
CSCE 815 Network Security Lecture 24 Your Jail and HoneyNets April 17, 2003.



1 CSCE 815 Network Security Lecture 24 Your Jail and HoneyNets April 17, 2003

2 Network Administrator Tools
  - Network administration tools: ipconfig (MSDOS/Windows), ifconfig, netstat
  - /etc/... and /sbin/... (not really tools as much as files)
  - Find Ethernet/IP addresses
  - More tools: http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid=23

3 Chroot Jails
  - References:
    - http://librenix.com/ (general purpose security/Linux site)
    - http://www.gsyc.inf.uc3m.es/~assman/jail/index.html (chroot environment)

4 Chroot Implementation
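The slide above carries no transcript text, so the following Python script is added here as a worked example of how a minimal chroot jail is built and entered; it is not code from the lecture or from the jail site referenced on the previous slide. It assumes a Linux host with ldd in PATH, and root privileges for build_jail() and enter_jail(); the sample ldd output and the /bin/sh, /srv/jail and nobody arguments are constructed.

```python
"""Building and entering a minimal chroot jail.

Added example for these lecture notes; it is not code from the lecture or from
the referenced jail projects. Assumptions: a Linux host with ldd in PATH, and
root privileges for build_jail() (to copy into the jail root) and enter_jail().
parse_ldd() and jail_files() are pure functions and run unprivileged.
"""
import os
import pwd
import re
import shutil
import subprocess

# Matches both ldd output forms, "libc.so.6 => /lib/libc.so.6 (0x...)" and
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; lines without a path (vdso) are skipped.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s*=>\s*)?(/\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")

# Constructed sample of ldd output, used by demo() so the parser can be
# exercised without running ldd.
SAMPLE_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffd4b3f0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c400000)\n"
)


def parse_ldd(ldd_output):
    """Return the absolute library paths named in ldd's output."""
    return [m.group(1) for m in map(_LDD_LINE.match, ldd_output.splitlines()) if m]


def jail_files(binary, ldd_output):
    """Files the jail needs: the binary itself plus every shared library it loads."""
    return [binary] + parse_ldd(ldd_output)


def build_jail(binary, jail_dir):
    """Copy the binary and its libraries into jail_dir, keeping their paths.

    Returns the destination paths. Requires write access to jail_dir.
    """
    ldd_output = subprocess.run(["ldd", binary], capture_output=True,
                                text=True, check=True).stdout
    copied = []
    for src in jail_files(binary, ldd_output):
        dst = os.path.join(jail_dir, src.lstrip("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        copied.append(dst)
    return copied


def enter_jail(jail_dir, user):
    """Confine the calling process: chroot, chdir to the new root, drop root.

    The order matters: chdir("/") after chroot() makes sure the working
    directory is inside the jail, and dropping to an unprivileged uid last
    means the process can no longer call chroot() again. Must run as root.
    """
    pw = pwd.getpwnam(user)
    os.chroot(jail_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def demo():
    """Unprivileged check of the planning step on the constructed ldd sample."""
    return jail_files("/bin/sh", SAMPLE_LDD_OUTPUT)


if __name__ == "__main__":
    import sys
    # Usage (as root): python3 jail.py /bin/sh /srv/jail nobody
    binary, jail_dir, user = sys.argv[1:4]
    for path in build_jail(binary, jail_dir):
        print("copied", path)
    enter_jail(jail_dir, user)
    os.execv(binary, [binary])
```

A real jail for an interactive shell also needs the device nodes and configuration files the program reads (/dev/null, /etc/passwd and so on); the point of the script is the copy-what-ldd-lists step and the chroot, chdir, drop-privileges order that keeps the confinement effective.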

5 The Hacker Community
  - The Black Hat Community: facts
    - 20 unique scans a day
    - Fastest compromise: 15 minutes
    - Default RH 6.2 life expectancy is 72 hrs
    - 100-200% increase in activity from 2000 to 2001
  - Source: http://project.honeynet.org/papers/stats

6 What needs to be done?
  - Awareness: raise awareness about new and existing threats and attacks
  - Information: collect information about attacks and the people who cause them, their tools and techniques
  - Analysis: assess vulnerabilities in the system

7 Deploying a Gen II Honeynet
  - Objective:
    - To learn about threats and attacks on the most vulnerable Unix and Windows based applications
    - To learn about the tools and techniques used by attackers
    - To collect and analyze attack data

8 Honeypot
  - An operating system with applications vulnerable to attack
  - Designed to capture all activity generated by an intruder
  - Types:
    - Production honeypot: low interaction, simulated environment (e.g. Specter, BOF)
    - Research honeypot: high interaction, for learning purposes

9 Honeynet
  - Comprised of high-interaction honeypots
  - Simulates a real/production environment
  - Components:
    - Data Control: a compromised honeypot should not be used to attack other systems
    - Data Capture: capture the attacker's activity (e.g. keystrokes)
    - Data Collection: collect the honeynet data on a remote machine

10 Gen I Honeynet
  - Placed on an isolated network
  - Firewall and router are used as access control devices
  - Better data control than a traditional honeypot

11 Limitations of Gen I Honeypot
  - Easily detectable:
    - Outbound packets have their TTL decremented at the routing firewall (a layer 3 device)
    - Intruder can fingerprint the network
  - Poor data control mechanism:
    - Intruder can use the system to attack other systems
  - Absence of content-based detection

12 Gen II Honeynet
  - Goals of the Gen II Honeynet:
    1. Undetectable system
       - Placed in a production network
       - Access control implemented by a gateway device (a layer 2 device)
       - Absence of TTL decrement
    2. Efficient data control mechanisms

13 Deploying a Gen II Honeynet

14 How to implement the Honeynet
  - Building the honeypots
  - Building the sensor
  - Bridge construction
  - Kernel hardening
  - Data control
  - Data capture
  - Data collection

15 Building Honeypots
  - Cleaning the machine: FWipe (Linux), Eraser (Windows)
  - Linux honeypot: Redhat 7.3, kernel 2.4.8-13; Apache server, SSH, FTP, Telnet
  - Windows honeypot: default installation of Windows 2000 Server; IIS web server, IE, Microsoft SQL Server

16 Honeynet Bridge
  (Diagram) The bridge sits between the Internet and the honeypots:
  - Eth0: no IP address
  - Eth1: no IP address
  - Eth2: 129.252.xxx.yyy, the administrative interface; SSH connections from trusted hosts only
  - Addresses shown in the diagram: 129.252.140.3, 192.252.140.7

17 Honeynet Communication Channel
  (Diagram) Two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) joined through a hub, with IP forwarding on the bridge; Eth0 and Eth1 are in promiscuous mode.
  The packet header is the same on both sides of the bridge (no TTL decrement, MAC addresses unchanged):
  - Source IP: 129.252.140.7, Destination IP: 208.122.101.1, TTL: 30
  - Source MAC: 07 E2 G5 89 P1, Destination MAC: 0H F5 7F 2L G2

18 Kernel Hardening
  - Bastille Linux:
    - Non-executable user stack
    - Secures the /proc and /var directories
    - Prevents users from creating hard links to files they don't own
    - Restricts writes into pipes

19 Data Control: Snort-Inline and IPTables
  - Modes of operation:
    - Connection limiting mode: count packets by protocol type
    - Drop mode: libipq reads packets from kernel space; packets are matched against Snort signatures and dropped if there is a match
    - Replace mode: packets are matched against Snort signatures and, if they match, the harmful content of the packet is scrubbed and returned to the attacker

20 Connection Limiting Mode
  (Diagram) IPTables counts outbound packets; once the packet count reaches 10, IPTables DROPs further packets.

21 Snort-Inline Drop Mode
  (Diagram) IPTables -> ip_queue -> Snort-Inline (Snort rules = drop) -> IPTables: DROP

22 Snort-Inline Replace Mode
  (Diagram) IPTables -> ip_queue -> Snort-Inline (Snort rules = replace) -> IPTables; e.g. bin/sh -> ben/sh
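Slides 19 to 22 describe the three data-control modes only as diagrams. The Python below is an added example, not snort-inline's or the lecture's code, that simulates all three on constructed outbound packets from a honeypot: IPTables connection limiting (count connection attempts per protocol, drop past 10), Snort-Inline drop mode (discard on signature match) and replace mode (scrub the matching bytes, bin/sh to ben/sh, and forward). The honeypot address, the limit of 10, the signature table and the packets are all constructed.

```python
"""The three snort-inline / IPTables data-control modes, simulated on constructed packets.

Added example, not snort-inline's or the lecture's code. It models what each mode
does to outbound traffic from a compromised honeypot: connection limiting counts
connection attempts per protocol and drops past a limit, drop mode discards packets
matching a signature, and replace mode scrubs the matching bytes. Limit, signature
and packets are all constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    payload: bytes
    syn: bool = False   # TCP: True for a connection attempt (SYN without ACK)


HONEYPOT = "192.0.2.7"      # constructed honeypot address
CONNECTION_LIMIT = 10       # constructed: outbound connections allowed per protocol
# Constructed signature: pattern -> same-length replacement, so the TCP stream
# length (and therefore the sequence numbers) is unchanged by replace mode.
SIGNATURES = {b"/bin/sh": b"/ben/sh"}


class DataControl:
    def __init__(self, limit=CONNECTION_LIMIT, signatures=SIGNATURES):
        self.limit = limit
        self.signatures = signatures
        self.counts = defaultdict(int)   # protocol -> outbound connection attempts
        self.log = []                    # what was dropped or altered, and why

    def _new_connection(self, pkt):
        # UDP and ICMP have no handshake, so every outbound packet counts as one.
        return pkt.syn if pkt.proto == "tcp" else True

    def connection_limiting(self, pkt):
        """IPTables stage: count outbound connection attempts per protocol, DROP past the limit."""
        if self._new_connection(pkt):
            self.counts[pkt.proto] += 1
            if self.counts[pkt.proto] > self.limit:
                self.log.append(("limit-drop", pkt.proto, pkt.dst))
                return None
        return pkt

    def drop_mode(self, pkt):
        """Snort-Inline drop: discard a packet whose payload matches a signature."""
        for sig in self.signatures:
            if sig in pkt.payload:
                self.log.append(("sig-drop", sig.decode(), pkt.dst))
                return None
        return pkt

    def replace_mode(self, pkt):
        """Snort-Inline replace: forward the packet with the matching bytes scrubbed."""
        payload = pkt.payload
        for sig, repl in self.signatures.items():
            if sig in payload:
                self.log.append(("sig-replace", sig.decode(), pkt.dst))
                payload = payload.replace(sig, repl)
        return Packet(pkt.proto, pkt.src, pkt.dst, payload, pkt.syn)

    def process(self, pkt, mode):
        """Run one outbound packet through IPTables, then the chosen Snort-Inline mode."""
        pkt = self.connection_limiting(pkt)
        if pkt is None or mode == "limit":
            return pkt
        return self.drop_mode(pkt) if mode == "drop" else self.replace_mode(pkt)


def run_demo(mode):
    """Constructed traffic: 12 outbound TCP connection attempts, then one packet
    on an established connection carrying a shell-spawning string."""
    dc = DataControl()
    forwarded = []
    for i in range(12):
        out = dc.process(Packet("tcp", HONEYPOT, "198.51.100.%d" % (i + 1), b"", syn=True), mode)
        if out is not None:
            forwarded.append(out)
    out = dc.process(Packet("tcp", HONEYPOT, "198.51.100.1",
                            b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0"), mode)
    if out is not None:
        forwarded.append(out)
    return forwarded, dc.log


if __name__ == "__main__":
    for mode in ("limit", "drop", "replace"):
        fwd, log = run_demo(mode)
        print(mode, "forwarded", len(fwd), "log", log)
```

The connection limit applies before either Snort-Inline mode in every case, which is why the last two connection attempts are dropped regardless of mode; replace mode keeps the payload length so the scrubbed segment stays consistent with the rest of the TCP stream.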

23 Protect the Administrator Interface
  - Portsentry:
    - Detects SYN/half-open, FIN and NULL scans
    - Will block the host in real time and report to the administrator
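As an added example of the detection the slide attributes to Portsentry (this is not Portsentry's or the lecture's code), the Python below classifies inbound TCP segments by flag set (SYN only, FIN only, no flags), counts the distinct ports each source has probed, and once a source crosses a threshold marks it blocked and produces the report line the administrator would receive. The served port set, the threshold of 5, the block rule text and the addresses are constructed.

```python
"""Portsentry-style scan detection and real-time blocking, on constructed TCP headers.

Added example, not Portsentry's or the lecture's code. It classifies each inbound
TCP segment by its flag set (SYN only = half-open probe, FIN only, no flags = NULL),
counts distinct probed ports per source, and once a source has touched enough ports
marks it blocked and records the report the administrator would receive. Ports,
threshold and packets are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpSegment:
    src: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


ADMIN_SERVICES = {22}      # constructed: the administrative interface only serves SSH
PORT_THRESHOLD = 5         # constructed: distinct ports probed before a host is blocked


def classify(flags):
    """Return the scan type a segment's flags suggest, or None for ordinary traffic."""
    if flags == frozenset({"SYN"}):
        return "syn"
    if flags == frozenset({"FIN"}):
        return "fin"
    if not flags:
        return "null"
    return None


class ScanDetector:
    def __init__(self, threshold=PORT_THRESHOLD, services=ADMIN_SERVICES):
        self.threshold = threshold
        self.services = services
        self.probed = defaultdict(lambda: defaultdict(set))   # src -> scan type -> ports
        self.blocked = {}                                      # src -> scan type
        self.reports = []

    def observe(self, seg):
        """Process one segment; returns a report line when a host is newly blocked."""
        if seg.src in self.blocked:
            return None
        kind = classify(seg.flags)
        if kind is None:
            return None
        # A SYN to a port we really serve is a normal connection attempt;
        # FIN and NULL segments that open no connection are always suspicious.
        if kind == "syn" and seg.dport in self.services:
            return None
        ports = self.probed[seg.src][kind]
        ports.add(seg.dport)
        if len(ports) >= self.threshold:
            self.blocked[seg.src] = kind
            report = "%s blocked: %s scan of %d ports (%s)" % (
                seg.src, kind, len(ports), ",".join(str(p) for p in sorted(ports)))
            self.reports.append(report)
            return report
        return None

    def block_rule(self, src):
        """The firewall rule applied for a blocked host (constructed form)."""
        return "iptables -I INPUT -s %s -j DROP" % src


def run_demo():
    """Constructed traffic: a legitimate SSH client, a SYN sweep and a NULL sweep."""
    det = ScanDetector()
    segs = [TcpSegment("192.0.2.50", 22, frozenset({"SYN"}))] * 3          # admin logging in
    segs += [TcpSegment("198.51.100.9", p, frozenset({"SYN"})) for p in (21, 23, 25, 80, 110, 143)]
    segs += [TcpSegment("203.0.113.4", p, frozenset()) for p in (1, 2, 3, 4, 5)]
    segs += [TcpSegment("192.0.2.50", 22, frozenset({"ACK", "PSH"}))]       # established session data
    for seg in segs:
        det.observe(seg)
    return det


if __name__ == "__main__":
    for line in run_demo().reports:
        print(line)
```

The threshold matters for the administrative interface: a host that legitimately connects to SSH never accumulates probed ports, while a source sweeping closed ports is blocked before it has finished enumerating the interface.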

24 Data Control: Tripwire
  - Maintains the integrity of data on the system
  - Creates cryptographic checksums of files and directories
  - Reports when changes are made to: access permissions, inode number, user id, group id, date and time, size
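To show what the slide's checksum-and-metadata comparison looks like in code, here is an added Python example (not Tripwire's or the lecture's code) that baselines every file and directory under a root with a SHA-256 checksum plus the fields the slide lists, then reports paths that were added, removed or changed and which fields changed. The demo builds and tampers with a constructed temporary tree; the file names and contents are constructed.

```python
"""A Tripwire-style file integrity checker.

Added example, not Tripwire's or the lecture's code. It records, for every file
and directory under a root, a SHA-256 checksum plus the metadata the lecture lists
(permissions, inode number, uid, gid, modification time, size), and reports paths
that were added, removed or changed, naming the fields that changed. The demo
tampers with a constructed temporary tree.
"""
import hashlib
import json
import os
import tempfile

FIELDS = ("mode", "inode", "uid", "gid", "mtime", "size", "sha256")


def fingerprint(path):
    """Checksum and metadata for one path (directories and symlinks hash as empty)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"mode": st.st_mode, "inode": st.st_ino, "uid": st.st_uid, "gid": st.st_gid,
            "mtime": st.st_mtime, "size": st.st_size, "sha256": h.hexdigest()}


def build_baseline(root):
    """Map of path (relative to root) -> fingerprint for everything under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    # In a deployment the baseline belongs off-host or on read-only media:
    # an intruder who can rewrite it can hide every change.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(root, baseline):
    """Report added, removed and changed paths; changed maps path -> fields that differ."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(current) & set(baseline)):
        diff = [f for f in FIELDS if current[rel][f] != baseline[rel][f]]
        if diff:
            report["changed"][rel] = diff
    return report


def demo():
    """Build a constructed tree, baseline it, tamper with it, return both reports."""
    root = tempfile.mkdtemp(prefix="tw-demo-")
    os.mkdir(os.path.join(root, "etc"))
    passwd = os.path.join(root, "etc", "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    os.chmod(passwd, 0o644)
    baseline = build_baseline(root)
    clean = compare(root, baseline)
    # Tampering: append an account line, loosen permissions, add a new file.
    with open(passwd, "a") as f:
        f.write("eve:x:0:0::/:/bin/sh\n")
    os.chmod(passwd, 0o666)
    with open(os.path.join(root, "etc", "newfile"), "w") as f:
        f.write("constructed\n")
    tampered = compare(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("after tampering:", tampered)
```

Appending to a file changes its size and checksum but not its inode, which is why the inode field is worth recording separately: a file replaced by a copy (rather than edited in place) shows up as an inode change even when the content is restored.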

25 Data Capture Mechanisms
  - Snort-Inline
  - Comlog: logs commands executed by cmd.exe (Windows)
  - Eventlog: forwards packets to a syslog server (Windows)
  - Sebek (Linux): keystroke logging; uses a UDP connection

26 Data Collection
  - Syslog: to deceive the intruder, maintain another syslog.conf file in a different location
  - Remote syslog: data stored on a remote machine

27 Data Analysis
  - Log Sentry: audits logs and reports any violations
  - The @stake Sleuth Kit: analyses images generated by the dd command (dd converts and copies a file)
    - Displays deleted files
    - Creates a timeline of file activity

28 Top 10 Attacked Services
  - Linux based attacks: RPC, Apache, SSH, SNMP, FTP, R-services, LPD, Sendmail, BIND/DNS, weak accounts
  - Windows based attacks: IIS, MDAC, Microsoft SQL Server, NetBIOS, weak LM hashing, anonymous logon, weak accounts, IE, remote registry access, Windows Scripting Host

29 Risk Analysis
  - Placed on the 129.252.140 subnet
  - Can be shut down in case of emergency
  - Efficient data control mechanisms: firewall (connection limiting mode), Snort-Inline (drop mode)

30 References
  - Librenix: http://librenix.com (firewalls, types of firewalls, configurations, access control)
  - Newsforge: http://newsforge.com/newsforge
  - Deploying a GenII Honeynet: MS Thesis, Harish Siripurapu

