HoneyNets
1. HoneyNets

2. Introduction
   - Definition of a Honeynet
   - Concept of Data Capture and Data Control
   - Generation I vs. Generation II Honeynets
   - Description of the Georgia Tech Campus Network
   - Current Vulnerabilities on the Internet

3. Shortcomings Associated with Firewalls
   1. The firewall cannot protect against attacks that bypass it, such as a dial-in or dial-out capability.
   2. The firewall at the network interface does not protect against internal threats.
   3. The firewall cannot protect against the transfer of virus-laden files and programs.

4. Shortcomings Associated with Intrusion Detection Systems
   - Increased Complexity of Security Management of the Network
   - High Level of False Positive and False Negative Alerts
   - Must Know Signature or Anomaly Detection Pattern

5. Definition of a Honeynet
   - Network Established Behind a Reverse Firewall
   - Captures All In-Bound and Out-Bound Traffic
   - Any Type of System
   - Network Is Intended To Be Compromised
   - All Honeynet Traffic Is Suspicious

6. Data Capture and Data Control
   - Data Capture
     - Collect all information entering and leaving the Honeynet covertly for future analysis
   - Data Control
     - Covertly protect other networks from being attacked and compromised by computers on the Honeynet

7. Generation I vs. Generation II
   - GEN I Honeynet
     - Simple Methodology, Limited Capability
     - Highly effective at detecting automated attacks
     - Uses a Reverse Firewall for Data Control
     - Can be fingerprinted by a skilled hacker
     - Runs at OSI Layer 3
   - GEN II Honeynet
     - More Complex to Deploy and Maintain
     - Examines Outbound Data and determines whether to block, pass, or modify it
     - Runs at OSI Layer 2
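The Gen I data control idea on slides 6 and 7 (a Layer 3 reverse firewall that lets every inbound packet through but caps how many connections a honeypot may open to the outside) can be modelled as a small decision function. This is an added illustration, not the Honeynet.org rc.firewall script; the honeynet block, the per-protocol budgets and the one-hour window are constructed values.

```python
import ipaddress
from collections import defaultdict, deque

# Honeynet address block and per-protocol outbound budgets; all values are
# constructed for this example and are not the Honeynet.org script's settings.
HONEYNET = ipaddress.ip_network("10.20.0.0/24")
WINDOW_SECONDS = 3600
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}

class OutboundLimiter:
    """Gen I style data control: count connections a honeypot initiates to the
    outside and drop anything beyond its budget for the current window."""

    def __init__(self, honeynet=HONEYNET, limits=LIMITS, window=WINDOW_SECONDS):
        self.honeynet = honeynet
        self.limits = limits
        self.window = window
        self.history = defaultdict(deque)   # (src, proto) -> timestamps of allowed connections
        self.log = []                       # (ts, src, dst, proto, verdict) kept for review

    def decide(self, ts, src, dst, proto):
        """Return "ALLOW" or "DROP" for one new connection seen at time ts (seconds)."""
        src_in = ipaddress.ip_address(src) in self.honeynet
        dst_in = ipaddress.ip_address(dst) in self.honeynet
        # Inbound traffic is never blocked (the honeynet is meant to be compromised),
        # and traffic that stays inside the honeynet cannot harm other networks.
        if not src_in or dst_in:
            return "ALLOW"
        recent = self.history[(src, proto)]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()            # forget connections older than the window
        if len(recent) >= self.limits.get(proto, 0):
            verdict = "DROP"            # budget exhausted: stop the honeypot attacking others
        else:
            recent.append(ts)
            verdict = "ALLOW"
        self.log.append((ts, src, dst, proto, verdict))
        return verdict

    def dropped_by_source(self):
        """Drops per honeypot: a burst of drops is itself a sign the host was compromised."""
        counts = defaultdict(int)
        for ts, src, dst, proto, verdict in self.log:
            if verdict == "DROP":
                counts[src] += 1
        return dict(counts)
```

Because the limiter keys on source address and protocol only, it is exactly the kind of Layer 3 control a skilled intruder can fingerprint by counting how many connections succeed before they start failing, which is the weakness slide 7 attributes to Gen I.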
8. Georgia Tech Campus Network
   - 15000 Students, 5000 Staff, 69 Departments
   - 30000-35000 networked computers on campus
   - Average data throughput 600 Mbps / 4 terabytes per day
   - NO FIREWALL BETWEEN CAMPUS & INTERNET!
     - Why? Requirement for academic freedom and high throughput
     - However, individual enclaves within Georgia Tech use firewalls
   - IDS is run at the campus gateway
     - Out-of-band monitoring and follow-on investigation

9. Establishment of the Honeynet on the Georgia Tech Campus
   - Established in Summer of 2002
   - Uses Open Source Software
   - Initially Established As One Honeynet Machine behind the firewall
   - IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)

10. Georgia Tech Honeynet

11. Hardware and Software
   - No Requirement for State-of-the-Art Equipment (Surplus Equipment)
   - No Production Systems
   - Minimum Traffic
   - Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID)
   - Use Reverse Firewall Script Developed by Honeynet.org

12. Intrusion Detection System Used with HoneyNet
   - SNORT
     - Open Source
     - Signature-Based, with Anomaly-Based Plug-in Available
     - Can Write Customized Signatures
   - Run Two Separate SNORT Sessions
     - One Session to Check Against the Signature Database
     - One Session to Capture All Inbound/Outbound Traffic

13. Analysis Console for Intrusion Detection (ACID)

14. Logging and Review of Data
   - Honeynet Data is stored in two separate locations
     - Alert Data is stored in a SQL database
     - Packet Capture Data is stored in a daily archive file
   - Data Analysis is a time-consuming process. In our experience:
     - One hour/day to analyze traffic
     - One hour of attack traffic can result in up to one week of analysis

15. Ethereal Analysis Tool

16. Exploitations Detected on the Georgia Tech Honeynet
   - 36 possible exploited machines have been detected at Georgia Tech in the previous 9 months (through June 2003)
   - A report is made to OIT on each suspected compromise

17. Identification of a System with a Compromised Password
   - Previously Compromised Honeynet Computer Continued to Operate as a Warez Server
   - Another Georgia Tech Computer Connected to the Warez Server
   - Investigation Revealed that the Password had been Compromised on the Second Georgia Tech Computer

18. Detection of Worm Type Exploits
   - GEN I Honeynet Well-Suited to Detect Worm Type Exploits
     - Repeated Scans targeting specific ports
     - Analyze captured data for time lapses
   - Ability to Deploy a Specific Operating System on the Honeynet

19. Exploitation Pattern of a Typical Internet Worm
   - Target Vulnerabilities on Specific Operating Systems
   - Localized Scanning to Propagate (Code Red)
     - 3/8 of the time within the same /16 network
     - 1/2 of the time within the same /8 network
     - 1/8 of the time a random address
   - Allows for Quick Infection Within Internal Networks with a High Concentration of Vulnerable Hosts
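Slides 18 and 19 together describe what worm activity looks like from the honeynet side: repeated probes of one port at a steady cadence, and, because of localized scanning, probing hosts that sit disproportionately in the honeynet's own /16 or /8. The analyzer below is an added example (not the Georgia Tech team's tooling) that applies both tests to a per-probe capture summary; the honeynet block, the capture lines and the thresholds are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Honeynet address block, constructed for this example.
HONEYNET = ipaddress.ip_network("10.20.0.0/24")
SAME_16, SAME_8 = HONEYNET.supernet(new_prefix=16), HONEYNET.supernet(new_prefix=8)

# Constructed capture summary, one probe per line: time,src,dst,dport
CAPTURE = """\
2003-08-22T10:00:00,10.20.77.4,10.20.0.5,80
2003-08-22T10:00:30,10.20.77.4,10.20.0.6,80
2003-08-22T10:01:00,10.20.77.4,10.20.0.7,80
2003-08-22T10:01:30,10.20.77.4,10.20.0.8,80
2003-08-22T10:05:00,10.131.9.2,10.20.0.5,80
2003-08-22T10:06:00,10.131.9.2,10.20.0.5,80
2003-08-22T11:00:00,203.0.113.7,10.20.0.5,22
2003-08-22T11:00:01,203.0.113.7,10.20.0.5,21
2003-08-22T11:00:02,203.0.113.7,10.20.0.5,80
"""

def locality(src):
    # Where the probing host sits relative to the honeynet: Code Red style
    # localized scanning makes same-/16 and same-/8 sources over-represented.
    addr = ipaddress.ip_address(src)
    return "same /16" if addr in SAME_16 else "same /8" if addr in SAME_8 else "remote"

def analyze(text, min_probes=3, max_jitter=0.2):
    """Per-source summary: probe count, ports hit, locality and inter-probe timing."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split(",")
        by_src[src].append((datetime.fromisoformat(ts), dst, int(dport)))
    report = {}
    for src, probes in by_src.items():
        times = sorted(p[0] for p in probes)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        ports = sorted({p[2] for p in probes})
        # Automated propagation shows as a steady cadence against one port;
        # a hand-driven probe of several ports in quick succession does not.
        regular = len(gaps) >= 2 and pstdev(gaps) <= max_jitter * mean(gaps)
        report[src] = {"probes": len(probes), "ports": ports, "locality": locality(src),
                       "mean_gap": mean(gaps) if gaps else None,
                       "worm_like": len(probes) >= min_probes and len(ports) == 1 and regular}
    return report
```

Tallying the locality field across many sources is the aggregate check: a worm that scans its own /16 three-eighths of the time will show up as a same-/16 share far above what uniformly random scanning of the Internet would produce.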
20. Georgia Tech Honeynet Gen II

21. Initial Observations of Gen II Honeynet
   - Configuration is more complex than Gen I
   - Must use variants of the Linux 2.4 kernel in order to run the Sebek keystroke logger capability
   - Data must continue to be monitored on a daily basis

22. Honeynet Portscan Activity
   - Date Public: 7/24/02; Date Attack: 1/25/03

23. Honeynet Portscan Activity
   - Date Public: 7/16/03; Date Attack: 8/11/03

24. Honeynet Portscan Activity
   - Date Public: 8/15/2003; Date Attack: 8/22/03

25. Conclusions on HoneyNets
   - Honeynet Assists in Maintaining Network Security
   - Provides a Platform for Research in Information Assurance and Intrusion Detection