Network Security Administrator Module IX: Bastion Host and Honeypots

Post on 30-Nov-2015


Page 1: Module 09 - Bastion Host and Honeypots

Network Security Administrator

Module IX:

Bastion Host and Honeypots

Page 2: Module 09 - Bastion Host and Honeypots

EC-Council Copyright © by EC-Council

All Rights reserved. Reproduction is strictly prohibited

Module Objectives

Introduction to Bastion host

Principles of Bastion hosts

Requirements to set up Bastion host

History of Honeypots

Introduction to Honeypots

Classification of Honeypots by interaction

Introduction and Types of Homemade Honeypots

High-interaction Commercial Honeypot: Mantrap

High-interaction Productive Honeypot: Honeynet

Deployment of Honeynet

Legal issues related to Honeypots

Page 3: Module 09 - Bastion Host and Honeypots

Module Flow

Bastion host

Principles of Bastion hosts

Requirements to set up Bastion host

Honeypots

Classification of Honeypots

Homemade Honeypots

Mantrap

Honeynet

Deployment of Honeypot

Legal issues related to Honeypots

Page 4: Module 09 - Bastion Host and Honeypots

Bastion Host - Introduction

Acts as a gateway between the organizational intranet and the outside network

Has an interface on the Internet, deliberately exposed to attacks and probing

Designed and configured to provide a limited range of services in order to attain security

Used for:

• Packet filtering

• Proxy services

Page 5: Module 09 - Bastion Host and Honeypots

Kinds of Bastion Hosts

Page 6: Module 09 - Bastion Host and Honeypots

Need for a Bastion Host

Minimizes the chance of penetration by intruders and attackers

Avoids exposing customer data transferred through public FTP servers

Page 7: Module 09 - Bastion Host and Honeypots

Basic Principles for Building a Bastion Host

Provide minimum services with least rights

Be prepared for the bastion host to be compromised

Locate the bastion host between the internal servers and the outside network

Administrators should be alerted to attackers' attempts

If the bastion host fails or is compromised, internal servers must verify the services it provided rather than trusting them

Page 8: Module 09 - Bastion Host and Honeypots

General Requirements to Setup a Bastion Host

General requirements

• Unwanted services must be removed

• Security audit is run to establish a baseline

Hardware requirements

• Connected to the network

• Uninterrupted power supply

• Appropriate configuration of system and peripherals available

• Sufficient amount of memory and disk space

• Removable boot disk for maintenance
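As an added example (not from the EC-Council module), the audit-baseline idea in the requirements above: parse `ss -ltnp`-style output, compare the listening sockets against an approved baseline, and report anything the bastion host should not be serving. The sample `ss` output, the `BASELINE` set and the function names are constructed for illustration.

```python
"""Compare a bastion host's listening sockets against an approved baseline."""
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=1422,fd=5))
LISTEN  0       511     [::]:80              [::]:*             users:(("nginx",pid=901,fd=6))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=455,fd=7))
"""

# Approved baseline for this bastion host (constructed): only SSH and the
# reverse proxy may listen. Recorded when the initial security audit was run.
BASELINE = {(22, "sshd"), (80, "nginx")}

_PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:((...))


def parse_listeners(ss_output):
    """Return a set of (port, process) for every LISTEN line."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue  # header or non-listening line
        local = fields[3]  # e.g. "0.0.0.0:22" or "[::]:80"
        port = int(local.rsplit(":", 1)[1])
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.add((port, process))
    return listeners


def unexpected_listeners(ss_output, baseline=BASELINE):
    """Listening sockets not in the baseline: unwanted services to remove."""
    return parse_listeners(ss_output) - set(baseline)


def missing_listeners(ss_output, baseline=BASELINE):
    """Baseline services no longer listening: the bastion may have failed."""
    return set(baseline) - parse_listeners(ss_output)


if __name__ == "__main__":
    for port, proc in sorted(unexpected_listeners(SAMPLE_SS_OUTPUT)):
        print(f"UNEXPECTED listener: port {port} ({proc})")
    for port, proc in sorted(missing_listeners(SAMPLE_SS_OUTPUT)):
        print(f"MISSING baseline service: port {port} ({proc})")
```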

Page 9: Module 09 - Bastion Host and Honeypots

Selecting the OS for the Bastion Host

Bastion hosts support various operating systems

UNIX

• Advantages:

– Provides a variety of tools to create bastion hosts

– Popular for Internet services and provides software for audit and development

• Disadvantages:

– Highly time consuming

– Frequent updating is required

Windows

• Advantages:

– Consistent and widely used as servers

• Disadvantage:

– Complex to implement

Page 10: Module 09 - Bastion Host and Honeypots

Positioning the Bastion host

The bastion host acts as a check-in gate for outsiders

The major considerations for positioning are:

• Physical location

– Appropriate environmental controls with the required physical security

– Must be set up in a locked server cabinet with proper ventilation, cooling and backup power

• Network location

– Set on a special network, also known as the Demilitarized Zone (DMZ), that does not carry sensitive data

– Avoid putting the bastion host on internal networks

– Locate the bastion host on an additional layer known as the perimeter network

– Attach a packet filtering router

Page 11: Module 09 - Bastion Host and Honeypots

History of Honeypots

1990/1991:

• “The Cuckoo’s Egg”, a book by Clifford Stoll, and “An Evening with Berferd” by Bill Cheswick highlighted the concept

1997:

• The first version of a honeypot solution was released in the Deception Toolkit by Fred Cohen

1998:

• CyberCop Sting became the first commercial honeypot, developed by Alfred Huger

2000/2001:

• Honeypots were used to capture and study worm activity

2002:

• Honeypots were used to detect new and unknown attacks, such as the Solaris dtspcd attack

Page 12: Module 09 - Bastion Host and Honeypots

Introduction to Honeypots

The Deception Tool Kit (DTK) was the first honeypot solution, built by Fred Cohen

According to Lance Spitzner, “A honeypot is a security resource whose value lies in being compromised.”

Not restricted to a single goal

• Functionality includes security mechanisms such as IDS and antivirus

Prevents, detects and responds to attacks, depending on the interaction level

Page 13: Module 09 - Bastion Host and Honeypots

Advantages and Disadvantages of Honeypots

Advantages:

• Collects a small amount of data, but of high value

• Reduces false positives

• Catches new attacks, reducing false negatives

• Simple concept requiring minimal resources

Disadvantages:

• Limited field of view (microscope)

• Fingerprinting

• Risk (mainly high-interaction honeypots)

Page 14: Module 09 - Bastion Host and Honeypots

How to Select a Honeypot?

Interaction Level

• The risk factor increases as the interaction level increases

Commercial vs Homemade

• Commercial honeypots provide efficient functionality

• Homemade honeypots provide a customized solution

Platform

• Determines the performance and effectiveness of the honeypot

Page 15: Module 09 - Bastion Host and Honeypots

Production Honeypots

Used to maintain the security of the system

Its role in maintaining security is categorized into three:

• Prevention

• Detection

• Response

Page 16: Module 09 - Bastion Host and Honeypots

Research Honeypots

Value is in providing attack information

Advantages of Research Honeypot:

• Captures automated attacks from worms and auto-rooters

• Alerts on potential threats

• Captures and detects unknown tools and techniques

• Provides information of tools used, attack methods, and motives of the attacker

Page 17: Module 09 - Bastion Host and Honeypots

Classification by Interaction

The level of interaction helps in:

• Calculating and measuring the extent of the threat

• Gathering information about the threat

Honeypots are classified into three types based on interaction:

Low-Interaction Honeypots

Medium-Interaction Honeypots

High-Interaction Honeypots

Page 18: Module 09 - Bastion Host and Honeypots

Low-Interaction Honeypots

Basic function is to detect unauthorized attacks and system scans

Easy to build, configure and deploy

Basic details of an attack that can be captured:

• Time and date

• Source and destination IPs and ports

Only known attacks can be detected

Page 19: Module 09 - Bastion Host and Honeypots

Medium-Interaction Honeypots

Provides a virtual environment to mislead the attacker

Captures payloads delivered by worms

Takes time to build, install and configure

Enhanced functionality increases complexity and risk

Provides details such as the intruders' IRC chat

Page 20: Module 09 - Bastion Host and Honeypots

High-Interaction Honeypots

Provides in-depth attack information such as keystrokes and conversations

Allows the attacker to access a real operating system and compromise it

Placed behind a firewall to contain attacks

Complex functionality requires more time to build, deploy and configure

Prevents compromised systems from attacking other services

Page 21: Module 09 - Bastion Host and Honeypots

Homemade Honeypots

Created using familiar tools with flexibility to add desired functionality

Designed to meet specific security concerns

Types of homemade honeypots:

• Port monitoring

• Caged (jailed) environment

Page 22: Module 09 - Bastion Host and Honeypots

Homemade Honeypots: Port-Monitoring Honeypots

Creates an open socket that listens on the port and identifies, captures and logs connection attempts

Value lies in detection, capture and research

Logs of attack information are used to research and learn about intruder activities

Limits the attacker to a few functionalities

Running it in an insecure environment can lead to the system being compromised
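The port-monitoring honeypot just described, as an added example that is not part of the EC-Council module: a socket that listens, accepts a connection, records the basic details a low-interaction honeypot captures (time and date, source and destination IP and port, the first bytes of the probe) and closes without replying. The `demo()` run on loopback with a constructed HTTP-style probe, and all function names, are assumptions for illustration.

```python
"""Port-monitoring honeypot: listen, accept, record the probe, never serve it."""
import socket
import threading
from datetime import datetime, timezone


def build_record(src, dst, first_bytes, when=None):
    """Time/date, source and destination IP/port, first bytes (hex, never interpreted)."""
    when = when or datetime.now(timezone.utc)
    preview = first_bytes[:64].decode("ascii", "replace")
    return {
        "time": when.isoformat(timespec="seconds"),
        "src_ip": src[0], "src_port": src[1],
        "dst_ip": dst[0], "dst_port": dst[1],
        "first_bytes_hex": first_bytes[:64].hex(),
        "preview": "".join(c if c.isprintable() else "." for c in preview),
    }


def handle_connection(conn, max_bytes=64, timeout=2.0):
    """Record one accepted connection, then close it without ever replying."""
    src, dst = conn.getpeername()[:2], conn.getsockname()[:2]
    conn.settimeout(timeout)
    try:
        first = conn.recv(max_bytes)
    except OSError:  # timeout or reset: a bare connect such as a port scan
        first = b""
    finally:
        conn.close()
    return build_record(src, dst, first)


def serve(listener, count, records):
    """Accept `count` connections on a bound, listening socket; append records."""
    for _ in range(count):
        conn, _ = listener.accept()
        records.append(handle_connection(conn))  # a deployment would ship this to a log server


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Self-test on loopback with a constructed probe; returns the record."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port; nothing real listens here
    listener.listen(1)
    records = []
    worker = threading.Thread(target=serve, args=(listener, 1, records))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(payload)
    worker.join()
    listener.close()
    return records[0]
```

The record stores the probe as hex rather than executing or parsing it, which is what keeps this a low-interaction honeypot: nothing an attacker sends is ever acted on.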

Page 23: Module 09 - Bastion Host and Honeypots

Homemade Honeypots: Jailed Environment

Medium-interaction honeypots

Services are placed inside jails, which confine attacks to that jail

Allows the intruder to attack, but not to compromise the services

Used as research and production honeypots

Collects data using logs and utilities

Services in jails are exposed to threats

Page 24: Module 09 - Bastion Host and Honeypots

ManTrap

High-interaction commercial honeypot that provides the intruder with the functionality of a real operating system

Value is in prevention, detection, response and research

Detects attacks on ports on which it is not listening, using a passive sniffer

Captures details of the attack at the network level

Restricted to use on the Solaris platform

Page 25: Module 09 - Bastion Host and Honeypots

Honeypots

Commercial and open source honeypots available on the Internet

Commercial Honeypots

• KFSensor

• NetBait

• ManTrap

• Specter

Open Source Honeypots

• Jackpot

• BackOfficer Friendly

• Bait-n-Switch

• Bigeye

• HoneyWeb

• Deception Toolkit

• LaBrea Tarpit

• Honeyd

• Honeynets

• Tiny Honeypot

Page 26: Module 09 - Bastion Host and Honeypots

Honeypot - The Deception ToolKit

A generic interface that listens on ports and processes incoming requests

Sends sensible responses to deceive

Maintains log files and checks input to the system

Page 27: Module 09 - Bastion Host and Honeypots

Honeypot - Jackpot

SMTP relay honeypot developed in Java

Accepts incoming Internet mail messages and relays selected messages

Stores captured spam data as a collection of web pages

Executes proxy tests on hosts that connect to TCP port 25

Supports a tarpit facility

[Figure: Jackpot mail flow, incoming and outgoing]

Page 28: Module 09 - Bastion Host and Honeypots

Honeynet

High-interaction productive honeypots

Placed behind firewalls to prevent them from attacking other systems

Value is in research, as they provide in-depth details of intruder activities

Detects unique traffic

Identifies attack strategy and undiscovered tools

Page 29: Module 09 - Bastion Host and Honeypots

Working of Honeynet

A network of highly controlled systems within which the services and systems are placed

Architecture is built to:

• Control data:

– Minimizes risk of compromise

• Capture data:

– To identify attack strategy

• Collect data:

– To correlate attack details from various networks

Page 30: Module 09 - Bastion Host and Honeypots

The Honeynet Project

Voluntary organization of security professionals without any motive for earning profits

Fully dedicated to helping on security-related features

The Honeynet Project has the following four phases:

• Phase I

• Phase II

• Phase III

• Phase IV

Page 31: Module 09 - Bastion Host and Honeypots

The Honeynet Project

Page 32: Module 09 - Bastion Host and Honeypots

Where to Place a Honeypot?

Placed where there is maximum risk

Deployment in risk areas such as the DMZ increases its value

Placement for Detection:

• Behind the security perimeter

Placement for Response:

• Within the security perimeter

Placement for Research:

• Behind the firewall

Page 33: Module 09 - Bastion Host and Honeypots

Legal Issues Related to Honeypots

U.S. law makes no direct mention of the security issues of honeypots, but relevant statutes exist at the federal level

Issues:

• Privacy:

– Ensure that privacy is not violated

• Entrapment:

– Inducing a person to commit a crime so that they can be caught

• Liability:

– Actual responsibility of the honeypot in discovering threats

Page 34: Module 09 - Bastion Host and Honeypots

Summary

A bastion host acts as a gateway between the organizational intranet and the outside network

Honeypots are classified into three types based on interaction

A honeypot is a security resource whose value lies in being compromised

ManTrap is a high-interaction commercial honeypot that provides the intruder with the functionality of a real operating system

Jackpot is an SMTP relay honeypot developed in Java

Honeynets are high-interaction productive honeypots

The Honeynet Project is a voluntary organization of security professionals without any motive for earning profits