Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.

Published byArabella Goodman Modified over 8 years ago

Similar presentations

Presentation on theme: "1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of."— Presentation transcript:

1 1 HoneyNets

2 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of the Georgia Tech Campus Network Current Vulnerabilities on the Internet

3 3 Shortcomings Associated with Firewalls 1. The firewall cannot protect against attacks that bypass it, such as a dial–in or dial-out capability. 2. The firewall at the network interface does not protect against internal threats. 3. The firewall cannot protect against the transfer of virus–laden files and programs

4 4 Shortcomings Associated with Intrusion Detection Systems 1.Increase Complexity of Security Management of Network 2.High Level of False Positive and False Negative Alerts 3.Must Know Signature or Anomoly Detection Pattern

5 5 Definition of a Honeynet Network Established Behind a Reverse Firewall Captures All In-Bound and Out-Bound Traffic Any Type of System Network is Intended To Be Compromised All Honeynet traffic is suspicious

6 6 Data Capture and Data Control Data Capture  Collect all information entering and leaving the Honeynet covertly for future analysis Data Control  Covertly protect other networks from being attacked and compromised by computers on the Honeynet

7 7 Generation I vs. Generation II GEN I Honeynet  Simple Methodology, Limited Capability  Highly effective at detecting automated attacks  Use Reverse Firewall for Data Control  Can be fingerprinted by a skilled hacker  Runs at OSI Layer 3 GEN II Honeynet  More Complex to Deploy and Maintain  Examine Outbound Data and make determination to block, pass, or modify data  Runs at OSI Layer 2

8 8 Georgia Tech Campus Network 15000 Students, 5000 Staff, 69 Departments 30000-35000 networked computers on campus Average data throughput 600Mbps/4 terabytes per day NO FIREWALL BETWEEN CAMPUS & INTERNET!  Why? Requirement for Academic Freedom, high throughput  However, individual enclaves within Georgia Tech use firewalls IDS is run at campus gateway  Out of band monitoring and follow-on investigation

9 9 Establishment of the Honeynet on the Georgia Tech Campus Established in Summer of 2002 Uses Open Source Software Initially Established As One Honeynet Machine behind the firewall IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)

10 10 Georgia Tech Honeynet

11 11 Hardware and Software No Requirement for State of the Art Equipment (Surplus Equipment) No Production Systems Minimum Traffic Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID) Use Reverse Firewall Script Developed by Honeynet.org

12 12 Intrusion Detection System Used with HoneyNet SNORT  Open Source  Signature-Based, with Anomaly-Based Plug-in Available  Can Write Customized Signatures Run Two Separate SNORT Sessions  One Session to Check Against Signature Database  One Session to Capture All Inbound/Outbound Traffic

13 13 Analysis Console for Intrusion Detection (ACID)

14 14 Logging and Review of Data Honeynet Data is stored in two separate locations  Alert Data is stored in SQL database  Packet Capture Data is stored in a daily archive file Data Analysis is a time consuming process In our Experience:  One hour/day to analyze traffic  One hour of attack traffic can result up to one week of analysis

15 15 Ethereal Analysis Tool

16 16 Exploitations Detected on the Georgia Tech Honeynet 36 possible exploited machines have been detected at Georgia Tech in previous 9 months (through June 2003) A report is made to OIT on each suspected compromise

17 17 Identification of a System with a Compromised Password Previously Compromised Honeynet Computer Continued to Operate as Warez Server Another Georgia Tech Computer Connected to the Warez Server Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer

18 18 Detection of Worm Type Exploits GEN I Honeynet Well-Suited to Detect Worm Type Exploits  Repeated Scans targeting specific ports  Analyze captured data for time lapses Ability to Deploy Specific Operating System on Honeynet

19 19 Exploitation Pattern of Typical Internet Worm Target Vulnerabilities on Specific Operating Systems Localized Scanning to Propagate (Code Red)  3/8 of time within same /16 network  1/2 of time within same /8 network  1/8 of time random address Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts

20 20 Georgia Tech Honeynet Gen II

21 21 Initial Observations of Gen II Honeynet Configuration is more complex than Gen I Must use variants of Linux 2.4 kernel in order to run Sebek keystroke logger capability Data must continue to be monitored on a daily basis

22 22 Honeynet Portscan Activity Date Public: 7/24/02 Date Attack: 1/25/03

23 23 Honeynet Portscan Activity Date Public: 7/16/03 Date Attack: 8/11/03

24 24 Honeynet Portscan Activity Date Public: 8/15/2003 Date Attack: 8/22/03

25 25 Conclusions on HoneyNets Honeynet Assists in Maintaining Network Security Provides Platform for Research in Information Assurance and Intrusion Detection

Download ppt "1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of."

Similar presentations

Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Honeynet Introduction Tang Chin Hooi APAN Secretariat.
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Similar presentations

Ads by Google