In a previous post, I pointed to an article which described how to set up a covert channel which would use HTTP proxies to get to the outside world. The same group (Gray-World) that posted that article has also posted this one which describes how to detect those covert channels.
Note: Gray-Worlds alternate title (slogan?) is: Network Access Control Systems bypassing.
This site has a lot of discussion (and tools) about setting up covert channels.