HoneyNets
Transcript

  • 1. HoneyNets
  • 2. Introduction
    • Definition of a Honeynet
    • Concept of Data Capture and Data Control
    • Generation I vs. Generation II Honeynets
    • Description of the Georgia Tech Campus Network
    • Current Vulnerabilities on the Internet
  • 3. Shortcomings Associated with Firewalls
    • 1. The firewall cannot protect against attacks that bypass it, such as a dial-in or dial-out capability.
    • 2. The firewall at the network interface does not protect against internal threats.
    • 3. The firewall cannot protect against the transfer of virus-laden files and programs.
  • 4. Shortcomings Associated with Intrusion Detection Systems
    • Increased Complexity of Security Management of the Network
    • High Level of False Positive and False Negative Alerts
    • Must Know Signature or Anomaly Detection Pattern
  • 5. Definition of a Honeynet
    • Network Established Behind a Reverse Firewall
    • Captures All In-Bound and Out-Bound Traffic
    • Any Type of System
    • Network is Intended To Be Compromised
    • All Honeynet traffic is suspicious
  • 6. Data Capture and Data Control
    • Data Capture
      • Collect all information entering and leaving the Honeynet covertly for future analysis
    • Data Control
      • Covertly protect other networks from being attacked and compromised by computers on the Honeynet
  • 7. Generation I vs. Generation II
    • GEN I Honeynet
      • Simple Methodology, Limited Capability
      • Highly effective at detecting automated attacks
      • Use Reverse Firewall for Data Control
      • Can be fingerprinted by a skilled hacker
      • Runs at OSI Layer 3
    • GEN II Honeynet
      • More Complex to Deploy and Maintain
      • Examines Outbound Data and Determines Whether to Block, Pass, or Modify It
      • Runs at OSI Layer 2
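The data-control idea on slides 6 and 7 (let a honeynet host be compromised, but keep it from attacking anyone else) is easiest to see as a small outbound-connection limiter. The following is an added illustration written for this transcript, not the Honeynet Project's own rc.firewall script; the limit of 9 outbound connections per honeypot per hour, the sliding-window bookkeeping and the 10.0.0.x / 198.51.100.x addresses are all assumptions chosen for the example. Inbound traffic is never blocked, because data capture depends on letting attackers in.

```python
"""Toy model of Gen I data control: a reverse-firewall policy that lets each
honeynet host open only a limited number of outbound connections per hour,
then drops further attempts and records an alert.
Added example; not the Honeynet Project's rc.firewall."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values (the real script has its own configurable limits).
OUTBOUND_LIMIT = 9       # outbound connections allowed per honeypot per window
WINDOW_SECONDS = 3600    # one hour


@dataclass
class DataControl:
    limit: int = OUTBOUND_LIMIT
    window: int = WINDOW_SECONDS
    # per-honeypot timestamps of recently PASSed outbound connections
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    # (ts, src_ip, dst_ip, dport) of every DROPped attempt, for the analyst
    alerts: list = field(default_factory=list)

    def inbound(self, ts, src_ip, dst_ip, dport):
        """Inbound traffic is always allowed: the honeynet exists to be probed."""
        return "PASS"

    def outbound(self, ts, src_ip, dst_ip, dport):
        """Decide one new outbound connection attempt from honeypot src_ip.

        Uses a sliding window: attempts older than `window` seconds are
        forgotten, so a quiet host regains its allowance automatically.
        Returns 'PASS' or 'DROP'."""
        recent = self._history[src_ip]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            self.alerts.append((ts, src_ip, dst_ip, dport))
            return "DROP"
        recent.append(ts)
        return "PASS"


def run_sample():
    """Constructed scenario: honeypot 10.0.0.5 (made-up address) has been
    compromised and tries 12 outbound connections in two minutes, while a
    second honeypot 10.0.0.6 makes a single connection of its own."""
    dc = DataControl()
    decisions = []
    for i in range(12):
        decisions.append(dc.outbound(ts=10 * i, src_ip="10.0.0.5",
                                     dst_ip=f"198.51.100.{i}", dport=6667))
    decisions.append(dc.outbound(ts=130, src_ip="10.0.0.6",
                                 dst_ip="198.51.100.1", dport=80))
    return decisions, dc.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    print("decisions:", decisions)
    print("alerts   :", alerts)
```

A Gen II honeynet replaces the fixed count with per-packet inspection (block, pass or modify), but the per-host accounting shown here is still the core of the Gen I reverse firewall the slides describe.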
  • 8. Georgia Tech Campus Network
    • 15000 Students, 5000 Staff, 69 Departments
    • 30000-35000 networked computers on campus
    • Average data throughput 600 Mbps / 4 terabytes per day
    • NO FIREWALL BETWEEN CAMPUS & INTERNET!
      • Why? Requirement for Academic Freedom, high throughput
      • However, individual enclaves within Georgia Tech use firewalls
    • IDS is run at campus gateway
      • Out of band monitoring and follow-on investigation
  • 9. Establishment of the Honeynet on the Georgia Tech Campus
    • Established in Summer of 2002
    • Uses Open Source Software
    • Initially Established As One Honeynet Machine behind the firewall
    • IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)
  • 10. Georgia Tech Honeynet
  • 11. Hardware and Software
    • No Requirement for State of the Art Equipment (Surplus Equipment)
    • No Production Systems
    • Minimum Traffic
    • Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID)
    • Use Reverse Firewall Script Developed by Honeynet.org
  • 12. Intrusion Detection System Used with HoneyNet
    • SNORT
      • Open Source
      • Signature-Based, with Anomaly-Based Plug-in Available
      • Can Write Customized Signatures
    • Run Two Separate SNORT Sessions
      • One Session to Check Against Signature Database
      • One Session to Capture All Inbound/Outbound Traffic
  • 13. Analysis Console for Intrusion Detection (ACID)
  • 14. Logging and Review of Data
    • Honeynet Data is stored in two separate locations
      • Alert Data is stored in SQL database
      • Packet Capture Data is stored in a daily archive file
    • Data Analysis is a time-consuming process. In our experience:
      • One hour/day to analyze traffic
      • One hour of attack traffic can result in up to one week of analysis
  • 15. Ethereal Analysis Tool
  • 16. Exploitations Detected on the Georgia Tech Honeynet
    • 36 possibly exploited machines have been detected at Georgia Tech in the previous 9 months (through June 2003)
    • A report is made to OIT on each suspected compromise
  • 17. Identification of a System with a Compromised Password
    • Previously Compromised Honeynet Computer Continued to Operate as Warez Server
    • Another Georgia Tech Computer Connected to the Warez Server
    • Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer
  • 18. Detection of Worm Type Exploits
    • GEN I Honeynet Well-Suited to Detect Worm Type Exploits
      • Repeated Scans targeting specific ports
      • Analyze captured data for time lapses
    • Ability to Deploy Specific Operating System on Honeynet
  • 19. Exploitation Pattern of Typical Internet Worm
    • Target Vulnerabilities on Specific Operating Systems
    • Localized Scanning to Propagate (Code Red)
      • 3/8 of time within same /16 network
      • 1/2 of time within same /8 network
      • 1/8 of time random address
    • Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts
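Slides 18 and 19 together describe what worm activity looks like from a Gen I honeynet: many distinct sources hitting one port, tight timing between hits, and a source distribution skewed toward the honeynet's own /16 and /8. The script below is an added example for this transcript, not code from the presentation; it runs those three checks over a constructed connection log. The honeynet address 192.0.2.10, the log format (timestamp, source IP, destination port) and the threshold of five sources are assumptions, and the sample sources were deliberately built to reproduce the 3/8, 1/2, 1/8 split quoted on slide 19.

```python
"""Worm-scan triage over honeynet inbound-connection logs: repeated scans of a
specific port, time lapses between hits, and source locality (same /16, same
/8, elsewhere). Added example, not part of the original presentation."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed honeynet address (documentation range, not Georgia Tech's real space).
HONEYNET_IP = ipaddress.ip_address("192.0.2.10")

# Constructed sample log: "<ISO timestamp> <source ip> <destination port>".
# Eight sources hit port 1434 within 15 seconds: 3 from the honeynet's /16,
# 4 from its /8 but outside the /16, 1 from elsewhere (3/8, 1/2, 1/8).
SAMPLE_LOG = """\
2003-01-25T10:00:00 192.0.2.77 1434
2003-01-25T10:00:03 192.0.55.8 1434
2003-01-25T10:00:05 192.200.1.1 1434
2003-01-25T10:00:08 192.13.9.2 1434
2003-01-25T10:00:09 192.0.2.130 1434
2003-01-25T10:00:11 192.77.0.5 1434
2003-01-25T10:00:14 8.8.4.4 1434
2003-01-25T10:00:15 192.250.4.4 1434
2003-01-25T10:05:00 203.0.113.5 22
2003-01-25T11:00:00 198.51.100.7 80
"""


def parse(log_text):
    """Turn log lines into (datetime, source address, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts),
                       ipaddress.ip_address(src), int(port)))
    return events


def ports_under_scan(events, min_sources=5):
    """Ports hit by at least min_sources distinct sources: the 'repeated scans
    targeting specific ports' signal. Returns {port: source count}."""
    sources = defaultdict(set)
    for _, src, port in events:
        sources[port].add(src)
    return {p: len(s) for p, s in sources.items() if len(s) >= min_sources}


def time_gaps(events, port):
    """Seconds between consecutive hits on `port`; small, steady gaps suggest
    automated propagation rather than a human at a keyboard."""
    times = sorted(ts for ts, _, p in events if p == port)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def locality(events, port, home=HONEYNET_IP):
    """Fraction of distinct sources for `port` that share the honeynet's /16,
    share only its /8, or come from anywhere else."""
    net16 = ipaddress.ip_network(f"{home}/16", strict=False)
    net8 = ipaddress.ip_network(f"{home}/8", strict=False)
    sources = {src for _, src, p in events if p == port}
    counts = {"same_16": 0, "same_8": 0, "random": 0}
    for s in sources:
        if s in net16:
            counts["same_16"] += 1
        elif s in net8:
            counts["same_8"] += 1
        else:
            counts["random"] += 1
    total = len(sources) or 1
    return {k: v / total for k, v in counts.items()}


def analyze(log_text=SAMPLE_LOG):
    """Per scanned port: distinct sources, longest lapse between hits, locality."""
    events = parse(log_text)
    report = {}
    for port, nsrc in ports_under_scan(events).items():
        gaps = time_gaps(events, port)
        report[port] = {"sources": nsrc,
                        "max_gap": max(gaps) if gaps else 0,
                        "locality": locality(events, port)}
    return report


if __name__ == "__main__":
    for port, info in analyze().items():
        print(f"port {port}: {info}")
```

On the sample, only port 1434 crosses the source threshold, the longest lapse between hits is three seconds, and the locality split comes out as 0.375 / 0.5 / 0.125, which is the pattern the slide gives for a localized-scanning worm; a heavily /16-weighted split on a real campus log is the cue to look for the infected internal hosts first.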
  • 20. Georgia Tech Honeynet Gen II
  • 21. Initial Observations of Gen II Honeynet
    • Configuration is more complex than Gen I
    • Must use variants of the Linux 2.4 kernel in order to run the Sebek keystroke-logger capability
    • Data must continue to be monitored on a daily basis
  • 22. Honeynet Portscan Activity
    • Date Public: 7/24/02 Date Attack: 1/25/03
  • 23. Honeynet Portscan Activity
    • Date Public: 7/16/03 Date Attack: 8/11/03
  • 24. Honeynet Portscan Activity
    • Date Public: 8/15/2003 Date Attack: 8/22/03
  • 25. Conclusions on HoneyNets
    • Honeynet Assists in Maintaining Network Security
    • Provides Platform for Research in Information Assurance and Intrusion Detection