The Honeynet Project
Presented by Kirby Kuehl

Background
Feel free to ask questions.
Email: firstname.lastname@example.org

Overview
Introduction to the Honeynet Project
Generation 1 Honeynet design
Generation 2 Honeynet design
Security has traditionally focused on defensive actions such as firewalls, Intrusion Detection Systems, and encryption. The bad guys have had the initiative. Organizations could only sit and wait for a failure in their defenses. The Honeynet Project attempts to proactively gather information on hacker activity.
Computer security is generally defensive.
The group informally began in April 1999 as the Wargames mailing list. The Honeynet Project officially formed in June 2000 and became a non-profit corporation in September 2001. The Honeynet Project is made up of thirty security professionals who volunteer our own time and resources to research the hacker community.
Initially thirty computer security volunteers.
Learn the tools, tactics, and motives.
Improve security by sharing the information with the community.
The Honeynet Project has released several “Know Your Enemy” security whitepapers which share technical, statistical, and forensic information gathered from our research.
The Scan of the Month is a monthly challenge in which the security community is asked to analyze a captured scan or attack and identify the attack signatures in it. The Scan of the Month challenge will resume in the spring of 2002.
The Forensic Challenge asked the security community to conduct a COMPLETE forensic analysis of an actual compromised system. We published our own detailed analysis as well as those of each contestant. The Honeynet Project will be conducting another forensic challenge in the near future.
A honeypot is an application designed to lure in an attacker, let the attacker attack and compromise it, and reveal the attacker's motives, without harm to any real systems or real data.
Commercial products such as ManTrap from Recourse Technologies and Specter run on a single host and emulate multiple operating systems with various vulnerable services. Attackers are contained in a controlled environment inside the honeypot software and their actions are logged. Because the services are emulated, the attacker can only go as far as the emulation allows, which limits how much of the attacker's tools and behaviour can be observed.
A Honeynet is an actual network of computers left in their default (and insecure) configuration. This network sits behind a firewall where all inbound and outbound data is contained, captured and controlled. This captured information is then analyzed to learn the tools, tactics, and motives of the hacker community.
The Checkpoint FW-1 firewall is our primary tool for controlling inbound and outbound connections (Data Control). The firewall allows any inbound connection and limits the number of outbound connections to five: enough for an attacker to retrieve tools, but not enough to use the compromised honeypot to scan or attack other sites.
The Cisco router supplements the firewall and protects against spoofed or ICMP based attacks launched from a compromised honeypot. The router allows only packets whose source IP address belongs to the Honeynet to leave (anti-spoofing egress filtering, applied to the Honeynet's outbound traffic).
The firewall logs all connections initiated to and from the Honeynet.
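As an added example (this is not the Project's FW-1 policy or any code from the talk), the Gen I data-control decision is reproduced below as a small policy simulator replayed over constructed firewall log lines. The log line format, the honeynet range 192.0.2.0/24 and counting outbound connections per honeypot per UTC day are assumptions; the limit of five outbound connections is the one described above.

```python
"""Generation 1 data control as a policy simulator (added example, not FW-1 policy).

Assumptions: the log line format, the honeynet range (192.0.2.0/24, a documentation
prefix) and counting outbound connections per honeypot per UTC day are illustrative
choices; the limit of five is the one the talk describes.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("192.0.2.0/24")   # assumed honeynet address range
OUTBOUND_LIMIT = 5                      # outbound connections allowed per honeypot per day

# Constructed firewall connection log: "<UTC time> <src>:<port> -> <dst>:<port> <proto>".
# An attacker (198.51.100.7) breaks in over FTP, pulls tools back over HTTP and IRC,
# then starts scanning SSH across 203.0.113.0/24 from the honeypot.
SAMPLE_LOG = """\
2001-11-03T02:14:07Z 198.51.100.7:4123 -> 192.0.2.10:21 tcp
2001-11-03T02:14:09Z 198.51.100.7:4124 -> 192.0.2.10:21 tcp
2001-11-03T02:20:31Z 192.0.2.10:1025 -> 198.51.100.7:80 tcp
2001-11-03T02:20:45Z 192.0.2.10:1026 -> 198.51.100.7:80 tcp
2001-11-03T02:31:02Z 192.0.2.10:1027 -> 203.0.113.5:6667 tcp
2001-11-03T03:05:11Z 192.0.2.10:1028 -> 203.0.113.9:22 tcp
2001-11-03T03:05:12Z 192.0.2.10:1029 -> 203.0.113.10:22 tcp
2001-11-03T03:05:12Z 192.0.2.10:1030 -> 203.0.113.11:22 tcp
2001-11-03T03:05:13Z 192.0.2.10:1031 -> 203.0.113.12:22 tcp
2001-11-04T00:10:00Z 192.0.2.10:1032 -> 198.51.100.7:80 tcp
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    stamp, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip_address(src_ip), int(src_port), ip_address(dst_ip), int(dst_port), proto


def direction_of(src, dst):
    """Inbound = from outside to a honeypot; outbound = from a honeypot to outside."""
    if src in HONEYNET and dst not in HONEYNET:
        return "outbound"
    if dst in HONEYNET and src not in HONEYNET:
        return "inbound"
    return "other"


def apply_policy(log_text, limit=OUTBOUND_LIMIT):
    """Replay a connection log through the Gen I rules and return one verdict per line."""
    outbound_seen = defaultdict(int)          # (honeypot, UTC day) -> connections so far
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, _sport, dst, dport, proto = parse_line(line)
        direction = direction_of(src, dst)
        if direction == "inbound":
            verdict = "ACCEPT"                # anything may come in: that is the bait
        elif direction == "outbound":
            key = (str(src), when.strftime("%Y-%m-%d"))
            outbound_seen[key] += 1
            # the first <limit> connections let the attacker fetch tools; beyond that the
            # honeypot is most likely being used to scan or attack someone else
            verdict = "ACCEPT" if outbound_seen[key] <= limit else "DROP"
        else:
            verdict = "DROP"                  # neither side is a honeypot: not our traffic
        verdicts.append({"when": when, "direction": direction, "src": str(src),
                         "dst": str(dst), "dport": dport, "proto": proto, "verdict": verdict})
    return verdicts


def outbound_summary(verdicts):
    """Per honeypot and UTC day: (accepted, dropped) outbound connections."""
    summary = defaultdict(lambda: [0, 0])
    for v in verdicts:
        if v["direction"] == "outbound":
            key = (v["src"], v["when"].strftime("%Y-%m-%d"))
            summary[key][0 if v["verdict"] == "ACCEPT" else 1] += 1
    return {k: tuple(c) for k, c in summary.items()}


if __name__ == "__main__":
    results = apply_policy(SAMPLE_LOG)
    for v in results:
        print(f'{v["when"]:%Y-%m-%d %H:%M:%S}Z {v["direction"]:8} '
              f'{v["src"]} -> {v["dst"]}:{v["dport"]} {v["verdict"]}')
    print(outbound_summary(results))
```

Replaying the constructed log, the two inbound FTP connections and the first five outbound connections (the tool downloads and the IRC session) are accepted, the SSH scan is cut off after the limit, and the counter resets on the next UTC day. The day boundary is exactly why the capture tools keep UTC timestamps: a counter keyed on local time would reset at a different moment on each box.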
The Snort IDS logs ALL traffic in tcpdump (pcap) format using UTC timestamps, so that the firewall, router, Snort and syslog records can be correlated regardless of where each sensor sits. Snort is also configured to send an alert when certain attack signatures are seen.
The central syslog server is a hardened host within the Honeynet that receives the honeypots' remote syslog output, so an attacker who wipes the logs on a compromised honeypot does not erase the record. Its second role is to attract more sophisticated attacks once a blackhat has compromised one of the default-configuration honeypots and notices where the logs are going.
The hacker community is extremely aggressive.
The motives of hackers vary as much as their tools. However, they often share the same goal: to compromise as many systems as possible.
A variety of measures can be taken to make Generation 1 Honeynets more realistic.*
* Not necessary for automated attacks such as auto-rooters and worms.
Bulk scanners are often written by less sophisticated hackers and are used to aggressively probe the Internet for a specific vulnerability. The Generation 1 Honeynet hosted no production machines and unfortunately saw only this type of randomly targeted traffic.
The Honeynet Research Alliance is a forum for organizations that are developing Honeynets to share ideas and experiences. It will also help ensure that everyone is using the same definitions and requirements.
One of the long-term goals of the Project is distributed Honeynets. The Alliance has the potential to create the infrastructure for distributed Honeynets.
Generation 2 Design
Hogwash runs on top of Snort and acts as an inline Layer 2 firewall: it bridges traffic with no IP stack of its own, so it has no address for an attacker to detect or target. Hogwash drops or modifies specific packets based on signature matches.
In Generation 2 Honeynets, Hogwash will combine the Data Capture function of the Snort IDS and the Data Control function of the Checkpoint FW-1 used in Generation 1 on one machine.
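As an added example of the inline drop-or-modify approach described above (this is not Hogwash or Snort code), the block below builds a raw IPv4/TCP packet and runs it through a signature filter that either passes it, drops it, or rewrites the payload. The signature table, the addresses and the sample payloads are constructed for illustration. The point a practitioner needs to see is the rewrite path: the replacement must keep the segment length unchanged so TCP sequence numbers stay consistent, and the TCP checksum must be recomputed or the receiving stack will silently discard the modified segment.

```python
"""Inline, signature-driven packet control in the style the talk describes for Hogwash
(added example; not Hogwash's or Snort's code). Builds a raw IPv4/TCP packet, then
passes, drops, or rewrites it. Signatures, addresses and sample payloads are constructed."""
import struct

# Constructed signature table. A "modify" action carries a same-length replacement so
# that TCP sequence numbers remain consistent without rewriting the rest of the stream.
SIGNATURES = [
    (b"\x90" * 16, "drop", None),          # long NOP sled: drop the packet outright
    (b"/bin/sh", "modify", b"/ben/sh"),    # break the shell command without ending the session
]

SRC = bytes([192, 0, 2, 10])       # honeypot (assumed address)
DST = bytes([198, 51, 100, 7])     # host outside the honeynet (assumed address)


def checksum(data):
    """RFC 1071 one's-complement checksum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_packet(src, dst, sport, dport, payload):
    """Minimal IPv4 + TCP (PSH/ACK) packet with valid checksums; constructed test input."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 1, 5 << 4, 0x18, 8192, 0, 0))
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp) + payload))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                               1, 0, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp) + payload


def tcp_checksum_ok(pkt):
    """True if the TCP checksum verifies (a receiving stack would accept the segment)."""
    ihl = (pkt[0] & 0x0F) * 4
    segment = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    return tcp_checksum(pkt[12:16], pkt[16:20], segment) == 0


def inline_filter(pkt, signatures=SIGNATURES):
    """Return (action, packet): 'pass' or 'modify' with the frame to forward, or 'drop'."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                                   # only TCP is inspected here (assumption)
        return "pass", pkt
    hdr_end = ihl + (pkt[ihl + 12] >> 4) * 4
    payload = pkt[hdr_end:]
    for pattern, action, _ in signatures:             # drops take precedence over rewrites
        if action == "drop" and pattern in payload:
            return "drop", None
    rewritten = payload
    for pattern, action, replacement in signatures:
        if action == "modify" and pattern in rewritten:
            if len(replacement) != len(pattern):
                raise ValueError("replacement must keep the segment length unchanged")
            rewritten = rewritten.replace(pattern, replacement)
    if rewritten == payload:
        return "pass", pkt
    tcp = bytearray(pkt[ihl:hdr_end])
    tcp[16:18] = b"\x00\x00"                          # payload changed: recompute TCP checksum
    tcp[16:18] = struct.pack("!H", tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp) + rewritten))
    return "modify", pkt[:ihl] + bytes(tcp) + rewritten   # IP header and its checksum are unchanged


def demo():
    """Three constructed cases: exploit string rewritten, NOP sled dropped, clean request passed."""
    cases = {
        "exploit": build_packet(SRC, DST, 1025, 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"),
        "sled": build_packet(SRC, DST, 1026, 80, b"\x90" * 32 + b"\xcc"),
        "clean": build_packet(SRC, DST, 1027, 80, b"GET / HTTP/1.0\r\n"),
    }
    return {name: inline_filter(pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Rewriting rather than dropping keeps the attacker's session alive, so the attacker sees a failed command rather than a dead connection and keeps working, which is what a honeynet wants. A replacement of a different length would force the filter to track and adjust sequence and acknowledgement numbers for the remainder of the connection in both directions, which is why the example refuses it.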