First Peer Review

Transcript: First Peer Review

1. Introduction

Goal of this presentation: to give a better understanding of the overview of our project, such as:
- Research
- Project plans
- Customer expectations
- Business case
- Cost budget
- Unsolved issues, etc.

2.0 Project Assumptions and Objectives

Project explanation:
- Track attacks and log their paths
- Create a complete package

Background:
- 1990: first concepts of the honeypot, by Clifford Stoll
- 1997: first toolkit released, Fred Cohen's Deception Toolkit
- Other releases: CyberCop, Back Officer Friendly and the Honeynet Project
- "Know Your Enemy" publications

2.0 Project Assumptions and Objectives

Scope:
- Raytheon allows a great deal of freedom
- Add, modify and combine individual components:
  - Wireless Linksys router
  - Honeypot software
  - Logging station
- Create an automatic script for setup

2.0 Project Assumptions and Objectives

Major objectives:
- Modify wireless Linksys router
  - Add authentication capability to the router
- Modify honeypot open source
  - Add a unique element to the open source code
- Add logging station
  - Separate logging from the honeypot to eliminate the chance of the logging being compromised
- Hack our system
  - Try to hack our system and then fix and upgrade features throughout the process

2.0 Project Assumptions and Objectives

Expectations:
- Unique modification to honeypot open source code
- Slow down attacks in real time to limit their bandwidth
- Provide a quick and easy setup

Annual quantity:
- Raytheon may possibly continue this project in house and sell it as a package to customers

3.0 Customer Expectations

Wants and needs of the customer:
- The wants and needs of the customer are exactly the results of the effort that our team puts in.
- Not usually the norm, but it is Raytheon's only expectation that we create a working honeypot that shows off our team's imagination and innovation.

Relative importance:
- Strong research and development into creating a unique honeypot (priority 1)
- Creating a bundled software and hardware product that reflects our R&D (priority 2)

3.0 Customer Expectations

Product specifications:
- Technical
  - Creating a functioning honeypot that can be used on an infrastructure network and can effectively log and divert intruders from the production network.
- Performance
  - Emulation of all the traffic directed through the router as though it were traveling through the actual production network.
- Quality
  - An effective logging system to monitor which parts of the production network are being attacked.
- Overall goal
  - Provide a product that slows down an attacker by creating a simulated network environment, applicable in real-world scenarios, which can log an attacker's intentions and paths, with the potential for collecting material admissible in a court of law.

3.0 Customer Expectations

Measurable engineering characteristics based on customer expectations:
- Accuracy of the logging software algorithm
- Speed of packet sniffing
- Size of logged information storage
- Speed and accuracy of the IDS (Intrusion Detection System)
- Reliability of logged information (spoofing detection)

3.0 Customer Expectations

Relationship of product specifications to the customer's wants and needs:
- Difficult to define, since the customer in this case is allowing the product specifications to be their "wants and needs".

Specifics:
- The technical aspect of our product specification is the creation of a functioning honeypot. (high priority)
- The performance of our system should be similar to existing honeypot and honeynet systems, but different in that ours adds some innovative and unique designs (which our ad-hoc application should provide). (medium priority)
- The product being created, although not explicitly manufactured for future retail value, should be a finished product complete with bundled hardware and software. While this is not a "need" of the customer, it could potentially be a "want". (low priority)

4.0 Analysis of Competitive Products

To our knowledge, there are no products that are similar enough to ours to be considered competitors. Our system is in its own class because of the features that will be implemented with it.

4.0 Analysis of Competitive Products

However, we have looked at other products that have some of our product's functionalities, such as:
- Symantec ManTrap
  - Monitors intrusions instantly
  - Looks and acts exactly like full-function servers
- Snort
  - Traffic analysis and packet logging on IP networks

5.0 Concept Selection and Description

- Slow down an attack
  - The honeypot will act as a diversion to provide time to take the appropriate measures and keep harmful traffic away from the production network
- Simulate a real network environment
  - Create the illusion of a real network so outsiders are none the wiser
- Log incoming and outgoing data
  - Determine vulnerabilities in our own network and prevent future attacks
- Do not interfere with the production network
  - Keep the honeypot separate to avoid complications with the production network in case the honeypot is compromised

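The "slow down an attack" point above can be made concrete with a per-source token bucket: each source address may open a few connections back-to-back, after which the honeypot is told how long to hold each further connection before answering, so a noisy attacker is throttled to a fixed rate while an ordinary visitor never notices. The following is an added example, not the project's own code; the `SourceThrottle` class, the `rate` and `burst` values and the sample connection timeline are all assumptions made for the illustration.

```python
"""Per-source throttle for honeypot connections.

Added example, not the project's own code.  Each source address gets a
token bucket (capacity `burst`, refilled at `rate` connections per second).
A connection is served immediately while tokens remain; once they run out
the caller is told how long to hold the connection before replying.
Class and parameter names are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class _Bucket:
    tokens: float   # may go negative: a backlog waiting for refill
    last: float     # time of the last update, in seconds


@dataclass
class SourceThrottle:
    rate: float     # connections per second allowed in steady state
    burst: int      # connections accepted back-to-back before throttling
    _buckets: dict = field(default_factory=dict)

    def delay_for(self, src: str, now: float) -> float:
        """Seconds the connection from `src` arriving at `now` must be held
        before it is answered (0.0 means serve it immediately)."""
        b = self._buckets.get(src)
        if b is None:
            b = _Bucket(tokens=float(self.burst), last=now)
            self._buckets[src] = b
        # Refill in proportion to elapsed time, never above the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        b.tokens -= 1.0                  # this connection consumes one token
        if b.tokens >= 0.0:
            return 0.0
        # Negative balance: hold until the deficit has been refilled.
        return -b.tokens / self.rate


def simulate(events, rate: float, burst: int):
    """Run (time, src) connection attempts through one throttle and return
    (time, src, delay) decisions in the same order."""
    throttle = SourceThrottle(rate=rate, burst=burst)
    return [(t, src, throttle.delay_for(src, t)) for t, src in events]


# Constructed timeline: one source hammers the honeypot, another connects once,
# then the noisy source comes back after a long pause.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.5"), (0.1, "192.0.2.5"), (0.2, "192.0.2.5"),
    (0.3, "192.0.2.5"), (0.4, "192.0.2.5"),
    (0.5, "198.51.100.9"),
    (10.0, "192.0.2.5"),
]

if __name__ == "__main__":
    for t, src, delay in simulate(SAMPLE_EVENTS, rate=1.0, burst=3):
        action = "serve now" if delay == 0.0 else f"hold {delay:.1f}s"
        print(f"t={t:5.1f}  {src:15}  {action}")
```

In the sample run with `rate=1.0` and `burst=3`, the first three connections from 192.0.2.5 are served at once, the fourth and fifth are held for about 0.7 s and 1.6 s, the other source is unaffected, and after a ten-second pause the bucket has refilled. The returned hold time is what the honeypot's accept loop would sleep before responding; the same effect can be applied at packet level on the router, but the per-source bookkeeping is the same either way.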
5.0 Concept Selection and Description

Setup of a honeypot: (diagram not reproduced in the transcript)

6.0 Project Plan, Resources, Schedules

Major checkpoints and deliverables:
- Setup network (10/4 - 10/11)
- Comprehensive plan (10/22 - 11/2)
- Prototypes plan (10/12 - 10/27)
- Modify Linksys BIOS (10/22 - 11/30)
- Configure dedicated machines for specific use (11/15 - 12/09)
- Project plan review (01/3 - 01/10)
- Prototype results (01/3 - 01/10)

6.0 Project Plan, Resources, Schedules

Major checkpoints and deliverables (cont.):
- Simulate real-world attacks (01/5 - 02/16)
- Code integration and test/build (02/07 - 02/14)
- Modification to system (02/07 - 02/14)
- Final packaging and documentation (02/23 - 03/29)

6.0 Project Plan, Resources, Schedules

Responsibilities for each member:
- We are at the point where we feel it is better to work as a team.
- More specific tasks will be assigned later in the project to pairs of members as needed.

7.0 Business Case

With industrial espionage, and particularly computer-based industrial espionage, on the rise, companies are all going many steps further to protect their information. The most commonly seen threat to a company's computer network is something as simple as a virus or worm. While these scripts do cause slowdowns in production and monetary loss, another threat that is not as often thought about is theft of intellectual property. The wireless honeypot appliance is part of a solution to curb the efforts of outsiders wanting to gain access to our corporate network, be it for malicious reasons or for theft.

7.0 Business Case

Assumptions:
- Internal use only; not for sale
- Still has a (positive) financial impact by preventing unauthorized information from being "stolen" from Raytheon

Estimated product cost:
- $20,000.00 in R&D
- Approximately $100.00 to replicate
- All software either developed in-house or under the GPL license

Support costs:
- Low support costs
- "Setup and go"
- Costs may increase if a threat is found, as a matter of protection

Return on investment:
- As stated before, no actual dollar amount can be assigned to the value of this project; however, the liability that Raytheon employees assume will be greatly decreased.

8. Issues

- List of areas in the design that are not too well understood
- Parts, components, subsystem sourcing for prototypes
- Prototype testing

List of areas in the design that are not too well understood:
- Flashing the BIOS of the Linksys router
- General knowledge of hacking to simulate an attack on the honeypot
- Adding to the kernel of a Linux operating system
- Using IDS and logging tools to record information from attacks
- An understanding of networking in general (packets, ports, protocols, etc.)
- Legal issues regarding honeypots

Parts, components, subsystem sourcing for prototypes:
- Linksys Wireless Router with SpeedBooster, WRT54GS (the SpeedBooster model provides double the flash memory)
- 3 computers:
  1. Running the honeypot (User-mode Linux, Honeyd)
  2. Running Snort (logs activity from the router)
  3. Running the system logger (logs activity in the honeypot)
- A wireless network to implement our honeypot system
- Other computers to simulate attacks on the honeypot

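The three machines above split the evidence between a Snort sensor watching the router and a logging station that receives the honeypot's syslog. The following added example (not the project's own code) shows how the logging station could merge those two feeds into a per-source timeline, which is the "track attacks and log their paths" objective, and apply the spoofing check listed under the measurable engineering characteristics: a source that presents a production-network address but was seen by the router sensor cannot be trusted, because the router faces the outside. All sample log lines are constructed (Snort "fast" alert style and classic syslog); `PRODUCTION_NET`, the honeypot address 10.10.0.10, the host names and the rule IDs are assumptions.

```python
"""Attack-path reconstruction on the logging station.

Added example, not the project's own code.  Two feeds are merged: Snort
"fast" alerts from the sensor on the router and syslog lines forwarded by
the honeypot.  Events are grouped per source address in time order, and a
source that presents a production-network address yet was seen by the
router sensor is flagged as suspected spoofing.  Sample lines, networks,
hosts and rule IDs are all constructed for the example."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2004                                            # neither format logs the year
PRODUCTION_NET = ipaddress.ip_network("10.0.0.0/24")   # hypothetical production range

SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w/-]+)(?:\[\d+\])?:\s+"
    r"(?P<msg>.*?(?P<src>\d+\.\d+\.\d+\.\d+).*)$")


def parse_snort(line: str):
    """One Snort fast-alert line -> event dict, or None if it does not parse."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']}/{m['day']} {m['time']}",
                           "%Y %m/%d %H:%M:%S")
    return {"ts": ts, "sensor": "router", "src": m["src"],
            "detail": f"{m['msg']} -> {m['dst']}:{m['dport']}/{m['proto']}"}


def parse_syslog(line: str):
    """One syslog line from the honeypot -> event dict; lines that name no
    source address (daemon restarts and the like) are dropped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sensor": "honeypot", "src": m["src"],
            "detail": f"{m['prog']}: {m['msg']}"}


def build_paths(snort_lines, syslog_lines):
    """Merge both feeds and return {source_ip: [events in time order]}."""
    events = [e for e in map(parse_snort, snort_lines) if e]
    events += [e for e in map(parse_syslog, syslog_lines) if e]
    paths = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        paths[e["src"]].append(e)
    return dict(paths)


def suspected_spoofed(paths):
    """Sources inside PRODUCTION_NET that the router sensor saw.  The router
    faces the outside, so a production address there is either forged or a
    misrouted production host; both deserve a look before the log is trusted."""
    return sorted(src for src, evs in paths.items()
                  if ipaddress.ip_address(src) in PRODUCTION_NET
                  and any(e["sensor"] == "router" for e in evs))


def render(paths):
    """Human-readable timeline, one string per event, grouped by source."""
    lines = []
    for src, evs in sorted(paths.items()):
        for e in evs:
            lines.append(f"{e['ts']:%m/%d %H:%M:%S} {src:>12} [{e['sensor']:8}] {e['detail']}")
    return lines


# Constructed sample input (Snort fast-alert style; local rule SIDs >= 1000000).
SNORT_ALERTS = [
    "10/11-14:32:10.120000  [**] [1:1000001:1] HP portscan to honeypot [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.5:43121 -> 10.10.0.10:22",
    "10/11-14:32:11.300000  [**] [1:1000002:1] HP ssh probe [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:43122 -> 10.10.0.10:22",
    "10/11-14:35:02.000000  [**] [1:1000003:1] HP http probe [**] "
    "[Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.7:5050 -> 10.10.0.10:80",
]
# Constructed sample input (classic syslog, as forwarded by the honeypot).
SYSLOG_LINES = [
    "Oct 11 14:32:12 honeypot sshd[2211]: Failed password for root from 192.0.2.5 port 43122 ssh2",
    "Oct 11 14:32:15 honeypot sshd[2211]: Failed password for admin from 192.0.2.5 port 43122 ssh2",
    'Oct 11 14:35:03 honeypot httpd[1877]: 10.0.0.7 - - "GET /admin HTTP/1.0" 404',
    "Oct 11 14:40:00 honeypot syslogd: restart",
]

if __name__ == "__main__":
    paths = build_paths(SNORT_ALERTS, SYSLOG_LINES)
    print("\n".join(render(paths)))
    print("suspected spoofed sources:", suspected_spoofed(paths))
```

On the sample data the external source 192.0.2.5 yields a four-step path (two router alerts followed by two failed logins on the honeypot), while 10.0.0.7 is reported as a suspected spoofed source because a production address appeared at the router sensor. Keeping this correlation on the separate logging station, as the objectives above require, means the timeline survives even if the honeypot itself is compromised.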
Prototype testing:

Evolutionary prototyping:
- Build a bicycle first, then build a car
- Start with a barebones honeypot system
- Test
- Implement additions one by one from a list of prioritized features
- Repeat until features or time run out
