Emerging networking technology used by Apple, Cisco will frustrate firewalls

Multipath TCP improves performance but hampers security

Catherine Pearce, security consultant with Neohapsis

Catherine Pearce, security consultant with Neohapsis

Today's security software is ineffective against an emerging networking technology already in use by Apple for its Siri voice-recognition software, according to research presented at the Black Hat hacking conference this week.

The technology, called Multipath TCP (MPTCP), is a souped-up sibling of TCP, a cornerstone Internet protocol for transferring data packets between computers. Cisco and Juniper have also put MPTCP in some of their equipment.

But while TCP can only use one connection path to send data, MPTCP can simultaneously use different connection paths, such as Wi-Fi and a mobile phone's data connection, which results in better performance and resiliency.

MPTCP is still in its early days, and the Internet Engineering Task Force, which creates Internet technology standards, is still studying it. But because MPTCP is already backwards-compatible with TCP, it works, and Apple uses it for Siri.

The problem is that splitting data steams over different connection paths poses thorny issues for security technologies such as firewalls and deep packet inspection software, which are designed for regular TCP, said Catherine Pearce, a security consultant with Neohapsis.

MPTCP "can be used to break pretty much every security control you throw in front of it in some way," Pearce said in a phone interview on Thursday. "As this rolls out, this is going to be huge. It doesn't change routing. It changes how networking works in some really fundamental ways."

One of MPTCP's quirks is that it decouples a TCP data stream from a specific IP address, Neohapsis wrote on its blog. Since data could come from multiple IP addresses, security devices can't see the full stream of packets to detect malicious behavior.

"Right now we know of no tool that can do it," Pearce said.

It changes the model that assumes an IP address can be attributed to a single host or that a client always connects to a specific server, she said.

Another issue is that the application sending packets can determine over which connection the packets are sent. A firewall may not be able to determine if one TCP stream is related to another, Pearce said.

MPTCP is designed for resiliency, so if one data stream is blocked by a security device, the protocol will try to find a way around it. It means that endpoints receiving data have less control and are likely to accept data streams that can't -- at least at this point -- be linked together for analysis.

The technology could be a nightmare for those fighting botnets, or networks of compromised computers used to send spam and distribute malware. Mixing the use of MPTCP with distributed anonymity services such as Tor could make the data traffic "really hard to surveil," Pearce said.

Network operators could use a blunt-force defense and block MPTCP packets since they're designated as such in the packet headers, Pearce said, but that will not be viable if many applications use it.

Networks have to support MPTCP in order for applications to utilize it. There are implementations for several operating systems, including Linux, BSD and Android, Pearce said.

Microsoft has not supported it yet for Windows, which could set the pace for how many developers eventually embrace it, she said.

The slide deck for the presentation, which Pearce gave with her colleague Patrick Thomas on Wednesday, is now online.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags NeohapsisNetworkingsecurityblack hat

More about Internet Engineering Task ForceJuniperLinuxNeohapsis

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place