http://project.honeynet.org/misc/project.html
Ashish Gupta
Network Security
May 2004
Overview
• Motivation
• What are Honeypots?
– Gen I and Gen II
• The GeorgiaTech Honeynet System
– Hardware/Software
– IDS
– Logging and review
• Some detected Exploitations
– Worm exploits
– Saga of the Warez Exploit
• Words of Wisdom
• Conclusions
An additional layer of security
Security: A serious problem
• Firewall – a traffic cop
– Problems: internal threats, virus-laden programs
• IDS – detection and alert
– Problems: false positives, false negatives
The Security Problem
(diagram: Firewall, IDS and HoneyNets as layers of defence)
HoneyNets – an additional layer of security
Properties
• Captures all inbound/outbound data
• Standard production systems
• Intended to be compromised
• Data Capture
– Stealth capturing
– Storage location – away from the honeynet
• Data control
– Protect the network from honeynets
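The two properties above, capture everything but let the honeypots do only limited harm, are what a Gen I firewall-based data control enforces. The following is an added example (not the GATech honeynet's code) that applies such a rule to a constructed list of connection events: every event is kept for capture, inbound connections are never restricted, and each honeypot is allowed only a fixed number of outbound connections per hour. The hourly ceiling of 5 and the event format are assumptions; the deck gives neither.

```python
"""Gen I style data control over a constructed event list (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: illustrative hourly ceiling; the deck does not state a number.
OUTBOUND_LIMIT_PER_HOUR = 5

# Constructed sample: (timestamp, honeypot_ip, other_ip, port, direction)
# 'in'  = remote host connects to the honeypot (always allowed, always logged)
# 'out' = honeypot tries to connect outward (subject to the limit)
SAMPLE_EVENTS = [
    ("2004-05-01 10:00:01", "10.0.0.5", "192.0.2.10", 80, "in"),
    ("2004-05-01 10:00:02", "10.0.0.5", "192.0.2.10", 4444, "in"),
    ("2004-05-01 10:05:00", "10.0.0.5", "198.51.100.7", 21, "out"),
    ("2004-05-01 10:06:00", "10.0.0.5", "198.51.100.7", 21, "out"),
    ("2004-05-01 10:07:00", "10.0.0.5", "198.51.100.7", 21, "out"),
    ("2004-05-01 10:08:00", "10.0.0.5", "198.51.100.7", 21, "out"),
    ("2004-05-01 10:09:00", "10.0.0.5", "198.51.100.7", 21, "out"),
    ("2004-05-01 10:10:00", "10.0.0.5", "198.51.100.8", 21, "out"),  # 6th in the hour
    ("2004-05-01 10:11:00", "10.0.0.5", "198.51.100.9", 21, "out"),  # 7th in the hour
    ("2004-05-01 11:30:00", "10.0.0.5", "198.51.100.7", 21, "out"),  # old window expired
    ("2004-05-01 10:20:00", "10.0.0.6", "198.51.100.7", 21, "out"),  # a different honeypot
]


def apply_data_control(events, limit=OUTBOUND_LIMIT_PER_HOUR):
    """Return (capture_log, decisions).

    capture_log: every event unchanged (data capture sees all in/out traffic).
    decisions:   one (ts, honeypot, dst, port, 'allow'|'block') per outbound event.
    """
    capture_log = list(events)          # capture happens before any control
    window = timedelta(hours=1)
    allowed_recent = defaultdict(list)  # honeypot -> timestamps of allowed outbound
    decisions = []
    for ts_str, honeypot, other, port, direction in sorted(events, key=lambda e: e[0]):
        if direction != "out":
            continue                    # inbound attacks are what we want to see
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        # forget allowed connections that fell out of the one-hour window
        allowed_recent[honeypot] = [t for t in allowed_recent[honeypot] if ts - t < window]
        if len(allowed_recent[honeypot]) < limit:
            allowed_recent[honeypot].append(ts)
            decisions.append((ts_str, honeypot, other, port, "allow"))
        else:
            decisions.append((ts_str, honeypot, other, port, "block"))
    return capture_log, decisions


def blocked_count(decisions):
    """Number of outbound attempts the control stopped."""
    return sum(1 for d in decisions if d[-1] == "block")


if __name__ == "__main__":
    log, decs = apply_data_control(SAMPLE_EVENTS)
    print(f"captured {len(log)} events, blocked {blocked_count(decs)} outbound attempts")
    for d in decs:
        print(*d)
```

Blocking the sixth and seventh attempt from 10.0.0.5 while still recording them is the point: the attacker's outbound activity stays visible in the capture, but the honeynet cannot be used as a launch point against other networks.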
Two types
Gen I
– Good for simpler attacks
– Unsophisticated targets
– Limited data control
Gen II
– Sophisticated data control: stealth firewalling
Gen I chosen
CONFIG
GATech Honeynet System
• Huge network
• 4 TB data processing/day
• Sub-standard systems
• Open source software
• Simple firewall data control
IDS
Two SNORT sessions
• Session 1 – Invisible SNORT monitor
– Promiscuous mode
– Signature analysis monitoring
• Session 2 – Packet capture (DATA CAPTURE)
Data Analysis
• SNORT
– Requires human resources
– One hour daily!
• Forensic analysis (DATA CAPTURE)
– All packet logs stored
– Ethereal used
Detected Exploitations
• 16 compromises detected
– Worm attacks
– Hacker attacks
DETECTING WORM EXPLOITS
• Honeynet traffic is suspicious
• Heuristic for worm detection: frequent port scans
• Specific OS-vulnerability monitoring possible
• Captured traffic helps signature development
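The port-scan heuristic above is simple to run over the stored packet logs: because nobody legitimately uses the honeynet, any source that touches many distinct honeypot ports in a short window is a scanner, and the list of ports it probed is a starting point for a signature. This is an added example, not the GATech tooling; the one-line-per-connection log format, the constructed sample lines, and the thresholds (3 distinct targets within 60 seconds) are all assumptions.

```python
"""Port-scan heuristic over a constructed honeynet connection log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: one host sweeps several ports on two honeypots within
# seconds, one host repeatedly hits a single port, one host makes one connection.
SAMPLE_CAPTURE = """\
2004-05-01 02:14:01 203.0.113.9:4021 -> 10.0.0.5:135 TCP
2004-05-01 02:14:01 203.0.113.9:4022 -> 10.0.0.5:139 TCP
2004-05-01 02:14:02 203.0.113.9:4023 -> 10.0.0.5:445 TCP
2004-05-01 02:14:02 203.0.113.9:4024 -> 10.0.0.6:135 TCP
2004-05-01 02:14:02 203.0.113.9:4025 -> 10.0.0.6:139 TCP
2004-05-01 02:14:03 203.0.113.9:4026 -> 10.0.0.6:445 TCP
2004-05-01 02:14:03 203.0.113.9:4027 -> 10.0.0.6:80 TCP
2004-05-01 03:10:00 198.51.100.20:3301 -> 10.0.0.5:80 TCP
2004-05-01 03:10:05 198.51.100.20:3302 -> 10.0.0.5:80 TCP
2004-05-01 03:10:09 198.51.100.20:3303 -> 10.0.0.5:80 TCP
2004-05-01 03:10:15 198.51.100.20:3304 -> 10.0.0.5:80 TCP
2004-05-01 04:00:00 192.0.2.77:50000 -> 10.0.0.6:21 TCP
this line is garbage and should be skipped
"""


def parse_capture(text):
    """Parse log lines into records; return (records, number_of_unparseable_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # never let a malformed line abort the review
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return records, skipped


def find_port_scanners(records, min_targets=3, window_seconds=60):
    """Map each source that hit >= min_targets distinct (dst, port) pairs inside
    any window of window_seconds to the sorted list of those pairs."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    window = timedelta(seconds=window_seconds)
    scanners = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, set()
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1        # slide the window forward
            targets = {(r["dst"], r["dport"]) for r in recs[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            scanners[src] = sorted(best)
    return scanners


def probed_ports(scanners):
    """Per scanner, the distinct destination ports it probed: raw material for a signature."""
    return {src: sorted({port for _, port in targets}) for src, targets in scanners.items()}


if __name__ == "__main__":
    recs, skipped = parse_capture(SAMPLE_CAPTURE)
    found = find_port_scanners(recs)
    print(f"{len(recs)} connections parsed, {skipped} lines skipped")
    for src, ports in probed_ports(found).items():
        print(f"scanner {src} probed ports {ports}")
```

Counting distinct (host, port) targets rather than raw connections is what keeps the repeated hits on port 80 from 198.51.100.20 out of the result; it is noise worth a look, but not a scan. The port list returned for a flagged source is the kind of detail the captured traffic gives an analyst when writing or tuning a detection signature.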
SAGA of the WAREZ Hacker
• Honeynet helped locate a compromised host
– Very difficult to detect otherwise!
• IIS exploit → Warez server + backdoor
Words of Wisdom
• Start small
• Good relationships help
• Focus on Internal attacks
• Don’t advertise
• Be prepared to spend time
Conclusion
• Helped locate compromised systems
• Can boost IDS research
– Data capture
• Distributed Honey nets ?
• Hunting down Honeypots
– http://www.send-safe.com/honeypot-hunter.php
Discussion
• The usefulness of the extra layer ?
• Dynamic HoneyNets
• Comparison with IDS: are these a replacement or complementary ?
IDS vs HoneyNet
(diagram: HoneyNet and IDS)
• IDS – primary function is detection and alerting
• Honeynets – use IDS to detect and alert
– but nothing is done to control the threat
– Primary intent is to log and capture effects and activities of the threat
Honeynets do not protect the network – they have protection as a benefit, not intent