2. Course content:
• Course objectives: this course introduces the Honeynet Project's GDH 2 architecture, as used for international deployment, and guides students through learning how to use a honeynet to capture network attacks and malware.
• Course content:
– Hands-on training environment
– Honeypot and Honeynet Technology
– Hands-On: Honeywall ROO v.1.4 Introduction, Install and Configure
– Hands-On: Low interaction honeypots (Nepenthes)
– Hands-On: High interaction honeypots and Sebek
– Incident analysis
3. Thanks a lot …
• The training materials refer to “Hands On with the Honeywall and Virtual Honeynets” by David Watson from FIRST TC 02/12/2009 in Kuala Lumpur.
4. Goals for training course
• Learn about honeynet technologies in a safe environment
• Gain an appreciation for how tools can help in operational security and incident response
• Ask lots of questions: this is a hands-on interactive session, so please say if stuck
5. Your Experience?
• Command line UNIX / Linux?
• Control and operate in VMWare Server?
• IP networking?
• Packet sniffing and network forensics?
• Malware collection and binary analysis
• Using Honeypots and honeynets
6. Training Platform
• Everyone has the same training environment
– WinXP and VMWare Server 1.0.9
– IP Address (140.110.126.x) (eth0) – the desktop PCs
– Private VM LAN (vmnet8) – your personal NATed VMs
– Prebuilt VMs
• Roo Honeywall v1.4
• Nepenthes v0.2.2 on Ubuntu Desktop 9.10 Honeypot
• Ubuntu Server LAMP + Sebek v3 Honeypot
• BackTrack attack host
• Windows XP Professional SP3 Honeypot
9. Honeypot and Honeynet
• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource
• Has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise
• Primary value to most organizations is information
• A honeynet is a network of honeypots
10. Honeypot and Honeynet (Cont.)
• Honeypot General Purpose:
– Operating systems and services designed and placed around your networks to be probed and hacked.
– All data collected is of high value and unpolluted
• What is a Honeypot? (single point)
– Emulates a specific service, system vulnerability or specific function to lure attackers
– Has a data capture mechanism, so attack data can be collected and provided for analysis
– Has a security control mechanism, so it cannot be used as a stepping stone for further attacks.
11. Honeypot and Honeynet (Cont.)
• What is a Honeynet?
– Includes Honeywall / Low-Interaction / High-interaction honeypots
– It is an architecture, not a product or software
– Populated with live systems
– Once compromised, data is collected to learn the tools, tactics, and motives of the blackhat community.
• Value of Honeynet
– Research: identify new tools and new tactics, profile blackhats
– Early warning and prediction
– Incident Response / Forensics
– Self-defense
12. Honeypot and Honeynet Type
• Low-interaction (LI)
– Emulates services, applications, and OS's
– Low risk and easy to deploy/maintain, but
– captures limited information
• High-interaction (HI)
– Real services, applications, and OS's
– Captures extensive information, but higher risk and time intensive to maintain
35. Honeywall overview
• Bootable CentOS 5.x CD-ROM
• Utilizes existing Honeynet data control and data capture technologies
• Iptables (custom Honeywall configuration via rc.firewall)
• Snort + Snort-inline
• TCP rate limiting + Sebek client
• Menu-driven and web based configuration interfaces for easy remote configuration
• Single configuration file for interactive or
37. Data Control – Snort_inline and iptables
[Diagram: INTERNET → Honeywall → Honeynet. Inbound traffic from the Internet to the Honeynet: no restrictions. Outbound traffic from the Honeynet: connection limits, and filtering of packets carrying attack behaviour. Honeynet hosts shown: Sendmail Mail Server, Oracle DataBase Server, DNS Server, MS-SQL DataBase Server, Apache Web Server.]
38. Data Control – Snort_inline and iptables
[Diagram: inside the Honeywall, traffic enters on eth0, passes through Iptables and Snort_inline, and leaves on eth1; Snort_inline actions shown: Drop, Replace.]
Let the attacker into the Honeynet to carry out attacks, but restrict what they can do on the way out.
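As an added example (not part of the original slides or the Honeywall code), a small Python model of the data control policy above: inbound traffic passes unrestricted, each new outbound connection from a honeypot is counted against an assumed per-protocol hourly limit in the style of rc.firewall, and outbound payloads matching snort_inline-style rules are dropped or replaced. The addresses, limits and signatures are constructed for illustration only.

```python
from collections import defaultdict

HONEYNET_PREFIX = "10.0.0."      # constructed: honeypot address range
# Assumed per-honeypot, per-hour outbound connection limits in the style of
# rc.firewall; the numbers are illustrative and not taken from the slides.
OUTBOUND_LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}
# Constructed snort_inline-style rules: None means drop, bytes means replace
OUTBOUND_SIGNATURES = {b"EXPLOIT": None, b"/bin/sh": b"/ben/sh"}


class Honeywall:
    def __init__(self):
        self.conn_counts = defaultdict(int)   # (honeypot, proto, hour) -> n

    @staticmethod
    def is_outbound(src, dst):
        return src.startswith(HONEYNET_PREFIX) and not dst.startswith(HONEYNET_PREFIX)

    def filter(self, src, dst, proto, new_conn, payload, hour):
        """Return (verdict, payload); verdict is 'pass' or 'drop'."""
        if not self.is_outbound(src, dst):
            return "pass", payload            # inbound: let the attacker in
        proto = proto if proto in OUTBOUND_LIMITS else "other"
        if new_conn:                          # iptables connection limiting
            key = (src, proto, hour)
            self.conn_counts[key] += 1
            if self.conn_counts[key] > OUTBOUND_LIMITS[proto]:
                return "drop", payload
        for sig, repl in OUTBOUND_SIGNATURES.items():   # snort_inline rules
            if sig in payload:
                if repl is None:
                    return "drop", payload
                payload = payload.replace(sig, repl)  # neuter, keep session
        return "pass", payload


def demo():
    """Constructed traffic; returns the verdicts for each scenario."""
    hw = Honeywall()
    attacker, honeypot, victim = "203.0.113.5", "10.0.0.7", "198.51.100.9"
    inbound = [hw.filter(attacker, honeypot, "tcp", True, b"EXPLOIT", 1)[0]
               for _ in range(100)]
    outbound = [hw.filter(honeypot, victim, "tcp", True, b"GET /", 1)[0]
                for _ in range(25)]
    replaced = hw.filter(honeypot, victim, "tcp", False, b"cat /bin/sh", 1)
    sig_drop = hw.filter(honeypot, victim, "tcp", False, b"EXPLOIT", 1)[0]
    return {"inbound_pass": inbound.count("pass"),
            "outbound_pass": outbound.count("pass"),
            "outbound_drop": outbound.count("drop"),
            "replaced": replaced, "sig_drop": sig_drop}
```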