Honeypots and HoneynetsWhy HoneyPotsWhat are HoneypotsTypes of HoneyPotSlide 5Examples Of HoneypotsHoneynetsHow It WorksHoneynet ArchitectureData ControlNo Data ControlSlide 12Data CaptureSebekSebek ArchitectureHoneywall CDROMRoo Honeywall CDROMInstallationFurther InformationHoneypots and HoneynetsHoneypots and HoneynetsSource: The HoneyNet Project http://www.honeynet.org/ Mehedi MasudSeptember 19, 2007Lecture #12Why HoneyPotsWhy HoneyPots A great deal of the security profession and the IT world depend on honeypots. Honeypots◦Build anti-virus signatures.◦Build SPAM signatures and filters.◦ISP’s identify compromised systems.◦Assist law-enforcement to track criminals.◦Hunt and shutdown botnets.◦Malware collection and analysis.What are HoneypotsWhat are HoneypotsHoneypots are real or emulated vulnerable systems ready to be attacked.Primary value of honeypots is to collect information.This information is used to better identify, understand and protect against threats.Honeypots add little direct value to protecting your network.Types of HoneyPotTypes of HoneyPotServer: Put the honeypot on the Internet and let the bad guys come to you. Client: Honeypot initiates and interacts with serversOther: ProxiesTypes of HoneyPotTypes of HoneyPotLow-interaction◦Emulates services, applications, and OS’s.◦Low risk and easy to deploy/maintain, but capture limited information.High-interaction◦Real services, applications, and OS’s◦Capture extensive information, but high risk and time intensive to maintain.Examples Of HoneypotsExamples Of HoneypotsBackOfficer FriendlyKFSensorHoneydHoneynetsLow InteractionHigh InteractionHoneynetsHoneynetsHigh-interaction honeypot designed to capture in-depth information.Information has different value to different organizations.Its an architecture you populate with live systems, not a product or software. Any traffic entering or leaving is suspect.How It WorksHow It Works A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.◦Data Control◦Data Capture◦Data AnalysisHoneynet ArchitectureHoneynet ArchitectureData ControlData Control•Mitigate risk of honeynet being used to harm non-honeynet systems.•Count outbound connections.•IPS (Snort-Inline)•Bandwidth ThrottlingNo Data ControlNo Data ControlInternetNo RestrictionsNo RestrictionsHoneypotHoneypotData ControlData ControlInternetHoneywallHoneypotHoneypotNo RestrictionsConnections Limited Packet ScrubbedData CaptureData CaptureCapture all activity at a variety of levels.Network activity.Application activity.System activity.SebekSebekHidden kernel module that captures all host activityDumps activity to the network.Attacker cannot sniff any traffic based on magic number and dst port.Sebek ArchitectureSebek ArchitectureHoneywall CDROMHoneywall CDROMAttempt to combine all requirements of a Honeywall onto a single, bootable CDROM.May, 2003 - Released EeyoreMay, 2005 - Released RooRoo Honeywall CDROMRoo Honeywall CDROMBased on Fedora Core 3Vastly improved hardware and international support.Automated, headless installationNew Walleye interface for web based administration and data analysis.Automated system updating.InstallationInstallationJust insert CDROM and boot, it installs to local hard drive.After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.Following installation, you get a command prompt and system is ready to configure.Further InformationFurther Informationhttp://www.honeynet.org/http://www.ho
View Full Document