www.homepages.dsu.edu

HoneyD (Part 2)
Small Business NIDS
This presentation demonstrates the ability for small businesses to emulate virtual operating systems and conduct intrusion detection of incoming network traffic. Most small businesses look at cost as a primary factor when implementing a computer network.

This factor influenced our decision to look for a turn-key solution that was open source and freely available to use with little or no cost to the user.
Why Snort & HoneyD?
Honey this, Honey that!
HoneyD functions
Known Issues
Snort + HoneyD = Low Cost NIDS solution
• Empowers small businesses to secure network assets and resources at very low cost.
• Simple to set up and operate.
• Several application configurations are available and customizable according to user requirements.
HoneyD defined:
1. Open Source software framework (It’s free!).
2. Derived from the Honeynet project in 1999.
3. Originally developed by Dr. Neil Provos.
4. Large community of support.
5. Emulates various virtual Operating Systems (OS) called virtual Honeypots.
www.honeyd.org/phpBB2/
www.linuxforums.org/forum/linux-security
www.backtrack-linux.org/forums/
Let’s clarify all this honey terminology.

Honeypot:
A security resource whose value lies in being probed, attacked, or compromised.

High-Interaction Honeypot:
Uses a real OS or service, such as a File Transfer Protocol or Web server.

Low-Interaction Honeypot:
Emulates an OS or service.

HoneyFarm:
Centralized architecture of Honeypots and analysis tools.

Honeynet:
One or more High-interaction Honeypots.

HoneyD:
One or more Low-interaction Honeypots.

[Diagram: HONEYFARM containing HONEYD (Low-Interaction HONEYPOT) and HONEYNET (High-Interaction HONEYPOT)]
HoneyD
1. Monitors unused IP addresses.
2. Detects attacker probes on an unused IP and takes over that IP via ARP spoofing.
3. Creates a virtual Honeypot and routes the attacker to it.
4. Creates multiple honeypots that fool attackers into believing they are interacting with a hacked system.
HoneyD - main features

Simulation of thousands of virtual hosts:
Simultaneous interaction with a multitude of various virtual honeypots exhibiting different behaviors.

Configuration of arbitrary services:
Responds to network connections and provides for interaction with attackers, such as passive fingerprinting.

Simulation of various OS at the TCP/IP stack level:
Increases realism of the emulation by deceiving attacker fingerprinting tools like Nmap and Xprobe.

Simulation of arbitrary routing topologies:
Topologies can be simulated with latency, packet loss, and various bandwidth characteristics.

Subsystem virtualization:
Examples: Web servers, FTP servers, Email servers.
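The configuration file below is an added example and is not from the presentation or the HoneyD project. It ties the four HoneyD functions listed earlier to the feature table: two host templates bound to unused LAN addresses (which honeyd, or arpd on older releases, claims by answering ARP), emulated services driven by scripts, an Nmap-derived TCP/IP personality per template, and a routed topology with latency, loss and bandwidth limits. The address ranges 192.168.1.0/24 and 10.0.0.0/8, the template names, and the script paths under scripts/ are assumptions; personality strings must match entries in the nmap.prints file shipped with your honeyd version.

```conf
# Added example honeyd.conf (not from the presentation); addresses,
# template names and script paths are assumptions for illustration.

# --- Template: a virtual Windows host on an unused LAN address ---
create windows
# Personality selects the TCP/IP stack fingerprint honeyd imitates, so
# Nmap/Xprobe see a Windows host. Name must exist in nmap.prints.
set windows personality "Microsoft Windows XP Professional SP1"
# Closed TCP ports answer with RST, closed UDP ports with ICMP unreachable
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
set windows uptime 3284460
# Emulated services: the script speaks the protocol and logs what is sent
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 21 "sh scripts/ftp.sh"
add windows tcp port 139 open
# Bind the template to an unused address; honeyd claims it on the wire
bind 192.168.1.10 windows

# --- Template: a virtual Linux host, bound to two unused addresses ---
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
set linux default udp action reset
# $ipsrc and $dport are expanded by honeyd with the probing peer's details
add linux tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add linux tcp port 25 "sh scripts/smtp.sh"
bind 192.168.1.11 linux
bind 192.168.1.12 linux

# --- Routing topology: a virtual router with a second hop behind it ---
# All of 10.0.0.0/8 is reached through the virtual router at 10.0.0.1
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
# Second hop simulated with latency, packet loss and bandwidth limits
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1 bandwidth 10Mbps
route 10.1.0.1 link 10.1.0.0/24
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"
bind 10.0.0.1 router
bind 10.1.0.1 router
# A host behind the second hop reuses the Linux template
bind 10.1.0.20 linux
```

Run it with the address ranges honeyd should answer for on the command line, for example honeyd -d -f honeyd.conf -i eth0 192.168.1.0/24 10.0.0.0/8; older releases also needed arpd 192.168.1.0/24 running alongside to perform the ARP takeover. Snort on the same segment then sees every probe directed at these addresses, and since no legitimate host lives there, any such traffic is worth an alert.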
Example Network Configuration
[Figure: example of a fully integrated network utilizing a HoneyD computer, virtual Honeypots, and real systems.]
Known Issues
• Naturally vulnerable to sophisticated attackers.
• Requires additional software to ensure security and provide tools for analysis.
• Configuration needs might require monitoring of network activity, which increases the cost of labor.
• Since HoneyD is classified as low-interaction, only limited amounts of information can be collected on the attacker.

Additional software:

SYSTRACE
• Sandbox to prevent exploitation of Honeypots (i.e. bugs, mistakes in the setup).

HoneyComb
• Provides an interface between HoneyD and Snort.

Snort
• Packet Sniffer.

ACID for Snort
• Provides a user friendly GUI for analysis purposes.
SUMMARY
In this presentation, we covered the following topics:
• Why we chose the Snort & HoneyD NIDS solution.
• Clarified HoneyD & related terminology.
• Explained how HoneyD functions.
• Explained known issues.

MAIN POINTS TO REMEMBER
• Open Source = low cost.
• Large community of support.
• Inherently vulnerable to attacks but simple to set up and operate.
• Should be installed on a secure network to prevent exploitation.
• Allows for network intrusions to be easily detected.
• In addition to HoneyD & Snort, ensure you install the following software to help with analysis and security tasks: Systrace, Honeycomb, ACID.