1 / 24

Honeynet Introduction

The Honeynet Project is a volunteer organization of security professionals researching cyber threats. The objective is to learn the tools, tactics, and motives of the blackhat community, and share the lessons learned. Honeypots, such as low and high interaction honeypots, are used to capture valuable information on threats.

walkerv
Download Presentation

Honeynet Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Honeynet Introduction Tang Chin Hooi APAN Secretariat

  2. Objective of Honeynet To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.

  3. The Honeynet Projects • Volunteer organization of security professionals researching cyber threats. • Deploy networks around the world to be hacked. • Have captured information primarily on threats that focus on targets of opportunity.

  4. Research Alliance Active Member Organizations: • Florida HoneyNet Project • Paladion Networks Honeynet Project - India • Internet Systematics Lab Honeynet Project - Greece • Mexico Honeynet Project • NetForensics Honeynet • Azusa Pacific University Honeynet • Brazilian Honeynet Project • Irish Honeynet Project • Honeynet Project at the University of Texas at Austin • Norwegian Honeynet Project • UK Honeynet Project • West Point Honeynet Project • Pakistan Honeynet Project • Italian Honeynet Project • French Honeynet Project • Ga Tech Honeynet Project

  5. Goals • Awareness: To raise awareness of the threats that exist. • Information: For those already aware, to teach and inform about the threats. • Research: To give organizations the capabilities to learn more on their own.

  6. Honeypots • A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. • Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise.

  7. Advantages • Collect small data sets of high value. • Reduce false positives • Catch new attacks, false negatives • Work in encrypted or IPv6 environments • Simple concept requiring minimal resources.

  8. Disadvantages • Limited field of view (microscope) • Risk (mainly high-interaction honeypots)

  9. Examples of Honeypots • Low Interaction honeypots: • Honeyd • KFSensor • Specter • High Interaction honeypots: • Symantec Decoy Server (ManTrap) • Honeynets

  10. Honeynet • An architecture, not a product • Type of honeypot • High-interaction honeypot designed to capture extensive information on threats • Provides real systems, applications, and services for attackers to interact with…

  11. Architecture Requirements • Data Control • Data Capture

  12. Data Control • Containment of activity. Very important. • Minimize the risk. • What we allow attacker to do? 1) The more we allow, the more we learn, the risk would rise. 2) Control without noticed.

  13. Data Control - Methods • Limit outbound connections - Linux’s iptables, FreeBSD’s ipfw • NIPS (drop/modify packets) - snort-inline • Bandwidth restrictions - FreeBSD’s Dummynet, Linux’s Advanced Routing and Traffic Control (tc), Cisco’s Committed Access Rate, Juniper’s Traffic Policing

  14. Data Capture • Monitoring and logging of balckhat’s activities within honeynet • Multiple layer/mechanisms 1) Few modification to honeypot 2) Log and store on separate, secured machine

  15. Data Capture - Methods • Multiple layers 1) Firewall logs – var/log/messages, etc 2) Network traffic – snort, addition to snort-inline 3) System Activity – Sebek2 (key loggers, file,log SSH,SSL,IPsec communication..) 4) New tools…

  16. Example: GEN I Honeynet

  17. Example: GEN II Honeynet

  18. Virtual Honeynet • Running multiple OS on a single computer • Virtualization software (UML, VMware) • Type: 1) Self Contained Virtual Honeynet 2) Hybrid Virtual Honeynet

  19. Self Contained Virtual Honeynet

  20. Hybrid Virtual Honeynet

  21. Risks • Harm • Risk of detection • Risk of disabling Honeynet functionality • Violation Solutions: 1) Human Monitoring 2) customization

  22. Legal Issues • Consult with local council before deploying it

  23. References • http://www.honeynet.org/ • http://www.tracking-hackers.com/papers/honeypots.html • http://www.citi.umich.edu/u/provos/honeyd/

  24. THE ENDThank You 

More Related