HoneyNets

Introduction
Definition of a Honeynet
Concept of Data Capture and Data Control
Generation I vs. Generation II Honeynets
Description of the Georgia Tech Campus Network
Current Vulnerabilities on the Internet

Shortcomings Associated with Firewalls
1. The firewall cannot protect against attacks that bypass it, such as a dial–in or dial-out capability.
2. The firewall at the network interface does not protect against internal threats.
3. The firewall cannot protect against the transfer of virus–laden files and programs

Shortcomings Associated with Intrusion Detection Systems
Increase Complexity of Security Management of Network
High Level of False Positive and False Negative Alerts
Must Know Signature or Anomoly Detection Pattern

Definition of a Honeynet
Network Established Behind a Reverse Firewall
Captures All In-Bound and Out-Bound Traffic
Any Type of System
Network is Intended To Be Compromised
All Honeynet traffic is suspicious

Data Capture and Data Control
Data Capture
Collect all information entering and leaving the Honeynet covertly for future analysis
Data Control
Covertly protect other networks from being attacked and compromised by computers on the Honeynet

Generation I vs. Generation II
GEN I Honeynet
Simple Methodology, Limited Capability
Highly effective at detecting automated attacks
Use Reverse Firewall for Data Control
Can be fingerprinted by a skilled hacker
Runs at OSI Layer 3
GEN II Honeynet
More Complex to Deploy and Maintain
Examine Outbound Data and make determination to block, pass, or modify data
Runs at OSI Layer 2

Georgia Tech Campus Network
15000 Students, 5000 Staff, 69 Departments
30000-35000 networked computers on campus
Average data throughput 600Mbps/4 terabytes per day
NO FIREWALL BETWEEN CAMPUS & INTERNET!
Why? Requirement for Academic Freedom, high throughput
However, individual enclaves within Georgia Tech use firewalls
IDS is run at campus gateway
Out of band monitoring and follow-on investigation

Establishment of the Honeynet on the Georgia Tech Campus
Established in Summer of 2002
Uses Open Source Software
Initially Established As One Honeynet Machine behind the firewall
IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)

Georgia Tech Honeynet

Hardware and Software
No Requirement for State of the Art Equipment (Surplus Equipment)
No Production Systems
Minimum Traffic
Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID)
Use Reverse Firewall Script Developed by Honeynet.org

Intrusion Detection System Used with HoneyNet
SNORT
Open Source
Signature-Based, with Anomaly-Based Plug-in Available
Can Write Customized Signatures
Run Two Separate SNORT Sessions
One Session to Check Against Signature Database
One Session to Capture All Inbound/Outbound Traffic

Analysis Console for Intrusion Detection (ACID)

Logging and Review of Data
Honeynet Data is stored in two separate locations
Alert Data is stored in SQL database
Packet Capture Data is stored in a daily archive file
Data Analysis is a time consuming process In our Experience:
One hour/day to analyze traffic
One hour of attack traffic can result up to one week of analysis

Ethereal Analysis Tool

Exploitations Detected on the Georgia Tech Honeynet
36 possible exploited machines have been detected at Georgia Tech in previous 9 months (through June 2003)
A report is made to OIT on each suspected compromise

Identification of a System with a Compromised Password
Previously Compromised Honeynet Computer Continued to Operate as Warez Server
Another Georgia Tech Computer Connected to the Warez Server
Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer

Detection of Worm Type Exploits
GEN I Honeynet Well-Suited to Detect Worm Type Exploits
Repeated Scans targeting specific ports
Analyze captured data for time lapses
Ability to Deploy Specific Operating System on Honeynet

Exploitation Pattern of Typical Internet Worm
Target Vulnerabilities on Specific Operating Systems
Localized Scanning to Propagate (Code Red)
3/8 of time within same /16 network
1/2 of time within same /8 network
1/8 of time random address
Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts

Georgia Tech Honeynet Gen II

Initial Observations of Gen II Honeynet
Configuration is more complex than Gen I
Must use variants of Linux 2.4 kernel in order to run Sebek keystroke logger capability
Data must continue to be monitored on a daily basis

Honeynet Portscan Activity
Date Public: 7/24/02 Date Attack: 1/25/03

Conclusions on HoneyNets
Honeynet Assists in Maintaining Network Security
Provides Platform for Research in Information Assurance and Intrusion Detection

HoneyNets

by Sandra4211 on May 04, 2010

Accessibility

Upload Details

Usage Rights

Statistics

HoneyNets Presentation Transcript