1 / 30

CSCE 815 Network Security Lecture 24

Learn about network administrator tools like ipconfig, ifconfig, netstat, and more. Explore the concept of Chroot Jails and deploying Gen.I and Gen.II Honeynets for network security.

ckrawczyk
Télécharger la présentation

CSCE 815 Network Security Lecture 24

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSCE 815 Network Security Lecture 24 Your Jail and HoneyNets April 17, 2003

  2. Network Administrator Tools • Network Administration tools • (MSDOS/Windows) ipconfig • ifconfig • netstat • /etc/… not really tools as much as files • /sbin/… • Find ethernet/IP addresses • More tools • http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid=23

  3. Chroot Jails • References: • http://librenix.com/ general purpose security/Linux site • http://www.gsyc.inf.uc3m.es/~assman/jail/index.html • chroot environment:

  4. Chroot Implementation

  5. The Hacker Community • The Black Hat Community • Facts • 20 Unique Scans a day • Fastest Compromise – 15 minutes • Default RH 6.2 life expectancy is 72 Hrs • 100-200% increase in activity from 2000 to 2001 Source:http://project.honeynet.org/papers/stats

  6. What needs to be done? • Awareness : To raise awareness about new and existing threats and attacks • Information: Collect information about attacks and people who cause them, their tools and techniques • Analysis: Assess vulnerabilities in the system

  7. Deploying a Gen II Honeynet • Objective: • To learn about threats and attacks on the most vulnerable Unix and Windows based applications • To learn about tools and techniques used by the attackers • To collect and analyze attack data

  8. Honeypot • Operating system with applications vulnerable to attacks • Designed to capture all activities generated by an intruder • Types: • Production Honeypot-Low Interaction- Simulated Environment Eg. Specter, BOF • Research Honeypot- High Interaction-Learning purposes

  9. Honeynet • Comprised of high interaction honeypots • Simulates a real/production environment • Components: • Data Control: Comprised honeypot should not be used to attack systems • Data Capture: Capture Attacker’s activity Eg: Keystrokes • Data Collection: Collecting honeynet data in a remote machine

  10. Gen I Honeynet • Placed on an isolated network • Firewall and Router are used as Access Control Devices • Better Data control than a traditional honeypot

  11. Limitations of Gen I Honeypot • Easily Detectable • Outbound packets have TTL decrement at the routing firewall (Layer 3 device) • Intruder can fingerprint the network • Poor Data Control mechanism • Intruder can use the system to attack other systems • Absence of Content-Based detection

  12. Gen II Honeynet • Goals of Gen II Honeynet • 1.Undetectable System • Placed in a production network • Access control implemented by a gateway device (layer 2 device) • Absence of TTL decrement 2.Efficient Data Control mechanisms

  13. Deploying a Gen II Honeynet

  14. How to do implement the Honeynet • Building the Honeypots • Building the Sensor • Bridge Construction • Kernel Hardening • Data Control • Data Capture • Data Collection

  15. Building Honeypots • Cleaning the machine • FWipe (Linux) • Eraser (Windows) • Linux Honeypot • Redhat7.3, Kernel 2.4.8-13 • Apache server, SSH,FTP,Telnet • Windows Honeypot • Default installation of Windows 2000 server • IIS Web Server,IE,Microsoft SQL Server

  16. Honeynet Bridge 129.252.140.3 192.252.140.7 Eth1-NO IP Eth2- 129.252.xxx.yyy • Administrative • Interface • SSH Connections • Trusted Hosts Eth0-NO IP Internet

  17. Honeynet Communication Channel Eth1-Promiscuous Mode Eth0-Promiscuous Mode Src IP: 129.252.140.7 Dest IP: 208.122.101.1 TTL : 30 Src MAC:07 E2 G5 89 P1 Dest MAC:0H F5 7F 2L G2 Source IP: 129.252.140.7 Destination IP: 208.122.101.1 TTL : 30 Source MAC : 07 E2 G5 89 P1 Destination MAC:0H F5 7F 2L G2 Hub IP Forwarding

  18. Kernel Hardening • Bastille Linux • Non-executable IP user stack • Secures /proc /var directories • Prevents users from creating hard links to files that they don’t own • Restricts writes into pipes

  19. Data Control: Snort-Inline and IPTables • Modes of Operation • Connection Limiting Mode: Count packets by protocol type • Drop Mode: Libipq reads packets from kernel space.Packets are matched against snort signatures and dropped if there is a match • Replace Mode: Packets are matched against snort signatures and if they match the harmful content of packet is scrubbed and returned to the attacker

  20. Connection Limiting Mode IPTables IPTables Packet No =10 DROP

  21. Snort-Inline Drop Mode Drop IPTables IP Tables Snort-Inline Snort Rules=Drop Ip_queue

  22. Snort-Inline Replace Mode IPTables IP Tables Snort-Inline Snort Rules=Replace bin/sh->ben/sh Ip_queue

  23. Protect the Administrator Interface • Portsentry • Detects SYN/Half Open, FIN, NULL scans • Will block host in real time and report to the administrator

  24. Data Control: Tripwire • Maintains integrity of data on the system • Creates cryptographic checksums of files and directories • Reports when changes are made to • Access permissions, inode number, Userid, groupid, date and time, size

  25. Data Capture Mechanisms • Snort-Inline • Comlog: Log commands executed by cmd.exe (Windows) • Eventlog: forwards packets to syslog server(Windows) • Sebek: (Linux) • Keystroke logging • Uses UDP connection

  26. Data Collection • Syslog: • To deceive intruder maintain another Syslog.conf file in a different location • Remote Syslog • Stored data on remote machine

  27. Data Analysis • Log Sentry: • Audits logs and reports any violations • The @stake Sleuth Kit: • Analyses images generated by dd command • Converts and copies a file • Displays deleted files • Creates timeline for file activity

  28. Linux Based Attack RPC Apache SSH SNMP FTP R-Services LPD Sendmail BIND/DNS Weak accounts Windows Based Attack IIS MDAC Microsoft SQL Server NETBIOS Weak LM Hashing Anonymous Logon Weak accounts IE Remote Registry Access Windows Scripting Host Top 10 Attacked Services

  29. Risk Analysis • Placed on the 129.252.140 Subnet • Can be shut down in case of emergency • Efficient Data Control Mechanisms • Firewall (Connection Limiting Mode) • Snort-Inline (Drop Mode)

  30. References • Librenix: http://librenix.comfirewalls • types of firewalls • configurations • access contro • Newsforge: http://newsforge.com/newsforge • Deploying a GenII Honeynet: MS Thesis Harish Siripurapu

More Related