Kf - University of Windsor


Sunil Gurung
[60-475] Security and Privacy on the Internet
KFSensor
Honeypot and Intrusion Detection System
Agenda
• Introduction
• Honeypot Technology
• KFSensor
• Components of KFSensor
• Features
• Tests
• Conclusion
Introduction
• Increasing security threats with the proliferation of the internet
• Network security – Firewall, IDS, antivirus.
• Traditional approach – defensive
• Today – offensive approach
• Honeypot
Honeypot Technology
• “A honeypot is a security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner
• We want attackers to probe and exploit the virtual system running emulated services.
• The system has no production value and no legitimate traffic, so most connections are probes, attacks or compromises.
• Complements the traditional security tools.
Fig: The basic setup of the honeypot system. In the figure, two KFSensor instances are configured as production honeypots. Figure taken from “User Manual of KFSensor – Help”.
Advantages and Disadvantages
• Collects a small set of data
• New techniques and tools (A)
• Minimal resources (A)
• Information (A)
• Simplicity (A)
• Limited view: can’t capture attacks against other systems (D)
• Risk: can be taken over by the bad guys (D)
Types of Honeypot
Interaction: the level of activity a honeypot allows with an attacker
• Low Interaction
Emulated services; easy to deploy and maintain, less risk.
Designed to capture only known attacks.
• High Interaction
Sets up real services and provides interaction with the OS.
More information; no assumptions are made, giving a fully open environment.
Attackers can use the real honeypot to attack others.
KFSensor
• Commercial low interaction honeypot solution
• Windows OS
• Preconfigured services: ssh, http, ftp etc.
• Easy configuration and flexible
Product detail:
Software: KFSensor
Version: 2.2.1
License: Evaluation (14 days trial)
Vendor: Key Focus
Downloaded Site: http://www.keyfocus.net/kfsensor/
Installations
• Download the application from the website
• Initial wizard setup: naming the domain, email, alerts
• To install, log in as ADMINISTRATOR
• C:\kfsensor\logs – XML files
• Running the KFSensor server – as a daemon – Windows service [kfsnserve.exe]
• Open up the KFSensor monitor – GUI
Components of KFSensor
KFSensor Server
Performs the core functionality; outsiders interact with the server. It doesn’t have a GUI.
KFSensor Monitor
Interprets all the data and alerts captured by the server and presents them in graphical form.
Features
• File Menu
Export [HTML, XML, TSV or CSV], Service
• View Menu
Ports View, Visitors View
• Editing Scenarios
Editing Listens, Edit Rules, Sim Server
Editing Scenario
Editing Listens
Listen On:
Name: identifies the listen when a connection is made to this particular specification
Protocol: choice between UDP or TCP
Port
Bind Address: the IP address the listen binds to
Action:
Action Type: the action to be performed once the connection is made by the outsider
Severity: defines the level of severity of the generated event, used to alert the admin
Time out: value in seconds for the server to wait until it closes the connection
Sim Name: specifies the Sim Server
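As an added illustration of how these listen fields fit together (example code written for this page, not KFSensor’s own code or configuration format): a minimal Python “Sim Banner” listen that binds an address and port, sends a constructed FTP banner, waits up to Time out seconds for the visitor, and logs one event carrying the listen’s Name and Severity. The Listen class, the banner text and simulate_visit are assumptions for the example; only TCP is emulated.

```python
import contextlib
import socket
import threading
from dataclasses import dataclass

@dataclass
class Listen:
    """Fields mirror the KFSensor "Editing Listens" dialog; the class itself is ours."""
    name: str
    port: int                      # 0 lets the OS pick a free port (handy for the test)
    bind_address: str = "127.0.0.1"
    action_type: str = "Sim Banner"
    severity: str = "High"
    timeout: float = 2.0           # Time out: seconds to wait before closing the connection
    sim_name: str = "FTP banner"   # Sim Name: which Sim Server answers (constructed banner)
    banner: bytes = b"220 ftp.example.invalid FTP server ready\r\n"

def handle_visitor(listen, conn, addr, bound_port, events):
    """Sim Banner action: send the banner, keep whatever the visitor sends, then close."""
    conn.settimeout(listen.timeout)
    received = b""
    with conn, contextlib.suppress(socket.timeout):  # timeout = idle visitor, Time out expired
        conn.sendall(listen.banner)
        received = conn.recv(1024)
    # One event per connection, tagged with the listen's Severity for the monitor to rank.
    events.append({"listen": listen.name, "severity": listen.severity,
                   "visitor": addr[0], "port": bound_port, "data": received})

def simulate_visit(listen, payload):
    """Bind the listen, accept one constructed visitor, return (banner it saw, event logged)."""
    events = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((listen.bind_address, listen.port))
    srv.listen(1)
    srv.settimeout(5)
    bound_port = srv.getsockname()[1]
    def accept_one():
        conn, addr = srv.accept()
        handle_visitor(listen, conn, addr, bound_port, events)
        srv.close()
    t = threading.Thread(target=accept_one)
    t.start()
    # Visitor side (constructed input): connect, read the banner, send one FTP command.
    with socket.create_connection(("127.0.0.1", bound_port), timeout=5) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    t.join()
    return banner, events[0]
```

A real deployment would write each event to the log database and raise an email alert when the severity warrants it; here the event dict stands in for both.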
Edit Rule
Sim Server
• Sim Banner
• Sim Standard Server
DOS attack configuration
Other FEATURES
•Email Alerts
•Log Database
Test Environment
• Inside the router
• Outside of the router
1) University network [IP address: 137.207.238.113 – Sunil.uwindsor.ca]
2) Home network: putting the honeypot system inside the router [192.168.0.102]
3) Direct connection to internet through [24.57.84.215]
4) Tested on local machine [127.0.0.1]
Various tests performed:
• Test 1: FTP emulation
• Test 2: SMTP
• Test 3: Other tests (threats and viruses)
Sasser worm: TCP port 5554
Attacks from:
1) IP 1: 218.253.9.215 – cm218-253-9-215.hkcable.com.hk
2) Toronto-HSE ppp3864532.sympatico.ca
Test 3 -Cont
IIS, Dameware, MyDoom attacks
IIS – web server; KFSensor can emulate this highly interactive service.
Dameware – a remote control application similar to VNC. Recently hackers found a buffer overflow vulnerability in it and used it to place their code on the system. This threat uses port 6129.
MyDoom – a DDoS attack that listens on TCP port 3127 and installs a back door on the infected system.
Test 3 - Cont
LoveGate Worm
The LoveGate worm infects the system through port 20168.
Port Scanning
Conclusion
• Good user interface.
• Easy to configure emulation services
• Flexible
• Minimal risk
• Limited to only minimal transactions
Honeypot
Cannot replace the existing systems; works better alongside them.