honeypots

Presentation Description

security communication

Presentation Transcript

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks:

Ashish Gupta
Network Security, May 2004
http://project.honeynet.org/misc/project.html

Overview:

Motivation
What are Honeypots?
Gen I and Gen II
The GeorgiaTech Honeynet System
  Hardware/Software
  IDS
  Logging and review
Some detected Exploitations
  Worm exploits
  Saga of the Warez Exploit
Words of Wisdom
Conclusions

Why Honeynets ?:

An additional layer of security

Motivation:

Security: a serious problem
Methods for detection/protection/defense:
  Firewall: the traffic cop
  IDS: detection and alert
These have shortcomings:
  Internal threats
  Virus-laden programs
  False positives and false negatives
Honeynet: an additional layer
  Not a panacea

PowerPoint Presentation:

Security: a serious problem
Firewall: a traffic cop. Problems: internal threats, virus-laden programs
IDS: detection and alert. Problems: false positives, false negatives

PowerPoint Presentation:

The Security Problem
Firewall, IDS, Honeynets: an additional layer of security

Properties:

Captures all inbound/outbound data
Standard production systems
Intended to be compromised
Data capture:
  Stealth capturing
  Storage location away from the honeynet
Data control:
  Protect the network from honeynets

Two types:

Gen I:
  Good for simpler attacks
  Unsophisticated targets
  Limited data control
Gen II:
  Sophisticated data control: stealth fire-walling
Gen I chosen

GATech Honeynet System:

Huge network: 4 TB data processing/day
Configuration:
  Sub-standard systems
  Open source software
  Simple firewall data control

PowerPoint Presentation:

IDS:
  Invisible SNORT monitor
  Promiscuous mode
  Two SNORT sessions:
    Session 1: signature analysis (monitoring)
    Session 2: packet capture (data capture)

Data Analysis:

One hour daily! Requires human resources
Forensic analysis:
  SNORT data capture: all packet logs stored
  Ethereal used

Detected Exploitations:

16 compromises detected
  Worm attacks
  Hacker attacks

DETECTING WORM EXPLOITS:

Honeynet traffic is suspicious
Heuristic for worm detection: frequent port scans
Specific OS-vulnerability monitoring possible
Captured traffic helps signature development
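The worm-scan heuristic above and the simple firewall data control from the GATech configuration, as an added Python example that is not part of the original presentation or of the Honeynet Project's own tooling. It runs over a constructed list of connection records; the record layout and the thresholds (5 distinct ports per minute inbound, 5 outbound connections per hour) are assumptions, not values from the slides.

```python
from collections import defaultdict

# Constructed sample of connection records as a honeynet sensor might log them:
# (timestamp in seconds, direction relative to the honeypot, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0, "in", "203.0.113.5", "10.0.0.20", 135),    # one source sweeping many ports
    (1, "in", "203.0.113.5", "10.0.0.20", 139),
    (2, "in", "203.0.113.5", "10.0.0.20", 445),
    (3, "in", "203.0.113.5", "10.0.0.20", 1433),
    (4, "in", "203.0.113.5", "10.0.0.20", 3389),
    (5, "in", "203.0.113.5", "10.0.0.20", 80),
    (9, "in", "198.51.100.7", "10.0.0.20", 80),    # a single web probe, not a scan
    (60, "out", "10.0.0.20", "192.0.2.1", 445),    # compromised honeypot fanning out
    (61, "out", "10.0.0.20", "192.0.2.2", 445),
    (62, "out", "10.0.0.20", "192.0.2.3", 445),
    (63, "out", "10.0.0.20", "192.0.2.4", 445),
    (64, "out", "10.0.0.20", "192.0.2.5", 445),
    (65, "out", "10.0.0.20", "192.0.2.6", 445),
    (70, "out", "10.0.0.21", "192.0.2.9", 53),     # two outbound lookups, under the limit
    (71, "out", "10.0.0.21", "192.0.2.9", 53),
]

def port_scanners(flows, window=60, min_ports=5):
    """Worm heuristic from the slides: flag an external source that touches many
    distinct destination ports on the honeynet inside one time window. Any inbound
    traffic to a honeypot is already suspicious; a wide sweep is what a scanning
    worm leaves behind. The window and port threshold are assumptions."""
    ports_by_src = defaultdict(set)
    for ts, direction, src, _dst, dport in flows:
        if direction == "in":
            ports_by_src[(src, ts // window)].add(dport)
    return sorted({src for (src, _), ports in ports_by_src.items()
                   if len(ports) >= min_ports})

def outbound_limit_hits(flows, limit=5, window=3600):
    """Gen I data control: a simple firewall allows only a few outbound connections
    per honeypot per window, so a compromised honeypot cannot be turned against the
    rest of the network. Returns the honeypots whose outbound count exceeded the
    limit (the connections such a firewall would drop). Limit and window are assumed."""
    counts = defaultdict(int)
    for ts, direction, src, _dst, _dport in flows:
        if direction == "out":
            counts[(src, ts // window)] += 1
    return sorted({src for (src, _), n in counts.items() if n > limit})

if __name__ == "__main__":
    print("possible worm scanners:", port_scanners(SAMPLE_FLOWS))
    print("honeypots over outbound limit:", outbound_limit_hits(SAMPLE_FLOWS))
```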

SAGA of the WAREZ Hacker:

Helped locate a compromised host
Honeynet: IIS exploit, then Warez server + backdoor
Very difficult to detect otherwise!

Words of Wisdom:

Start small
Good relationships help
Focus on internal attacks
Don't advertise
Be prepared to spend time

Conclusion:

Helped locate compromised systems
Can boost IDS research: data capture
Distributed honeynets?
Hunting down honeypots: http://www.send-safe.com/honeypot-hunter.php

Discussion:

The usefulness of the extra layer?
Dynamic honeynets
Comparison with IDS: are these a replacement or complementary?

IDS vs HoneyNet:

IDS: primary function is detection and alerting
Honeynets: use IDS to detect and alert, but nothing is done to control the threat; the primary intent is to log and capture the effects and activities of the threat
Honeynets do not protect the network: they have protection as a benefit, not as intent
