honeypots

http://project.honeynet.org/misc/project.html

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks

Ashish Gupta

Network Security

May 2004

Overview

• Motivation

• What are Honeypots?

– Gen I and Gen II

• The GeorgiaTech Honeynet System

– Hardware/Software

– IDS

– Logging and review

• Some detected Exploitations

– Worm exploits

– Saga of the Warez Exploit

• Words of Wisdom

• Conclusions

Why Honeynets?

An additional layer of security

Security: A serious problem

• Firewall – a traffic cop

– Problems: internal threats, virus-laden programs

• IDS – detection and alert

– Problems: false positives, false negatives

The Security Problem

Firewall, IDS and honeynets: an additional layer of security

Properties

• Captures all inbound/outbound data

• Standard production systems

• Intended to be compromised

• Data Capture

– Stealth capturing

– Storage location – away from the honeynet

• Data control

– Protect the network from honeynets

Two types

• Gen I

– Good for simpler attacks

– Unsophisticated targets

– Limited data control

• Gen II

– Sophisticated data control: stealth firewalling

Gen I chosen

GATech Honeynet System

Config:

• Huge network

• 4 TB data processing/day

• Sub-standard systems

• Open source software

• Simple firewall data control

IDS

Two SNORT sessions:

• Session 1 – Invisible SNORT monitor

– Promiscuous mode

– Signature analysis monitoring

• Session 2 – Packet capture (data capture)

Data Analysis

• SNORT

– Requires human resources

– One hour daily!

• Forensic analysis (data capture)

– All packet logs stored

– Ethereal used

Detected Exploitations

• 16 compromises detected

– Worm attacks

– Hacker attacks

Detecting Worm Exploits

• Honeynet traffic is suspicious

• Heuristic for worm detection: frequent port scans

• Specific OS-vulnerability monitoring possible

• Captured traffic helps signature development
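Added example, not from the slides: the port-scan heuristic above as detection logic run over constructed honeynet connection-log lines. Because every inbound connection to a honeynet is suspicious, a source that reaches many distinct (host, port) targets in a short window is flagged; the log format, the 60-second window and the threshold of four targets are assumptions.

```python
# Added example (not from the slides). All inbound honeynet traffic is
# suspicious, so a source hitting many distinct (host, port) targets in a short
# window is flagged. Log format, window and threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "<ISO timestamp> <src> <honeynet dst> <dst port>"
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.9.8.7 192.0.2.10 135
2004-05-01T10:00:01 10.9.8.7 192.0.2.11 135
2004-05-01T10:00:02 10.9.8.7 192.0.2.12 135
2004-05-01T10:00:03 10.9.8.7 192.0.2.13 135
2004-05-01T10:00:10 10.9.8.8 192.0.2.10 22
2004-05-01T10:00:11 10.9.8.8 192.0.2.10 80
2004-05-01T10:00:12 10.9.8.8 192.0.2.10 445
2004-05-01T10:00:13 10.9.8.8 192.0.2.10 3389
2004-05-01T10:05:00 10.9.8.9 192.0.2.10 80
"""

def parse_log(text):
    """Parse the assumed log format into (time, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_targets=4):
    """Return {src: summary} for sources reaching >= min_targets distinct
    (dst, port) pairs within any window-long span. "horizontal" = one port on
    many hosts (a worm hunting one vulnerability); "vertical" = many ports."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(events):
        by_src[src].append((ts, dst, dport))
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in evs[start:end + 1]}
            if len(targets) < min_targets:
                continue
            hosts = {d for d, _ in targets}
            ports = sorted({p for _, p in targets})
            kind = "horizontal" if len(ports) == 1 else "vertical" if len(hosts) == 1 else "mixed"
            hits[src] = {"hosts": len(hosts), "ports": ports, "pattern": kind}
            break
    return hits
```

A horizontal hit on a single port is the pattern the slide's "specific OS-vulnerability monitoring" refers to, and the captured packets for that source are the raw material for a signature.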

Saga of the Warez Hacker

• Honeynet helped locate a compromised host

• Very difficult to detect otherwise!

• IIS exploit → Warez server + backdoor

Words of Wisdom

• Start small

• Good relationships help

• Focus on Internal attacks

• Don’t advertise

• Be prepared to spend time

Conclusion

• Helped locate compromised systems

• Can boost IDS research

– Data capture

• Distributed honeynets?

• Hunting down Honeypots

– http://www.send-safe.com/honeypot-hunter.php

Discussion

• The usefulness of the extra layer?

• Dynamic HoneyNets

• Comparison with IDS: are these a replacement or complementary?

IDS vs HoneyNet

• IDS – primary function is detection and alerting

• Honeynets – use IDS to detect and alert

– but nothing is done to control the threat

– Primary intent is to log and capture effects and activities of the threat

Honeynets do not protect the network – they have protection as a benefit, not intent
