An Introduction to Honeynets and Intrusion Protection Systems
James Kearney
Oct. 25, 2004
24 September 2003
Outline
• What are honeypots/honeynets?
• Some basic implementation techniques
• What is an IPS/basic implementation
• General Comments
• Tie-in to research being done with Scott Miller
Honeypots
• A machine deployed intentionally to be broken into
• Deceptive by design
• Ideally provides information about penetration attempts against your network
Honeypots - Design
• Developed by what is now known as The Honeynet Project
• Standardized design, based upon Linux (flexible in terms of distribution)
• Based upon a particular combination of components:
– Firewall
– IDS
– Extensive System Logging
Honeypots - Implications
• Two classes of Honeypots
– Low-Interaction
• Simulated system; many commands/capabilities are impaired compared to a normal operating system.
– High-Interaction
• Full-blown system, running real services
– Relative risks?
Honeynets
• Expand the concept of a simple honeypot to a complete network of honeypots
• Currently in their second generation (the topic of this presentation)
– First generation tools somewhat limited in potential
Honeynets - Design
• Three major principles:
– Data Control
• Firewalls, IPS', bridging, session/rate limiting
– Data Capture
• IDS', Sebek (or Termlog)
– Data Analysis
• Honey Inspector, Sleuthkit, Sebek (web-interface), etc...
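The Data Control principle above is usually realised as a cap on the number of outbound connections a honeypot may open per time window, so a compromised honeypot cannot be turned against third parties. The following is an added example, not code from the presentation or from the Honeynet Project, that models that policy as a sliding-window limiter; the limit, the window and the connection events are all constructed for illustration.

```python
"""Added example: data-control simulation for a honeynet's outbound traffic.

Not code from the presentation or the Honeynet Project. It models the
connection-limiting policy the slides mention: a honeypot may open only a
small number of outbound connections per time window, and further attempts
are dropped and logged. All events below are constructed sample data.
"""
from collections import defaultdict, deque

# Policy assumed for the example: at most MAX_OUTBOUND new outbound
# connections per honeypot per WINDOW_SECONDS.
MAX_OUTBOUND = 3
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Sliding-window limiter keyed by honeypot source address."""

    def __init__(self, limit=MAX_OUTBOUND, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        # src address -> timestamps of connections allowed inside the window
        self._allowed = defaultdict(deque)
        self.log = []

    def check(self, ts, src, dst, dport):
        """Return 'ALLOW' or 'DROP' for a new outbound connection attempt."""
        q = self._allowed[src]
        # Expire allowed connections that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(ts)
            verdict = "ALLOW"
        else:
            verdict = "DROP"
        self.log.append(f"{ts} {verdict} {src} -> {dst}:{dport}")
        return verdict


# Constructed sample events: (timestamp, honeypot src, dst, dport).
# The honeypot at 10.0.0.5 is assumed compromised at t=100 and starts
# opening outbound connections to other hosts.
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "192.0.2.10", 22),
    (101, "10.0.0.5", "192.0.2.11", 22),
    (102, "10.0.0.5", "192.0.2.12", 22),
    (103, "10.0.0.5", "192.0.2.13", 22),    # 4th in window: dropped
    (104, "10.0.0.5", "192.0.2.14", 22),    # dropped
    (200, "10.0.0.6", "198.51.100.7", 80),  # other honeypot, own budget
    (3701, "10.0.0.5", "192.0.2.15", 22),   # first allowed entry expired
]


def run_sample(events=SAMPLE_EVENTS):
    """Apply the limiter to the sample events; return verdicts and the log."""
    limiter = OutboundLimiter()
    verdicts = [limiter.check(*event) for event in events]
    return verdicts, limiter.log


if __name__ == "__main__":
    _, log = run_sample()
    print("\n".join(log))
```

The log entries are the point for the honeynet operator: every dropped attempt is evidence that the honeypot has been taken over and is trying to reach out, which is exactly the data the honeynet exists to collect.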
Honeynets – Implications
• First-gen honeynets and rate-limiting outgoing connections
• Limited Lifetime
– How to restore
• Potential Dangers
Intrusion Protection Systems
• Affect in real-time the contents of a malicious payload
• Example implementation
– IPTables + Snort Inline
Intrusion Protection Systems
• Use the QUEUE target in IPTables
• Snort Inline picks up the packets, using a modified ruleset (compared to common Snort implementations)
• Potentially makes changes to a given packet
– Modify contents to render harmless
– Drop packet entirely
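The two outcomes on this slide, rewrite the payload or drop the packet, are what an inline engine decides for each packet handed to it from the firewall queue. The following is an added example, not code from the presentation or from Snort Inline, that models that decision: rules, payloads and the marker strings are constructed for illustration, and the in-place rewrite is constrained to equal length so the packet size, and with it the TCP stream accounting, is unchanged.

```python
"""Added example: an inline-inspection model of what an IPS does with a
packet pulled off the firewall queue. Not code from the presentation or from
Snort Inline; the rules, payloads and marker strings are constructed for
illustration. Each rule matches a byte pattern in the payload and either
drops the packet or overwrites the matched bytes in place.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: bytes
    action: str               # "drop" or "replace"
    replacement: bytes = b""  # same length as pattern when action == "replace"

    def __post_init__(self):
        if self.action not in ("drop", "replace"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "replace" and len(self.replacement) != len(self.pattern):
            # Rewriting in place must not change the packet length; otherwise
            # the TCP sequence numbers of the rest of the stream no longer line up.
            raise ValueError("replacement must match pattern length")


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed rules (not real signatures): one neutralises a marker string by
# overwriting it with filler of equal length, the other drops any packet
# carrying a second marker.
RULES = [
    Rule("neutralise-marker", b"EVIL", "replace", b"XXXX"),
    Rule("drop-marker", b"DROPME", "drop"),
]


def inspect(pkt, rules=RULES):
    """Run the rules over one packet.

    Returns (verdict, packet_or_None, matched_rule_names). A 'drop' rule ends
    inspection immediately; 'replace' rules are applied in order and the
    rewritten packet is what would be re-injected if it is accepted.
    """
    payload = pkt.payload
    matched = []
    for rule in rules:
        if rule.pattern not in payload:
            continue
        matched.append(rule.name)
        if rule.action == "drop":
            return "DROP", None, matched
        payload = payload.replace(rule.pattern, rule.replacement)
    return "ACCEPT", Packet(pkt.src, pkt.dst, pkt.dport, payload), matched


# Constructed sample packets, as they might be dequeued by the engine.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "198.51.100.7", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "198.51.100.7", 80, b"GET /EVIL.cgi HTTP/1.0\r\n"),
    Packet("10.0.0.5", "198.51.100.7", 80, b"POST /x DROPME EVIL\r\n"),
]


def run_sample(packets=SAMPLE_PACKETS, rules=RULES):
    """Inspect every sample packet; return the list of verdict tuples."""
    return [inspect(p, rules) for p in packets]


if __name__ == "__main__":
    for verdict, pkt, names in run_sample():
        print(verdict, names, pkt.payload if pkt else None)
```

Note that rule order matters in this model: the third sample packet is first rewritten and then dropped, and the matched-rule list records both, which is what an operator would want to see in the alert log.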
General Comments
• Ease of deployment
• Necessary time/space complexity of honeynets
• Bob's Theorem
Work with Scott:
• Modified version of a honeynet
• More extensive (or completely new) uses of IPS'
• Employs many techniques based upon the research already done with honeynets
Questions?
References
• “Know Your Enemy”, Second Edition. The Honeynet Project. Addison-Wesley, 2004
• www.honeynet.org
• Security-Focus' Honeypot Mailing List ([email protected])
• www.snort-inline.sf.net
• www.rootsecure.net (variety of articles used)