Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 815 Network Security Lecture 25 Data Control in HoneyNets SSH April 22, 2003.

Published byThomas Henry Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCE 815 Network Security Lecture 25 Data Control in HoneyNets SSH April 22, 2003."— Presentation transcript:

1 CSCE 815 Network Security Lecture 25 Data Control in HoneyNets SSH April 22, 2003

2 – 2 – CSCE 815 Sp 03 Machines to Attack 129.252.140.3129.252.140.7NOT!!! 129.252.140.1 - gateway

3 – 3 – CSCE 815 Sp 03 Honeynet Bridge Internet Eth0-NO IP Eth1-NO IP 129.252.140.3 192.252.140.7 Administrative Interface  SSH Connections  Trusted Hosts Eth2- 129.252.xxx.yyy

4 – 4 – CSCE 815 Sp 03 Honeynet Communication Channel Application Presentation Session Transport Network Data Link PhysicalApplicationPresentation Session Transport Network Physical Eth1-Promiscuous ModeEth0-Promiscuous Mode IP Forwarding Source IP: 129.252.140.7 Destination IP: 208.122.101.1 TTL : 30 Source MAC : 07 E2 G5 89 P1 Destination MAC:0H F5 7F 2L G2 Src IP: 129.252.140.7 Dest IP: 208.122.101.1 TTL : 30 Src MAC:07 E2 G5 89 P1 Dest MAC:0H F5 7F 2L G2 Hub

5 – 5 – CSCE 815 Sp 03 What is Data Control and Why? Process used to control or contain traffic to a honeynet Upstream liability – an attck from one of your honeypots Snort-inline – South Florida Honeynet Project

6 – 6 – CSCE 815 Sp 03 GEN II Data Control Gen II : Incorporates a firewall and IDS in one system Provides more stealthy data control Can be implemented for layer 2 bridging or Layer 3 NAT translation Packets passed from internet to honeynet as layer 2 (datalink) layer packets  no TTL decrement

7 – 7 – CSCE 815 Sp 03 IPTables for GEN II Honeynet IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels Each packet header is compared to a set of “chains” Chains contain rules: ACCEPT, DROP, REJECT, Queue Custom Chains tcpHandler udpHandler icmpHandler

8 – 8 – CSCE 815 Sp 03 Example Rule Shell Script $IPTABLES –A tcpHandler –j LOG –log-prefix “OUTBOUND” if test $QUEUE = “yes” then $IPTABLES –A tcpHandler –j QUEUE fi $IPTABLES –A tcpHandler –j ACCEPT $IPTABLES –A tcpHandler –j ACCEPT Environment variable “$QUEUE” controls action of the rule Queueing Connection limits

9 – 9 – CSCE 815 Sp 03 Snort-Inline Snort: The Open Source Network Intrusion Detection System http://www.snort.org/ http://www.snort.org/ Snort-Inline: Snort + ability to retrieve packets from the Queue target Gen I : Alert.sh operated at Layer 3 (IP layer) which made it visible by TTL decrement and routing Gen II Data Control if attacker runs traceroute to view router hops then “I see nothing” Sargeant Schultz /sbin/traceroute 129.252.140.3

10 – 10 – CSCE 815 Sp 03 Set Up lsmod modprobe ip_queue // to load the ip_queue module into kernel space lsmod modprobe -r ip_queue // to remove

11 – 11 – CSCE 815 Sp 03 Data Control: Snort-Inline and IPTables Modes of Operation Modes of Operation Connection Limiting Mode: Count packets by protocol type Drop Mode: Libipq reads packets from kernel space.Packets are matched against snort signatures and dropped if there is a match Replace Mode: Packets are matched against snort signatures and if they match the harmful content of packet is scrubbed and returned to the attacker

12 – 12 – CSCE 815 Sp 03 Connection Limiting Mode IPTables DROP Packet No =10 IPTables

13 – 13 – CSCE 815 Sp 03 Snort-Inline Drop Mode IP Tables Ip_queue Snort-Inline Snort Rules=Drop IPTables Drop

14 – 14 – CSCE 815 Sp 03 Snort-Inline Replace Mode IP Tables Ip_queue Snort-Inline Snort Rules=Replace IPTables bin/sh->ben/sh

15 – 15 – CSCE 815 Sp 03 Supporting Tools for Gen II libipq – development library for iptables Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel http://www.cs.princeton.edu/~nakao/libipq.htm Libpcap libpcap is a packet capture library used by most Open Source sniffers Bridge-Utils: Bridge-Utils is used to set up the Linux Ethernet bridge Latest Snort Rules rc.firewall script: everything you need to set up the GenII data control system http://project.honeynet.org/papers/honeynet/tools/rc.firewall http://project.honeynet.org/papers/honeynet/tools/rc.firewall

16 – 16 – CSCE 815 Sp 03 Rc.firewall script This script uses IPTables to create a gateway that counts inbound # and outbound connections and blocks connections once a limit # has been met. Kernel must be compiled with Bridge support Modifications History 21 Apr 2003: Added STOP_OUT option to allow user to block # all outbound connections. Think of this as the # honeynet safe mode.

17 – 17 – CSCE 815 Sp 03 Protect the Administrator Interface Portsentry Detects SYN/Half Open, FIN, NULL scans Will block host in real time and report to the administrator

18 – 18 – CSCE 815 Sp 03 Data Control: Tripwire Maintains integrity of data on the system Creates cryptographic checksums of files and directories Reports when changes are made to Access permissions, inode number, Userid, groupid, date and time, sizehttp://www.tripwire.com/

19 – 19 – CSCE 815 Sp 03 Data Capture Mechanisms Snort-Inline Comlog: Log commands executed by cmd.exe (Windows) Eventlog: forwards packets to syslog server(Windows) Sebek: (Linux) Keystroke logging Uses UDP connection USCSh – Unix keystroke logging 1984 Windows Keystroke logging PhD dissertation 1990s

20 – 20 – CSCE 815 Sp 03 Data Collection Syslog: To deceive intruder maintain another Syslog.conf file in a different location Remote Syslog Stored data on remote machine

21 – 21 – CSCE 815 Sp 03 Data Analysis Log Sentry: Audits logs and reports any violations The @stake Sleuth Kit: Analyses images generated by dd command Converts and copies a file Displays deleted files Creates timeline for file activity

22 – 22 – CSCE 815 Sp 03 Risk Analysis Placed on the 129.252.140 Subnet Can be shut down in case of emergency Efficient Data Control Mechanisms Firewall (Connection Limiting Mode) Snort-Inline (Drop Mode)

23 – 23 – CSCE 815 Sp 03 References Librenix: http://librenix.comfirewalls types of firewalls configurations access contro Newsforge: http://newsforge.com/newsforge http://newsforge.com/newsforge Deploying a GenII Honeynet: MS Thesis Harish Siripurapu http://www.honeynet.ie/main.htm GenII Data Control for Honeynets – Univ South Florida http://cert.uni-stuttgart.de/archive/honeypots/2003/02/msg00056.html

Download ppt "CSCE 815 Network Security Lecture 25 Data Control in HoneyNets SSH April 22, 2003."

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.

1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
The Honeynet Project Advancements in Honeypot Tools.

The Honeynet Project Advancements in Honeypot Tools.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
1 Guide to Network Defense and Countermeasures Chapter 6.

1 Guide to Network Defense and Countermeasures Chapter 6.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.

Similar presentations

Ads by Google