HONEYPOT
Presentation uploaded by gijomr005, added February 15, 2011 (149 views).

Presentation Transcript

Slide 1: HONEYPOTS & HONEYNETS

What are Honeypots
- Honeypots are real or emulated vulnerable systems ready to be attacked.
- Definition: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."
- The primary value of honeypots is to collect information. This information is used to better identify, understand and protect against threats.
- Honeypots add little direct value to protecting our network.

Why Honeypots
- A great deal of the security profession and the IT world depends on honeypots.
- Honeypots are used to:
  - Build anti-virus signatures
  - Build spam signatures and filters
  - Identify compromised systems
  - Assist law enforcement in tracking criminals
  - Hunt and shut down botnets
  - Collect and analyze malware

Advantages and Disadvantages
Advantages
- Collect only small data sets (only when interacted with), which are valuable and easier to analyze.
- Reduce false positives, because any activity with the honeypot is unauthorized by definition.
- Reduce false negatives, because honeypots are designed to identify and capture new attacks.
- Capture encrypted activity, because honeypots act as endpoints, where the activity is decrypted.
- Work with IPv6.
- Highly flexible: extremely adaptable and usable in a variety of environments.
- Require minimal resources.

Disadvantages
- Honeypots have a limited field of view: they see only what interacts with them. They cannot be used to detect attacks on other systems. However, there are some techniques to redirect attackers' activities to honeypots.
- Risk: an attacker may take over the honeypot and use it to attack other systems.

Types of Honeypots
- Server: put the honeypot on the Internet and let the bad guys come to you.
- Client: the honeypot initiates and interacts with servers.
- Other: proxies.

Types of Honeypots (by interaction level)
Low-interaction
- Emulates services, applications and OSs.
- Low risk and easy to deploy and maintain.
- But captures limited information: attackers' activities are contained to what the emulated systems allow.
High-interaction
- Real services, applications and OSs.
- Captures extensive information, but high risk and time-intensive to maintain.
- Can capture new, unknown or unexpected behavior.

Examples of Honeypots
Ordered from low interaction to high interaction: BackOfficer Friendly, KFSensor, Honeyd, Honeynets.

Uses of Honeypots: Preventing attacks
- Automated attacks (e.g. worms): attackers randomly scan entire networks to find vulnerable systems.
  - "Sticky honeypots" monitor unused IP space and slow down the attacker when probed.
  - They use a variety of TCP tricks, such as a 0 window size.
- Human attacks: use deception and deterrence.
  - Confuse the attackers, making them waste their time and resources.
  - If the attacker knows your network has a honeypot, he may not attack the network.

Uses of Honeypots: Detecting attacks
- Traditional IDSs generate too many logs, with a large percentage of false positives and false negatives.
- Honeypots generate small amounts of data and reduce both false positives and false negatives.
- Traditional IDSs fail to detect new kinds of attacks; honeypots can detect new attacks.
- Traditional IDSs may be ineffective in IPv6 or encrypted environments.

Uses of Honeypots: Responding to attacks
- Responding to a failure or attack requires in-depth information about the attacker.
- If a production system is hacked (e.g. a mail server), it cannot be brought offline for analysis.
- Besides, there may be too much data to analyze, which is difficult and time-consuming.
- Honeypots can easily be brought offline for analysis. Besides, the only information captured by the honeypot is related to the attack, so it is easy to analyze.

Uses of Honeypots: Research purposes
- How can you defend yourself against an enemy when you don't know who your enemy is?
- Research honeypots collect information on threats. Researchers can then:
  - Analyze trends
  - Identify new tools or methods
  - Identify attackers and their communities
  - Ensure early warning and prediction
  - Understand attackers' motivations

Honeynets
- A high-interaction honeypot designed to capture in-depth information.
- Information has different value to different organizations.
- It is an architecture you populate with live systems, not a product or software.
- Any traffic entering or leaving is suspect.

Honeynet Architecture (diagram slide)

How It Works
- A highly controlled network where every packet entering or leaving is monitored, captured and analyzed.
- Should satisfy two critical requirements:
  - Data Control: defines how activity is contained within the honeynet, without the attacker knowing it.
  - Data Capture: logging all of the attacker's activity without the attacker knowing it.
- Data control has priority over data capture.

Data Control
- Mitigate the risk of the honeynet being used to harm non-honeynet systems.
- Tradeoff: the attacker needs to be given freedom so we can learn about him, but more freedom means greater risk that the system will be compromised.
- Some controlling mechanisms:
  - Restrict outbound connections (e.g. limit to 1)
  - IDS (Snort-Inline)
  - Bandwidth throttling

No Data Control (diagram slide)

Data Control (diagram slide)

Data Control: Issues
- Must have both automated and manual control.
- System failure should leave the system in a closed state (fail-close).
- The admin should be able to maintain the state of all inbound and outbound connections.
- Must be configurable by the admin at any time.
- Activity must be controlled so that attackers cannot detect it.
- Automated alerting when honeypots are compromised.

Data Capture
- Capture all activity at a variety of levels:
  - Network activity
  - Application activity
  - System activity
- Issues:
  - No captured data should be stored locally on the honeypot.
  - No data pollution should contaminate the captured data.
  - The admin should be able to remotely view honeynet activity in real time.
  - Must use the GMT time zone.

Risks
- Harm: a compromised honeynet can be used to attack other honeynets or non-honeynet systems.
- Detection: its value decreases dramatically if detected by the hacker. The hacker may ignore or bypass it, or inject false information to mislead.
- Disabling honeynet functionality: the attacker disables the data control and capture.
- Violation: using the compromised system for criminal activity.

Types of Honeynets
- Gen-I
- Gen-II
- Virtual
- Distributed

Honeywall CDROM
- An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
- May 2003: released Eeyore
- May 2005: released Roo

Roo Honeywall CDROM
- Based on Fedora Core 3.
- Vastly improved hardware and international support.
- Automated, headless installation.
- New Walleye interface for web-based administration and data analysis.
- Automated system updating.

Installation
- Just insert the CDROM and boot; it installs to the local hard drive.
- After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
- Following installation, you get a command prompt and the system is ready to configure.

CONCLUSION
- Honeypots and honeynets are tools to acquire knowledge. The education they provide is their most important contribution.
- They also require substantial resources to operate correctly.
- If the operators understand what is demanded, honeypots and honeynets can provide a fantastic learning tool in computer security.

Slide 28: THANK YOU
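The Data Control slides above list the requirements a honeynet gateway must meet: a cap on outbound connections (the slides suggest a limit of 1), fail-close behaviour, connection state the admin can inspect, and automated alerting when a honeypot is compromised. The following is an added example that is not part of the presentation; it models that policy as a decision function over constructed connection events, with the honeypot address, limit and window chosen for illustration.

```python
"""Honeynet data-control policy (added example, not from the slides).

A honeypot never legitimately initiates traffic, so the first outbound
attempt from one is itself an alert; beyond that, outbound connections
are capped per time window and everything is dropped when the
controller's state is unavailable (fail-close).
"""
from collections import defaultdict
from dataclasses import dataclass, field

HONEYPOT = "10.0.0.5"  # constructed honeynet address for the example


@dataclass
class ConnEvent:
    ts: int     # seconds since epoch, GMT (the slides require GMT timestamps)
    src: str
    dst: str
    dport: int


@dataclass
class DataControl:
    honeypots: set
    limit: int = 1          # outbound connections allowed per window ("limit to 1")
    window: int = 3600      # window length in seconds (assumed value)
    healthy: bool = True    # state store reachable; False => fail-close
    outbound: dict = field(default_factory=lambda: defaultdict(list))
    alerted: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def decide(self, ev: ConnEvent) -> str:
        """Return 'allow' or 'drop' for one new connection attempt."""
        if not self.healthy:
            return "drop"            # fail-close: no state means no traffic leaves
        if ev.src not in self.honeypots:
            return "allow"           # inbound to the honeynet: let it in, capture it
        if ev.src not in self.alerted:  # a honeypot talking out is a compromise signal
            self.alerted.add(ev.src)
            self.alerts.append(f"{ev.src} initiated outbound to {ev.dst}:{ev.dport} at {ev.ts}")
        recent = [t for t in self.outbound[ev.src] if ev.ts - t < self.window]
        self.outbound[ev.src] = recent   # admin-inspectable state per honeypot
        if len(recent) >= self.limit:
            return "drop"
        recent.append(ev.ts)
        return "allow"


def demo() -> list:
    """Run the policy over constructed events: a scan in, then three outbound attempts."""
    dc = DataControl(honeypots={HONEYPOT})
    events = [ConnEvent(0, "198.51.100.7", HONEYPOT, 22),
              ConnEvent(10, HONEYPOT, "203.0.113.9", 80),
              ConnEvent(20, HONEYPOT, "203.0.113.9", 6667),
              ConnEvent(4000, HONEYPOT, "203.0.113.9", 80)]
    return [dc.decide(e) for e in events]  # ['allow', 'allow', 'drop', 'allow']
```

The second outbound attempt inside the hour is dropped while the one after the window expires is allowed again, which is the "limit to 1" behaviour the slides describe.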