Honeynet Introduction
Tang Chin Hooi
APAN Secretariat

Objective of Honeynet
To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.

The Honeynet Projects
• Volunteer organization of security professionals researching cyber threats.
• Deploy networks around the world to be hacked.
• Have captured information primarily on threats that focus on targets of opportunity.

Research Alliance
Active Member Organizations:
• Florida HoneyNet Project
• Paladion Networks Honeynet Project - India
• Internet Systematics Lab Honeynet Project - Greece
• Mexico Honeynet Project
• NetForensics Honeynet
• Azusa Pacific University Honeynet
• Brazilian Honeynet Project
• Irish Honeynet Project
• Honeynet Project at the University of Texas at Austin
• Norwegian Honeynet Project
• UK Honeynet Project
• West Point Honeynet Project
• Pakistan Honeynet Project
• Italian Honeynet Project
• French Honeynet Project
• Ga Tech Honeynet Project

Goals
• Awareness: To raise awareness of the threats that exist.
• Information: For those already aware, to teach and inform about the threats.
• Research: To give organizations the capabilities to learn more on their own.

Honeypots
• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
• Has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.

Advantages
• Collect small data sets of high value.
• Reduce false positives.
• Catch new attacks, false negatives.
• Work in encrypted or IPv6 environments.
• Simple concept requiring minimal resources.

Disadvantages
• Limited field of view (microscope)
• Risk (mainly high-interaction honeypots)

Examples of Honeypots
• Low Interaction honeypots:
  • Honeyd
  • KFSensor
  • Specter
• High Interaction honeypots:
  • Symantec Decoy Server (ManTrap)
  • Honeynets

Honeynet
• An architecture, not a product
• Type of honeypot
• High-interaction honeypot designed to capture extensive information on threats
• Provides real systems, applications, and services for attackers to interact with…

Architecture Requirements
• Data Control
• Data Capture

Data Control
• Containment of activity. Very important.
• Minimize the risk.
• What do we allow the attacker to do?
  1) The more we allow, the more we learn, but the risk rises with it.
  2) Control without being noticed.

Data Control - Methods
• Limit outbound connections - Linux’s iptables, FreeBSD’s ipfw
• NIPS (drop/modify packets) - snort-inline
• Bandwidth restrictions - FreeBSD’s Dummynet, Linux’s Advanced Routing and Traffic Control (tc), Cisco’s Committed Access Rate, Juniper’s Traffic Policing

Data Capture
• Monitoring and logging of the blackhat’s activities within the honeynet
• Multiple layers/mechanisms
  1) Few modifications to the honeypot
  2) Log and store on a separate, secured machine

Data Capture - Methods
• Multiple layers
  1) Firewall logs – /var/log/messages, etc.
  2) Network traffic – snort, in addition to snort-inline
  3) System Activity – Sebek2 (key loggers, file, log SSH, SSL, IPsec communication...)
  4) New tools…

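Added example, not part of the original slides or any Honeynet Project code: Python that reads iptables LOG entries of the kind written to /var/log/messages, labels every packet sent to a honeypot as a probe (Data Capture), and counts each honeypot's outbound connections against an hourly cap (Data Control). The honeypot addresses, the cap of 3, the host name `gw` and the log lines are constructed assumptions.

```python
import re
from collections import Counter

HONEYPOTS = {"10.0.0.5", "10.0.0.6"}  # assumed honeypot addresses
OUTBOUND_LIMIT = 3  # assumed cap: new outbound connections per honeypot per hour

# Constructed iptables LOG entries; assumes one LOG line per new connection.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40112 DPT=22 SYN
Jan 12 03:20:11 gw sshd[411]: Server listening on 0.0.0.0 port 22.
Jan 12 03:41:30 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=1025 DPT=80 SYN
Jan 12 03:41:52 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=1026 DPT=21 SYN
Jan 12 03:42:10 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=1027 DPT=6667 SYN
Jan 12 03:42:15 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.45 PROTO=TCP SPT=1028 DPT=6667 SYN
Jan 12 04:02:00 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=1029 DPT=6667 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return the KEY=value fields of an iptables LOG line, or None."""
    if " kernel: " not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if {"SRC", "DST"} <= fields.keys() else None

def review(log_text):
    """Label every logged packet that touches a honeypot."""
    per_hour = Counter()
    events = []
    for line in log_text.splitlines():
        f = parse(line)
        if f is None:
            continue
        if f["SRC"] in HONEYPOTS:  # honeypot initiated it: likely compromised
            bucket = (f["SRC"], line[:9])  # "Mon DD HH" of the syslog stamp
            per_hour[bucket] += 1
            over = per_hour[bucket] > OUTBOUND_LIMIT
            verdict = "outbound-over-limit" if over else "outbound-allowed"
        elif f["DST"] in HONEYPOTS:  # no production value, so this is a probe
            verdict = "inbound-probe"
        else:
            continue
        events.append((verdict, f["SRC"], f["DST"], f.get("DPT", "-")))
    return events

if __name__ == "__main__":
    for event in review(SAMPLE_LOG):
        print(*event)
```

The fourth outbound connection within the same hour is the one a connection-limiting firewall rule would stop; the counter resets when the hour changes.
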
Virtual Honeynet
• Running multiple OS on a single computer
• Virtualization software (UML, VMware)
• Type:
  1) Self Contained Virtual Honeynet
  2) Hybrid Virtual Honeynet

Risks
• Harm
• Risk of detection
• Risk of disabling Honeynet functionality
• Violation
Solutions:
  1) Human monitoring
  2) Customization

Legal Issues
• Consult with local counsel before deploying it
