'Impersonating' existing protocols

Many firewalls look only at the port number

Most firewalls only limit inbound access

Most firewalls support much more than necessary
SMTP, DNS, ping, etc

Often, covert channels can simply use other open ports
    /usr/sbin/sshd -p 80
    /usr/sbin/sshd -p 443