Page 1: An Introduction to Honeynets and Intrusion Protection Systems James Kearney Oct. 25, 2004

24 September 2003

An Introduction to Honeynets and Intrusion Protection Systems

James Kearney
Oct. 25, 2004

Page 2

Outline

• What are honeypots/honeynets?

• Some basic implementation techniques

• What is an IPS/basic implementation

• General Comments

• Tie-in to research being done with Scott Miller

Page 3

Honeypots

• A machine deployed intentionally to be broken into.

• Deceptive by design

• Ideally provides information about penetration attempts against your network

Page 4

Honeypots - Design

• Developed by what is now known as The Honeynet Project

• Standardized design, based upon Linux (flexible in terms of distribution)

• Based upon a particular combination of components:

– Firewall

– IDS

– Extensive System Logging

Page 5

Honeypots - Implications

• Two classes of Honeypots

– Low-Interaction

• Simulated system; many commands/capabilities are impaired compared to a normal operating system.

– High-Interaction

• Full-blown system, running real services

– Relative risks?

Page 6

Honeynets

• Expand the concept of a simple honeypot to a complete network of honeypots

• Currently in their second generation (the topic of this presentation)

– First generation tools somewhat limited in potential

Page 7

Honeynets - Design

• Three major principles:

– Data Control

• Firewalls, IPSs, bridging, session/rate limiting

– Data Capture

• IDSs, Sebek (or Termlog)

– Data Analysis

• Honey Inspector, Sleuthkit, Sebek (web-interface), etc.

Page 8

Honeynets – Implications

• First-gen honeynets and rate-limiting outgoing connections

• Limited Lifetime

– How to restore

• Potential Dangers

Page 9

Intrusion Protection Systems

• Alter the contents of a malicious payload in real time

• Example implementation

– IPTables + Snort Inline

Page 10

Intrusion Protection Systems

• Use the QUEUE target in IPTables

• Snort Inline picks up the packets, using a modified ruleset (compared to common Snort implementations)

• Potentially makes changes to a given packet

– Modify contents to render harmless

– Drop packet entirely
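As an added illustration of slides 8 to 10 (not code from the presentation, snort_inline or iptables), the Python below models the data-control path in software: a cap on new outbound connections from a honeypot, followed by inline rule actions in the style of snort_inline, where a match either drops the packet or rewrites the payload in place with a same-length replacement so the connection stays valid. The addresses, rules and packets are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    payload: bytes
    syn: bool = False  # True for a new outbound connection attempt

@dataclass
class Rule:
    action: str           # "drop" or "replace" (snort_inline-style actions)
    content: bytes        # pattern that must appear in the payload
    replace: bytes = b""  # must be the same length as content for "replace"

@dataclass
class DataControl:
    honeypots: set          # addresses inside the honeynet
    rules: list
    max_outbound: int = 15  # first-generation style cap on outbound connections
    outbound: dict = field(default_factory=lambda: defaultdict(int))
    def inspect(self, pkt):
        """Return ('drop', None) or ('accept', pkt); pkt may be rewritten."""
        # Control 1: cap new outbound connections from a compromised honeypot
        if pkt.src in self.honeypots and pkt.syn:
            self.outbound[pkt.src] += 1
            if self.outbound[pkt.src] > self.max_outbound:
                return "drop", None
        # Control 2: inline rule actions on the payload
        for rule in (r for r in self.rules if r.content in pkt.payload):
            if rule.action == "drop":
                return "drop", None
            # Length is preserved so TCP sequence numbers stay consistent
            if len(rule.replace) != len(rule.content):
                raise ValueError("replacement must match content length")
            pkt.payload = pkt.payload.replace(rule.content, rule.replace)
        return "accept", pkt

RULES = [  # constructed rules for the example, not real Snort signatures
    Rule("drop", b"/bin/sh"),
    Rule("replace", b"GET /cmd.exe", b"GET /xxxxxxx"),
]
def demo():
    dc = DataControl({"10.0.0.5"}, RULES, max_outbound=2)
    dropped = dc.inspect(Packet("10.0.0.5", b"exec /bin/sh -i"))[0]
    rewritten = dc.inspect(Packet("10.0.0.5", b"GET /cmd.exe HTTP/1.0"))[1].payload
    for i in range(3):  # the third new connection exceeds the limit of two
        verdict, _ = dc.inspect(Packet("10.0.0.5", b"", syn=True))
    return dropped, rewritten, verdict
```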

Page 11

General Comments

• Ease of deployment

• Necessary time/space complexity of honeynets

• Bob's Theorem

Page 12

Work with Scott:

• Modified version of a honeynet

• More extensive (or completely new) uses of IPSs

• Employs many techniques based upon the research already done with honeynets

Page 13

Questions?

Page 14

References

• “Know Your Enemy”, Second Edition. The Honeynet Project. Addison-Wesley, 2004

• www.honeynet.org

• Security-Focus' Honeypot Mailing List ([email protected])

• www.snort-inline.sf.net

• www.rootsecure.net (variety of articles used)