Honeywall CD-ROM

Developers and Speakers
- Dave Dittrich, University of Washington
- Rob McMillen, USMC
- Jeff Nathan, Sygate
- William Salusky, AOL

A case for Honeynets
- Research of attack technologies and methodologies
- Root-cause analysis of attack motives
  - "Target of choice or target of chance?"
  - "Getting the problem statement right", Dr. Dan Geer, Journal of the Advanced Computing Systems Association (USENIX), June 2003, Volume 28, number 3
- Self defense
- Incident response and forensic analysis
- Deception and deterrence

Problem: Simplify Honeynet deployment
- Current Honeynet deployments require considerable effort.
- Lack of a standardized deployment platform.
- Lack of a standardized configuration mechanism to facilitate large-scale Honeynet deployment.
- How can Honeynet deployment (especially large-scale deployment) be simplified?
- How can Generation II Honeynet technologies be packaged into an easy-to-use system?

Solution: The Honeywall
- A self-contained Honeynet data control and data management system
- An easily configurable system
- Simplify deployment and management
  - Build a system using a bootable CD-ROM.
  - Simplify configuration and management using plain text files.
  - Use commodity PC hardware to minimize costs.
  - Offer routing and bridging functionality to ease network integration.
  - Minimize customization efforts with built-in customization hooks.

Honeywall overview
- Bootable Linux CD-ROM
- Utilizes existing Honeynet data control and data capture technologies.
  - iptables (custom Honeywall configuration via rc.firewall)
  - Snort-inline
  - Snort
- Menu-driven configuration interface for easy configuration.
- Single configuration file for interactive or automated configuration.

Honeywall implementation
- Bootable Linux system from ramdisk, logging to hard disk
  - Boot image consists of a Linux kernel
  - Kernel image contains a compressed (800K) initial ramdisk image to bootstrap the system
  - Second-stage boot process contains a more complete Linux system
- Generation II Honeynet gateway in a box
  - Data control system using iptables
  - Operates as a routing or bridging device
  - Makes a reasonable attempt to prevent stepping stones

Honeywall implementation (continued)
- Complex attack detection/mitigation using Snort-inline
  - Hooks into iptables using queues (libipqueue), performs Gateway Intrusion Detection
  - Detects low-level protocol attacks and abuses
  - Can modify outgoing attacks to prevent compromise of third-party systems
- Data capture facilities using Snort and Snort-inline
  - Captures every packet traversing the Honeywall

Honeywall implementation (continued)
- Data capture (continued)
  - Generates alerts for events matching conditions within the Snort and Snort-inline rule sets
  - Facilitates forensic analysis of network data to identify new tools and techniques, and trend and behavioral analysis of attack incidents
- Utilizes an rc.conf (BSD) style configuration file to simplify system management.
- Leverages commodity PC hardware and a CD-ROM for minimal deployment effort
- Extensible Unix-like shell scripting architecture

Honeywall boot process
- Boot Linux system from initial ramdisk (initrd)
  - Load minimal kernel into memory
- Bootstrap Honeywall using the linuxrc initialization script
  - Mount root filesystem read-write
  - Mount /proc
  - Attempt to mount CD-ROM
  - Mount cramfs (compressed) filesystem from CD-ROM on a loop device

Honeywall boot process (continued)
- Continue Honeywall initialization
  - Probe hardware devices and load kernel modules
  - Extract tar/gzip compressed archive of supplemental commands
  - Update shared library cache (ldconfig)
  - Look for a pre-configured Honeywall hard disk
  - Instantiate default Honeywall packet filter
  - Perform final configuration of data control components
  - Execute custom.sh
  - Start administration interface

Honeywall customization
- Floppy disk configuration file
- Modify ISO with a custom script before burning
  - Just use custom.sh to set variables and start things
  - Use custom.sh to communicate with a central server
  - Use SSH to set variables from a central management host
- Rip the ISO apart, modify the file system, then rebuild
  - Allows adding new programs, new services, new capabilities
  - Supports development independent of the Honeynet Project
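The boot sequence on the two preceding slides and the custom.sh hook described here fit together in a second-stage init script. The following is an added example of such a script written for this page, not the Honeywall's own linuxrc: device names, mount points, the cramfs image name, the supplemental archive name, the module list and the administration program name are all assumptions. With HW_DRY_RUN=1 every privileged command is printed instead of executed, so the sequence can be read on a workstation without root. The one check worth noticing is around custom.sh: because the hook runs as root at boot, the script only executes it when it is a regular file owned by root that nobody else can write, since a writable hook on a persistent disk would otherwise be a convenient way to retain control of the gateway across reboots.

```shell
#!/bin/sh
# Added example, not the Honeywall's own linuxrc: a second-stage init
# skeleton following the boot sequence on the slides. All paths, device
# names, module names and the admin program name are assumptions.
HW_CDROM_DEV="${HW_CDROM_DEV:-/dev/cdrom}"
HW_CDROM_MNT="${HW_CDROM_MNT:-/mnt/cdrom}"
HW_CRAMFS_IMG="${HW_CRAMFS_IMG:-/mnt/cdrom/honeywall.cramfs}"   # hypothetical image name
HW_ROOT="${HW_ROOT:-/sysroot}"
HW_CONF_DISK="${HW_CONF_DISK:-/dev/hda1}"                        # pre-configured disk, if present
HW_HOOK="${HW_HOOK:-/sysroot/etc/custom.sh}"                     # site customization hook

# Print instead of run when HW_DRY_RUN=1; otherwise execute as given.
hw_run() {
    if [ "${HW_DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Get the full system off the CD: the cramfs image is mounted through a
# loop device. Without the CD there is nothing to boot, so fail hard.
hw_mount_cdrom() {
    hw_run mount -o ro "$HW_CDROM_DEV" "$HW_CDROM_MNT" || return 1
    hw_run mount -t cramfs -o ro,loop "$HW_CRAMFS_IMG" "$HW_ROOT"
}

# custom.sh runs as root at boot. Accept only a regular file owned by
# root that is not writable by group or others.
hw_hook_ok() {
    hook="$1"
    [ -f "$hook" ] || return 1
    set -- $(ls -ld "$hook")      # fields: mode links owner group ...
    [ "$3" = root ] || return 1
    case "$1" in ?????w????*|????????w?*) return 1 ;; esac
    return 0
}

hw_boot() {
    hw_run mount -o remount,rw /
    hw_run mount -t proc proc /proc
    hw_mount_cdrom || { echo "honeywall: CD-ROM not mountable, aborting boot" >&2; return 1; }
    # hardware probing, supplemental commands and the shared library cache
    hw_run modprobe -a e100 e1000 tulip          # module list assumed
    hw_run tar -xzf "$HW_ROOT/extra.tar.gz" -C /  # archive name assumed
    hw_run ldconfig
    # a pre-configured hard disk overrides the CD's defaults when present
    if [ -b "$HW_CONF_DISK" ]; then
        hw_run mount -o ro "$HW_CONF_DISK" /mnt/disk && hw_run cp /mnt/disk/honeywall.conf /etc/
    fi
    hw_run sh /etc/rc.firewall                    # default data-control packet filter
    if hw_hook_ok "$HW_HOOK"; then
        hw_run sh "$HW_HOOK"
    else
        echo "honeywall: skipping $HW_HOOK (missing, not root-owned, or writable)" >&2
    fi
    hw_run /usr/sbin/hw-menu                      # administration interface, name assumed
}

# Run the sequence on an explicit dry run, or when actually invoked as
# the ramdisk's init program (/linuxrc).
case "${HW_DRY_RUN:-0}:$0" in
    1:*|*:/linuxrc) hw_boot ;;
esac
```

Running it as `HW_DRY_RUN=1 sh linuxrc-example.sh` prints the command sequence and the reason the hook was skipped, which is also a reasonable pre-burn check before modifying the ISO with a custom script.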

Honeywall deployment
- Requires PC hardware with three network interfaces, IDE disks and 256MB RAM
- Connected to an existing network of hosts by placing the Honeywall system between possible attackers and the Honeynet systems

Honeynet deployment (continued)

Honeywall demonstration

Future work (a production system)
- Integration of Honey Inspector UI
- Web interface to customize ISO
- Command shell for remote management
- Remote Honeywall Manager

Resources and questions
- Watch the tools section on
- Questions?

Customization in more detail
- How a CD-ROM is born
- Modification of ISO image
- De/reconstruction of ISO image