1 HoneyNets, Intrusion Detection Systems, and Network Forensics.

ECE 4112 - Internetwork Security

Introduction
- Definition of a Honeynet
- Concept of Data Capture and Data Control
- Generation I vs. Generation II Honeynets
- Description of the Georgia Tech Campus Network
- Current Vulnerabilities on the Internet
- Current Tools to Protect Networks
   Firewalls
   Intrusion Detection Systems (IDS)

Shortcomings Associated with Firewalls
1. The firewall cannot protect against attacks that bypass it, such as a dial-in or dial-out capability.
2. A firewall at the network perimeter does not protect against internal threats.
3. The firewall cannot protect against the transfer of virus-laden files and programs.

Shortcomings Associated with Intrusion Detection Systems
1. Increases the complexity of security management of the network
2. High level of false positive and false negative alerts
3. Must know the signature or the anomaly detection pattern in advance

Definition of a Honeynet
- A network established behind a reverse firewall
- Captures all inbound and outbound traffic
- Any type of system can be placed in it
- The network is intended to be compromised
- All Honeynet traffic is suspicious, because no production service is offered there

Data Capture and Data Control
- Data Capture
   Collect all information entering and leaving the Honeynet covertly for future analysis
- Data Control
   Covertly protect other networks from being attacked and compromised by computers on the Honeynet

Generation I vs. Generation II
- GEN I Honeynet
   Simple methodology, limited capability
   Highly effective at detecting automated attacks
   Uses a reverse firewall for data control
   Can be fingerprinted by a skilled attacker (the firewall is a routing hop with its own addresses)
   Runs at OSI Layer 3
- GEN II Honeynet
   More complex to deploy and maintain
   Examines outbound data and decides whether to block, pass, or modify it
   Runs at OSI Layer 2 (a transparent bridge with no IP address of its own, so it is harder to fingerprint)

Georgia Tech Campus Network
- Students, 5000 staff, 69 departments, networked computers on campus
- Average data throughput 600 Mbps / 4 terabytes per day
- NO FIREWALL BETWEEN CAMPUS & INTERNET!
   Why? Requirement for academic freedom and high throughput
   However, individual enclaves within Georgia Tech use firewalls
- An IDS is run at the campus gateway
   Out-of-band monitoring and follow-on investigation

Establishment of the Honeynet on the Georgia Tech Campus
- Established in summer 2002
- Uses open source software
- Initially established as one Honeynet machine behind the firewall
- IP address range provided by the Georgia Tech Office of Information Technology (OIT)

Georgia Tech Honeynet

Hardware and Software
- No requirement for state-of-the-art equipment (surplus equipment)
- No production systems
- Minimum traffic
- Use open source software (Snort, Ethereal, MySQL database, ACID)
- Use the reverse firewall script developed by Honeynet.org

Intrusion Detection System Used with the Honeynet
- Snort
   Open source
   Signature-based, with an anomaly-based plug-in available
   Customized signatures can be written
- Run two separate Snort sessions
   One session to check traffic against the signature database
   One session to capture all inbound/outbound traffic (full packet capture, so an attack that matched no signature can still be reconstructed later)

Analysis Console for Intrusion Detection (ACID)

Logging and Review of Data
- Honeynet data is stored in two separate locations
   Alert data is stored in an SQL database
   Packet capture data is stored in a daily archive file
- Data analysis is a time-consuming process
- In our experience:
   One hour per day to analyze traffic
   One hour of attack traffic can result in up to one week of analysis

Ethereal Analysis Tool

Exploitations Detected on the Georgia Tech Honeynet
- 36 possibly exploited machines were detected at Georgia Tech in the previous 9 months (through June 2003)
- A report is made to OIT on each suspected compromise

Identification of a System with a Compromised Password
- A previously compromised Honeynet computer continued to operate as a warez server
- Another Georgia Tech computer connected to the warez server
- Investigation revealed that the password had been compromised on the second Georgia Tech computer

Detection of Worm-Type Exploits
- A GEN I Honeynet is well suited to detect worm-type exploits
   Repeated scans targeting specific ports
   Analyze captured data for the time lapses between scans
- Ability to deploy a specific operating system on the Honeynet, matching what the worm targets

Exploitation Pattern of a Typical Internet Worm
- Targets vulnerabilities on specific operating systems
- Localized scanning to propagate (Code Red II)
   3/8 of the time within the same /16 network
   1/2 of the time within the same /8 network
   1/8 of the time a random address
- Allows for quick infection within internal networks that have a high concentration of vulnerable hosts
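The two slides above describe both sides of the same phenomenon: the worm's localized target selection, and the honeynet heuristic that catches it (one port hit again and again, from many sources, with short lapses between hits). The following is an added example, not code from the course or from the Georgia Tech honeynet. It simulates Code Red II's 1/8, 1/2, 3/8 locality from infected hosts in a constructed 10.20.0.0/16 and checks which probes land in a constructed honeynet /24 in that same /16, then runs the repeated-scan/time-lapse heuristic over the hits. All addresses, rates and thresholds are assumptions chosen for the demonstration.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed addresses for the simulation (assumptions, not the Georgia Tech ranges).
INFECTED_SEED_HOST = ipaddress.IPv4Address("10.20.30.40")
HONEYNET = ipaddress.IPv4Network("10.20.99.0/24")   # same /16 as the infected hosts
TARGET_PORT = 80                                      # Code Red targets IIS on tcp/80


def code_red_ii_target(src, rng):
    """Pick a scan target with Code Red II's locality: 1/8 random address,
    1/2 within the source's /8, 3/8 within the source's /16."""
    a, b = str(src).split(".")[:2]
    r = rng.random()
    if r < 1 / 8:
        return ipaddress.IPv4Address(rng.getrandbits(32))
    if r < 1 / 8 + 1 / 2:
        return ipaddress.IPv4Address(f"{a}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}")
    return ipaddress.IPv4Address(f"{a}.{b}.{rng.randrange(256)}.{rng.randrange(256)}")


def locality_profile(src, probes, seed=0):
    """Fraction of probes landing in the same /16, elsewhere in the same /8, and elsewhere."""
    rng = random.Random(seed)
    net16 = ipaddress.IPv4Network(f"{src}/16", strict=False)
    net8 = ipaddress.IPv4Network(f"{src}/8", strict=False)
    same16 = same8 = other = 0
    for _ in range(probes):
        t = code_red_ii_target(src, rng)
        if t in net16:
            same16 += 1
        elif t in net8:
            same8 += 1
        else:
            other += 1
    return same16 / probes, same8 / probes, other / probes


def simulate_honeynet_hits(n_infected=200, probes_each=200, seed=1):
    """Infected hosts near INFECTED_SEED_HOST scan with worm locality; return only
    the probes that land inside the honeynet as (time_s, src, dst, dport) records."""
    rng = random.Random(seed)
    events = []
    t = 0.0
    for i in range(n_infected):
        src = ipaddress.IPv4Address(int(INFECTED_SEED_HOST) + 7 * i)  # constructed nearby hosts
        for _ in range(probes_each):
            t += rng.expovariate(500.0)        # ~500 probes/s aggregate (assumption)
            dst = code_red_ii_target(src, rng)
            if dst in HONEYNET:
                events.append((t, str(src), str(dst), TARGET_PORT))
    return events


# Constructed background noise: one host probing ssh once an hour (not worm-like).
BACKGROUND = [(3600.0 * k, "198.51.100.7", "10.20.99.5", 22) for k in range(3)]


def worm_like_ports(events, min_sources=5, max_median_gap_s=30.0):
    """Honeynet heuristic from the slides: a port hit repeatedly, from many distinct
    sources, with short lapses between hits, looks like worm propagation."""
    by_port = defaultdict(list)
    for t, src, _dst, dport in sorted(events):
        by_port[dport].append((t, src))
    verdicts = {}
    for dport, hits in by_port.items():
        times = [t for t, _ in hits]
        gaps = sorted(b - a for a, b in zip(times, times[1:]))
        median_gap = gaps[len(gaps) // 2] if gaps else float("inf")
        sources = {s for _, s in hits}
        verdicts[dport] = {
            "hits": len(hits),
            "sources": len(sources),
            "median_gap_s": median_gap,
            "worm_like": len(sources) >= min_sources and median_gap <= max_median_gap_s,
        }
    return verdicts


if __name__ == "__main__":
    print("locality (same /16, same /8, other):", locality_profile(INFECTED_SEED_HOST, 20000))
    for port, v in worm_like_ports(simulate_honeynet_hits() + BACKGROUND).items():
        print(port, v)
```

Two things fall out of running it. The locality profile is slightly above 3/8 for the same /16 because the "random" and "same /8" branches occasionally land there too; and a /24 honeynet in the worm's /16 receives roughly 3/8 of 1/256 of all probes, which is why even a small honeynet sees a burst on a single port within seconds of a local outbreak, while the once-an-hour ssh probe does not trip the heuristic.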

Georgia Tech Honeynet Gen II

Initial Observations of the Gen II Honeynet
- Configuration is more complex than Gen I
- Must use variants of the Linux 2.4 kernel in order to run the Sebek keystroke logger
- Data must continue to be monitored on a daily basis

Honeynet Portscan Activity
- Date public: 7/24/02; date of attack on the Honeynet: 1/25/03
- Date public: 7/16/03; date of attack on the Honeynet: 8/11/03
- Date public: 8/15/2003; date of attack on the Honeynet: 8/22/03

Conclusions on Honeynets
- A Honeynet assists in maintaining network security
- Provides a platform for research in information assurance and intrusion detection

IDS - Purpose
- Misuse detection
- Anomaly detection
- Conduct forensics
- Network traffic recording and analysis
- Intellectual property protection

IDS Strategies
- Signature-based (misuse detection)
   Pattern matching against known attack signatures
   Cannot detect new attacks
   Low false positive rate
- Anomaly-based (statistical)
   Activity monitoring against a learned baseline of normal behaviour
   Has the ability to detect new attacks
   Higher false positive rate
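To make the trade-off on this slide concrete, here is an added example (not from the course material) that runs both strategies over a constructed web-server access log. The signature detector looks for two well-known patterns; the anomaly detector flags any source whose requests per minute exceed mean + 3 standard deviations of a constructed benign baseline. The log contains an old known attack, a benign crawler burst, and a novel CGI scan for which no signature exists; all addresses, paths and counts are made up for the demonstration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access records (time, source IP, request path); not real traffic.
RECORDS = [
    ("12:00:01", "10.0.0.5", "/index.html"),
    ("12:00:03", "10.0.0.5", "/images/logo.gif"),
    ("12:00:10", "203.0.113.9", "/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),  # old, well-known attack
    ("12:01:00", "10.0.0.7", "/index.html"),
    ("12:01:05", "10.0.0.7", "/about.html"),
]
RECORDS += [(f"12:02:{s:02d}", "10.0.0.42", f"/docs/page{s}.html") for s in range(40)]           # benign crawler burst
RECORDS += [(f"12:03:{s:02d}", "198.51.100.20", f"/cgi-bin/tool{s}.cgi?cmd=id") for s in range(25)]  # novel CGI scan, no signature yet

LOG = "\n".join(f'{ip} - - [{t}] "GET {path} HTTP/1.0" 200' for t, ip, path in RECORDS)
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<time>[\d:]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)$')

# Misuse detection: patterns for attacks we already know about.
SIGNATURES = {
    "phf-cgi": re.compile(r"/cgi-bin/phf\b"),
    "passwd-read": re.compile(r"/etc/passwd"),
}

# Constructed benign baseline: requests per (source, minute) observed in a quiet training period.
BASELINE_COUNTS = [2, 1, 2, 3, 1, 2, 4, 2]


def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def signature_alerts(log):
    """Return {source: set(signature names)} for requests matching a known pattern."""
    alerts = {}
    for rec in parse(log):
        for name, pat in SIGNATURES.items():
            if pat.search(rec["path"]):
                alerts.setdefault(rec["ip"], set()).add(name)
    return alerts


def anomaly_alerts(log, baseline=BASELINE_COUNTS, k=3.0):
    """Flag any (source, minute) whose request count exceeds mean + k*stdev of the baseline."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter((rec["ip"], rec["time"][:5]) for rec in parse(log))
    return {ip: n for (ip, minute), n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("signature:", signature_alerts(LOG))   # only the old phf attack
    print("anomaly:  ", anomaly_alerts(LOG))     # the new scan, but also the crawler
```

The signature detector is exact but blind to 198.51.100.20, whose scan matches nothing in SIGNATURES; the anomaly detector catches that scan but also raises 10.0.0.42, the crawler, as a false positive. Lowering k reduces misses at the cost of more such alerts, which is the "higher false positive rate" on the slide.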

IDS Deployment
- Network-based
   Inspects network traffic
   Monitors user activity via packet data
- Host-based
   Inspects local network activity
   Uses OS audit functionality
   Monitors user activity (function calls)

Example IDS: Snort
Snort can run in three modes:
- Sniffer
- Packet logger
- IDS

Snort Rules
Example 1: "log tcp traffic from any port going to ports less than or equal to 6000"
   log tcp any any -> /24 :6000
Example 2: RPC alert call
   alert tcp any any -> / (rpc: , *,3; msg:RPC getport (TCP);)
See the Snort Users Manual for more information.
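The part of a Snort rule outside the parentheses is the rule header: action, protocol, source address and port, direction, destination address and port. As an added example (not Snort's own code and not from the course), the following Python parses that header syntax, including the ":6000" port-range form used in Example 1, and matches it against constructed packet descriptions. The destination network lost from the transcript is assumed to be 192.168.1.0/24 here, and the garbled rpc option from Example 2 is replaced by a plain msg option, since only header matching is modelled; payload options such as rpc or content are not.

```python
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)


def parse_addr(tok):
    """'any' matches everything; otherwise a single host or a CIDR block."""
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_ports(tok):
    """Snort port syntax: 'any', '111', ':6000' (<= 6000), '1024:' (>= 1024), '1024:2048'."""
    if tok == "any":
        return (0, 65535)
    if ":" in tok:
        lo, hi = tok.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(tok), int(tok))


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule header: {text!r}")
    g = m.groupdict()
    options = {}
    for opt in (g["opts"] or "").split(";"):          # options are "key:value;" pairs
        key, _, val = opt.strip().partition(":")
        if key:
            options[key.strip()] = val.strip().strip('"')
    return {
        "action": g["action"], "proto": g["proto"], "dir": g["dir"],
        "src": parse_addr(g["src"]), "sport": parse_ports(g["sport"]),
        "dst": parse_addr(g["dst"]), "dport": parse_ports(g["dport"]),
        "options": options,
    }


def _side_matches(net, ports, ip, port):
    return (net is None or ipaddress.ip_address(ip) in net) and ports[0] <= port <= ports[1]


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport. Header match only."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    forward = (_side_matches(rule["src"], rule["sport"], pkt["src"], pkt["sport"])
               and _side_matches(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"]))
    if forward or rule["dir"] == "->":
        return forward
    # '<>' is bidirectional: also try the packet the other way round
    return (_side_matches(rule["src"], rule["sport"], pkt["dst"], pkt["dport"])
            and _side_matches(rule["dst"], rule["dport"], pkt["src"], pkt["sport"]))


# The two slide rules; 192.168.1.0/24 is an assumed protected network.
RULES = [parse_rule(r) for r in (
    "log tcp any any -> 192.168.1.0/24 :6000",
    'alert tcp any any -> 192.168.1.0/24 111 (msg:"RPC getport (TCP)"; sid:1000001;)',
)]


def actions_for(pkt, rules=RULES):
    """Which rules fire for a packet, as (action, msg) pairs, in rule order."""
    return [(r["action"], r["options"].get("msg", "")) for r in rules if rule_matches(r, pkt)]


if __name__ == "__main__":
    # Constructed packets: an ssh connection and a portmapper query into the protected /24.
    print(actions_for(dict(proto="tcp", src="10.1.1.1", sport=40000, dst="192.168.1.10", dport=22)))
    print(actions_for(dict(proto="tcp", src="10.1.1.1", sport=40000, dst="192.168.1.10", dport=111)))
```

Note that a packet to port 111 fires both rules, because 111 is also "less than or equal to 6000"; rule order and later option checks decide what Snort actually does with it, which is why the log rule and the alert rule are kept separate on the slide.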

Defeating the IDS
- Encryption (the IDS cannot inspect encrypted payloads)
- Insertion/evasion attacks (defending against them requires complete reassembly of packets and knowledge of the end system's exception handling, i.e. how the target host treats ambiguous or malformed traffic)
- DoS attack against the IDS itself (exhaust its CPU, memory or bandwidth, or flood it with false positives)
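The insertion/evasion point deserves a worked illustration of why "complete reassembly" alone is not enough. As an added example (not from the course), the following simulates the classic Ptacek-Newsham insertion: the attacker splits "GET /etc/passwd" across TCP segments and sends an overlapping "chaff" segment whose TTL expires before it reaches the victim, so the on-path IDS sees a segment the host never gets. How the overlap is resolved ("first" bytes win or "last" bytes win) differs between operating systems; the two policies here are simplifications of that, and the segment layout, TTLs and hop count are constructed.

```python
SIGNATURE = b"/etc/passwd"

# Constructed attacker segments: (seq, payload, ttl). The chaff segment overlaps
# the real data and carries a TTL chosen to die before the victim host.
SEGMENTS = [
    (0,  b"GET /etc/p",     64),
    (10, b"XXXXX",           3),   # insertion: junk at offsets 10..14, expires after 3 hops
    (10, b"asswd",          64),   # the real bytes, arriving later
    (15, b" HTTP/1.0\r\n",  64),
]


def reassemble(segments, policy):
    """Rebuild the byte stream from segments that may overlap.
    policy 'first': bytes that arrived first are kept; 'last': later data overwrites.
    Real hosts differ per OS, which is exactly what the IDS would need to know."""
    stream = {}
    for seq, data, _ttl in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))  # holes as NUL (none here)


def ids_view(policy="first"):
    """The IDS is on-path and sees every segment, chaff included."""
    return reassemble(SEGMENTS, policy)


def host_view(policy="first", hops_to_host=5):
    """The victim only receives segments whose TTL survives the remaining hops."""
    delivered = [s for s in SEGMENTS if s[2] > hops_to_host]
    return reassemble(delivered, policy)


def signature_hit(stream):
    return SIGNATURE in stream


if __name__ == "__main__":
    print("IDS  (first):", ids_view("first"), signature_hit(ids_view("first")))
    print("host (first, 5 hops):", host_view("first", 5), signature_hit(host_view("first", 5)))
    print("IDS  (last): ", ids_view("last"), signature_hit(ids_view("last")))
    print("host (first, 1 hop): ", host_view("first", 1), signature_hit(host_view("first", 1)))
```

With a "first" policy the IDS reconstructs "GET /etc/pXXXXX HTTP/1.0" and misses the attack that the host, five hops away, actually receives. Switching the IDS to "last" catches this case, but then a host one hop away that does receive the chaff and keeps first-arrived bytes sees no attack while the IDS alerts. Without knowing each destination's distance and reassembly policy the IDS cannot be right for both, which is the "knowledge of end system exception handling" requirement on the slide.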

Signs of Intrusion
- Unaccountable disk utilization
- Unaccountable file system modification
- Unaccountable CPU utilization
- Network saturation
- Unknown process using sockets
- Abnormal network/system activity

Forensics After the Attack
- Obtain:
   Attacker(s) IP(s)
   Time of attack
   Victim IP, OS, and targeted service
   Attacker's activity
   Attacker's objective
   Damage assessment

Forensic Guidance
- Photograph the complete system
- Take detailed notes
- Identify and secure all compromised systems
- Preserve evidence (UNIX)
   who (who is logged on)
   ls (list of files)
   ps (list of processes)
   lsof (open file handles)
   find (recently modified files)

Forensic Guidance (continued)
- System operations can lie (rootkits), so the output of the compromised host's own tools cannot be trusted
- Retain a provable chain of custody for evidence
- Make a bit-image copy of the hard drive and verify it (compare cryptographic hashes of the original and the copy)
- Analyze the copy, not the original
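The last two points, verifying the bit image and keeping a provable chain of custody, are mechanical enough to show in code. The following is an added example, not from the course: it images a constructed "disk" file block by block, hashes the source while reading it, independently re-hashes both files and sizes, and records the result in a custody log where each entry commits to the hash of the previous entry, so that removing or editing an entry breaks every later link. File names, the examiner label and the block size are assumptions; on a real case the source would be read through a write blocker.

```python
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4096  # read/write granularity for the demo (assumption)


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_path, img_path, examiner):
    """Bit-copy src to img, hashing the source as it is read, then independently
    re-hash both files. The record is 'verified' only if all three digests and
    the sizes agree (a short read or a write error shows up here)."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)
            img.write(chunk)
    digest_during = h.hexdigest()
    digest_src, digest_img = _sha256_file(src_path), _sha256_file(img_path)
    size_src, size_img = os.path.getsize(src_path), os.path.getsize(img_path)
    return {
        "source": src_path, "image": img_path,
        "size": size_src, "image_size": size_img,
        "sha256": digest_src,
        "verified": digest_during == digest_src == digest_img and size_src == size_img,
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def image_still_intact(record):
    """Later check: has the image been altered since acquisition?"""
    return _sha256_file(record["image"]) == record["sha256"]


def append_custody(log_path, record):
    """Append a custody entry that commits to the hash of the previous entry."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = dict(record, prev=prev)
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def custody_chain_ok(log_path):
    """Walk the log and check every entry's prev hash against the line before it."""
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    prev = "0" * 64
    for line in lines:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True


def demo():
    """Constructed run in a temp dir: fake 'disk', acquisition, custody log, tamper checks."""
    d = tempfile.mkdtemp()
    disk, img, log = (os.path.join(d, n) for n in ("disk.raw", "disk.img", "custody.jsonl"))
    with open(disk, "wb") as f:
        f.write(bytes(range(256)) * 40 + b"\x00" * 123)   # constructed contents, not a real image
    rec = acquire(disk, img, examiner="analyst-1")
    append_custody(log, rec)
    append_custody(log, {"event": "image handed to lab", "sha256": rec["sha256"]})
    chain_ok = custody_chain_ok(log)
    intact_before = image_still_intact(rec)
    with open(img, "r+b") as f:      # simulate someone altering the copy
        f.seek(100)
        f.write(b"\xff")
    with open(log, "ab") as f:       # simulate an entry appended without the chain
        f.write(json.dumps({"event": "bogus", "prev": "f" * 64}).encode() + b"\n")
    return rec, intact_before, image_still_intact(rec), chain_ok, custody_chain_ok(log)


if __name__ == "__main__":
    print(demo())
```

The three independent digests are the point: hashing only while copying would not notice a copy that was written incorrectly, and hashing only the copy would not notice a source that was read short.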