4. Use of Nonstandard Service Ports

4.1 What is it, how does it work, and what's the danger?

As a specific example: SSH servers by convention listen for connections on TCP port 22, so a firewall that intends to block encrypted SSH connections to the outside blocks port 22. Browser traffic on TCP port 443 (HTTPS) is usually left unrestricted, because an employee's encrypted connection to, say, a bank is generally respected as private business. An SSH server outside the network that is configured to listen on TCP port 443 abuses that allowance: the SSH session leaves the enterprise network through the hole opened for HTTPS, the firewall sees only a connection to port 443, and the encrypted contents look no different to a port-based rule than any HTTPS session would.

Other protocols can just as easily be configured to use nonstandard ports. Some organizations allow FTP (File Transfer Protocol) on TCP port 21 because standard FTP is not encrypted, so conventional FTP traffic is readily visible and can be logged for analysis. That reasoning holds only as long as what flows over port 21 is actually FTP; an encrypted protocol listening on port 21 passes the same rule and is invisible to the same logging.

4.2 How to Detect and Stop

A smart firewall could be configured to recognize the SSH client/server handshake on any port, much as it might recognize the IPsec VPN handshake used to set up a session. This requires deep inspection of the traffic and enough capacity to perform it at line rate, and the SSH handshake is only one of the signatures to look for among the protocols that could establish unauthorized communications and transfer files while bypassing standard information controls.
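The following is an added example, not code from this book, illustrating both the abuse described in 4.1 and the detection approach described above: it identifies the application protocol from the first bytes each side of a TCP connection sends, independent of the port, and compares the result with the protocol a port-based rule assumes. The fingerprints are the well-known starts of each protocol (the SSH identification string from RFC 4253, the TLS ClientHello record header, an HTTP request line, an FTP greeting or command); the flow records and addresses are constructed for the example, not captured traffic.

```python
"""Port-independent protocol identification for the SSH-on-443 case (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# SSH: each peer's very first bytes are "SSH-2.0-<software> [comments]\r\n"
# (RFC 4253 section 4.2), on whatever port the server happens to listen.
SSH_ID = re.compile(rb"\ASSH-(?:2\.0|1\.99)-[^\r\n]{1,253}\r?\n")
HTTP_REQ = re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
FTP_CMD = re.compile(rb"\A(?:USER|PASS|AUTH|FEAT|SYST|PASV|EPSV) ?[^\r\n]*\r\n")
FTP_GREETING = re.compile(rb"\A220[ -]")

# What a port-based firewall rule assumes it is letting through.
EXPECTED_BY_PORT = {21: "ftp", 22: "ssh", 80: "http", 443: "tls"}


@dataclass
class Flow:
    client: str
    server: str
    dport: int
    client_first: bytes  # first payload bytes sent by the initiator
    server_first: bytes  # first payload bytes sent by the responder


def looks_like_tls_client_hello(data: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # two length bytes, then a handshake message of type 0x01 (ClientHello).
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def identify(flow: Flow) -> str:
    """Name the application protocol from the first bytes of both directions."""
    if SSH_ID.match(flow.client_first) or SSH_ID.match(flow.server_first):
        return "ssh"
    if looks_like_tls_client_hello(flow.client_first):
        return "tls"
    if HTTP_REQ.match(flow.client_first):
        return "http"
    if FTP_GREETING.match(flow.server_first) or FTP_CMD.match(flow.client_first):
        return "ftp"
    return "unknown"


def inspect(flow: Flow) -> Tuple[str, str]:
    """Return (protocol, verdict).

    'ok'           the protocol is the one the port rule intends to admit
    'alert'        a different protocol is riding on the port (e.g. SSH on 443)
    'unrecognized' no fingerprint matched; only "not the expected protocol" is known
    """
    proto = identify(flow)
    expected = EXPECTED_BY_PORT.get(flow.dport)
    if proto == "unknown":
        return proto, "unrecognized"
    if expected is not None and proto != expected:
        return proto, "alert"
    return proto, "ok"


def inspect_all(flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    return [(f.client, f.server, f.dport) + inspect(f) for f in flows]


# Constructed sample flows for the example (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 443,
         bytes.fromhex("160301007b0100007703030102"), b""),            # genuine TLS on 443
    Flow("10.1.1.5", "203.0.113.20", 443,
         b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6p1\r\n"),   # SSH hiding on 443
    Flow("10.1.1.7", "203.0.113.30", 22,
         b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6p1\r\n"),   # SSH where expected
    Flow("10.1.1.8", "203.0.113.40", 21,
         b"USER anonymous\r\n", b"220 (vsFTPd 3.0.5)\r\n"),            # plain FTP on 21
    Flow("10.1.1.8", "203.0.113.50", 21,
         b"SSH-2.0-dropbear_2022.83\r\n", b"SSH-2.0-dropbear\r\n"),    # SSH hiding on 21
    Flow("10.1.1.9", "203.0.113.60", 443,
         bytes.fromhex("9f3a71c402e8d5b0"), bytes.fromhex("4e17")),   # obfuscated, no fingerprint
]

if __name__ == "__main__":
    for client, server, dport, proto, verdict in inspect_all(SAMPLE_FLOWS):
        print(f"{client} -> {server}:{dport}  {proto:8s} {verdict}")
```

Two things the sample output makes visible. First, the SSH identification string is cleartext and sent before any encryption is negotiated, which is exactly why inspection can catch it on port 443 or port 21 without decrypting anything. Second, the last flow shows the limit of this approach: traffic that has been deliberately shaped to match no known protocol (the ScrambleSuit-style obfuscation discussed in 4.3) can only be reported as "not the expected protocol", so the inspection rule needs a policy decision about unrecognized traffic on allowed ports, not just a list of signatures.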

Training the user community so that everyone understands this is a violation evokes the same problem already noted in Part 2.4: it tells many people who had never thought of it that such a mechanism exists.

Ideally a whitelist policy, allowing only authorized connections between inside and outside, would prevent unauthorized connections to SSH or any other server on the internet, whatever port that server listens on.

A comprehensive strategy to detect and stop the use of nonstandard ports would combine all of these approaches with others appropriate to the specific situation at hand.

4.3 Similarity to Anti-Censorship Strategies

Strategies used by Tor (The Onion Router) software to circumvent censorship as enforced by the GFWC - the Great Firewall of China - have led to the development of "pluggable transport" alternatives, including a method called ScrambleSuit, that alter the traffic's fingerprint so that it no longer looks like Tor and instead resembles other kinds of (encrypted) traffic, some of which might well be allowed to pass through various firewalls, even those specifically intending to block Tor.

Elsewhere in this book, "Anti-Censorship" and distributed methods are shown to create other problems for information and network security. Masquerading SSH (expected on port 22, normally blocked) as HTTPS (port 443, normally allowed to pass) is a strategy of the same kind as these anti-censorship tools.