KFSensor vs Honeyd Honeypot System
Sunil Gurung
[60-475] Security and Privacy on the Internet
Agenda
Introduction
Honeypot Technology
KFSensor
Honeyd
Features
Tests
Conclusion
Introduction
"Good Defence is Good Offence"
Network security today: firewall, IDS, antivirus.
The traditional approach is purely defensive.
Today an offensive element is added: deploy a system meant to be attacked.
Honeypot solutions
Honeypot Technology
"A honeypot is a security resource whose value lies in being probed, attacked, or compromised." - Lance Spitzner
We want attackers to probe and exploit the virtual system running emulated services.
The system has no production value and should receive no legitimate traffic, so almost every connection to it is a probe, an attack, or a compromise.
Honeypots complement the traditional security tools; they do not replace them.
Fig: The basic setup of a honeypot system. In the figure, two KFSensor hosts are configured as production honeypots. Figure taken from the KFSensor User Manual (Help).
Types of Attackers
Script kiddies: amateurs who do not care which host they hit; they expose the inadequacy of the security policy.
Blackhats: focus on high-value systems, more experienced, more dangerous, and operate silently.
Types of Honeypot
Interaction: the level of activity the honeypot allows the attacker.
Low interaction: emulated services; easy to deploy and maintain; less risk. Designed to capture only known attacks. (KFSensor and Honeyd are both low-interaction honeypots.)
High interaction: real services and real interaction with the OS. More information is gathered, no assumptions are made, and the attacker gets a fully open environment. The risk is higher: a compromised high-interaction honeypot is a real system, and the attacker can use it to attack others. Examples: Symantec Decoy Server, Honeynet.
KFSensor
Commercial low-interaction honeypot solution for Windows.
Preconfigured services: SSH, HTTP, FTP, etc.
Easy configuration and flexible.
Components of KFSensor: Scenarios; Sim Servers (Sim Standard Server and Sim Banner).
Honeyd
Low interaction, open source.
Developed by Niels Provos of the University of Michigan.
Features: service emulation and emulation of the IP stack of an operating system (the "personality" of a template).
Product detail
Software: honeyd
Version: honeyd 0.8
License: open source
Download site:
OS: Windows, Linux, Unix (Solaris)
Installation
Dependencies: arpd and the libraries libevent-0.8a.tar.gz and libpcap-0.8.3.tar.gz, then the honeyd package itself. Each uses the same configure/make sequence; libevent is shown:
# tar -zvxf libevent-0.8a.tar.gz
Compile libevent:
# cd libevent-0.8a
(Note: pwd is /honeyd_packages/libevent-0.8a)
# ./configure
# make
# make install
Major Differences between the Two
IP address assignment: Honeyd (with arpd) claims unused IP addresses and can emulate many virtual hosts; KFSensor runs on the address of the Windows host it is installed on.
Listening ports: KFSensor listens on the ports of its host; Honeyd answers on the ports opened in each template.
OS emulation: Honeyd emulates the IP stack of an OS using Nmap and Xprobe2 fingerprints; KFSensor emulates services only.
Open source advantage: Honeyd is open source; KFSensor is a commercial product.
Financial value: Honeyd is free; KFSensor must be purchased.
How It Works
Configuration file
nmap.prints and xprobe2 fingerprint files
Scripts for running the emulated services
Explanation of the Configuration File
# Example of a simple host template and its binding
annotate "AIX " fragment old
create template
set template personality "AIX "
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind template
create names a template; set ... personality selects the OS fingerprint whose IP stack behaviour Honeyd imitates; annotate attaches extra properties to a personality (here the IP fragment reassembly policy); add ... tcp port N open makes that port accept connections; set ... default tcp action reset makes every other TCP port answer with a reset, like a closed port on a real host; bind attaches the template to an IP address.
nmap.prints and xprobe2
Honeyd answers Nmap OS-detection probes according to the fingerprint named by a template's personality. Example entry from nmap.prints:
# Contributed by Felix Lindner
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
Each T1..T7 line records how the real OS answered one Nmap probe (Resp: whether it replied; DF: don't-fragment bit; W: window size; ACK, Flags, Ops: TCP fields and options); PU records the UDP probe.
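The personality string in a template must match a Fingerprint line in nmap.prints exactly, and Honeyd reports an unknown personality as a configuration error when it starts. The following Python script is an added example, not code from the presentation or from the Honeyd project: it parses a fingerprint file of the format shown above and checks a honeyd.conf fragment for personalities that do not exist in it. The fingerprint file and configuration it contains (NMAP_PRINTS, HONEYD_CONF) are constructed for the example; the first fingerprint mirrors the Raptor Firewall entry on the slide, the second is made up and describes no real device. The function names are the example's own.

```python
"""Added example (not part of the presentation or of the Honeyd project).

Parse Nmap first-generation OS fingerprints in the nmap.prints format and
verify that every `set <template> personality "<name>"` line in a honeyd
configuration names a fingerprint that exists.  Sample data is constructed.
"""
import re

NMAP_PRINTS = """\
# Contributed by Felix Lindner
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)

# Constructed entry for the example, not a real fingerprint
Fingerprint Example Router OS
TSeq(Class=RI%gcd=<6%SI=<1F)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
"""

# Constructed honeyd.conf: the second template misspells its personality.
HONEYD_CONF = """\
create raptor
set raptor personality "AXENT Raptor Firewall running on Windows NT"
add raptor tcp port 80 open
set raptor default tcp action reset

create typo
set typo personality "AXENT Raptor Firewall running on Windows 2000"
set typo default tcp action reset
"""

# A test line is a test name followed by '%'-separated key=value fields in
# parentheses, e.g. T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M).
TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")
PERSONALITY = re.compile(r'^set\s+(\S+)\s+personality\s+"([^"]*)"')


def parse_prints(text):
    """Return {fingerprint name: {test name: {field: value}}}."""
    prints, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):].strip()
            prints[current] = {}
            continue
        m = TEST_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line in fingerprint file: {line}")
        test, body = m.groups()
        fields = {}
        for kv in (body.split("%") if body else []):
            key, _, value = kv.partition("=")   # 'Ops=' yields an empty value
            fields[key] = value
        prints[current][test] = fields
    return prints


def personalities(conf):
    """Return {template name: personality string} from a honeyd.conf."""
    found = {}
    for raw in conf.splitlines():
        m = PERSONALITY.match(raw.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def unknown_personalities(conf, prints_text):
    """Templates whose personality is not defined in the fingerprint file."""
    known = parse_prints(prints_text)
    return sorted(t for t, p in personalities(conf).items() if p not in known)


if __name__ == "__main__":
    for template in unknown_personalities(HONEYD_CONF, NMAP_PRINTS):
        print(f"template {template!r}: personality not found in nmap.prints")
```

Run against a real deployment by reading the nmap.prints and honeyd.conf files into the two strings; the parsed dictionary also makes it easy to compare what Nmap sees (window size, DF bit, options) against what the personality promises.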
Test Environment
The honeypot was placed inside the router in two settings:
1) University network
2) Home network, with the honeypot system inside the router
Various tests performed:
Testing Honeyd
IP of honeypot:
IP of host running the honeypot:
1) Running arpd (answers ARP requests for the unused honeypot addresses so that traffic for them reaches honeyd):
# arpd /24
2) Running honeyd:
# honeyd -d -f config.sample -p nmap.print -x xprobe2 -l "Log File" -I 2
(-d: stay in the foreground with debugging output; -f: configuration file; -p: Nmap fingerprint file; -x: Xprobe2 fingerprint file; -l: log file.)
Test 1: FTP (KFSensor)
Test 2: FTP (Honeyd)
Other Possible Test (Network Topology)
route entry
route link /24
route add net / latency 55ms loss 0.1
route add net / latency 20ms loss 0.1
route link /24
route link /24
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
create netbsd
set netbsd personality "NetBSD running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"
bind routerone
bind netbsd
route entry names the virtual router through which traffic enters the virtual topology; route ... link attaches a network directly to a router; route ... add net forwards a network through another virtual router with the given latency and packet loss, so the virtual routers show up as extra hops with extra delay in traceroute. Ports can run a script (router-telnet.pl, web.sh) instead of just being open, and proxy $ipsrc:22 forwards SSH connections back to the connecting host.
Results (taken from the abstract)
$ traceroute -n
traceroute to ( ), 64 hops max
(hop lines with per-hop round-trip times in ms follow; the virtual routers configured above appear as intermediate hops)
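To see how the route directives on the topology slide turn into the hops and delays that traceroute reports, the following Python script is an added example, not code from the presentation or from the Honeyd project. It parses the three route directive forms (route entry, route ... link, route ... add net ... latency ... loss) and walks from the entry router to a honeypot address, summing latency and multiplying per-link delivery probability. The addresses in TOPOLOGY are constructed for the example and are not the ones used in the presentation; loss is treated as a percentage per link, as the Honeyd manual describes it, and latency is summed one way. Function names are the example's own.

```python
"""Added example (not part of the presentation or of the Honeyd project).

Walk Honeyd `route` directives from the entry router to a destination and
report the virtual routers traversed, the summed one-way latency and the
end-to-end delivery probability implied by each link's loss setting.
"""
import ipaddress
import re

# Constructed honeyd.conf routing fragment: same directive shapes as the
# topology slide, with example addresses filled in.
TOPOLOGY = """\
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.1.0.1 add net 10.1.5.0/24 10.1.0.2 latency 5ms loss 0
route 10.1.0.2 link 10.1.5.0/24
route 10.2.0.1 link 10.2.0.0/24
"""

ENTRY = re.compile(r"^route\s+entry\s+(\S+)(?:\s+network\s+(\S+))?$")
LINK = re.compile(r"^route\s+(\S+)\s+link\s+(\S+)$")
ADDNET = re.compile(r"^route\s+(\S+)\s+add\s+net\s+(\S+)\s+(\S+)"
                    r"(?:\s+latency\s+(\d+)ms)?(?:\s+loss\s+([\d.]+))?$")


def parse_routes(text):
    """Return (entry router, {router: {"links": [net], "nets": [(net, gw, ms, loss)]}})."""
    entry, routers = None, {}

    def node(router):
        return routers.setdefault(router, {"links": [], "nets": []})

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if m := ENTRY.match(line):
            entry = m.group(1)
            node(entry)
        elif m := LINK.match(line):
            node(m.group(1))["links"].append(ipaddress.ip_network(m.group(2)))
        elif m := ADDNET.match(line):
            router, net, gw, ms, loss = m.groups()
            node(router)["nets"].append(
                (ipaddress.ip_network(net), gw, int(ms or 0), float(loss or 0)))
        else:
            raise ValueError(f"unrecognised route directive: {line}")
    if entry is None:
        raise ValueError("no 'route entry' directive")
    return entry, routers


def path_to(text, dest):
    """Return (hops, one_way_latency_ms, delivery_probability) for dest.

    hops lists the virtual routers traversed, entry router first; a packet
    is considered delivered only if it survives every link's loss.
    """
    entry, routers = parse_routes(text)
    dst = ipaddress.ip_address(dest)
    current, hops, latency, delivered = entry, [entry], 0, 1.0
    while True:
        router = routers[current]
        if any(dst in net for net in router["links"]):
            return hops, latency, delivered     # dest is directly attached
        candidates = [n for n in router["nets"] if dst in n[0]]
        if not candidates:
            raise ValueError(f"{dest} is not reachable from router {current}")
        net, gw, ms, loss = max(candidates, key=lambda n: n[0].prefixlen)
        if gw in hops:
            raise ValueError(f"routing loop through {gw}")
        if gw not in routers:
            raise ValueError(f"gateway {gw} has no route directives of its own")
        latency += ms
        delivered *= 1 - loss / 100            # loss is a percentage per link
        hops.append(gw)
        current = gw


if __name__ == "__main__":
    for host in ("10.0.0.50", "10.1.5.7", "10.2.0.9"):
        hops, ms, p = path_to(TOPOLOGY, host)
        print(f"{host}: via {' -> '.join(hops)}, +{ms} ms one way, "
              f"delivery {p:.4f}")
```

The round-trip times traceroute prints are roughly twice the one-way figure when replies take the same virtual path back, which is why a host two virtual routers deep shows a visibly larger RTT than a host on the entry router's own link.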
Conclusion
Both are low-interaction honeypots.
Honeyd has the richer feature set: virtual IP address assignment and OS IP stack simulation.
KFSensor has the better GUI and easier configuration.
Neither can replace the existing security systems; they work best alongside them.