Honeypots and Honeynets

Posted on 25-Jan-2016


Honeypots and Honeynets
Source: The Honeynet Project, http://www.honeynet.org/
Mehedi Masud
September 19, 2007, Lecture #12

Why Honeypots
A great deal of the security profession and the IT world depends on honeypots. Honeypots are used to:
◦ Build anti-virus signatures.
◦ Build spam signatures and filters.
◦ Help ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Collect and analyze malware.

What are Honeypots
• Honeypots are real or emulated vulnerable systems ready to be attacked.
• The primary value of honeypots is to collect information.
• This information is used to better identify, understand and protect against threats.
• Honeypots add little direct value to protecting your network.

Types of Honeypot
• Server: Put the honeypot on the Internet and let the bad guys come to you.
• Client: The honeypot initiates and interacts with servers.
• Other: Proxies.

Types of Honeypot
• Low-interaction
◦ Emulates services, applications, and OSs.
◦ Low risk and easy to deploy/maintain, but captures limited information.
• High-interaction
◦ Real services, applications, and OSs.
◦ Captures extensive information, but high risk and time intensive to maintain.
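To make the low-interaction trade-off concrete, here is an added example (not code from the lecture, the Honeynet Project, or any of the tools named above) of a hypothetical emulated login service. There is no real OS behind it: it shows a constructed banner, asks for credentials, records every attempt and always refuses, which is exactly why it is low risk and why the only thing it captures is the credentials tried and their timing.

```python
import time
from dataclasses import dataclass


@dataclass
class Event:
    ts: float
    kind: str      # "connect", "username", "password", "disconnect"
    detail: str


class FakeLoginService:
    """Low-interaction emulation of a telnet-style login prompt (hypothetical).

    Nothing real sits behind it: no shell, no filesystem. It presents a banner,
    prompts for credentials, logs each attempt and always refuses, so an
    attacker never gets past the prompt and we never see what they would do next.
    """

    BANNER = "Ubuntu 8.04 LTS\r\nlogin: "   # constructed banner, not a real host
    MAX_ATTEMPTS = 3

    def __init__(self, peer: str):
        self.peer = peer
        self.events: list[Event] = []
        self.attempts = 0
        self.closed = False
        self._pending_user = None
        self._log("connect", peer)

    def _log(self, kind: str, detail: str) -> None:
        self.events.append(Event(time.time(), kind, detail))

    def banner(self) -> str:
        return self.BANNER

    def feed(self, line: str) -> str:
        """Consume one client line and return the text to send back."""
        if self.closed:
            return ""
        line = line.rstrip("\r\n")
        if self._pending_user is None:
            self._pending_user = line
            self._log("username", line)
            return "Password: "
        # Second line of a pair is the password: record the attempt, refuse it.
        self._log("password", f"{self._pending_user}:{line}")
        self._pending_user = None
        self.attempts += 1
        if self.attempts >= self.MAX_ATTEMPTS:
            self.closed = True
            self._log("disconnect", "too many failed logins")
            return "Login incorrect\r\n"
        return "Login incorrect\r\nlogin: "

    def captured_credentials(self) -> list[str]:
        """All user:password pairs tried during this session."""
        return [e.detail for e in self.events if e.kind == "password"]


def run_session(peer: str, client_lines: list[str]) -> FakeLoginService:
    """Drive the emulation with a scripted client and print the transcript."""
    svc = FakeLoginService(peer)
    print(svc.banner(), end="")
    for line in client_lines:
        print(line)
        print(svc.feed(line), end="")
        if svc.closed:
            break
    return svc


if __name__ == "__main__":
    # Constructed client input: three guesses, after which the service hangs up.
    session = run_session("203.0.113.9",
                          ["root", "123456", "admin", "admin", "root", "toor"])
    print("\ncaptured:", session.captured_credentials())
```

Compare this with a high-interaction honeypot: a real system would let the login succeed and capture everything that followed, at the cost of the attacker having a real foothold that the honeynet's data-control layer then has to contain.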

Examples of Honeypots
(Figure: a spectrum from low interaction to high interaction: BackOfficer Friendly, KFSensor, Honeyd, Honeynets.)

Honeynets
• High-interaction honeypot designed to capture in-depth information.
• Information has different value to different organizations.
• It is an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.

How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis

Honeynet Architecture
(Figure: honeynet architecture diagram; no text survives.)

Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline).
• Bandwidth throttling.
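The "count outbound connections" control is the simplest of the three, and the one most worth seeing in code. The following is an added example, not the Honeywall's own firewall script: it models a honeywall that leaves inbound traffic untouched but gives each honeypot a per-protocol budget of outbound connections in a sliding one-hour window, dropping anything over budget. The honeypot addresses, the limits and the connection log are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int        # seconds since epoch (constructed)
    src: str
    dst: str
    proto: str     # "tcp", "udp", "icmp" or anything else
    dport: int


# Constructed honeynet: the addresses of the honeypots behind the honeywall.
HONEYPOTS = {"10.0.0.10", "10.0.0.11"}

# Outbound connection budget per honeypot and protocol in a sliding window.
# The numbers are constructed for this example, not a Honeywall default.
LIMITS = {"tcp": 5, "udp": 10, "icmp": 20, "other": 5}
WINDOW = 3600  # seconds


class OutboundLimiter:
    """Counts outbound connections per (honeypot, protocol) and drops the excess."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self._seen = defaultdict(deque)   # (src, proto) -> timestamps of allowed conns

    def decide(self, c: Conn) -> str:
        # Inbound traffic (an outsider reaching a honeypot) is never restricted,
        # as in the "No Restrictions" arrow of the diagram.
        if c.src not in HONEYPOTS:
            return "allow"
        q = self._seen[(c.src, c.proto)]
        # Forget allowed connections that have aged out of the window.
        while q and c.ts - q[0] >= self.window:
            q.popleft()
        limit = self.limits.get(c.proto, self.limits["other"])
        if len(q) >= limit:
            return "drop"
        q.append(c.ts)
        return "allow"


def run(conns):
    """Apply a fresh limiter to a time-ordered connection log."""
    limiter = OutboundLimiter()
    return [(limiter.decide(c), c) for c in conns]


def summarize(decisions):
    """Per (source, protocol) count of allowed and dropped connections."""
    out = defaultdict(lambda: {"allow": 0, "drop": 0})
    for verdict, c in decisions:
        out[(c.src, c.proto)][verdict] += 1
    return dict(out)


# Constructed connection log: one inbound SSH connection, a compromised honeypot
# opening eight IRC connections within eight minutes and one more an hour later,
# and a single outbound DNS lookup from the other honeypot.
SAMPLE = sorted(
    [Conn(1000, "203.0.113.5", "10.0.0.10", "tcp", 22)]
    + [Conn(1000 + 60 * i, "10.0.0.10", "198.51.100.7", "tcp", 6667) for i in range(8)]
    + [Conn(1000 + 3600, "10.0.0.10", "198.51.100.7", "tcp", 6667)]
    + [Conn(1200, "10.0.0.11", "192.0.2.53", "udp", 53)],
    key=lambda c: c.ts,
)

if __name__ == "__main__":
    for verdict, c in run(SAMPLE):
        print(f"{c.ts:6d} {verdict:5s} {c.src} -> {c.dst}:{c.dport}/{c.proto}")
    print(summarize(run(SAMPLE)))
```

The first five IRC connections get through, which is deliberate: blocking everything outbound would tell the intruder immediately that they are in a honeynet and would prevent the honeypot from showing what it was compromised for. The budget is what keeps the honeypot from becoming a useful launch point against third parties. The connections that do pass are where the IPS and bandwidth throttling from the slide apply.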

No Data Control
(Figure: the Internet connects directly to the honeypots, with no restrictions on traffic in either direction.)

Data Control
(Figure: the Internet reaches the honeypots through a Honeywall. Inbound: no restrictions. Outbound: connections limited, packets scrubbed.)

Data Capture
• Capture all activity at a variety of levels:
◦ Network activity.
◦ Application activity.
◦ System activity.

Sebek
• Hidden kernel module that captures all host activity.
• Dumps activity to the network.
• The attacker cannot sniff the Sebek traffic, which is identified by a magic number and destination port.
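The magic number and destination port are the only things that mark a Sebek datagram, on the honeypot (where the module hides matching packets from the local sniffer) and on the honeywall (where the collector picks them out of everything else). The following added example, not Sebek's own code, shows the collector side: it filters constructed UDP datagrams by port and magic and decodes the ones that match. The magic value and port are constructed, and the header layout is modelled on the Sebek v3 record format as I recall it, so treat the exact field order as an assumption rather than the project's specification.

```python
import struct
from dataclasses import dataclass

# Collector-side settings. In Sebek both values are chosen by the operator when
# the module is built; these two are constructed for the example.
SEBEK_MAGIC = 0xD0D0D0D0
SEBEK_DST_PORT = 1101

# Record header modelled on the Sebek v3 layout, network byte order: magic,
# version, type, counter, time_sec, time_usec, parent_pid, pid, uid, fd, inode,
# command (12 bytes), data length. The field order is an assumption from memory,
# not copied from the project's sources.
HEADER = struct.Struct("!IHHIIIIIIII12sI")
TYPE_NAMES = {0: "read", 1: "write", 2: "socket", 3: "open"}  # assumed mapping


@dataclass
class SebekRecord:
    version: int
    rtype: str
    counter: int
    time_sec: int
    parent_pid: int
    pid: int
    uid: int
    fd: int
    inode: int
    command: str
    data: bytes


def is_sebek(dst_port: int, payload: bytes) -> bool:
    """The only markers of a Sebek datagram: destination port and magic number."""
    if dst_port != SEBEK_DST_PORT or len(payload) < HEADER.size:
        return False
    return struct.unpack_from("!I", payload)[0] == SEBEK_MAGIC


def parse_record(payload: bytes) -> SebekRecord:
    (magic, ver, typ, counter, tsec, _tusec, ppid, pid, uid, fd, inode,
     com, length) = HEADER.unpack_from(payload)
    if magic != SEBEK_MAGIC:
        raise ValueError("bad magic")
    data = payload[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError("truncated record")
    command = com.split(b"\0", 1)[0].decode("ascii", "replace")
    return SebekRecord(ver, TYPE_NAMES.get(typ, f"type{typ}"), counter, tsec,
                       ppid, pid, uid, fd, inode, command, data)


def build_record(counter, pid, uid, fd, command: bytes, data: bytes,
                 rtype=0, ppid=1, inode=0, tsec=1190160000) -> bytes:
    """Constructed encoder, used only to fabricate sample datagrams."""
    return HEADER.pack(SEBEK_MAGIC, 3, rtype, counter, tsec, 0, ppid, pid, uid,
                       fd, inode, command.ljust(12, b"\0"), len(data)) + data


def collect(datagrams):
    """Split (dst_port, payload) pairs into parsed Sebek records and a count of
    datagrams that matched port and magic but did not decode."""
    records, malformed = [], 0
    for dst_port, payload in datagrams:
        if not is_sebek(dst_port, payload):
            continue
        try:
            records.append(parse_record(payload))
        except ValueError:
            malformed += 1
    return records, malformed


# Constructed traffic as the honeywall would see it: a keystroke record from a
# root shell, an ordinary DNS query, a datagram on the Sebek port with the wrong
# magic, and a Sebek record cut off mid-data.
good = build_record(7, pid=1234, uid=0, fd=0, command=b"bash", data=b"uname -a\n")
SAMPLE = [
    (SEBEK_DST_PORT, good),
    (53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 60),
    (SEBEK_DST_PORT, b"\x00\x00\x00\x00" + good[4:]),
    (SEBEK_DST_PORT, good[:-3]),
]

if __name__ == "__main__":
    recs, bad = collect(SAMPLE)
    for r in recs:
        print(f"pid={r.pid} uid={r.uid} fd={r.fd} {r.command} {r.rtype}: {r.data!r}")
    print("malformed:", bad)
```

Because the keystrokes are captured at the kernel's read() path and exported as their own datagrams, they reach the honeywall even when the attacker's session is encrypted on the wire. That is the whole reason for a host-level capture layer alongside the network capture.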

Sebek Architecture
(Figure: Sebek architecture diagram; no text survives.)

Honeywall CDROM
• An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
• May 2003: released Eeyore.
• May 2005: released Roo.

Roo Honeywall CDROM
• Based on Fedora Core 3.
• Vastly improved hardware and international support.
• Automated, headless installation.
• New Walleye interface for web-based administration and data analysis.
• Automated system updating.

Installation
• Just insert the CDROM and boot; it installs to the local hard drive.
• After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
• Following installation, you get a command prompt and the system is ready to configure.

Further Information
http://www.honeynet.org/
http://www.honeynet.org/book
