I just watched this video about ‘breaking out’ of a network by bypassing a firewall via tunneling, proxy, and other techniques.
I was aware of some of the techniques, but learned about a few interesting tools and more obscure techniques, like using DNS requests for data exfiltration.
Starting at 23:38 in the video, he mentions that “there are probably an awful lot of alarms and trip wires” to detect tunneling and proxy activity, and that there are tools to detect “long lived” connections through the firewall on ports that should normally only have brief connections.
I’m currently using a SonicWall firewall, and other than the “App Control” feature that can detect some VPN services, I’m not aware of how I could detect such outbound connections based on their persistence.
Is there a term for this type of generic “persistent” connection detection in firewalls?
Is there a type of firewall rule or configuration that would detect such connections? Or would that require more advanced network monitoring tools or analysis of firewall logs?
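A simple version of the log-analysis route the question asks about, added here as an example (not from the video or the post): it reads a constructed flow-log format, assumed to carry timestamp, source, destination, destination port, protocol, duration in seconds and byte count (Zeek conn.log and NetFlow/IPFIX exports have equivalent fields), builds a per-port median duration, and flags flows that run far longer than is normal for their port while leaving ports that legitimately carry long sessions (SSH here) alone.

```python
# Added example: flag outbound flows that live far longer than is typical for
# their destination port. Log format, hosts and values below are constructed.
from collections import defaultdict
from statistics import median

# Constructed sample: short HTTPS and DNS flows, a 6-hour "HTTPS" session, an
# hour-long UDP/53 session (what a DNS tunnel looks like in flow data), and a
# 30-minute SSH session that is ordinary for that port.
SAMPLE_FLOWS = """\
2024-05-01T08:00:01 10.0.0.12 198.51.100.20 443 tcp 4.2 18000
2024-05-01T08:00:05 10.0.0.15 198.51.100.20 443 tcp 2.9 9500
2024-05-01T08:01:10 10.0.0.12 198.51.100.21 443 tcp 6.1 42000
2024-05-01T08:02:00 10.0.0.20 192.0.2.53 53 udp 0.01 120
2024-05-01T08:02:01 10.0.0.20 192.0.2.53 53 udp 0.02 140
2024-05-01T08:02:03 10.0.0.21 192.0.2.53 53 udp 0.01 110
2024-05-01T08:03:00 10.0.0.33 203.0.113.7 443 tcp 21600 5200000
2024-05-01T08:04:00 10.0.0.40 203.0.113.9 53 udp 3600 900000
2024-05-01T08:05:00 10.0.0.12 192.0.2.22 22 tcp 1800 320000
"""

def parse_flows(text):
    """Parse 'ts src dst dport proto duration_s bytes' lines into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, dur, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "duration": float(dur), "bytes": int(nbytes)})
    return flows

def port_baselines(flows, min_samples=3):
    """Median duration per (proto, dport); a median is not skewed by the outliers we hunt."""
    durations = defaultdict(list)
    for f in flows:
        durations[(f["proto"], f["dport"])].append(f["duration"])
    return {k: median(v) for k, v in durations.items() if len(v) >= min_samples}

def find_long_lived(flows, factor=50.0, floor_s=60.0, absolute_s=3600.0):
    """Flag a flow that exceeds `factor` times its port's median (and at least
    `floor_s`); ports without a baseline fall back to the `absolute_s` limit."""
    baselines = port_baselines(flows)
    hits = []
    for f in flows:
        base = baselines.get((f["proto"], f["dport"]))
        limit = max(factor * base, floor_s) if base is not None else absolute_s
        if f["duration"] > limit:
            hits.append(f)
    return hits

if __name__ == "__main__":
    for h in find_long_lived(parse_flows(SAMPLE_FLOWS)):
        print(h["ts"], h["src"], h["dst"], h["dport"], h["proto"], h["duration"], h["bytes"])
```

The factor, floor and absolute limit are starting points to tune per environment; on real data the baseline should come from a longer history than the window being checked.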