project presentation - Networked Software Systems Laboratory


Intrusion Prevention System
DYNAMIC HONEYNET
by
Rosenfeld Asaf
advisor
Uritzky Max
Intrusion Prevention System
• A device that monitors network and/or system activities.
• Can react in real time to block or prevent these activities.
• Is located inline with the other network resources.
• Active approach: find the attack before it is unleashed on naive hosts (honeypot).
HONEYPOT
• Technical situation: a decoy intended to lure an attacker, make him miss the real "target at risk", and even get him caught.
• Inspired by Winnie the Pooh.
HONEYPOT
Advantages
• Small data sets: a honeypot has no legitimate users, so only the anomalies on the honeypot need to be monitored, not the entire organization network.
• Catching false negatives: a honeypot easily detects new attacks that signature-based detection misses, because any activity on it is suspect.
• Minimal resources: any PC will do.
HONEYPOT
Types
• Low interaction
– Emulates services, applications and OSes.
– Low risk and easy to deploy and maintain, but captures limited information.
• High interaction
– Real services, applications and OSes.
– Captures extensive information, but high risk and time-intensive to maintain.
DYNAMIC HONEYNET
• A high-interaction honeypot designed to capture in-depth information.
• It's an architecture you populate with live systems, not a product or software.
• Each member actively goes looking for threats (browsing the web the way a user would), so attacks are PREVENTED before they reach real users rather than merely DETECTED afterwards.
DYNAMIC HONEYNET
[Network diagram: the workstations SLAB-W01, SLAB-W02, SLAB-W03 and SLAB-W04 and the honeypots SLAB-W10, SLAB-W11 and SLAB-W12 hang off SLAB-SWITCH, which connects through SLAB-ROUTER to the INTERNET.]
ARCHITECTURE
• Client-server topology
• Clients drive an actual IE instance in a controlled environment
• .NET Remoting (reporting system and RPC)
• Data management over SQL Server
• Administrative tools (data export, and client control from the server)
• GUI control
IPS CLIENT
• Controls an IE object.
• Imitates user behavior: parses each page and traverses the web by following its links.
• Has a unified diagnostics interface, so more diagnostic types can be added.
• Reports its status and whereabouts to a server (.NET Remoting).
IPS CLIENT
[Client GUI screenshot: a display of the client's current site, status and statistics; a server name input; diagnoser check boxes; Start and End buttons.]
IPS CLIENT
[Client class diagram: Dispatcher holds one IE_interface, one GUI, one ServerRemoteIF and one ClientRemoteIF, plus one or more (1..*) objects implementing the «interface» Diagnoser; fs_checker, cpu_checker and mem_checker implement Diagnoser.]
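Added example (not the project's code, which is written for .NET; this is a Python sketch of the same client design from the bullets and the class diagram above): a Dispatcher drives a browser over pages, takes a snapshot from every Diagnoser before and after each visit, and reports OK or ERROR for the site to a server stub. The sample pages, the side effects a visit has on the host, and the names HostState, FakeBrowser, SAMPLE_SITES and SIDE_EFFECTS are constructed for the example; a real client would drive IE and read the host's actual CPU, memory and file-system state.

```python
"""IPS client sketch: crawl, diagnose before/after each visit, report."""
from __future__ import annotations
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Callable, Protocol
from urllib.parse import urljoin

# Constructed sample "web" standing in for the live Internet (not real sites).
SAMPLE_SITES = {
    "http://example.test/": '<a href="/news">news</a> <a href="http://drive-by.test/">ad</a>',
    "http://example.test/news": "<p>plain page</p>",
    "http://drive-by.test/": '<a href="/more">more</a>',
    "http://drive-by.test/more": "<p>end</p>",
}
# Constructed side effects of a visit on the honeypot host (what a drive-by
# download would leave behind); the diagnosers are expected to catch these.
SIDE_EFFECTS = {
    "http://drive-by.test/": {"new_files": {"C:/Users/lab/Startup/svc.exe"}, "cpu": 97.0},
}

@dataclass
class HostState:
    """What the diagnosers observe on the honeypot (assumed fields)."""
    cpu: float = 3.0
    mem_mb: int = 600
    files: set[str] = field(default_factory=set)

class FakeBrowser:
    """Stand-in for IE_interface: loads a page and applies its side effects."""
    def __init__(self, host: HostState) -> None:
        self.host = host

    def navigate(self, url: str) -> str:
        fx = SIDE_EFFECTS.get(url, {})
        self.host.files |= fx.get("new_files", set())
        self.host.cpu = fx.get("cpu", self.host.cpu)
        return SAMPLE_SITES.get(url, "")

class LinkParser(HTMLParser):
    """Page parsing: collect absolute outgoing links to traverse next."""
    def __init__(self, base: str) -> None:
        super().__init__()
        self.base, self.links = base, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [urljoin(self.base, v) for k, v in attrs if k == "href" and v]

class Diagnoser(Protocol):
    """The unified diagnostics interface: take a snapshot, then judge the delta."""
    name: str
    def snapshot(self, host: HostState): ...
    def diagnose(self, before, after) -> str | None: ...

class CpuChecker:
    name = "cpu_checker"
    def snapshot(self, host): return host.cpu
    def diagnose(self, before, after):
        return f"cpu {before}% -> {after}%" if after - before > 50 else None

class MemChecker:
    name = "mem_checker"
    def snapshot(self, host): return host.mem_mb
    def diagnose(self, before, after):
        return f"mem {before}MB -> {after}MB" if after - before > 256 else None

class FsChecker:
    name = "fs_checker"
    def snapshot(self, host): return set(host.files)
    def diagnose(self, before, after):
        new = after - before
        return f"new files {sorted(new)}" if new else None

@dataclass
class Report:
    url: str
    status: str            # "OK" or "ERROR"
    details: list[str]

class Dispatcher:
    def __init__(self, browser: FakeBrowser, diagnosers: list[Diagnoser],
                 report_to_server: Callable[[Report], None], max_pages: int = 20):
        self.browser, self.diagnosers = browser, diagnosers
        self.report_to_server, self.max_pages = report_to_server, max_pages

    def run(self, seed: str) -> list[Report]:
        queue, seen, reports = [seed], set(), []
        while queue and len(seen) < self.max_pages:
            url = queue.pop(0)
            if url in seen:
                continue
            seen.add(url)
            before = {d.name: d.snapshot(self.browser.host) for d in self.diagnosers}
            page = self.browser.navigate(url)
            after = {d.name: d.snapshot(self.browser.host) for d in self.diagnosers}
            findings = [f"{d.name}: {m}" for d in self.diagnosers
                        if (m := d.diagnose(before[d.name], after[d.name]))]
            report = Report(url, "ERROR" if findings else "OK", findings)
            self.report_to_server(report)          # ServerRemoteIF stand-in
            reports.append(report)
            if findings:
                # The host is now tainted; stop the session so that later visits
                # are not blamed for this site's changes.
                break
            parser = LinkParser(url)
            parser.feed(page)
            queue += [link for link in parser.links if link not in seen]
        return reports

def crawl(seed: str = "http://example.test/") -> list[Report]:
    """One client session over the constructed sample web; returns all reports."""
    sent: list[Report] = []
    dispatcher = Dispatcher(FakeBrowser(HostState()),
                            [CpuChecker(), MemChecker(), FsChecker()], sent.append)
    return dispatcher.run(seed)
```

The before/after snapshot around each navigation is the part that matters: a diagnoser does not look for known malware, it only asks whether visiting this one page changed the host, which is why a honeyclient catches attacks no signature knows yet. Stopping the session at the first ERROR keeps the attribution honest; with a tainted baseline the next site would be blamed for the previous one's changes.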
IPS SERVER
• Controls the clients (.NET Remoting).
• Registers the clients' reports in a remote SQL database.
• Exports reports from the database to HTML.
IPS SERVER
[Server GUI screenshot: lists of clients with OK status and clients with ERROR status; buttons to export the database as an HTML file, START/END server work, clear the database, and kill a client by name.]
IPS SERVER
[Server class diagram: Dispatcher holds one GUI, one ServerRemoteIF, zero or more (0..*) ClientRemoteIF, one DBIF and one DataExport. DBIF exposes addClientEntry(), removeClientEntry(), getOKClients(), getErrorClients() and getAllClients().]
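Added example (again Python rather than the project's .NET code): the server's DBIF and DataExport with the method names from the class diagram above, using an in-memory sqlite3 database as a stand-in for SQL Server. The clients are honeypots that are expected to get compromised, so every field they report (client name, site URL, diagnoser details) is attacker-influenced input: DBIF binds all values as query parameters, and DataExport escapes every cell so a hostile URL cannot run script in the administrator's browser when the exported HTML is opened. The table schema, the clear() method and the sample entries are assumptions made for the example.

```python
"""IPS server data path sketch: DBIF over parameterised SQL, DataExport to HTML."""
from __future__ import annotations
import html
import sqlite3
from datetime import datetime, timezone

class DBIF:
    """Database interface as in the class diagram; sqlite3 stands in for SQL Server."""
    def __init__(self, conn: sqlite3.Connection | None = None) -> None:
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE IF NOT EXISTS clients ("
                          "name TEXT PRIMARY KEY, site TEXT, status TEXT, "
                          "details TEXT, seen TEXT)")

    def addClientEntry(self, name: str, site: str, status: str, details: str = "") -> None:
        if status not in ("OK", "ERROR"):
            raise ValueError("status must be OK or ERROR")
        # Every field comes from a honeypot that may already be under attacker
        # control, so values are bound as parameters, never pasted into the SQL.
        self.conn.execute("INSERT OR REPLACE INTO clients VALUES (?, ?, ?, ?, ?)",
                          (name, site, status, details,
                           datetime.now(timezone.utc).isoformat(timespec="seconds")))
        self.conn.commit()

    def removeClientEntry(self, name: str) -> int:
        """Drop a client's row (the server GUI's 'kill client by name'); returns rows removed."""
        cur = self.conn.execute("DELETE FROM clients WHERE name = ?", (name,))
        self.conn.commit()
        return cur.rowcount

    def _rows(self, where: str = "", params: tuple = ()) -> list[tuple]:
        return self.conn.execute("SELECT name, site, status, details, seen FROM clients "
                                 + where + " ORDER BY name", params).fetchall()

    def getOKClients(self): return self._rows("WHERE status = ?", ("OK",))
    def getErrorClients(self): return self._rows("WHERE status = ?", ("ERROR",))
    def getAllClients(self): return self._rows()

    def clear(self) -> None:
        """The server GUI's 'clear the database'."""
        self.conn.execute("DELETE FROM clients")
        self.conn.commit()

class DataExport:
    """Render rows as an HTML table; every cell is escaped."""
    COLUMNS = ("client", "site", "status", "details", "last seen")

    @classmethod
    def to_html(cls, rows: list[tuple]) -> str:
        head = "".join(f"<th>{c}</th>" for c in cls.COLUMNS)
        # A malicious site controls its own URL and can drive the diagnoser
        # output; escaping keeps that markup inert when the report is opened.
        body = "".join("<tr>" + "".join(f"<td>{html.escape(str(v))}</td>" for v in row)
                       + "</tr>" for row in rows)
        return f"<table><tr>{head}</tr>{body}</table>"

def demo() -> DBIF:
    """Populate a database with constructed reports, two of them hostile."""
    db = DBIF()
    db.addClientEntry("SLAB-W10", "http://example.test/news", "OK")
    db.addClientEntry("SLAB-W11", "http://drive-by.test/<script>alert(1)</script>", "ERROR",
                      "fs_checker: new files ['C:/Users/lab/Startup/svc.exe']")
    # A forged client name carrying SQL: stored as a literal string, not executed.
    db.addClientEntry("SLAB-W12'); DROP TABLE clients; --", "http://x.test/", "OK")
    return db
```

The same rule applies to the RPC layer the page does not show: a report arrives over .NET Remoting from a machine that is, by design, about to be owned, so the server should validate the message shape (status limited to OK/ERROR, bounded string lengths) before it ever reaches DBIF, and should not expose anything on that channel beyond what the clients need.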
TOPOLOGY
[Topology diagram: the workstations SLAB-W01 to SLAB-W04 and the IPS-CLIENT hosts SLAB-W10, SLAB-W11 and SLAB-W12 hang off SLAB-SWITCH, which connects through SLAB-ROUTER to the INTERNET. IPS-SERVER runs on SLAB-W12, with additional IPS-SERVER placements marked as optional, and the reports are stored on SLAB-SQL.]