. It is typically employed to carry private data across a public network or to encrypt sensitive data in transit.
However, attackers may use protocol tunneling to their advantage by tunneling malicious packets inside protocols the network firewall permits. Because a tunneled packet looks like ordinary traffic of the outer protocol unless its payload is inspected, most firewalls do not detect its dual nature.
A firewall is a device that inspects inbound packets. It can block or permit any packet, depending on the access control rules used to configure it.
A tunneled packet is embedded in a second packet that belongs to some other protocol. This lets the attacker trick the firewall into treating the inbound packet as ordinary traffic of the outer protocol.
Once the firewall permits the tunneled packet, it is forwarded to the server for the outer protocol, which extracts the malicious inner payload and passes it on to the receiver.
It is important to note that protocol tunneling requires both the sender and the receiver to be involved in the attack. If the server is not aware that the packet is a tunneled one, it will not extract the malicious payload and forward it to the intended receiver.
Therefore, protocol tunneling is not useful for initial attacks.
Firewalls work in accordance with an access control policy, which is a set of rules used to decide which inbound packets are to be denied or permitted.
Firewalls may deny or permit a packet based on its protocol.
For example, a firewall may deny all TCP packets with source IP 192.168.5.1. If the user operating from this IP is an attacker, they can tunnel the malicious TCP payload inside an email. Email is carried over SMTP, so when the firewall receives the SMTP packet it will likely permit it, because it fails to detect the TCP packet tunneled inside.
Once the mail server has received the email, the tunneled payload is transmitted to the receiver's IP address.
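As an added example (not code from the original article), the following Python check shows the payload inspection a mail gateway would need in order to catch the email case above: it decodes each MIME part of a message and tests whether the bytes form a well-formed IPv4 packet, i.e. version, total length and header checksum are all consistent. The sample message, the addresses 192.168.5.1 and 10.0.0.5, and the `report.bin` attachment are constructed for the demonstration.

```python
import email, email.policy, ipaddress, struct
from email.message import EmailMessage

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum field is correct."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_embedded_ipv4(data: bytes):
    """Return the outer fields of a well-formed IPv4 packet occupying all of data, else None."""
    if len(data) < 20:
        return None
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        return None
    header = data[:ihl]
    # An ordinary attachment almost never has both a matching total length and a valid header checksum.
    if struct.unpack("!H", header[2:4])[0] != len(data) or ipv4_checksum(header) != 0:
        return None
    return {
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(header[9], str(header[9])),
        "src": str(ipaddress.IPv4Address(header[12:16])),
        "dst": str(ipaddress.IPv4Address(header[16:20])),
    }

def find_tunneled_packets(raw_message: str):
    """Decode every non-multipart MIME part of an email and report the parts that carry an IPv4 packet."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        pkt = parse_embedded_ipv4(part.get_payload(decode=True) or b"")
        if pkt:
            findings.append((part.get_filename(), pkt))
    return findings

def build_sample_message() -> str:
    """Constructed sample: a 40-byte IPv4/TCP SYN header (192.168.5.1 -> 10.0.0.5:80) attached to a plain-looking email."""
    ip_header = bytes.fromhex("45000028000140004006" "6b21" "c0a80501" "0a000005")  # 0x6b21 is the valid checksum
    tcp_header = bytes.fromhex("c000" "0050" "00000001" "00000000" "5002" "ffff" "0000" "0000")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "receiver@example.test", "quarterly report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(ip_header + tcp_header, maintype="application", subtype="octet-stream", filename="report.bin")
    return msg.as_string()
```

Calling `find_tunneled_packets(build_sample_message())` returns a single finding for `report.bin`, an embedded TCP packet from 192.168.5.1 to 10.0.0.5, while the plain-text part produces none.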