This document discusses KFSensor, a honeypot and intrusion detection system. It provides an overview of honeypot technology, the components and features of KFSensor, and how it was tested. KFSensor is a commercial low interaction honeypot solution that simulates vulnerable Windows services to detect and study hackers. It has a GUI management console for configuration and monitoring attacks in graphical formats.
3. Introduction
Increasing security threats with proliferation of the internet
Network security – Firewall, IDS, antivirus.
Traditional approach – defensive
Today – offensive approach
Honeypot
4. Honeypot Technology
Attract and detect hackers and worms by simulating vulnerable system services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.
A honeypot is a security resource whose value lies in being probed, attacked, or compromised.
We want attackers to probe and exploit the virtual system running emulated services.
6. Advantage
Minimal resources required
GUI based management console - extensive
documentation and low maintenance
Disadvantage
Limited view: can’t capture attacks against other systems
7. Types of Honeypot
Interaction: the level of activity the honeypot allows the attacker
Low Interaction
Emulated services, easy to deploy and maintain, less risk
Designed to capture only known attacks
High Interaction
Sets up real services and provides interaction with the OS
More information; no assumptions are made, and the attacker gets a fully open environment.
An attacker can use the real honeypot to attack others.
8. KFSensor
Commercial low interaction honeypot solution
Windows OS
Easy configuration and flexible
Product detail:
Software: KFSensor
Version: 2.2.1
License: Evaluation (14 days trial)
Vendor: Key Focus
Downloaded Site: http://www.keyfocus.net/kfsensor/
9. Installations
Download the application from the website
To install, log in as ADMINISTRATOR
C:\kfsensor\logs – XML files
Run the KFSensor server as a daemon (Windows service) [kfsnserve.exe]
Open the KFSensor monitor (GUI)
10. Components of KFSensor
KFSensor Server
Performs the core functionality; outsiders interact with the server. It has no GUI.
KFSensor Monitor
Interprets all the data and alerts captured by
server in graphical form.
12. Features
File Menu
Export [HTML, XML, TSV or CSV ], Service
View Menu
Ports View, Visitors View
Editing Scenarios
Editing Listens, Edit Rules, Sim Server
14. Editing Listens
Listen On:
Name: Identifies the listen when a connection is made that matches this specification
Protocol: Choice between UDP or TCP
Port
Bind Address: Specifies the IP address the listen binds to
Action:
Action Type: The action to be performed once the connection is made by the outsider
Severity: Defines the level of severity generated by the event to alert the admin
Time out: Value in seconds for the server to wait until it closes the connection
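A minimal sketch of what a listen definition with the fields above does at run time, as an added example (it is not KFSensor code and not from the original slides). The action type names, the XML event layout and the `decoy-http` sample values are assumptions made for illustration.

```python
import socket
import threading
from dataclasses import dataclass
from xml.etree import ElementTree as ET

@dataclass
class Listen:                # fields from the "Listen On" / "Action" slide
    name: str
    protocol: str            # "TCP" or "UDP"; only TCP is handled here
    port: int
    bind_address: str        # the single interface the decoy is exposed on
    action: str              # hypothetical types: "close", "read_and_close"
    severity: str
    timeout: float           # seconds to wait before closing the connection

def serve_once(listen, ready):
    """Accept one connection, apply the action, return the event as XML."""
    if listen.protocol != "TCP":
        raise ValueError("this sketch only implements TCP listens")
    with socket.create_server((listen.bind_address, listen.port)) as srv:
        listen.port = srv.getsockname()[1]   # resolve port 0 to the real port
        ready.set()
        conn, (visitor, _) = srv.accept()
        with conn:
            conn.settimeout(listen.timeout)
            data = b""
            if listen.action == "read_and_close":
                try:
                    data = conn.recv(1024)   # keep only the first request
                except socket.timeout:
                    pass                     # silent visitor is still an event
    event = ET.Element("event", name=listen.name, protocol=listen.protocol,
                       port=str(listen.port), severity=listen.severity, visitor=visitor)
    # Hex-encode visitor bytes so hostile input cannot corrupt the XML log.
    ET.SubElement(event, "received").text = data.hex()
    return ET.tostring(event, encoding="unicode")

def demo():  # constructed loopback run: one client sends a probe to the decoy
    listen = Listen("decoy-http", "TCP", 0, "127.0.0.1", "read_and_close", "medium", 2.0)
    ready, out = threading.Event(), []
    t = threading.Thread(target=lambda: out.append(serve_once(listen, ready)))
    t.start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", listen.port)) as client:
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    t.join()
    return out[0]

if __name__ == "__main__":
    print(demo())
```

Binding to one explicit address rather than all interfaces keeps the decoy off networks where it was never meant to appear, and the timeout bounds how long a single visitor can hold the listener open.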
18. Conclusion
Good user interface
Easy to configure emulation services
Flexible
Minimal risk
Limited to only minimal transactions
A honeypot cannot replace the existing system. It works better along with it.