Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Presentation on theme: "Honeynet Introduction Tang Chin Hooi APAN Secretariat."— Presentation transcript:

1 Honeynet Introduction Tang Chin Hooi APAN Secretariat

2 Objective of Honeynet To learn the tools, tactics, and motives of the blackhat community, and share the lessons learned.

3 The Honeynet Project
- Volunteer organization of security professionals researching cyber threats.
- Deploys networks around the world to be hacked.
- Has captured information primarily on threats that focus on targets of opportunity.

4 Research Alliance Active Member Organizations:
- Florida HoneyNet Project
- Paladion Networks Honeynet Project - India
- Internet Systematics Lab Honeynet Project - Greece
- Mexico Honeynet Project
- NetForensics Honeynet
- Azusa Pacific University Honeynet
- Brazilian Honeynet Project
- Irish Honeynet Project
- Honeynet Project at the University of Texas at Austin
- Norwegian Honeynet Project
- UK Honeynet Project
- West Point Honeynet Project
- Pakistan Honeynet Project
- Italian Honeynet Project
- French Honeynet Project
- Ga Tech Honeynet Project

5 Goals
- Awareness: To raise awareness of the threats that exist.
- Information: For those already aware, to teach and inform about the threats.
- Research: To give organizations the capabilities to learn more on their own.

6 Honeypots
- A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
- It has no production value, so anything going to or from a honeypot is likely a probe, attack or compromise.

7 Advantages
- Collect small data sets of high value.
- Reduce false positives.
- Catch new attacks (false negatives of other sensors).
- Work in encrypted or IPv6 environments.
- Simple concept requiring minimal resources.

8 Disadvantages
- Limited field of view (microscope).
- Risk (mainly high-interaction honeypots).

9 Examples of Honeypots
Low-interaction honeypots:
- Honeyd
- KFSensor
- Specter
High-interaction honeypots:
- Symantec Decoy Server (ManTrap)
- Honeynets

10 Honeynet
- An architecture, not a product.
- A type of honeypot.
- A high-interaction honeypot designed to capture extensive information on threats.
- Provides real systems, applications, and services for attackers to interact with…

11 Architecture Requirements
- Data Control
- Data Capture

12 Data Control
- Containment of activity. Very important.
- Minimize the risk.
- What do we allow the attacker to do?
1) The more we allow, the more we learn, but the risk rises with it.
2) Control without being noticed.

13 Data Control - Methods
- Limit outbound connections
- Linux's iptables, FreeBSD's ipfw
- NIPS (drop/modify packets)
- snort-inline
- Bandwidth restrictions
- FreeBSD's Dummynet, Linux's Advanced Routing and Traffic Control (tc), Cisco's Committed Access Rate, Juniper's Traffic Policing

14 Data Capture
- Monitoring and logging of the blackhat's activities within the honeynet.
- Multiple layers/mechanisms:
1) Few modifications to the honeypot.
2) Log and store on a separate, secured machine.

15 Data Capture - Methods
- Multiple layers:
1) Firewall logs – /var/log/messages, etc.
2) Network traffic – snort, in addition to snort-inline.
3) System activity – Sebek2 (keystroke and file capture; logs SSH, SSL, IPsec communication…).
4) New tools…
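The two layers described on slides 13 and 15 meet in the firewall log: the honeywall's iptables LOG rules record every packet crossing the bridge, and the data-control policy is simply a per-honeypot cap on new outbound connections. The following Python script is an added example, not code from the slides or from the Honeynet Project; it replays constructed /var/log/messages lines against an assumed limit table (HONEYPOTS, LIMITS and the OUTBOUND/INBOUND log prefixes are assumptions) and reports which outbound connections a GenII-style honeywall would have allowed or blocked.

```python
from collections import defaultdict

# Constructed sample lines in the /var/log/messages format written by an iptables
# LOG rule on a bridging honeywall (br0 = honeynet side, eth0 = Internet side).
SAMPLE_LOG = """\
Mar  3 10:01:02 honeywall kernel: OUTBOUND IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 ID=1001 DF PROTO=TCP SPT=3456 DPT=80 WINDOW=5840 SYN URGP=0
Mar  3 10:01:05 honeywall kernel: OUTBOUND IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.6 LEN=60 TTL=64 ID=1002 DF PROTO=TCP SPT=3457 DPT=6667 WINDOW=5840 SYN URGP=0
Mar  3 10:01:06 honeywall kernel: OUTBOUND IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.6 LEN=52 TTL=64 ID=1003 DF PROTO=TCP SPT=3457 DPT=6667 WINDOW=5840 ACK URGP=0
Mar  3 10:01:09 honeywall kernel: INBOUND IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TTL=51 ID=7 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 10:02:11 honeywall kernel: OUTBOUND IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=64 TTL=64 ID=1004 DF PROTO=UDP SPT=5000 DPT=53 LEN=44
Mar  3 10:02:30 honeywall kernel: OUTBOUND IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.8 LEN=60 TTL=64 ID=1005 DF PROTO=TCP SPT=3458 DPT=445 WINDOW=5840 SYN URGP=0
"""

HONEYPOTS = {"192.168.1.10"}                # addresses inside the honeynet (assumed)
LIMITS = {"TCP": 2, "UDP": 5, "ICMP": 10}   # assumed outbound connections allowed per honeypot

def parse_line(line):
    """Split an iptables LOG line into (log prefix, key=value fields, bare flags)."""
    if " kernel: " not in line:
        return None
    body = line.split(" kernel: ", 1)[1].split()
    if not body:
        return None
    fields = dict(t.split("=", 1) for t in body[1:] if "=" in t)
    flags = {t for t in body[1:] if "=" not in t}
    return body[0], fields, flags

def apply_limits(log_text, limits=LIMITS):
    """Replay the log against the per-protocol outbound connection limit.
    Returns one (src, proto, dst, dport, allowed) tuple per new outbound connection."""
    counts = defaultdict(int)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _prefix, f, flags = parsed
        if f.get("SRC") not in HONEYPOTS:
            continue                     # inbound traffic is never limited
        if f.get("PROTO") == "TCP" and "SYN" not in flags:
            continue                     # only SYNs start a new TCP connection
        key = (f["SRC"], f["PROTO"])
        counts[key] += 1
        allowed = counts[key] <= limits.get(f["PROTO"], 0)
        decisions.append((f["SRC"], f["PROTO"], f["DST"], f.get("DPT"), allowed))
    return decisions

if __name__ == "__main__":
    for src, proto, dst, dport, ok in apply_limits(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}/{proto}: {'allowed' if ok else 'BLOCKED (limit reached)'}")
```

With the sample log the third TCP SYN from the honeypot (to port 445) exceeds the assumed limit of two and is reported as blocked; a real honeywall enforces the same count in its firewall rules rather than after the fact.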

16 Example: GEN I Honeynet

17 Example: GEN II Honeynet

18 Virtual Honeynet
- Running multiple OSes on a single computer.
- Virtualization software (UML, VMware).
- Types:
1) Self-Contained Virtual Honeynet
2) Hybrid Virtual Honeynet

19 Self Contained Virtual Honeynet

20 Hybrid Virtual Honeynet

21 Risks
- Harm
- Risk of detection
- Risk of disabling Honeynet functionality
- Violation
Solutions:
1) Human monitoring
2) Customization

22 Legal Issues
- Consult with local counsel before deploying it.

23 References
- http://www.honeynet.org/
- http://www.tracking-hackers.com/papers/honeypots.html
- http://www.citi.umich.edu/u/provos/honeyd/

24 THE END Thank You

