Profiling SSH Tunnels

A set of researchers at the Universita degli Studi di Brescia in Italy recently published a paper detailing a method to fingerprint data being tunneled over SSH, this is a particularly relevant bit of research, as more and more organizations have been busily filtering the kind of traffic allowed through their border routers. In some cases, this has been to protect internal resources, in others to restrict unauthorized use. Whatever the reason, many of these systems can be overcome by the use of tunnels, which the paper begins by discussing.

A tunnel is basically wrapping one applications protocol in a different protocol. The practice serves basically two purposes: 1. to wrap an insecure protocol in a secure one (like when using SSH) and 2. to get an unauthorized protocol out disguised as an authorized one. Of course, method 2, of which the tunneling protocol is usually HTTP, is vulnerable to the increasingly common Deep Packet Inspection that is being done, which actually opens up packets to determine what is going on inside them, and thus they are easily thwarted. However, by wrapping the illicit traffic in an encrypted SSL tunnel, the average firewall configured to allow SSL will allow the data right through.

Enter this research. It turns out that most protocols can be identified with reasonable certainty based on metrics such as the size of the packets and the time interval between sent packets. It’s really quite clever, and the mechanism used (Bayesian Filtering), is increasingly finding uses in this sort of work. The basic theory is that you can analyze the deltas (size and time) for a small set of packets, disregarding the first few packets (which are the SSH authorization packets), and within a small handful of packets, you can have a pretty good idea of what people are doing. Particularly if the behavior is allowed or not.

The general assumption espoused by the article is that the only legitimate uses for SSH are terminal sessions and file transfers, which may be true for SSH, but it’s parent SSL is used for so much more. Luckily, if you implement their technology, you can filter whatever you want. In many ways, this idea will be an incredibly useful addition to your typical Intrusion Prevention System, which already seeks to do something similar, in that it takes the model you’ve defined for acceptable behavior, and disallows anything that doesn’t fit the model. These systems are finicky, and (particularly early on) require constant monitoring and correction, but they’re a far better solution for many networks than the existing methods of fingerprint based Intrusion Detection.

Unfortunately, this system isn’t yet perfect. It will tend to view mucked up passwords as unauthorized traffic.Not to mention, all they can currently tell us is if the SSL connection is a interactive session, a file transfer, or a tunnel. Still, the research is interesting, and no doubt a lot of people in the security appliance business. I really think that the best application for this technology is as a part of a IPS.

The research isn’t ready yet, but it’s interesting, and worth looking at. I suspect that by this time next year the mathematical models for analyzing encrypted traffic will have come a long way. Of course, it does just go to show that analyzing encrypted data, even data you can’t decrypt, is always worthwhile. Watching who is communicating with whom, how often, and how much, can tell a lot about the nature of the communication, whether you’re a general in a war zone, or trying to keep filesharing off your network. Encryption is a great tool, but it still tells much to those who know how to look.