History - ECE Users Pages

HoneyNets
1
Introduction
• Definition of a Honeynet
• Concept of Data Capture and Data Control
• Generation I vs. Generation II Honeynets
• Description of the Georgia Tech Campus Network
• Current Vulnerabilities on the Internet
2
Shortcomings Associated with Firewalls
1. The firewall cannot protect against attacks that bypass it, such as a dial-in or dial-out capability.
2. The firewall at the network interface does not protect against internal threats.
3. The firewall cannot protect against the transfer of virus-laden files and programs.
3
Shortcomings Associated with Intrusion Detection Systems
1. Increases the Complexity of Security Management of the Network
2. High Level of False Positive and False Negative Alerts
3. Must Know the Signature or Anomaly Detection Pattern in Advance
4
Definition of a Honeynet
• Network Established Behind a Reverse Firewall
• Captures All In-Bound and Out-Bound Traffic
• Any Type of System
• Network is Intended To Be Compromised
• All Honeynet traffic is suspicious
5
Data Capture and Data Control
• Data Capture
  - Collect all information entering and leaving the Honeynet covertly for future analysis
• Data Control
  - Covertly protect other networks from being attacked and compromised by computers on the Honeynet
6
Generation I vs. Generation II
• GEN I Honeynet
  - Simple Methodology, Limited Capability
  - Highly effective at detecting automated attacks
  - Use Reverse Firewall for Data Control
  - Can be fingerprinted by a skilled hacker
  - Runs at OSI Layer 3
• GEN II Honeynet
  - More Complex to Deploy and Maintain
  - Examine Outbound Data and make determination to block, pass, or modify data
  - Runs at OSI Layer 2
7
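An added example (not the Georgia Tech deployment's code and not the Honeynet.org reverse-firewall script) that models the two data-control styles on the slide above as a small policy engine: a Gen I reverse-firewall limiter that only counts outbound connections per honeypot and blocks once a per-window limit is reached, and a Gen II inline step that inspects the outbound payload and passes, blocks or modifies it. The addresses, the five-connection limit, the signature list and the connection records are all constructed for illustration.

```python
"""Simulated honeynet data control: Gen I outbound connection limiting
and Gen II inline inspect/modify.  Added example with constructed data;
not the Georgia Tech deployment's code or the Honeynet.org script."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundConn:
    t: int              # seconds since start of capture (constructed)
    src: str            # honeypot address inside the honeynet
    dst: str            # address outside the honeynet
    dport: int
    payload: bytes = b""


class Gen1Limiter:
    """Gen I data control: count outbound connections per honeypot and
    block once the per-window limit is hit.  No payload is examined,
    which is why a skilled attacker can notice that outbound sessions
    simply stop after N attempts and fingerprint the honeynet."""

    def __init__(self, limit: int = 5, window: int = 24 * 3600):
        self.limit = limit            # assumed limit, not the deployment's value
        self.window = window
        self._seen = defaultdict(deque)   # src -> timestamps of allowed conns

    def decide(self, c: OutboundConn) -> str:
        q = self._seen[c.src]
        while q and c.t - q[0] >= self.window:   # expire entries outside window
            q.popleft()
        if len(q) >= self.limit:
            return "block"
        q.append(c.t)
        return "pass"


# Gen II data control inspects the outbound payload and may rewrite it.
# The substitution is a constructed illustration of "modify": the attack
# string is altered so the session still flows (the attacker sees no drop)
# but the exploit fails on the remote victim.
GEN2_SIGNATURES = [(b"/bin/sh", b"/ben/sh")]   # assumed signature list


def gen2_decide(c: OutboundConn) -> tuple[str, bytes]:
    for pattern, replacement in GEN2_SIGNATURES:
        if pattern in c.payload:
            return "modify", c.payload.replace(pattern, replacement)
    return "pass", c.payload


def run_policy(conns, limiter: Gen1Limiter | None = None):
    """Apply Gen I limiting, then Gen II inspection, to each outbound
    connection in order.  Returns (conn, gen1, gen2, payload) tuples."""
    limiter = limiter or Gen1Limiter()
    results = []
    for c in conns:
        g1 = limiter.decide(c)
        if g1 == "block":
            results.append((c, "block", "n/a", b""))
            continue
        g2, payload = gen2_decide(c)
        results.append((c, "pass", g2, payload))
    return results


# Constructed records: one compromised honeypot scanning outward six times,
# then a second honeypot sending a shell-spawning payload.
SAMPLE_CONNS = [OutboundConn(t=i * 60, src="192.0.2.10", dst=f"198.51.100.{i + 1}", dport=135)
                for i in range(6)]
SAMPLE_CONNS.append(OutboundConn(t=900, src="192.0.2.11", dst="198.51.100.50", dport=80,
                                 payload=b"GET /cgi-bin/x HTTP/1.0\r\n/bin/sh\r\n"))

if __name__ == "__main__":
    for c, g1, g2, payload in run_policy(SAMPLE_CONNS):
        print(f"{c.src}->{c.dst}:{c.dport}  gen1={g1}  gen2={g2}  payload={payload!r}")
```

The sixth connection from 192.0.2.10 is blocked by the Gen I counter alone; the payload from 192.0.2.11 passes the counter but is rewritten by the Gen II step, which is the behaviour a Layer 2 inline gateway gives that a Layer 3 reverse firewall cannot.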
Georgia Tech Campus Network
• 15000 Students, 5000 Staff, 69 Departments
• 30000-35000 networked computers on campus
• Average data throughput 600Mbps / 4 terabytes per day
• NO FIREWALL BETWEEN CAMPUS & INTERNET!
  - Why? Requirement for Academic Freedom, high throughput
  - However, individual enclaves within Georgia Tech use firewalls
• IDS is run at campus gateway
  - Out of band monitoring and follow-on investigation
8
Establishment of the Honeynet on the Georgia Tech Campus
• Established in Summer of 2002
• Uses Open Source Software
• Initially Established As One Honeynet Machine behind the firewall
• IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)
9
Georgia Tech Honeynet
10
Hardware and Software
• No Requirement for State of the Art Equipment (Surplus Equipment)
• No Production Systems
• Minimum Traffic
• Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID)
• Use Reverse Firewall Script Developed by Honeynet.org
11
Intrusion Detection System Used with HoneyNet
• SNORT
  - Open Source
  - Signature-Based, with Anomaly-Based Plug-in Available
  - Can Write Customized Signatures
• Run Two Separate SNORT Sessions
  - One Session to Check Against Signature Database
  - One Session to Capture All Inbound/Outbound Traffic
12
Analysis Console for Intrusion Detection (ACID)
13
Logging and Review of Data
• Honeynet Data is stored in two separate locations
  - Alert Data is stored in SQL database
  - Packet Capture Data is stored in a daily archive file
• Data Analysis is a time consuming process. In our Experience:
  - One hour/day to analyze traffic
  - One hour of attack traffic can result in up to one week of analysis
14
Ethereal Analysis Tool
15
Exploitations Detected on the Georgia Tech Honeynet
• 36 possible exploited machines have been detected at Georgia Tech in previous 9 months (through June 2003)
• A report is made to OIT on each suspected compromise
16
Identification of a System with a Compromised Password
• Previously Compromised Honeynet Computer Continued to Operate as Warez Server
• Another Georgia Tech Computer Connected to the Warez Server
• Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer
17
Detection of Worm Type Exploits
• GEN I Honeynet Well-Suited to Detect Worm Type Exploits
  - Repeated Scans targeting specific ports
  - Analyze captured data for time lapses
• Ability to Deploy Specific Operating System on Honeynet
18
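The detection idea above, as an added example that is not the Georgia Tech analysis code: scan records are bucketed per destination port and per day, a day is flagged when its count for a port is far above that port's own earlier baseline (the repeated-scans signal), and the lapse from the first observed probe on that port to the spike is reported. The log format, the 10x/20-hit thresholds and the records themselves are constructed; a real deployment would feed this from the Snort log or the daily packet-capture archive.

```python
"""Flag worm-type activity in honeynet scan records.  Added example with
constructed log lines; thresholds are assumptions, not the deployment's."""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed records: "YYYY-MM-DD HH:MM:SS src dst dport".  Background
# noise for a week, then a burst of distinct sources hitting port 135.
SAMPLE_LOG = """\
2003-08-04 02:11:09 203.0.113.7 192.0.2.10 135
2003-08-05 11:40:12 203.0.113.22 192.0.2.10 135
2003-08-06 09:03:55 203.0.113.9 192.0.2.11 80
2003-08-07 17:22:01 203.0.113.31 192.0.2.10 135
2003-08-08 03:14:47 203.0.113.5 192.0.2.12 135
2003-08-09 08:58:30 203.0.113.18 192.0.2.10 80
2003-08-10 19:33:02 203.0.113.44 192.0.2.11 135
""" + "".join(
    f"2003-08-11 {h:02d}:{m:02d}:00 203.0.113.{(h * 7 + m) % 250 + 1} 192.0.2.10 135\n"
    for h in range(24) for m in (5, 25, 45)
)


def parse(log: str):
    """Yield (day, src, dst, dport) for each non-empty record."""
    for line in log.splitlines():
        if not line.strip():
            continue
        day, _time, src, dst, dport = line.split()
        yield date.fromisoformat(day), src, dst, int(dport)


def daily_counts(records):
    """dport -> Counter(day -> number of scans seen that day)."""
    counts = defaultdict(Counter)
    for day, _src, _dst, dport in records:
        counts[dport][day] += 1
    return counts


def detect_spikes(counts, factor: int = 10, min_hits: int = 20):
    """Flag (dport, day) where the day's count is at least `factor` times
    the median of that port's earlier daily counts and at least `min_hits`.
    `lapse_days` is the gap from the first probe on that port to the spike."""
    alerts = []
    for dport, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            earlier = [per_day[d] for d in days[:i]]
            if not earlier:
                continue                    # nothing to compare against yet
            base = median(earlier)
            hits = per_day[day]
            if hits >= min_hits and hits >= factor * base:
                alerts.append({"dport": dport, "day": day, "hits": hits,
                               "baseline": base,
                               "lapse_days": (day - days[0]).days})
    return alerts


def analyse(log: str = SAMPLE_LOG):
    return detect_spikes(daily_counts(parse(log)))


if __name__ == "__main__":
    for a in analyse():
        print(f"port {a['dport']}: {a['hits']} scans on {a['day']} "
              f"(baseline {a['baseline']}/day, {a['lapse_days']} days after first probe)")
```

Running it on the constructed log flags only port 135 on 2003-08-11, the single day that stands out against the one-scan-per-day background; port 80 never leaves its baseline. Tuning `factor` and `min_hits` against real daily archives is what keeps this from alerting on an ordinary busy day.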
Exploitation Pattern of Typical Internet Worm
• Target Vulnerabilities on Specific Operating Systems
• Localized Scanning to Propagate (Code Red II)
  - 3/8 of time within same /16 network
  - 1/2 of time within same /8 network
  - 1/8 of time random address
• Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts
19
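The localized target selection above, as an added example that is not worm code and not from the slides: `next_target` applies the 3/8, 1/2, 1/8 split, `hit_probability` gives the per-scan chance of landing on a vulnerable host from the three densities, and `simulate` lets each infected host send one probe per round so the effect of a dense enclave can be compared with uniform random scanning. It only generates addresses in memory and sends nothing; the 10.0.0.0/16 network, the vulnerable-host layout and the seed host are constructed.

```python
"""Localized scanning (3/8 same /16, 1/2 same /8, 1/8 random) and a
small propagation simulation.  Added example; generates addresses only,
with a constructed network and vulnerable-host set."""
import random


def next_target(infected: str, r: float, rnd: random.Random) -> str:
    """Address a host at `infected` probes next.  `r` in [0, 1) selects
    the branch (passed in explicitly so the split is testable); `rnd`
    supplies the random octets."""
    a, b = infected.split(".")[:2]
    if r < 3 / 8:                            # 3/8: stay inside the same /16
        return f"{a}.{b}.{rnd.randrange(256)}.{rnd.randrange(256)}"
    if r < 3 / 8 + 1 / 2:                    # 1/2: stay inside the same /8
        return f"{a}.{rnd.randrange(256)}.{rnd.randrange(256)}.{rnd.randrange(256)}"
    return ".".join(str(rnd.randrange(256)) for _ in range(4))   # 1/8: anywhere


def hit_probability(d16: float, d8: float, d_all: float) -> float:
    """Per-scan chance of hitting a vulnerable host, given the fraction of
    vulnerable addresses in the scanner's /16, its /8 and the whole space."""
    return 3 / 8 * d16 + 1 / 2 * d8 + 1 / 8 * d_all


def simulate(vulnerable: set, seed_host: str, rounds: int,
             localized: bool = True, seed: int = 1) -> list:
    """Every infected host sends one probe per round.  Returns the infected
    count after each round.  localized=False forces the fully random branch
    for every probe, i.e. uniform scanning of the whole address space."""
    rnd = random.Random(seed)
    infected = {seed_host}
    history = []
    for _ in range(rounds):
        for host in list(infected):
            r = rnd.random() if localized else 1.0
            target = next_target(host, r, rnd)
            if target in vulnerable:
                infected.add(target)
        history.append(len(infected))
    return history


# Constructed enclave: every 10.0.x.y with y < 32 runs the vulnerable
# service, so 8192 of the 65536 addresses in the /16 are exploitable.
VULNERABLE = {f"10.0.{x}.{y}" for x in range(256) for y in range(32)}
SEED_HOST = "10.0.5.3"

if __name__ == "__main__":
    n = len(VULNERABLE)
    print("per-scan hit probability from inside the enclave:",
          hit_probability(n / 2**16, n / 2**24, n / 2**32))
    print("uniform scanning, per-scan hit probability:", n / 2**32)
    print("localized: infected after 200 rounds =", simulate(VULNERABLE, SEED_HOST, 200)[-1])
    print("uniform:   infected after 200 rounds =",
          simulate(VULNERABLE, SEED_HOST, 200, localized=False)[-1])
```

With one eighth of the /16 vulnerable, a localized probe succeeds about 3/64 of the time, so the enclave is overrun within a few hundred rounds, while uniform scanning at roughly two in a million per probe has essentially no chance of even finding it in that time. This is the honeynet's point of view too: a single honeypot inside a /16 sees the worm's repeated scans because the worm concentrates them there.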
Georgia Tech Honeynet Gen II
20
Initial Observations of Gen II Honeynet
• Configuration is more complex than Gen I
• Must use variants of Linux 2.4 kernel in order to run Sebek keystroke logger capability
• Data must continue to be monitored on a daily basis
21
Honeynet Portscan Activity
Port 1434 (MS-SQL) scans
[Chart: scans per day against port 1434; x-axis dates from Aug 06 (2002) to Sep 10 (2003), y-axis scan count 0 to 1200]
• Date Public: 7/24/02 Date Attack: 1/25/03
22
Honeynet Portscan Activity
Port 135 (MS-BLASTER) scans
[Chart: scans per day against port 135; x-axis dates from May 20 to Sep 07 (2003), y-axis scan count 0 to 3500]
• Date Public: 7/16/03 Date Attack: 8/11/03
23
Honeynet Portscan Activity
Port 554 (RTSP) scans
[Chart: scans per day against port 554; x-axis dates from 5/20/2003 to 9/9/2003, y-axis scan count 0 to 40]
• Date Public: 8/15/2003 Date Attack: 8/22/03
24
Conclusions on HoneyNets
• Honeynet Assists in Maintaining Network Security
• Provides Platform for Research in Information Assurance and Intrusion Detection
25