The honeynet
Download
1 / 29

The Honeynet - PowerPoint PPT Presentation


  • 171 Views
  • Updated On :

The Honeynet. p r o j e c t p r o y e c t o. Presented by Kirby Kuehl. Background Mi historia Feel Free to Ask Questions Sensación libremente para hacer preguntas Email: kkuehl@cisco.com. Overview. Introduction to the Honeynet Project

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'The Honeynet' - hannibal


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
The honeynet l.jpg

The Honeynet

p r o j e c t

p r o y e c t o


Presented by kirby kuehl l.jpg
Presented by Kirby Kuehl

  • Background

    Mi historia

  • Feel Free to Ask Questions Sensación libremente para hacer preguntas

  • Email: kkuehl@cisco.com


Overview l.jpg
Overview

  • Introduction to the Honeynet Project

    Introducción al proyecto del Honeynet

  • Honeypots and Honeynets

  • Generation 1 Honeynet Design

    Diseño del honeynet de la generación una

  • Honeynet Research Alliance

  • Generation 2 Honeynet Design

    Diseño del honeynet de la generación dos

  • Conclusion

    Conclusión


Introduction l.jpg
Introduction

Security has traditionally focused on defensive actions such as firewalls, Intrusion Detection Systems, and encryption. The bad guys have had the initiative. Organizations could only sit and wait for a failure in their defenses. The Honeynet Project attempts to proactively gather information on hacker activity.

La seguridad de computadoras es generalmente defensiva.


The honeynet project sobre el proyecto del honeynet l.jpg
The Honeynet ProjectSobre el proyecto del honeynet

The group informally began in April 1999 as the Wargames mailing list. The Honeynet Project officially formed in June 2000 and became a non-profit corporation in September 2001. The Honeynet Project is made up of thirty security professionals who volunteer our own time and resources to research the hacker community.

Intitially treinta voluntarios de la seguridad de computadoras.


Honeynet project goals metas del proyecto de honeynet l.jpg
Honeynet Project GoalsMetas del proyecto de Honeynet

  • To learn the tools, tactics, and motives of the hacker community.

    Aprenda las herramientas, las táctica, y los motivos.

  • Raise security awareness through the release of information gathered from our research.

    Aumente la seguridad compartiendo la información con la comunidad.

  • Provide information to better secure and defend your resources.

  • Share intelligence gathering methods.


Know your enemy whitepapers documentos l.jpg
“Know Your Enemy” WhitepapersDocumentos

The Honeynet Project has released several “Know Your Enemy” security whitepapers which share technical, statistical, and forensic information gathered from our research.

http://project.honeynet.org/papers/


Scan of the month exploraci n del mes l.jpg
Scan of the MonthExploración del mes

This monthly project challenges the security community to analyze and identify hacker attack signatures. The scan of the month challenge will resume in the spring of 2002.

http://project.honeynet.org/scans/


Forensic challenge competencia de forensics de computadoras l.jpg
Forensic ChallengeCompetencia de forensics de computadoras.

Challenged the security community to conduct a COMPLETE forensic analysis of an actual compromised system. Published our own detailed analysis as well as each of the contestants. The Honeynet Project will be conducting another forensic challenge in the near future.

http://project.honeynet.org/challenge/


Know your enemy book libro l.jpg
“Know Your Enemy” Book Libro

http://project.honeynet.org/book/


What is a honeypot qu es un honeypot l.jpg
What is a honeypot?Qué es un honeypot?

A Honeypot is an application designed to lure in a hacker, allow the hacker to attack and compromise the system, and learn the hacker’s motive without harm to any real systems or real data.


How do honeypots work c mo el honeypot funciona l.jpg
How do honeypots work?Cómo el honeypot funciona

Commercialproducts such as ManTrap from Recourse Technologies and Specter are applications that run on a single host and emulate multiple operating systems running various vulnerable services. Attackers are contained in a controlled environment within the honeypot software and their actions are logged.


Commercial honeypots honeypots de venta l.jpg
Commercial HoneypotsHoneypots de venta

  • Mantrap from Recourse Technologies (requires Solaris) -Ability to emulate up to 4 hosts (each running Solaris) running various services. You can run virtually any application in a chrooted cage.

  • Specter (requires Windows NT) -Can emulate 11 operating systems. Limited to emulating 13 different vulnerable services.

  • Netfacade (requires Solairs)- Can simulate up to a class C. Able to simulate 8 different Oses and 13 different services.

  • Deception Toolkit - Set of PERL scripts that can emulate various vulnerable services.


What is a honeynet qu es el honeynet l.jpg
What is a Honeynet?Qué es el Honeynet?

A Honeynet is an actual network of computers left in their default (and insecure) configuration. This network sits behind a firewall where all inbound and outbound data is contained, captured and controlled. This captured information is then analyzed to learn the tools, tactics, and motives of the hacker community.


Worth the risk and effort aceptable el riesgo y el esfuerzo l.jpg
Worth the Risk and Effort?Aceptable el riesgo y el esfuerzo

  • Honeynets introduce additional risk to an environment by attracting attention to their seemingly insecure configuration.

  • Require constant maintenance and administration.

  • Data Analysis is very time consuming. A single compromise on average requires 30-40 hours of analysis.


How the honeynet works c mo el honeynet funciona l.jpg
How the Honeynet worksCómo el honeynet funciona

  • A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.

  • All traffic entering or leaving the Honeynet is suspect by nature.


Data control firewall control de datos l.jpg
Data Control: FirewallControl de datos

The Checkpoint FW-1 Firewall is our primary tool for controlling inbound and outbound connections. Our firewall is designed to allow any inbound connection and limit the number of outbound connections to five.

FW-1

Script

FW-1

Alert


Data control router control de datos l.jpg
Data Control: RouterControl de datos

The Cisco router supplements the firewall and is used to protect against spoofed or ICMP based attacks. The router allows only packets with the source IP address of the Honeynet to leave the router (ingress filtering).


Data capture ids capturar de datos l.jpg
Data Capture: IDSCapturar de datos

The firewall logs all connections initiated to and from the Honeynet.

The Snort IDS logs ALL data in tcpdump format utilizing UTC timestamps. Snort is also configured to send an alert when certain attack signatures are seen.


Data capture syslog capturar de datos l.jpg
Data Capture: SyslogCapturar de datos

The central syslog server is a hardened host within the honeynet. It’s role is to attract more sophisticated attacks once a blackhat has compromised one of the default configuration honeynet systems.


The threat is increasing la amenaza est aumentando l.jpg
The Threat is IncreasingLa amenaza está aumentando

The hacker community is extremely aggressive.

  • 17+ unique scans a day.

  • Fastest honeypot compromise was 15 minutes.

  • Default RedHat 6.2 life expectancy is 72 hours.

  • 100% - 900% increase of activity in past year.

    http://project.honeynet.org/papers/stats/


Hacker goals and motives metas y motivos del hacker l.jpg
Hacker Goals and MotivesMetas y motivos del hacker

The motives of hackers vary as much as their tools. However, they often share the same goal, to compromise as many systems as possible.

  • Elevate gang status.

  • Launch Denial of Service.

  • Web Server Defacement.

  • Hopping point for IRC or other attacks.


A more realistic honeynet m s realista honeynet l.jpg
A more realistic honeynetMás realista honeynet

A variety of measures can be taken to make the Generation Honeynets more realistic:

  • Place production systems in the Honeynet.

  • Subscribe user accounts to mailing lists.

  • Add cron jobs to generate system activity.

  • Place offline systems (previous production hosts) on the Honeynet.

    * Not necessary for automated attacks such as auto-rooters and worms.


Beyond the generation 1 honeynet l.jpg
Beyond the Generation 1 Honeynet

Bulk scanners are often written by less sophisticated hackers and are used to aggressively probe the Internet searching for a specific vulnerability. The Generation 1 Honeynet did not host any production machines and unfortunately only saw this type of randomly targeted traffic.


Honeynet research alliance l.jpg
Honeynet Research Alliance

  • Honeynet Research

    Forum for organizations that are developing Honeynets to share ideas and experiences. This will also help ensure everyone is using the same definitions and requirements.

  • Distributed Honeynets

    One of the long term goals of the Project is distributed Honeynets. This alliance has the potential for creating the infrastructure for distributed Honeynets.


Definitions standards and requirements definiciones est ndares y requisitos l.jpg
Definitions, Standards, and RequirementsDefiniciones, estándares, y requisitos

  • Allows various organizations to independently research, develop, and deploy their own Honeynets using the same guidelines.

  • Promotes sharing of ideas, experiences and findings utilizing a closed mailing list.

http://project.honeynet.org/alliance/requirements.html


Generation 2 design dise o de la generaci n dos l.jpg

Hogwash runs on top of Snort and acts like an inline Layer 2 firewall (No IP Stack). Hogwash drops or modifies specific packets based on signature matches.

In Generation 2 Honeynets, Hogwash will combine the Data Capture functionality of the Snort IDS and Data Control functionality of the Checkpoint FW-1 used in Generation 1 onto one machine.

Generation 2 DesignDiseño de la generación dos


Generation 2 data collection capturar de datos l.jpg
Generation 2 Data CollectionCapturar de datos

  • Transmitting the captured data from sensors to the collector in a secure fashion, ensuring the confidentiality, integrity, and authenticity of the data.

  • Organizations have the option of anonymizing the data.

  • Distributed Honeynets are expected to standardize on NTP.

  • The central collection point will have an active MySQL database for Alert collection and archiving which can then be queried.


The honeynet project l.jpg
The Honeynet Project

Website: http://project.honeynet.org

Email: project@honeynet.org