Deploying Honeynets Dodge, Jr., & Ragsdale - Presentation by Janakiram Dandibhotla.

System Admin vs. Attacker
Sys admins use IDSs or manually review the event logs on servers, firewalls, or host computers. Two categories of faulty conclusions: false positives and false negatives. Hackers have sophisticated tools and techniques. Honeynets are extremely useful security tools: they turn the sys admin's job from finding a needle in a haystack into having a pile of needles.

Network Deception
Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission. The application of honeynets as part of a deception plan for network security is supported by this definition.

Honeynets
Honeypot: a system that has absolutely no production value. No DNS entries. Any traffic going to a honeypot is at least suspicious and, most likely, malicious. Two categories: low-interaction and high-interaction. The primary difference is the level of interaction a hacker can have.

Low-interaction Honeypot
Uses emulated services and signatures to respond to the attacker. Example: Honeyd. Honeyd is adept at identifying network scanning activity: it responds on any IP addresses not claimed by another device, using the Address Resolution Protocol daemon (arpd).

Low-interaction Honeypot (Contd.)
Honeyd can respond to ICMP, TCP and UDP. It uses a "personality engine" to generate scripted responses to standard service inquiries. It can respond to an attempt to get header information from a web server by returning a standard HEAD response. The personality engine modifies the content of the packet headers to mimic the desired OS. This is the limit of interaction the hacker can have with the system.
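To make the "scripted response, limited interaction" idea concrete, here is an added toy emulation of a web service in the spirit of Honeyd's personality engine. It is illustrative code written for this transcript, not Honeyd's source; the personality table, banners and client address are constructed for the example. Only HEAD and GET get a scripted answer, everything else is refused, and every request is logged because any traffic to a honeypot is by definition suspicious.

```python
"""Added example: a toy low-interaction HTTP emulation in the spirit of
Honeyd's personality engine (illustrative code, not Honeyd's source).
The personality table and banners are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed personalities: which scripted headers each emulated OS/server returns.
PERSONALITIES = {
    "Windows 2000 IIS": {"Server": "Microsoft-IIS/5.0", "X-Powered-By": "ASP.NET"},
    "Linux Apache": {"Server": "Apache/1.3.27 (Unix)"},
}


@dataclass
class EmulatedHTTP:
    """Answers only a fixed set of scripted requests; everything else is refused."""
    personality: str
    log: list = field(default_factory=list)

    def handle(self, src_ip: str, raw_request: bytes) -> bytes:
        text = raw_request.decode("ascii", errors="replace")
        request_line = text.split("\r\n", 1)[0]
        parts = request_line.split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            status, body = "400 Bad Request", b""
        elif parts[0] == "HEAD":
            status, body = "200 OK", b""
        elif parts[0] == "GET":
            status, body = "200 OK", b"<html><body>It works</body></html>"
        else:
            # Beyond the scripted surface there is nothing to interact with:
            # this is the limit of what a low-interaction honeypot offers.
            status, body = "501 Not Implemented", b""
        # Any request to a honeypot is at least suspicious, so every one is logged.
        self.log.append({"src": src_ip, "request": request_line, "status": status})
        headers = dict(PERSONALITIES[self.personality])
        headers["Date"] = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
        headers["Content-Length"] = str(len(body))
        head = f"HTTP/1.0 {status}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
        return head.encode("ascii") + b"\r\n" + body


if __name__ == "__main__":
    svc = EmulatedHTTP("Windows 2000 IIS")
    # Constructed probe from a constructed client address.
    print(svc.handle("203.0.113.5", b"HEAD / HTTP/1.0\r\nHost: honeypot\r\n\r\n").decode())
    print(svc.log)
```

The point of the example is what is missing: there is no file system, no application logic and no way to go deeper, which is exactly why a low-interaction honeypot is cheap and low-risk but tells you little beyond the first probe.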

High-interaction Honeypot
Provides a real OS and services with real content. Higher resource, management and risk factors. What can be learned about the attacker's techniques and tools far exceeds what a low-interaction honeypot yields. Several honeypots combined to represent a network subnet form a honeynet.

Value of Honeynet
Not production systems, so no production activity and no authorized services. Any interaction implies malicious or unauthorized activity. Inbound attempts to establish connections are most likely probes, scans, or attacks. Almost any outbound connection implies a compromised system. Deploying honeynets is not a simple proposition: you are putting a computer in the network that is designed to be hacked, so you must be very careful.
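The "any interaction is unauthorized" property is what makes honeynet alerting so simple. The following added example (not from the slides) runs that logic over a handful of constructed flow records: every inbound flow to the honeynet subnet is a probe, a source that touches several honeypot targets is a scan, and any flow originating inside the honeynet is treated as a compromise. The subnet, addresses and threshold are constructed values.

```python
"""Added example (not from the slides): alerting over constructed flow records
for a honeynet where, by definition, any interaction is unauthorized."""
import ipaddress
from collections import Counter, defaultdict

HONEYNET = ipaddress.ip_network("192.0.2.0/28")   # constructed honeynet subnet
SCAN_THRESHOLD = 5   # distinct honeypot (ip, port) targets hit by one source

# Constructed flow records: timestamp src dst dport proto
FLOWS = """\
2024-05-01T10:00:01 198.51.100.7 192.0.2.3 22 tcp
2024-05-01T10:00:02 198.51.100.7 192.0.2.3 80 tcp
2024-05-01T10:00:02 198.51.100.7 192.0.2.4 22 tcp
2024-05-01T10:00:03 198.51.100.7 192.0.2.5 22 tcp
2024-05-01T10:00:03 198.51.100.7 192.0.2.6 445 tcp
2024-05-01T10:00:04 198.51.100.7 192.0.2.7 22 tcp
2024-05-01T10:05:00 10.10.0.20 10.10.0.5 443 tcp
2024-05-01T10:07:30 192.0.2.3 203.0.113.9 6667 tcp
"""


def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def classify(lines):
    """Return (severity, kind, ts, message) tuples; production-only traffic is ignored."""
    alerts = []
    targets = defaultdict(set)   # source -> set of honeypot (ip, port) it touched
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_flow(line)
        if src in HONEYNET:
            # Honeypots initiate nothing on their own: outbound means compromised.
            alerts.append(("CRITICAL", "compromise", ts,
                           f"outbound {proto}/{port} from honeypot {src} to {dst}"))
        elif dst in HONEYNET:
            # No authorized service exists, so every inbound flow is a probe.
            alerts.append(("MEDIUM", "probe", ts, f"{src} -> {dst}:{port}/{proto}"))
            targets[src].add((dst, port))
            if len(targets[src]) == SCAN_THRESHOLD:
                alerts.append(("HIGH", "scan", ts,
                               f"{src} touched {SCAN_THRESHOLD} honeypot targets"))
    return alerts


def summarize(alerts):
    """Count alerts by kind."""
    return Counter(kind for _, kind, _, _ in alerts)


if __name__ == "__main__":
    found = classify(FLOWS.splitlines())
    for a in found:
        print(*a)
    print(dict(summarize(found)))
```

Note that there is no signature matching here at all: the honeynet's lack of production value is the detection rule, which is why the slide says the needle problem turns into a pile of needles.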

Honeynet Deployment: Legal Risks of Deployment
The two most common legal arguments against honeynets are that they are a form of entrapment and that they violate a person's expected right to privacy. Entrapment: enticing a party to commit an act he/she was not already predisposed to do. But providing the systems for an attacker to scan and then compromise does not constitute entrapment.

The Fourth Amendment
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." An individual who attacks and compromises a system does not have a reasonable expectation of privacy. This applies only to government actors, not private citizens. Consider the scenario where an attacker compromises a honeypot.

The Wiretap Act
Provider protection clause: it is not unlawful for an operator of a switchboard etc. to intercept, disclose, or use that communication in the normal course of employment to protect the rights or property of the provider, except that a provider of wire communication service shall not utilize service observing except for mechanical or service quality control checks.
Consent clause: two ways consent may permit monitoring. (1) Placing banners; we should be able to prove that the attacker saw the banner! (2) The honeypot can itself consent to monitoring.

The Wiretap Act (Contd.)
Computer trespasser exception: the Patriot Act allows the government to monitor electronic communication in conjunction with an ongoing investigation. Only applicable to government use of honeynets; not applicable to private or commercial applications.

The Pen Trap Act
The Wiretap Act covers only interception of the content of communications; it doesn't cover the analysis of the information. The Pen Trap Act prohibits the capture of non-content related data, like the information in IP packet headers.
The Computer Fraud and Abuse Act
This act criminalizes network attacks. Every computer connected to the internet is protected. The concern is with the disposition of illegal material. The honeynet may become the "witness", so the data should be handled very carefully.

Technical Details of Deployment - Data Control
[Figure: Honeynet Example Configuration]

Data Control
First consideration: protection of production systems from attacks launched out of a compromised honeynet. Solution proposed by the Honeynet Project: a proxy that operates at the Data Link Layer, with rate limiting, selective dropping and bit-flipping mechanisms. The Honeywall is placed between the honeynet and the rest of the network. Packets coming into the honeynet are allowed to pass unchallenged. Outbound packets are subjected to rate limiting. The iptables queuing feature matches the packets against a rule set. Three actions: allow, drop and modify.
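The decision the Honeywall makes for each packet is small enough to write out. The following added example is illustrative code, not the Honeynet Project's Honeywall or its iptables rule set: inbound traffic passes unchallenged, outbound connections from each honeypot are counted against a sliding-window limit per protocol, and a payload that matches a rule is forwarded in neutralized form ("modify") rather than blocked. The subnet, limits, window and the single rewrite rule are constructed values.

```python
"""Added example (illustrative, not the Honeynet Project's Honeywall code):
the data-control decision for one connection attempt. Inbound is allowed
unchallenged; outbound is rate limited per honeypot and protocol and
matched against a rule set with three actions: allow, drop, modify."""
import ipaddress
from collections import defaultdict, deque

ALLOW, DROP, MODIFY = "allow", "drop", "modify"


class Honeywall:
    def __init__(self, honeynet, limits, rules, window=3600):
        self.honeynet = ipaddress.ip_network(honeynet)
        self.limits = limits      # proto -> outbound connections allowed per window
        self.rules = rules        # list of (pattern, replacement), equal length
        self.window = window      # seconds
        self.outbound = defaultdict(deque)   # (honeypot ip, proto) -> timestamps
        self.log = []

    def decide(self, ts, src, dst, proto, payload=b""):
        """Return (action, payload_to_forward) for a new connection attempt."""
        src_ip = ipaddress.ip_address(src)
        if src_ip not in self.honeynet:
            return ALLOW, payload           # inbound: attackers are let in
        q = self.outbound[(src_ip, proto)]
        while q and ts - q[0] >= self.window:
            q.popleft()                     # expire connections outside the window
        if len(q) >= self.limits.get(proto, 0):
            # Rate limit reached: the honeypot must not become a launch point.
            self.log.append((ts, str(src_ip), dst, proto, DROP))
            return DROP, b""
        q.append(ts)
        for pattern, replacement in self.rules:
            if pattern in payload:
                # "Bit-flipping": the connection still goes out (so the attacker
                # sees nothing odd), but the payload no longer does what was intended.
                self.log.append((ts, str(src_ip), dst, proto, MODIFY))
                return MODIFY, payload.replace(pattern, replacement)
        self.log.append((ts, str(src_ip), dst, proto, ALLOW))
        return ALLOW, payload


if __name__ == "__main__":
    # Constructed honeynet, limits and rewrite rule.
    hw = Honeywall("192.0.2.0/28", {"tcp": 3, "udp": 5}, [(b"/bin/sh", b"/ben/sh")])
    for t in (10, 20, 30, 40):
        print(t, hw.decide(t, "192.0.2.3", "203.0.113.9", "tcp", b"GET /bin/sh"))
    print(hw.log)
```

Two design points worth noticing: the limit is on connection attempts rather than bytes, so a compromised honeypot can still be watched talking to its controller, and a protocol with no configured limit is dropped by default rather than allowed.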

Data Capture
Capturing traffic for event notification; the data can be used to learn more about the attack. Data is captured at two locations: the network (the Honeywall) and the host. Capture at the Honeywall lets you examine the full packet flow that caused a specific alert. Packet payloads are captured by a SNORT process bound to the network interface.

Data Capture (Contd.)
Host-based logging must be done covertly to avoid detection by the attacker. Any encrypted traffic (e.g. SSH) will not provide any valuable information. Sebek: a modified rootkit that trojanizes the Linux kernel.

Information and Physical Architecture
Traditionally, honeynets have simply been nothing more than default installations of commonly used OSes. A honeynet needs to filter out scanning and worm traffic and let in traffic that is "interesting"; a firewall can be used for this. A less vulnerable honeypot is less likely to be attacked! Placing the honeynet in the interior segment of the network is used for finding "insider" attacks. Easiest deployment technique: a stand-alone honeynet. With different locations of the organization, different honeynets at each place.

Information and Physical Architecture (Contd.)
But with large organizations a honeyfarm might be considered. A honeyfarm is a collection of honeynets serving different networks but co-located. Honeynets can also be used to track known malicious activity: by placing a Honeywall dynamically in front of a compromised system, we can closely monitor and track it. Honeynets can also be deployed on virtual machines; when attacked, create a copy of the VM and let the criminal investigator examine the exploited system. The main objective: a place where no one should ever go. This can be applied to any resource, e.g. a database record for a very famous person, say Bill Gates.

Anti-Honeynet Movements
No good deed goes unpunished. Attackers are quickly learning and sharing the secrets of honeynets. Many open-source developers who contributed to honeynet solutions have published papers highlighting the vulnerabilities and how to exploit them!

References
Enterprise Information Systems Assurance and System Security, by Merrill Warkentin and Rayford Vaughn.

Thank you. Questions?