CSCE 815 Network Security Lecture 24 Your Jail and HoneyNets April 17, 2003
– 2 – CSCE 815 Sp 03 Network Administrator Tools Network Administration tools (MSDOS/Windows) ipconfig ifconfig netstat /etc/… not really tools as much as files /sbin/… Find ethernet/IP addresses More tools
– 3 – CSCE 815 Sp 03 Chroot Jails References: general purpose security/Linux site chroot environment:
– 4 – CSCE 815 Sp 03 Chroot Implementation
– 5 – CSCE 815 Sp 03 The Hacker Community The Black Hat Community Facts 20 Unique Scans a day Fastest Compromise – 15 minutes Default RH 6.2 life expectancy is 72 Hrs % increase in activity from 2000 to 2001 Source:
– 6 – CSCE 815 Sp 03 What needs to be done? Awareness : To raise awareness about new and existing threats and attacks Information: Collect information about attacks and people who cause them, their tools and techniques Analysis: Assess vulnerabilities in the system
– 7 – CSCE 815 Sp 03 Deploying a Gen II Honeynet Objective: To learn about threats and attacks on the most vulnerable Unix and Windows based applications To learn about tools and techniques used by the attackers To collect and analyze attack data
– 8 – CSCE 815 Sp 03 Honeypot Operating system with applications vulnerable to attacks Designed to capture all activities generated by an intruder Types: Production Honeypot-Low Interaction- Simulated Environment Eg. Specter, BOF Research Honeypot- High Interaction-Learning purposes
– 9 – CSCE 815 Sp 03 Honeynet Comprised of high interaction honeypots Simulates a real/production environment Components: Data Control: Comprised honeypot should not be used to attack systems Data Capture: Capture Attacker’s activity Eg: Keystrokes Data Collection: Collecting honeynet data in a remote machine
– 10 – CSCE 815 Sp 03 Gen I Honeynet Placed on an isolated network Firewall and Router are used as Access Control Devices Better Data control than a traditional honeypot
– 11 – CSCE 815 Sp 03 Limitations of Gen I Honeypot Easily Detectable Outbound packets have TTL decrement at the routing firewall (Layer 3 device) Intruder can fingerprint the network Poor Data Control mechanism Intruder can use the system to attack other systems Absence of Content-Based detection
– 12 – CSCE 815 Sp 03 Gen II Honeynet Goals of Gen II Honeynet 1.Undetectable System 1.Undetectable System Placed in a production network Access control implemented by a gateway device (layer 2 device) Absence of TTL decrement 2.Efficient Data Control mechanisms
– 13 – CSCE 815 Sp 03 Deploying a Gen II Honeynet
– 14 – CSCE 815 Sp 03 How to do implement the Honeynet Building the Honeypots Building the Sensor Bridge Construction Kernel Hardening Data Control Data Capture Data Collection
– 15 – CSCE 815 Sp 03 Building Honeypots Cleaning the machine FWipe (Linux) Eraser (Windows) Linux Honeypot Redhat7.3, Kernel Apache server, SSH,FTP,Telnet Windows Honeypot Default installation of Windows 2000 server IIS Web Server,IE,Microsoft SQL Server
– 16 – CSCE 815 Sp 03 Honeynet Bridge Internet Eth0-NO IP Eth1-NO IP Administrative Interface SSH Connections Trusted Hosts Eth xxx.yyy
– 17 – CSCE 815 Sp 03 Honeynet Communication Channel Application Presentation Session Transport Network Data Link PhysicalApplicationPresentation Session Transport Network Physical Eth1-Promiscuous ModeEth0-Promiscuous Mode IP Forwarding Source IP: Destination IP: TTL : 30 Source MAC : 07 E2 G5 89 P1 Destination MAC:0H F5 7F 2L G2 Src IP: Dest IP: TTL : 30 Src MAC:07 E2 G5 89 P1 Dest MAC:0H F5 7F 2L G2 Hub
– 18 – CSCE 815 Sp 03 Kernel Hardening Bastille Linux Non-executable IP user stack Secures /proc /var directories Prevents users from creating hard links to files that they don’t own Restricts writes into pipes
– 19 – CSCE 815 Sp 03 Data Control: Snort-Inline and IPTables Modes of Operation Modes of Operation Connection Limiting Mode: Count packets by protocol type Drop Mode: Libipq reads packets from kernel space.Packets are matched against snort signatures and dropped if there is a match Replace Mode: Packets are matched against snort signatures and if they match the harmful content of packet is scrubbed and returned to the attacker
– 20 – CSCE 815 Sp 03 Connection Limiting Mode IPTables DROP Packet No =10 IPTables
– 21 – CSCE 815 Sp 03 Snort-Inline Drop Mode IP Tables Ip_queue Snort-Inline Snort Rules=Drop IPTables Drop
– 22 – CSCE 815 Sp 03 Snort-Inline Replace Mode IP Tables Ip_queue Snort-Inline Snort Rules=Replace IPTables bin/sh->ben/sh
– 23 – CSCE 815 Sp 03 Protect the Administrator Interface Portsentry Detects SYN/Half Open, FIN, NULL scans Will block host in real time and report to the administrator
– 24 – CSCE 815 Sp 03 Data Control: Tripwire Maintains integrity of data on the system Creates cryptographic checksums of files and directories Reports when changes are made to Access permissions, inode number, Userid, groupid, date and time, size
– 25 – CSCE 815 Sp 03 Data Capture Mechanisms Snort-Inline Comlog: Log commands executed by cmd.exe (Windows) Eventlog: forwards packets to syslog server(Windows) Sebek: (Linux) Keystroke logging Uses UDP connection
– 26 – CSCE 815 Sp 03 Data Collection Syslog: To deceive intruder maintain another Syslog.conf file in a different location Remote Syslog Stored data on remote machine
– 27 – CSCE 815 Sp 03 Data Analysis Log Sentry: Audits logs and reports any violations Sleuth Kit: Analyses images generated by dd command Converts and copies a file Displays deleted files Creates timeline for file activity
– 28 – CSCE 815 Sp 03 Top 10 Attacked Services Linux Based Attack RPC Apache SSH SNMP FTP R-Services LPD Sendmail BIND/DNS Weak accounts Windows Based Attack IIS MDAC Microsoft SQL Server NETBIOS Weak LM Hashing Anonymous Logon Weak accounts IE Remote Registry Access Windows Scripting Host
– 29 – CSCE 815 Sp 03 Risk Analysis Placed on the Subnet Can be shut down in case of emergency Efficient Data Control Mechanisms Firewall (Connection Limiting Mode) Snort-Inline (Drop Mode)
– 30 – CSCE 815 Sp 03 References Librenix: types of firewalls configurations access contro Newsforge: Deploying a GenII Honeynet: MS Thesis Harish Siripurapu