KFSensor Vs Honeyd - PowerPoint PPT Presentation


PowerPoint Slideshow about 'KFSensor Vs Honeyd' - clodia


Presentation Transcript
slide1

Sunil Gurung

[60-475] Security and Privacy on the Internet

KFSensor Vs Honeyd

Honeypot System

slide2
Agenda
  • Introduction
  • Honeypot Technology
  • KFSensor
  • Honeyd
  • Features
  • Tests
  • Conclusion
slide3
Introduction
  • Good defence is good offence
  • Network security – firewall, IDS, antivirus
  • Traditional approach – defensive
  • Today – an offensive approach
  • Honeypot solutions
slide4
Honeypot Technology
  • “A honeypot is a security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner
  • We want attackers to probe and exploit the virtual system running emulated services.
  • The system has no production value and no legitimate traffic, so most connections are probes, attacks or compromises.
  • Complements the traditional security tools.
slide5

Fig: The basic setup of a honeypot system. In the figure, two KFSensor instances are configured as production honeypots.

Figure taken from “User Manual of KFSensor – Help”

slide6
Types of Attackers
  • Script Kiddies
  • Amateurs, don’t care about the host
  • Expose the inadequacy of the security policy
  • Blackhat
  • Focus on high-value systems, more experienced
  • More dangerous and operate silently
slide7
Types of Honeypot

Interaction: the level of activity the honeypot allows with the attacker

  • Low Interaction

Emulated services; easy to deploy and maintain; less risk.

Designed to capture only known attacks.

  • High Interaction

Real services are set up and the attacker interacts with a real OS.

More information; no assumptions are made; gives a fully open environment.

Risk: an attacker can use the compromised real honeypot to attack others.

Examples: Symantec Decoy Server, Honeynet

slide8
KFSensor
  • Commercial low interaction honeypot solution
  • Windows OS
  • Preconfigured services: SSH, HTTP, FTP, etc.
  • Easy configuration and flexible
  • Components of KFSensor
  • Scenarios, Sim Server – standard and banner
slide10
Honeyd
  • Low interaction, open source
  • Developed by Niels Provos at the University of Michigan
  • Features: service emulation and IP stack of OS
  • Product Detail
  • Software: honeyd
  • Version: honeyd 0.8
  • License: open source
  • Download site: http://honeyd.org
  • OS: Windows, Linux, Unix – Solaris
slide11
Installation
  • ARPD and library dependencies
  • Libevent-0.8a.tar.gz, libpcap0.8.3.tar.gz
  • Honeyd package

Installation process:

  # tar -zvxf libevent-0.8a.tar.gz

Compile libevent:

  # cd libevent-0.8a   (Note: pwd is /honeyd_packages/libevent-0.8a)
  # ./configure
  # make
  # make install

slide12
Major differences between the two products
  • IP address assignment
  • Listening port
  • OS emulation
  • Open source advantage
  • Financial value
slide14
How it works
  • Configuration File
  • Nmap.print & Xprobe2
  • Script for running the services
slide15
Explanation of the configuration file

  # Example of a simple host template and its binding
  annotate "AIX 4.0 - 4.2" fragment old
  create template
  set template personality "AIX 4.0 - 4.2"
  add template tcp port 80 open
  add template tcp port 22 open
  add template tcp port 23 open
  set template default tcp action reset
  bind 192.168.1.80 template

slide16
Nmap.print and Xprobe2

  # Contributed by Felix Lindner (flindner@gmx.de)
  Fingerprint AXENT Raptor Firewall running on Windows NT
  TSeq(Class=TR)
  T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
  T2(Resp=N)
  T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
  T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
  T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
  T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
  T7(Resp=N)
  PU(Resp=N)
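To show how honeyd reads a personality, here is an added example (not from the slides or the honeyd project) that parses the first-generation nmap fingerprint format above and summarises how the emulated stack answers each probe; SAMPLE_PRINTS is the slide's entry, and the probe descriptions in PROBES follow nmap's first-generation fingerprint documentation.

```python
# Added example (not from the slides or honeyd): parse the first-generation
# nmap fingerprint format shown above and summarise how an emulated stack
# answers each probe.  SAMPLE_PRINTS is the slide's entry; the probe
# descriptions follow nmap's first-generation fingerprint documentation.
SAMPLE_PRINTS = """
# Contributed by Felix Lindner (flindner@gmx.de)
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
"""

# What each nmap probe sends (T1-T4 target an open port, T5-T7 and PU a closed one).
PROBES = {"T1": "SYN", "T2": "NULL", "T3": "SYN+FIN+URG+PSH", "T4": "ACK",
          "T5": "SYN", "T6": "ACK", "T7": "FIN+PSH+URG", "PU": "UDP"}

def parse_prints(text):
    """Return {fingerprint name: {test: {field: value}}}."""
    prints, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):]
            prints[current] = {}
            continue
        test, _, body = line.partition("(")        # T1(Resp=Y%DF=Y%...) -> T1, Resp=Y%DF=Y%...
        fields = dict(kv.partition("=")[::2] for kv in body.rstrip(")").split("%"))
        prints[current][test] = fields             # empty values (Ops=) are kept as ""
    return prints

def probe_summary(fp, test):
    """Describe the emulated stack's reply to one probe; W is hexadecimal in this format."""
    t = fp[test]
    if t.get("Resp") != "Y":
        return f"{PROBES.get(test, test)} probe: no response"
    return "{} probe: flags={} window={} df={} ack={} options={!r}".format(
        PROBES.get(test, test), t["Flags"], int(t["W"], 16), t["DF"], t["ACK"], t["Ops"])
```

The personality string given with `set ... personality` in the configuration file has to match a `Fingerprint` name from this file for honeyd to emulate that stack.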

slide17
Test Environment
  • Inside the router

1) University network

2) Home network: putting the honeypot system inside the router [192.168.0.102]

Various tests performed:

slide18
Testing Honeyd

IP of the honeypot: 192.168.1.122

IP of the host running the honeypot: 192.168.1.121

1) Running ARPD

  # arpd 192.168.0.0/24

2) Running Honeyd

  # honeyd -d -f config.sample -p nmap.print -x xprobe2 -l "Log File" -I 2

slide21
Other possible test (Network Topology)

  route entry 10.0.0.1
  route 10.0.0.1 link 10.0.0.0/24
  route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
  route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
  route 10.1.0.1 link 10.1.0.0/24
  route 10.2.0.1 link 10.2.0.0/24

  create routerone
  set routerone personality "Cisco 7206 running IOS 11.1(24)"
  set routerone default tcp action reset
  add routerone tcp port 23 "scripts/router-telnet.pl"

  create netbsd
  set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
  set netbsd default tcp action reset
  add netbsd tcp port 22 proxy $ipsrc:22
  add netbsd tcp port 80 "sh scripts/web.sh"

  bind 10.0.0.1 routerone
  bind 10.1.0.2 netbsd
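To make the template/bind model of slides 15 and 21 concrete, here is an added example (not from the slides or the honeyd project) that parses the honeyd commands used in both configuration listings and reports what a given IP and port would present to a scanner; SAMPLE_CONFIG is constructed from the slide snippets, `route` lines are skipped, and only the command forms seen on the slides are handled.

```python
# Added example (not from the slides or honeyd): parse create/set/add/bind
# commands and answer "what would IP:port present?".  Sample config is constructed.
import re
import ipaddress

SAMPLE_CONFIG = """
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
set template default tcp action reset
bind 192.168.1.80 template
route entry 10.0.0.1
create routerone
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
add routerone tcp port 22 proxy $ipsrc:22
bind 10.0.0.1 routerone
bind 10.9.9.9 ghost
"""

def parse_honeyd(text):
    """Return (templates, binds, errors); only the command forms used on the slides are handled."""
    templates, binds, errors = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("route "):    # topology lines are not modelled here
            continue
        tok = re.findall(r'"[^"]*"|\S+', line)      # keep quoted script paths as one token
        cmd = tok[0]
        name = tok[2] if cmd == "bind" else tok[1]  # 'bind IP template' names the template last
        if cmd == "create":
            templates[name] = {"personality": None, "default": {}, "ports": {}}
        elif name not in templates:                  # honeyd rejects an undefined template at start-up
            errors.append(f"{line!r}: template {name!r} is not defined")
        elif cmd == "set" and tok[2] == "personality":
            templates[name]["personality"] = tok[3].strip('"')
        elif cmd == "set" and tok[2] == "default":   # set NAME default tcp action reset
            templates[name]["default"][tok[3]] = tok[5]
        elif cmd == "add":                            # add NAME tcp port N open|reset|"script"|proxy ...
            templates[name]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:]).strip('"')
        elif cmd == "bind":
            binds[str(ipaddress.ip_address(tok[1]))] = name
    return templates, binds, errors

def presented_action(templates, binds, ip, proto, port):
    """Port-specific action, else the template default; None if ip is unbound."""
    if ip not in binds:
        return None
    tpl = templates[binds[ip]]
    return tpl["ports"].get((proto, port), tpl["default"].get(proto, "unspecified"))
```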

slide22
Results – taken from the abstract

  $ traceroute -n 10.3.0.10
  traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
   1 10.0.0.1   0.456 ms   0.193 ms   0.93 ms
   2 10.2.0.1  46.799 ms  45.541 ms  51.401 ms
   3 10.3.0.1  68.293 ms  69.848 ms  69.878 ms
   4 10.3.0.10 79.876 ms  79.798 ms  79.926 ms

slide23
Conclusion
  • Both are low-interaction honeypots
  • Honeyd has better features, like IP address simulation and OS IP stack simulation
  • KFSensor has a better GUI and easier configuration

Neither can replace the existing security system; they work better alongside it.