-1

How can SSL tunneling be used to attack a target, and how can I prevent such a thing from happening? Do modern network/application firewalls have the capability to detect SSL tunneling? Thanks.

Update: I have read how SSL tunnels work. But for an attacker outside the organization, how is he/she going to set up the "receiving" channel unless somewhere in the organization some computer has been compromised and this outside hacker has access to it?

dorothy

2 Answers

1

A tunnel is used to bypass restrictions on a system. In the case of an SSL or TLS tunnel, you would try to bypass restrictions by encrypting the communication.

For example, suppose your organization has a rule that no .exe files should be downloaded from outside sources. By setting up an SSL or TLS tunnel, you could download a .exe file, and it would be encrypted during transfer - so if the network is monitored, the .exe file won't be spotted.
(Obviously the organization should have more defenses against foreign .exe files, and employees with a better sense of responsibility - but that's beside the point).

You could make it impossible to use SSL/TLS traffic on your network, but that is often not an option in practice - it would also hamper the many legitimate uses of SSL/TLS, like logging on to webmail.

You could restrict the hosts to which SSL/TLS connections could be made, although determining which hosts should be allowed is likely to be a lot of work.

In response to your update: without access to at least some of the organization's infrastructure, the attacker cannot set up the receiving end. But "access" is a broad concept here: if the attacker can trick an employee, for example by making a genuine-looking website, that is enough.
The defense here is the certificates that SSL and TLS use to prove one's identity. The risk is that people may not pay attention to security warnings about certificates, or that a root certificate is compromised (e.g. DigiNotar).

S.L. Barth
-1

SSL Tunneling is the act of transferring data inside SSL (or now more likely TLS which has replaced SSL). Anyone outside of the network communications looking in would only see an SSL connection.

Tunneling is not really a form of attacking a target, rather a method of hiding or securing a communications channel. It could however be used as part of an attack, or a supplement.

You can always block the SSL port, which is 443. This would however stop any other SSL connections on this port, which are quite often needed to allow normal traffic, for example logging into Stack Overflow. You can do more advanced topics such as inspecting the details of an SSL connection to see if it looks abnormal or different, but this then starts to get you into analytic topics of what is or isn't a normal SSL connection, which a normal firewall probably won't do.

Toby
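Both answers point at the same two defensive options: restrict which hosts TLS connections may reach (the first answer's allow-list), and inspect connection details for anything that looks abnormal (the second answer's "analytic" check). The following added example, not code from either answer, shows what that looks like as review logic run over a constructed set of TLS connection records of the kind a proxy or flow exporter might produce. The log format, the allow-list of server names, the accepted port set and the byte and duration thresholds are all assumptions chosen for illustration.

```python
"""Review TLS connection records against an allow-list and simple baseline checks.

Added example; the log format, allow-list, ports and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample records (hypothetical export format), one per line:
# timestamp src dst dport sni bytes_out bytes_in duration_s
# "-" in the sni column means the client sent no server name.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.1.15 203.0.113.10 443 mail.example.com 5120 88123 12
2024-03-01T09:01:10 10.0.1.15 203.0.113.22 443 www.example.org 2048 40321 5
2024-03-01T09:02:30 10.0.1.40 198.51.100.7 443 - 3300 2900 3
2024-03-01T09:03:00 10.0.1.40 198.51.100.7 8443 update.example.net 74000000 1200 3600
2024-03-01T09:04:12 10.0.1.22 192.0.2.55 443 cdn.example.com 1024 35000 4
"""

# Assumed policy: the server names the organization has decided to allow,
# the ports on which TLS is expected, and a per-connection baseline.
ALLOWED_SNI = {"mail.example.com", "www.example.org", "cdn.example.com"}
ALLOWED_PORTS = {443}
MAX_BYTES_OUT = 10_000_000   # a single session sending more than this is unusual here
MAX_DURATION_S = 1800        # sessions open longer than this are unusual here


@dataclass
class TlsConn:
    ts: str
    src: str
    dst: str
    dport: int
    sni: str
    bytes_out: int
    bytes_in: int
    duration_s: int

    @property
    def key(self) -> str:
        return f"{self.src}->{self.dst}:{self.dport}"


def parse_log(text: str) -> list[TlsConn]:
    """Parse whitespace-separated records; malformed lines raise ValueError."""
    conns: list[TlsConn] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: expected 8 fields, got {len(fields)}")
        ts, src, dst, dport, sni, b_out, b_in, dur = fields
        conns.append(TlsConn(ts, src, dst, int(dport), sni, int(b_out), int(b_in), int(dur)))
    return conns


def review(conns: list[TlsConn]) -> dict[str, list[str]]:
    """Return {connection key: [reasons]} for every connection that trips a check.

    Connections that pass every check are not included in the result.
    """
    findings: dict[str, list[str]] = {}
    for c in conns:
        reasons: list[str] = []
        # Answer 2: TLS on an unexpected port is a cheap "looks different" signal.
        if c.dport not in ALLOWED_PORTS:
            reasons.append("nonstandard_port")
        # Answer 1: only allow-listed destinations; a missing SNI cannot be checked at all.
        if c.sni == "-":
            reasons.append("sni_missing")
        elif c.sni not in ALLOWED_SNI:
            reasons.append("sni_not_allowed")
        # Answer 2: compare against what a normal session looks like on this network.
        if c.bytes_out > MAX_BYTES_OUT:
            reasons.append("bytes_out_above_baseline")
        if c.duration_s > MAX_DURATION_S:
            reasons.append("long_lived")
        if reasons:
            findings[c.key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in review(parse_log(SAMPLE_LOG)).items():
        print(key, ", ".join(reasons))
```

The allow-list check only sees the server name the client claims in the handshake, so it is a policy filter rather than proof of where the bytes actually go; the baseline checks are deliberately crude, and in practice the thresholds come from measuring the organization's own normal traffic rather than from fixed constants.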