* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/)
* Some Clarifications and C...

# Some Clarifications and Commentary on Network Security and Covert Channels

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2015%2F12%2Fsome-clarifications-and-commentary-on-network-security-and-covert-channels%2F)  
[](https://twitter.com/share?text=Some+Clarifications+and+Commentary+on+Network+Security+and+Covert+Channels&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2015%2F12%2Fsome-clarifications-and-commentary-on-network-security-and-covert-channels%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2015%2F12%2Fsome-clarifications-and-commentary-on-network-security-and-covert-channels%2F&title=Some+Clarifications+and+Commentary+on+Network+Security+and+Covert+Channels&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2015/12/some-clarifications-and-commentary-on-network-security-and-covert-channels/&ts=markdown)  
\[\](mailto:?subject=Some Clarifications and Commentary on Network Security and Covert Channels)  
Link copied  
By [Palo Alto Networks](https://www.paloaltonetworks.com/blog/author/palo-alto-networks-staff/?ts=markdown "Posts by Palo Alto Networks")  
Dec 10, 2015  
3 minutes  
[Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown)  
[Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown)  
[Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

This week, a security researcher posted a blog about the security implications of how next-generation firewalls handle TCP session setups. SC Magazine also published an article that included similar technical claims provided by the security researcher. We'd like to take the opportunity to clarify the content of these articles for our customers and the industry, because both of these writings included some inaccurate claims that may sound concerning.

One claim from the researcher is that next-generation firewalls "...are designed to permit **full TCP handshake regardless of the packet destination** ... bypassing the firewall to **any destination on the Internet, regardless of firewall rules and client restrictions**" (emphasis in the original).

This claim, as written in the blog and SC Magazine article, is false. Firewall policy is never violated. Before even a SYN is allowed through, the firewall rule base is evaluated to check if a TCP setup should be allowed at all.

After some conversation with the researcher, it appears the actual concern is that if an administrator creates a typical web browsing policy on a next-generation firewall, this allows a SYN (and in fact a complete 3-way handshake) from allowed web clients out to the internet on the standard HTTP service (tcp/80). This is true of any firewall, and anything that does otherwise is a proxy---and only if that proxy happens to already know the host is malicious.

To put this in context, it is helpful to remember that this technique is not new. Information hiding in TCP/IP is nearly as old as the stack itself (see references). This is essentially a covert channel, and as with any covert channel, it requires the adversary to already have control over both ends of the connection. This is simply one example, and in general, covert channels are limited only by the creativity and patience of the adversary. For example, data can simply be carried over normal HTTP payloads to a recently compromised WordPress site (this actually happens every day). Far simpler and more efficient, without bothering with TCP trickery---and nothing about the act of proxying does anything to stop this.

That is why it is important to focus on prevention, a key tenet of the Palo Alto Networks next-generation security platform. The layers of security provided by App-ID, Content-ID, WildFire, Traps, and the complete combination of Palo Alto Networks platform security capabilities are important in denying the adversary access to the network and endpoints at every stage in the attack lifecycle. The game of endless incident response, covert signaling, steganography, and inventorying data lost after a breach is unwinnable.

Palo Alto Networks customers are encouraged to reach out to customer support for any additional questions about this topic or any product security matter.

\-- Palo Alto Networks product security team

\*\*\*\*\*

The original researcher blog post is available at: [http://www.bugsec.com/news/firestorm/](http://www.bugsec.com/news/firestorm/)

The SC Magazine article is available at: [http://www.scmagazine.com/firestorm-vulnerability-in-firewalls-let-attackers-extract-data-from-cc-servers/article/458817/](http://www.scmagazine.com/firestorm-vulnerability-in-firewalls-let-attackers-extract-data-from-cc-servers/article/458817/)

T. Handel and M.Sandford., "Hiding data in the OSI network model," (Cambridge, U.K.), First International Workshop on Information Hiding, May-June 1996. Retrieved from: [http://chemistry47.com/PDFs/OSI%20Model/Hiding%20Data%20in%20the%20OSI%20Network%20Model.pdf](http://chemistry47.com/PDFs/OSI%20Model/Hiding%20Data%20in%20the%20OSI%20Network%20Model.pdf)

*** ** * ** ***

## Related Blogs

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

[#### Welcoming the APAC WildFire Cloud](https://www.paloaltonetworks.com/blog/2017/09/welcoming-apac-wildfire-cloud/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown)

[#### Stamp out Credential Abuse with Okta and Palo Alto Networks](https://www.paloaltonetworks.com/blog/2017/06/stamp-credential-abuse-okta-palo-alto-networks/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown)

[#### 5 Key Considerations When Implementing User-Based Access Controls](https://www.paloaltonetworks.com/blog/2017/01/5-key-considerations-implementing-user-based-access-controls/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown)

[#### There's No "I" in Secure Network: User-Based Access Policy is a Team Effort](https://www.paloaltonetworks.com/blog/2017/01/theres-no-secure-network-user-based-access-policy-team-effort/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown)

[#### Don't Let Your Users Unknowingly Be the Weak Link in Your Security Infrastructure](https://www.paloaltonetworks.com/blog/2017/01/dont-let-users-unknowingly-weak-link-security-infrastructure/)

### [Firewall](https://www.paloaltonetworks.com/blog/category/firewall/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown)

[#### Prevent Cyberattacks By Securing These Remote Access Tools](https://www.paloaltonetworks.com/blog/2016/11/prevent-cyberattacks-securing-remote-access-tools/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language