KFSensor Vs Honeyd Honeypot System Sunil Gurung


KFSensor Vs Honeyd Honeypot System
Sunil Gurung
[60-475] Security and Privacy on the Internet

Agenda
- Introduction
- Honeypot Technology
- KFSensor
- Honeyd
- Features
- Tests
- Conclusion

Introduction
Good defence is good offence.
Network security today: firewalls, IDS, antivirus.
Traditional approach: defensive.
Today: an offensive approach, such as honeypot solutions.

Honeypot Technology
“A honeypot is a security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner
We want attackers to probe and exploit the virtual system running emulated services.
The system has no production value and no legitimate traffic, so most connections to it are probes, attacks, or compromises.
It complements the traditional security tools.

Fig: The basic setup of the honeypot system. In the figure, two KFSensor instances are configured as production honeypots. Figure taken from “User Manual of KFSensor – Help”.

Types of Attackers
- Script kiddies: amateurs, don’t care about the host; they educate us about the inadequacy of the security policy.
- Blackhats: focus on high-value systems, more experienced; more dangerous and operate silently.

Types of Honeypot: Low Interaction and High Interaction
Interaction: the level of activity the honeypot allows with the attacker.
- Low interaction: emulated services; easy to deploy and maintain; less risk. Designed to capture only known attacks.
- High interaction: sets up real services and provides interaction with the OS. More information and no assumptions made, since it gives a fully open environment. Risk: the attacker can use the real honeypot to attack others. Examples: Symantec Decoy Server, Honeynet.

KFSensor
- Commercial low interaction honeypot solution for Windows OS.
- Preconfigured services: ssh, http, ftp etc.
- Easy configuration and flexible.
- Components of KFSensor: Scenarios, Sim Server (standard and banner).

Honeyd
- Low interaction, open source.
- Developed by Niels Provos of U of M.
- Features: service emulation and IP stack of the OS.
Product detail:
Software: honeyd
Version: honeyd 0.8
License: open source
Download site: http://honeyd.org
OS: Windows, Linux, Unix – Solaris

Installation
- ARPD, libraries
- Dependencies: libevent-0.8a.tar.gz, libpcap0.8.3.tar.gz
- Honeyd package
Installation process (unpack the libevent archive, then compile it; note: pwd is /honeyd_packages/libevent-0.8a):
# tar -zvxf libevent-0.8a.tar.gz
# cd libevent-0.8a
# ./configure
# make
# make install

Major differences between the two software:
- IP address assignment
- Listening port
- OS emulation
- Open source advantage
- Financial value

How it works
- Configuration file
- Nmap.print & Xprobe2
- Scripts for running the services

Explanation of configuration file:
# Example of a simple host template and its binding
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template

Nmap.print and Xprobe2
# Contributed by Felix Lindner (flindner@gmx.de)
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
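As an added example (not from the slides or the Honeyd project), the Python below parses one nmap.prints entry like the one above and lists which probes the emulated personality answers and with what flags and window; the fingerprint text is a constructed copy of the slide's entry and the function names are my own.

```python
import re

# Constructed copy of the nmap.prints entry shown on the slide.
FINGERPRINT = """\
# Contributed by Felix Lindner (flindner@gmx.de)
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
"""

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")  # e.g. T1(Resp=Y%DF=Y%...)

def parse_fingerprint(text):
    """Return (personality name, {test: {field: value}}) for one nmap.prints entry."""
    name, tests = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = TEST_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fingerprint line: {line}")
        # Fields are %-separated key=value pairs; an empty value (Ops=) is kept.
        fields = dict(kv.partition("=")[::2] for kv in m.group(2).split("%") if kv)
        tests[m.group(1)] = fields
    return name, tests

def answered_probes(tests):
    """Probes the emulated stack replies to: test -> (TCP flags, window size as int)."""
    out = {}
    for test, f in tests.items():
        if f.get("Resp") == "Y":
            out[test] = (f.get("Flags", ""), int(f["W"], 16) if f.get("W") else None)
    return out
```

The window field is hexadecimal in nmap's format, so W=2017 is 8215 bytes; a personality whose T2 and T7 say Resp=N simply stays silent to those probes, which is what honeyd reproduces.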

Test Environment
Inside the router:
1) University network
2) Home network: putting the honeypot system inside the router [192.168.0.102]
Various tests performed:

Testing Honeyd
IP of honeypot: 192.168.1.122
IP of host running the honeypot: 192.168.1.121
1) Running ARPD:
# arpd 192.168.0.0/24
2) Running Honeyd:
# honeyd -d -f config.sample -p nmap.print -x xprobe2 -l "Log File" -I 2

Test 1: FTP (KFSensor)

Test 2: FTP honeyd

Other possible test (Network Topology):
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24

create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"

create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"

bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
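As an added example covering both the simple template configuration earlier and the routing topology above (my own code, not from the slides or the Honeyd project), this Python checker parses the route/create/bind lines, reports binds that name a template never created or an IP no declared route reaches, and sums the one-way `latency` values along a path so that the round-trip a traceroute should see (about twice the sum) can be compared with observed results; the config text with its two deliberate mistakes is constructed, and the function names are my own.

```python
import ipaddress, shlex
# Constructed, abridged copy of the slide's topology, with two deliberate mistakes:
# routerone is bound but never created, and 10.9.0.2 is outside every declared net.
CONFIG = """
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
create netbsd
bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
bind 10.9.0.2 netbsd
"""

def parse(text):
    # Entry router, per-router links and forwarded nets, created templates, binds.
    cfg = {"entry": None, "links": {}, "nets": {}, "templates": set(), "binds": {}}
    for tok in (shlex.split(l, comments=True) for l in text.splitlines()):
        if tok[:2] == ["route", "entry"]:
            cfg["entry"] = tok[2]
        elif tok[:1] == ["route"] and tok[2:3] == ["link"]:  # directly attached net
            cfg["links"].setdefault(tok[1], []).append(ipaddress.ip_network(tok[3]))
        elif tok[:1] == ["route"] and tok[2:4] == ["add", "net"]:  # net behind a next hop
            lat = int(tok[tok.index("latency") + 1].rstrip("ms")) if "latency" in tok else 0
            cfg["nets"].setdefault(tok[1], []).append((ipaddress.ip_network(tok[4]), tok[5], lat))
        elif tok[:1] == ["create"]:
            cfg["templates"].add(tok[1])
        elif tok[:1] == ["bind"]:
            cfg["binds"][tok[1]] = tok[2]
    return cfg

def path_to(cfg, ip, router=None, delay=0):
    """Routers crossed from the entry router to ip, plus the summed one-way latency."""
    router, addr = router or cfg["entry"], ipaddress.ip_address(ip)
    if any(addr in net for net in cfg["links"].get(router, [])):
        return [router], delay
    for net, nxt, lat in cfg["nets"].get(router, []):
        if addr in net and (sub := path_to(cfg, ip, nxt, delay + lat)):
            return [router] + sub[0], sub[1]
    return None

def check(cfg):
    # Problems to fix before starting honeyd: unknown templates and unroutable binds.
    out = []
    for ip, tmpl in cfg["binds"].items():
        if tmpl not in cfg["templates"]:
            out.append(f"{ip}: template {tmpl!r} never created")
        if path_to(cfg, ip) is None:
            out.append(f"{ip}: no route from entry router {cfg['entry']}")
    return out
```

For 10.2.0.1 the summed one-way latency is 20 ms, so a probe should come back in roughly 40 ms plus processing, which is what the traceroute result in the next slide shows for hop 2.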

Results (taken from the abstract):
$ traceroute -n 10.3.0.10
traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
 1 10.0.0.1 0.456 ms 0.193 ms 0.93 ms
 2 10.2.0.1 46.799 ms 45.541 ms 51.401 ms
 3 10.3.0.1 68.293 ms 69.848 ms 69.878 ms
 4 10.3.0.10 79.876 ms 79.798 ms 79.926 ms

Conclusion
- Both are low interaction honeypots.
- Honeyd has better features, like IP simulation and OS IP stack simulation.
- KFSensor has a better GUI and easier configuration.
- Neither can replace the existing security system; they work better alongside it.