24 September 2003
An Introduction to Honeynets and Intrusion Protection Systems
James Kearney
Oct. 25, 2004
Outline
• What are honeypots/honeynets?
• Some basic implementation techniques
• What is an IPS/basic implementation
• General Comments
• Tie-in to research being done with Scott Miller
Honeypots
• A machine deployed intentionally to be broken into.
• Deceptive by design
• Ideally provides information about penetration attempts against your network
Honeypots - Design
• Developed by what is now known as The Honeynet Project
• Standardized design, based upon Linux (flexible in terms of distribution)
• Based upon a particular combination of components:
– Firewall
– IDS
– Extensive System Logging
Honeypots - Implications
• Two classes of Honeypots
– Low-Interaction
• Simulated system; many commands/capabilities are impaired compared to a normal operating system.
– High-Interaction
• Full-blown system, running real services
– Relative risks?
Honeynets
• Expand the concept of a simple honeypot to a complete network of honeypots
• Currently in their second generation (the topic of this presentation)
– First generation tools somewhat limited in potential
Honeynets - Design
• Three major principles:
– Data Control
• Firewalls, IPSs, bridging, session/rate limiting
– Data Capture
• IDSs, Sebek (or Termlog)
– Data Analysis
• Honey Inspector, Sleuthkit, Sebek (web interface), etc.
Honeynets – Implications
• First-gen honeynets and rate-limiting outgoing connections
• Limited Lifetime
– How to restore
• Potential Dangers
Intrusion Protection Systems
• Affect in real-time the contents of a malicious payload
• Example implementation
– IPTables + Snort Inline
Intrusion Protection Systems
• Use the QUEUE target in IPTables
• Snort Inline picks up the packets, using a modified ruleset (compared to common Snort implementations)
• Potentially makes changes to a given packet
– Modify contents to render harmless
– Drop packet entirely
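The data-control path from the two IPS slides (and the rate-limiting of outbound connections mentioned under the honeynet slides), as an added example that is not part of the presentation or of the iptables/snort_inline projects: the functions only emit rule text for review, never apply it. HONEYNET_NET, OUT_LIMIT, the rule SIDs and the payload strings are constructed placeholder values; the check function assumes plain (non-hex) content strings.

```shell
# Added example, not from the slides: emits the data-control pieces for a
# bridging honeynet gateway (iptables rules that rate-limit outbound
# connections and hand forwarded traffic to the QUEUE target, plus a small
# snort_inline ruleset using "drop" and "replace"). Nothing is applied here;
# the functions only print text so it can be reviewed before loading.
# HONEYNET_NET and OUT_LIMIT are constructed placeholder values.

HONEYNET_NET="10.0.0.0/24"   # constructed: address range of the honeypots
OUT_LIMIT="15/day"           # constructed: outbound NEW-connection budget

# iptables rules for the gateway. Inbound traffic to the honeypots is queued
# unconditionally (attackers must be able to get in); outbound NEW connections
# are counted against the limit and dropped once it is exhausted; everything
# that passes goes to userspace, where snort_inline decides drop/modify/accept.
gen_iptables_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -d $HONEYNET_NET -j QUEUE
iptables -A FORWARD -s $HONEYNET_NET -m state --state NEW -m limit --limit $OUT_LIMIT -j QUEUE
iptables -A FORWARD -s $HONEYNET_NET -m state --state NEW -j DROP
iptables -A FORWARD -s $HONEYNET_NET -m state --state ESTABLISHED,RELATED -j QUEUE
EOF
}

# snort_inline rules: "drop" discards the packet; "replace" rewrites the matched
# bytes in place (the /bin/sh -> /ben/sh substitution) so the session continues
# but the payload no longer does what was intended. SIDs are constructed.
gen_snort_inline_rules() {
    cat <<'EOF'
drop tcp any any -> any any (msg:"inbound NOP sled dropped"; content:"|90 90 90 90 90 90 90 90|"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"outbound shell string neutralised"; content:"/bin/sh"; replace:"/ben/sh"; sid:1000002; rev:1;)
EOF
}

# snort_inline requires a replace: string to be exactly as long as the content:
# it overwrites, otherwise the rule is rejected at load time. This pre-check
# catches that for plain (non-hex) content strings. Returns 1 on a mismatch.
check_replace_lengths() {
    while IFS= read -r rule; do
        case "$rule" in *replace:*) ;; *) continue ;; esac
        c=$(printf '%s\n' "$rule" | sed -n 's/.*content:"\([^"]*\)".*/\1/p')
        r=$(printf '%s\n' "$rule" | sed -n 's/.*replace:"\([^"]*\)".*/\1/p')
        [ "${#c}" -eq "${#r}" ] || return 1
    done < "$1"
    return 0
}
```

Run `gen_snort_inline_rules > honeynet.rules && check_replace_lengths honeynet.rules` before loading the file, and `gen_iptables_rules` to review the gateway rules.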
General Comments
• Ease of deployment
• Necessary time/space complexity of honeynets
• Bob's Theorem
Work with Scott:
• Modified version of a honeynet
• More extensive (or completely new) uses of IPS'
• Employs many techniques based upon the research already done with honeynets
Questions?
References
• “Know Your Enemy”, Second Edition. The Honeynet Project. Addison-Wesley, 2004
• www.honeynet.org
• SecurityFocus Honeypot Mailing List ([email protected])
• www.snort-inline.sf.net
• www.rootsecure.net (variety of articles used)