UTD CS 4398 - LECTURE NOTES


Honeypots and Honeynets

Source: The HoneyNet Project, http://www.honeynet.org/; Book: Know Your Enemy (2nd ed)
Presented by: Mohammad Mehedy Masud

Outline
Honeypots and Honeynets; What are Honeypots; Why HoneyPots; Advantages and Disadvantages; Slide 5; Types of Honeypots; Slide 7; Examples of Honeypots; Uses of Honeypots; Slide 10; Slide 11; Slide 12; Honeynets; Honeynet Architecture; How It Works; Data Control; No Data Control; Slide 18; Data Control: Issues; Data Capture; Risks; Types of honeynets; Gen-II Honeynet Architecture; Virtual Honeynet; Hybrid Virtual Honeynet; Honeywall CDROM; Roo Honeywall CDROM; Installation; Further Information

What are Honeypots
• Honeypots are real or emulated vulnerable systems ready to be attacked.
• Definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”
  ◦ The primary value of honeypots is to collect information.
  ◦ This information is used to better identify, understand and protect against threats.
  ◦ Honeypots add little direct value to protecting your network.

Why HoneyPots
• A great deal of the security profession and the IT world depend on honeypots.
• Honeypots are used to
  ◦ Build anti-virus signatures
  ◦ Build SPAM signatures and filters
  ◦ Identify compromised systems
  ◦ Assist law enforcement in tracking criminals
  ◦ Hunt and shut down botnets
  ◦ Collect and analyze malware

Advantages and Disadvantages
Advantages
  ◦ Collect only small data sets (only when interacted with), which are valuable and easier to analyze.
  ◦ Reduce false positives – any activity with the honeypot is unauthorized by definition.
  ◦ Reduce false negatives – honeypots are designed to identify and capture new attacks.
  ◦ Capture encrypted activity – honeypots act as endpoints, where the activity is decrypted.
  ◦ Work with IPv6.
  ◦ Highly flexible – extremely adaptable and usable in a variety of environments.
  ◦ Require minimal resources.
Disadvantages
  ◦ Honeypots have a limited field of view – they see only what interacts with them and can’t be used to detect attacks on other systems.
  ◦ However, there are some techniques to redirect attackers’ activities to honeypots.
  ◦ Risk – an attacker may take over the honeypot and use it to attack other systems.

Types of Honeypots
• Server: put the honeypot on the Internet and let the bad guys come to you.
• Client: the honeypot initiates and interacts with servers.
• Other: proxies.

Types of Honeypots (cont.)
• Low-interaction
  ◦ Emulates services, applications, and OSs
  ◦ Low risk and easy to deploy/maintain
  ◦ But captures limited information – attackers’ activities are contained to what the emulated systems allow
• High-interaction
  ◦ Real services, applications, and OSs
  ◦ Captures extensive information, but high risk and time-intensive to maintain
  ◦ Can capture new, unknown, or unexpected behavior

Examples of Honeypots (from low interaction to high interaction)
• BackOfficer Friendly
• KFSensor
• Honeyd
• Honeynets

Uses of Honeypots: Preventing attacks
• Automated attacks (e.g. worms): attackers randomly scan the entire network and find vulnerable systems.
  ◦ “Sticky honeypots” monitor unused IP space and slow down the attacker when probed.
  ◦ They use a variety of TCP tricks, such as a 0 window size.
• Human attacks
  ◦ Use deception/deterrence.
  ◦ Confuse the attackers, making them waste their time and resources.
  ◦ If the attacker knows your network has a honeypot, he may not attack the network.

Uses of Honeypots: Detecting attacks
• Traditional IDSs generate too many logs, with a large percentage of false positives and false negatives.
• Honeypots generate little data and reduce both false positives and false negatives.
• Traditional IDSs fail to detect new kinds of attacks; honeypots can detect new attacks.
• Traditional IDSs may be ineffective in IPv6 or encrypted environments.

Uses of Honeypots: Responding to attacks
• Responding to a failure/attack requires in-depth information about the attacker.
• If a production system is hacked (e.g. a mail server), it can’t be brought offline for analysis.
• Besides, there may be too much data to analyze, which is difficult and time-consuming.
• Honeypots can easily be brought offline for analysis.
• Besides, the only information captured by the honeypot is related to the attack, so it is easy to analyze.

Uses of Honeypots: Research purposes
• How can you defend yourself against an enemy when you don’t know who your enemy is?
• Research honeypots collect information on threats.
• Then researchers can
  ◦ Analyze trends
  ◦ Identify new tools or methods
  ◦ Identify attackers and their communities
  ◦ Ensure early warning and prediction
  ◦ Understand attackers’ motivations

Honeynets
• A high-interaction honeypot designed to capture in-depth information.
• Information has different value to different organizations.
• It’s an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.

Honeynet Architecture
(diagram slide)

How It Works
• A highly controlled network, where every packet entering or leaving is monitored, captured, and analyzed.
• Should satisfy two critical requirements:
  ◦ Data Control: defines how activity is contained within the honeynet, without the attacker knowing it.
  ◦ Data Capture: logging all of the attacker’s activity without the attacker knowing it.
• Data control has priority over data capture.

Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Tradeoff
  ◦ Need to give the attacker freedom in order to learn about him.
  ◦ More freedom – greater risk that the system will be compromised.
• Some controlling mechanisms
  ◦ Restrict outbound connections (e.g. limit to 1)
  ◦ IDS (Snort-Inline)
  ◦ Bandwidth throttling

No Data Control
(diagram: Internet <-> Honeypots, “No Restrictions” in both directions)

Data Control
(diagram: Internet <-> Honeywall <-> Honeypots; inbound “No Restrictions”, outbound “Connections Limited, Packets Scrubbed”)

Data Control: Issues
• Must have both automated and manual control.
• System failure should leave the system in a closed state (fail-close).
• The admin should be able to maintain the state of all inbound and outbound connections.
• Must be configurable by the admin at any time.
• Activity must be controlled so that attackers
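The following is an added example, not part of the lecture slides: a small model of the honeywall’s Data Control rules described above, in which inbound traffic is unrestricted, each honeypot’s outbound connections are capped (the slides suggest a limit of 1), connection state is kept for the admin, and anything the rule cannot classify is dropped (fail-close). The event format, the honeypot addresses and the sample events are constructed for the demonstration.

```python
from dataclasses import dataclass, field

HONEYNET = {"10.0.0.10", "10.0.0.11"}  # constructed honeypot addresses

@dataclass
class DataControl:
    """Honeywall data-control policy for new-connection events (a model)."""
    outbound_limit: int = 1                          # slides: "limit to 1"
    outbound: dict = field(default_factory=dict)     # honeypot -> {(dst, dport)}
    inbound: dict = field(default_factory=dict)      # honeypot -> {(src, dport)}
    log: list = field(default_factory=list)          # (verdict, reason, event)

    def decide(self, event: dict) -> str:
        """Return 'ALLOW' or 'DROP'; anything unparseable is dropped (fail-close)."""
        try:
            src, dst, dport = event["src"], event["dst"], int(event["dport"])
        except (KeyError, TypeError, ValueError):
            self.log.append(("DROP", "malformed", event))
            return "DROP"
        if dst in HONEYNET and src not in HONEYNET:
            # Inbound: no restriction, but keep state so the admin can see it.
            self.inbound.setdefault(dst, set()).add((src, dport))
            return "ALLOW"
        if src in HONEYNET and dst not in HONEYNET:
            # Outbound: the honeypot may be compromised, so cap distinct flows.
            seen = self.outbound.setdefault(src, set())
            if (dst, dport) in seen or len(seen) < self.outbound_limit:
                seen.add((dst, dport))
                return "ALLOW"
            self.log.append(("DROP", "outbound limit", event))
            return "DROP"
        # Simplification: traffic that is neither clearly inbound nor clearly
        # outbound is not allowed through at all.
        self.log.append(("DROP", "unclassified", event))
        return "DROP"

def run(events, limit=1):
    """Apply the policy to a sequence of events; return the engine and verdicts."""
    dc = DataControl(outbound_limit=limit)
    return dc, [dc.decide(e) for e in events]

# Constructed sample: an attacker connects in, then the honeypot attempts
# several outbound connections; only one distinct outbound flow may pass.
SAMPLE = [
    {"src": "203.0.113.5", "dst": "10.0.0.10", "dport": 22},      # inbound
    {"src": "10.0.0.10", "dst": "198.51.100.7", "dport": 6667},   # 1st outbound
    {"src": "10.0.0.10", "dst": "198.51.100.8", "dport": 80},     # over the limit
    {"src": "10.0.0.10", "dst": "198.51.100.7", "dport": 6667},   # same flow again
    {"src": "10.0.0.10", "dst": "198.51.100.9"},                  # malformed
]
```

Running `run(SAMPLE)` yields the verdicts ALLOW, ALLOW, DROP, ALLOW, DROP, and `dc.log` records why each drop happened, which is the manual-review trail the “Data Control: Issues” slide asks for.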