Honeypots / honeynets

Similar documents
Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Second-generation (GenII) honeypots

Securing the system using honeypot in cloud computing environment

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Dynamic Honeypot Construction

Use of Honeypots to Increase Awareness regarding Network Security

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Banking Security using Honeypot

Advanced Honeypot System for Analysing Network Security

Honeypots and Honeynets Technologies

Using honeypots to study skill level of attackers based on the exploited vulnerabilities in the network

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Linux Network Security

IDS / IPS. James E. Thiel S.W.A.T.

HONEYPOTS The new-way Security Analysis

Countermeasure for Detection of Honeypot Deployment

Honeypots: Catching the Insider Threat

DETECTING AND ANALYZING NETWORK ATTACKS USING VIRTUAL HONEYNET NUR ATIQAH BT. HASAN

HONEYPOTS REVEALED Prepared by:

The Use of Honeynets to Increase Computer Network Security and User Awareness

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Data Collection and Data Analysis in Honeypots and Honeynets

Autonomous Hybrid Honeypot as the Future of Distributed Computer Systems Security

Network Security Controls. CSC 482: Computer Security

Guide to Computer Forensics and Investigations, Second Edition

Honeypots in Network Security

Analyzing Internet Attacks with Honeypots. Ioannis Koniaris

DESIGN OF NETWORK SECURITY PROJECTS USING HONEYPOTS *

Use of Honeypot and IP Tracing Mechanism for Prevention of DDOS Attack

CMPT 471 Networking II

Network Defense Tools

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

CRYPTUS DIPLOMA IN IT SECURITY

Honeypot as the Intruder Detection System

How To Understand And Understand Honeypot

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Honeypots Security on Offense

Εmerging Ways to Protect your Network

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Advanced Honeypot Architecture for Network Threats Quantification

Protecting and controlling Virtual LANs by Linux router-firewall

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

ΕΠΛ 674: Εργαστήριο 5 Firewalls

PROFESSIONAL SECURITY SYSTEMS

Firewalls. Pehr Söderman KTH-CSC

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Definition of firewall

Cisco PIX vs. Checkpoint Firewall

Chapter 9 Firewalls and Intrusion Prevention Systems

Improving network security with Honeypots

Networking Basics and Network Security

Firewalls. Chien-Chung Shen

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

PUBLICATIONS OF PROBLEMS & APPLICATION IN ENGINEERING RESEARCH - PAPER CSEA2012 ISSN: ; e-issn:

Chapter 11 Cloud Application Development

[Kapse*, 4.(10): October, 2015] ISSN: (I2OR), Publication Impact Factor: 3.785

Taxonomy of Hybrid Honeypots

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Honeypot-Architectures using VMI Techniques

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

NETWORK SECURITY HACKS *

Security Technology: Firewalls and VPNs

Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots

Building an Early Warning System in a Service Provider Network

Intrusion Detection System with Deceptive Virtual Host

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

WEB BASED HONEYPOTS NETWORK

8 steps to protect your Cisco router

information security and its Describe what drives the need for information security.

Packet filtering with Linux

The Advantages of a Firewall Over an Interafer

GregSowell.com. Mikrotik Security

HoneyBOT User Guide A Windows based honeypot solution

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

An Efficient Technique to Improve the Data capturing Of Low-Interactive Honeypot Technology

Design & Implementation of Linux based Network Forensic System using Honeynet

Netfilter / IPtables

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

FIREWALL AND NAT Lecture 7a

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Transcription:

Honeypots / honeynets presentatie naam 1

Agenda Honeypots Honeynets Honeywall presentatie naam 2

Traffic Problem: Vast quantities of normal traffic Find suspect bits presentatie naam 3

Honeypot Machine without normal task That is never mentioned So: With Machine that gets no normal traffic Every network packet is suspect Contained environment IDS (snort) and logging presentatie naam 4

Where Anywhere within net No specific place Built like production machine Without function presentatie naam 5

Definition A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised. Source: Honeypots: : Tracking Hackers", Lance Spitzner,, 2002 (book) presentatie naam 6

History 1990: real systems Deploy unpatched systems in default config on unprotected network ( low-hanging( fruit ) Easy to deploy High-interaction, high-risk Nice reading: Cuckoo s s Egg by Clifford Stoll 1998: service / OS emulation Deception Toolkit, Cyber Cop Sting, KFSensor,, Specter Easy to deploy Low-interaction, low-risk 1999-current: virtual systems HoneyD, Honeywall, Qdetect,, Symantec Decoy Server(! 03/ 03/ 04) 04) Less easy todeploy Mid / high-interaction, mid / high-risk presentatie naam 7

History of the Honeynet Project 1999: Lance Spitzner (Sun) founds Honeynetproject 1999-2001, GenI: PoC,, L3 + (modi( modified IP-headers) 2001-2003, GenII: GenI + bridging (no TTL, harder to detect) 2003: Release of Eeyore Honeywall CD-ROM 2003-current, GenIII: GenII + blocking (Honeywall( Honeywall) 2005: Release of Roo Honeywall CD-ROM future: GenIV refers to next-gen analysis capabilities Honeynet.org is home to the KYE papers. presentatie naam 8

Take care! Machine must look real Outside traffic possible Or clearly fake Capture all traffic analyse Special restrictions on outgoing traffic Everything is allowed Low bandwidth (tarpit( tarpit) presentatie naam 9

Purpose Research Attract blackhats Reveal blackhattactics,, techniques, tools(kye) Reveal motives / intentions(?) Mostly universities, governments, ISPs Protection Deter blackhats from real assets Provide early warning Mostly governments, large enterprises Purpose may determine honeypot functionality and architecture presentatie naam 10

Definitions Definition A honeynet is a network of [high-interaction] honeypots. Definition A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet,, or between a network and a honeypot,, to uni- or bidirectionally capture, control and analyze attacks. Definition A honeytoken is a honeypot which is not a computer. presentatie naam 11

Functional requirements of a honeypot Data control Data capture Data collection Data analysis presentatie naam 12

Entrapment Applies only to law enforcement Useful only as defence in criminal prosecution Still, most legal authorities consider honeypots non-entrapment Responsibility for everything done from our net presentatie naam 13

Low vs. High interaction Low interaction Burglar alarm Not to learn about new attacks simple High interaction Research Look at new things Anatomy of new exploit Invest resources (manpower) presentatie naam 14

Realness Make things look real Windows services Windows exploits But Solaris network stack presentatie naam 15

How to organise Honeypot more than unpatched host See what happens Containment Check logs Limit outgoing traffic Don t t try this without thought! presentatie naam 16

Honeyd http://www.honeyd.org Framework Config file Scripts for emulated services Internal (python interpreter in honeyd) External (extern process) Stdin+stdout = net, stderr = syslog Acts using nmap fingerprints presentatie naam 17

honeyd presentatie naam 18

Honeyd Run on a single ip address Several services on one address Run as honeynet Several hosts on several addresses Attract traffic Static route in router Have honeyd arp on addresses presentatie naam 19

Containment Honeywall Appliance Based on unix 3 network interfaces Management Data (inside / outside bridge) presentatie naam 20

Sebek: : spying on your intruder Honeynet.org: Sebek is a tool designed for data capture, it attempts to capture most of the attackers activity on the honeypot,, without the attacker knowing it (hopefully), then sends there covered data to a central logging system. Linux kernel module that hooks sys_read() Covertly sends captured data to honeywall (UDP) Recovers keystrokes, uploaded files,, passwords, IRC chats, even if they are encrypted byssh, IPSec or SSL. presentatie naam 21

Sebek presentatie naam 22

Honeynet Requirements Data Control Data Capture http://old.honeynet honeynet.org/alliance/requirements.html presentatie naam 23

Gen II honeynet presentatie naam 24

No Data Control presentatie naam 25

Data Control presentatie naam 26

Honeynet Bridge 129.252.140.3 192.252.140.7 Eth1-NO IP Eth0-NO IP Eth2-129.252.xxx.yyy Administrative Interface SSH Connections Trusted Hosts Internet presentatie naam 27

What is Data Control and Why? Process used to control or contain traffic to a honeynet Upstream liability an attack from one of your honeypots Snort-inline South Florida Honeynet Project presentatie naam 28

Connection Limiting Mode Enemy Data Control Snort-Inline IPTables IPTables Packet No =10 Hub DROP presentatie naam 29

Snort-Inline Drop Mode Enemy Data Control Snort-Inline IPTables IP Tables Ip_queue Drop Hub Snort-Inline Snort Rules=Drop presentatie naam 30

Snort-Inline Replace Mode Enemy Data Control Snort-Inline IPTables Hub IP Tables Ip_queue Snort-Inline Snort Rules=Replace bin/sh->ben/sh presentatie naam 31

Gen II : GEN II Data Control Incorporates a firewall and IDS in one system Provides more stealthy data control Can be implemented for layer 2 bridging or Layer 3 NAT translation Packets passed from internet to honeynet as layer 2 (datalink( datalink) ) layer packets no TTL decrement invisible presentatie naam 32

IPTables for GEN II Honeynet IPTables is a free, stateful,, Open Source firewall for Linux 2.4.x and 2.5.x kernels Each packet header is compared to a set of chains Chains contain rules: ACCEPT, DROP, REJECT, Queue Custom Chains tcphandler udphandler icmphandler presentatie naam 33

Honeywall Bootable CD-ROM Standard ISO distribution GenII Data Capture/Data Control features Sebek Simple User Interface Auto-configure from floppy Customization features Template customization (file system) Run-time boot customization presentatie naam 34

Honeywall Standard intel PC 3 ethernet cards Inside (honeypots( honeypots) Outside (internet) Management Outside -> inside: bridge, no restrictions Inside -> outside: bridge, restrictions Management: hidden from outside world presentatie naam 35

Honeywall - Roo http://www.honeynet.org/tools/cdrom/ presentatie naam 36

Malware catching Nepentes (http://nepenthes.carnivore.it) Malware-collecting mid interaction honeypot Emulates known vulnerabilities Captures malware trying to exploit them Modular architecture First released in 2006 presentatie naam 37

Nepentes presentatie naam 38

Real world uses Surfnet IDS Qnet Honeypot in sensor Quarantaine net sensor Contain misbehaving host Louis mail relay Try again later presentatie naam 39

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information