AND
INTRUSION DETECTION
Seminar Report By :
ABSTRACT
The Internet has undoubtedly become the largest public data network in the
world, enabling and facilitating both personal and business communications worldwide.
Widespread use of the Internet has opened the door to an increasing number of security
threats. Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous
activity. Network intrusion detection systems (NIDS) are an important part of any
network security architecture. They provide a layer of defense, which monitors network
traffic for predefined suspicious activity or patterns, and alert system administrators when
potential hostile traffic is detected. This paper deals with one such system, which uses
'Honeypots' for Intrusion Detection.
The paper helps to learn what a honeypot is and how it can help safeguard
your network from internal intruders. A honeypot is a tool that can help protect your
network from unauthorized access. It is a system that is designed specifically to look
vulnerable so that an attacker thinks it's easy prey. Attackers who probe the machine find a
system that's easy to attack and that they believe might contain sensitive information. On
the back end, the system logs all the intruders' probes and attacks. A honeypot can lure
attackers so that administrators can study their methods of operation, and resource integrity
tools can tell whether a user or possibly an intruder has altered the files or other system
resources.
Honey Pots do not replace other traditional Internet security systems; they are
an additional level or system. The goals behind setting up a honeypot, the advantages and
disadvantages of honeypot solutions are also discussed.
Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or
even in all of these locations, although they are most often deployed inside a firewall for
control purposes. In a sense, they are variants of standard Intrusion Detection Systems
(IDS) but with more of a focus on information gathering and deception. The paper also
discusses the different levels or layers of tracking.
The honeypot solutions discussed in the paper explain how to build a
honeypot and what features a honeypot should have. Some commercial honeypot
systems are also discussed.
CONTENTS
• Introduction
• Topic details
  Introduction to honeypot
  Classification
  Setting a Honeypot
  Value of Honeypots
  HoneyNet project
• Conclusion
• Bibliography
INTRODUCTION
With the current growth of the Internet and e-commerce, networks are
becoming increasingly vulnerable to damaging attacks. At the same time, downtime from
networks that carry critical business applications can result in production losses and
directly affect a company's bottom line. The volume of traffic moving over the Internet
and corporate networks is expanding exponentially every day as mobile workers,
telecommuters, and branch offices use e-mail and the Internet to remotely connect to
corporate networks. No individual, whether a noncomputer user, a casual Internet surfer,
or even a large enterprise, is immune to network-security breaches. With proper planning,
however, network security breaches can often be prevented. General fear and suspicion of
computers still exists and with that comes a distrust of the Internet. This distrust can limit
the business opportunities for companies, especially those that are completely Web-based.
Simply put, an intrusion can be defined as any set of actions that attempt to
compromise the integrity, confidentiality or availability of a resource. An intrusion
detection system, or IDS for short, attempts to detect an intruder breaking into the system
or a legitimate user misusing system resources. The IDS will run constantly on the
system, working away in the background, and only notifying when it detects something it
considers suspicious or illegal.
There are two types of potential intruders, Outside Intruders and Inside
Intruders. Despite the fact that most security measures are put in place to protect the
inside from a malevolent outside world, most intrusion attempts actually occur from
within an organization. A mechanism is needed to detect both types of intrusions - a
break-in attempt from the outside, or a knowledgeable insider attack. An effective
intrusion detection system detects both types of attacks.
Several species of butterfly have developed "eyes" on their wings. These
fool predators into thinking the butterfly is looking in a direction it isn't, and give them a
"target" that isn't really there. (Big eyes suggest a big body behind them.)
Some forms of protection for computers follow the same principle: giving
the illusion of common vulnerabilities, appearing to have a port active when it isn't, or
even pretending to be an entire network, just waiting to be portscanned, none of it real.
Since any activity on these "non-existent" ports or networks has to be from an intruder, it
becomes trivial to identify when an attack is taking place, and much easier to identify
which packets are from the intruder and which are innocent.
The world of computer hackers is a constant cat-and-mouse game between
"white hats" and "black hats." Some white hats use "honeypots" to learn about their
enemy. Honeypots look like normal Web servers to a black hat, but they are really traps
with special software that allow white hats to track every step a computer vandal takes.
TOPIC DETAILS
WHAT IS A HONEYPOT?
Honey Pot Systems are decoy servers or systems set up to gather information
regarding an attacker or intruder into your system. These are programs that simulate one
or more network services that you designate on your computer's ports. An attacker
assumes you're running vulnerable services that can be used to break into the machine. A
honeypot can be used to log access attempts to those ports including the attackers'
keystrokes.
A honeypot is a network server designed to trap would-be attackers before
they invade the real servers and services. The honeypot contains no data or applications
critical to the company but has enough interesting data to lure a hacker. It is a system
designed to teach how black-hats probe for and exploit a system.
The idea behind a honey pot is to set up a "decoy" system that has a
non-hardened operating system or one that appears to have several vulnerabilities for easy
access to its resources. The decoy system should be loaded with numerous fake files,
directories, and other information that may look real. By making the honey pot appear to
be a legitimate machine with legitimate files, it leads the hacker to believe that they have
gained access to important information. With a little luck the intruder will stay around in
an attempt to collect data while the honey pot collects information about the intruder and
the source of his or her attack.
Ideally honey pots provide an environment where intruders can be trapped or
vulnerabilities accessed before an attack is made on real assets. Decoys are set up not to
capture the bad guy but to monitor and learn from their moves: to find out how they probe and
exploit the system and how those exploits can be prevented in production systems,
all without the hacker detecting it.
Firewall Logs
Firewalls offer the outermost layer of protection for a network, providing a
basic barrier and restricting points of access. Firewalls are useful as part of the overall
Honey Pot design for many reasons. Most firewalls provide activity-logging capabilities,
which can be used to identify how an intruder is attempting to get into a Honey Pot.
Reviewing the order, sequence, time stamps and type of packets used by an intruder to
gain access to your Honey Pot will help you identify the tools and methodology being used by
the intruder, and their intentions. Most firewalls can be configured to send alerts by email
or pager to notify you of traffic going to or from your Honey Pot. This can be extremely
useful in letting you review intruder activity while it’s happening.
System Logs
Unix and Microsoft NT seem to have the lion's share of the Internet server
market, and both operating systems have logging capabilities built into their operating
systems, which help identify what changes or attempts have been made. There are also
several tools available that greatly increase the information that can be gathered. Many of
the Unix tools are public domain, while many of the Microsoft NT tools are not.
Sniffer Tools
Sniffer tools provide the capability of seeing all of the information or packets
going between the firewall and the Honey Pot system. Using a sniffer tool allows you to
interrogate packets in much more detail than firewall or system logging alone, to determine
which methods the intruder is trying to use. An additional benefit of
sniffer tools is that they can also create and store log files. The log files can then be
stored and used for forensic purposes.
SETTING A HONEYPOT
FakeBO
This program fakes trojan servers and logs every attempt from a client.
It can log attempts to a file, stdout, stderr or syslog. It can send fake
pings and replies back to the trojan client. The trojans supported are Back Orifice
(BO) and NetBus.
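As an added illustration of what a decoy service like the one described above does (this is example code written for this report, not FakeBO's own code), the Python listener below accepts a connection, answers with a canned banner, records the time, source address and first bytes received, and never acts on the input. The banner text, the loopback demo and the constructed probe payload are assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

# Added example, not FakeBO's code: a minimal low-interaction decoy service that
# logs every connection attempt and replies with an assumed fake banner.
BANNER = b"220 decoy-ftp ready\r\n"

class DecoyService:
    def __init__(self, host="127.0.0.1", port=0, banner=BANNER):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.records = []                     # in-memory log; use syslog in production

    def handle(self, conn, peer):
        """Log one probe: who connected, when, and what they sent first."""
        conn.settimeout(2.0)
        try:
            conn.sendall(self.banner)
            data = conn.recv(512)
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()
        rec = {"time": datetime.now(timezone.utc).isoformat(),
               "src_ip": peer[0], "src_port": peer[1], "dst_port": self.port,
               "probe": data[:64].hex()}     # hex keeps binary payloads log-safe
        self.records.append(rec)
        return rec

    def serve(self, max_conns=1):
        for _ in range(max_conns):            # handle max_conns probes, then stop
            conn, peer = self.sock.accept()
            self.handle(conn, peer)
        self.sock.close()

def run_demo(payload=b"USER anonymous\r\n"):
    """Start a decoy on loopback, probe it once with constructed input, return the record."""
    svc = DecoyService()
    t = threading.Thread(target=svc.serve, args=(1,))
    t.start()
    with socket.create_connection(("127.0.0.1", svc.port)) as c:
        c.recv(64)                            # read the fake banner
        c.sendall(payload)
    t.join()
    return svc.records[0]
```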
VALUE OF HONEYPOTS
Honeypots have certain advantages (and disadvantages) as security tools. It is
the advantages that help define the value of a honeypot. The beauty of a honeypot lies in
its simplicity. It is a device intended to be compromised, not to provide production
services. This means there is little or no production traffic going to or from the device.
Any time a connection is sent to the honeypot, this is most likely a probe, scan, or even
attack. Any time a connection is initiated from the honeypot, this most likely means the
honeypot was compromised. As there is little production traffic going to or from the
honeypot, all honeypot traffic is suspect by nature. Now, this is not always the case.
Mistakes do happen, such as an incorrect DNS entry or someone from accounting
inputting the wrong IP address. But in general, most honeypot traffic represents
unauthorized activity.
Because of this simplistic model, honeypots have certain inherent advantages
and disadvantages. Some of them are:
1. Advantage - Data Collection
Honeypots collect very little data, and what they do collect is normally of
high value. This cuts the noise level down, making it much easier to collect and archive
data. One of the greatest problems in security is wading through gigabytes of data to
find the data you need. Honeypots can give you exactly the information you need
in a quick and easy-to-understand format.
2. Advantage - Resources
Many security tools can be overwhelmed by bandwidth or activity.
Network Intrusion Detection Devices may not be able to keep up with network
activity, dropping packets and potentially missing attacks. Centralized log servers may not be
able to collect all the system events, potentially dropping some events. Honeypots do
not have this problem; they only capture that which comes to them.
1. Disadvantage - Single Data Point
Honeypots all share one huge drawback; they are worthless if no one
attacks them. Yes, they can accomplish wonderful things, but if the attacker does not
send any packets to the honeypot, the honeypot will be blissfully unaware of any
unauthorized activity.
2. Disadvantage - Risk
Honeypots can introduce risk to your environment. As we discuss later,
different honeypots have different levels of risk. Some introduce very little risk, while
others give the attacker entire platforms from which to launch new attacks. Risk is
variable, depending on how one builds and deploys the honeypot.
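The rule of thumb in this section (inbound traffic to the honeypot is a probe, outbound traffic from it suggests compromise, and a few known mistakes such as a wrong DNS entry must be tolerated) can be applied directly to firewall logs. The following example was added for this report and is not from the paper; the log format, the TEST-NET addresses, the allowlist and the sample lines are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Added example (not from the paper): triage constructed firewall log lines
# involving a honeypot. Outbound from the decoy = likely compromise, inbound
# = probe, allowlisted sources = known mistakes such as the DNS entry above.
HONEYPOT = ipaddress.ip_address("192.0.2.10")      # assumed honeypot address
ALLOWLIST = {ipaddress.ip_address("192.0.2.53")}    # assumed internal DNS resolver

LINE = re.compile(r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+)"
                  r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_LOG = """\
2024-05-01T10:00:01Z TCP 198.51.100.7:51234 -> 192.0.2.10:22
2024-05-01T10:00:02Z TCP 198.51.100.7:51235 -> 192.0.2.10:80
2024-05-01T10:00:05Z UDP 192.0.2.53:53 -> 192.0.2.10:41000
2024-05-01T10:02:10Z TCP 192.0.2.10:43022 -> 203.0.113.9:6667
2024-05-01T10:02:11Z TCP 10.0.0.5:40000 -> 10.0.0.6:443
"""

def classify(line, honeypot=HONEYPOT, allowlist=ALLOWLIST):
    """Return (severity, reason) for one line, or None if the honeypot is not involved."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if src == honeypot:
        # The decoy runs no production service, so it should never start a connection.
        return ("HIGH", f"outbound from honeypot to {dst}:{m['dport']} (possible compromise)")
    if dst == honeypot:
        if src in allowlist:
            return ("INFO", f"expected traffic from {src} (allowlisted)")
        return ("MEDIUM", f"probe of {m['proto']}/{m['dport']} from {src}")
    return None

def triage(log_text):
    """Classify every line; return the findings and a count per severity."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            findings.append((line, verdict))
    counts = Counter(sev for _, (sev, _) in findings)
    return findings, counts
```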
HONEYNET PROJECT
A honeypot is easy enough to build, but if an experienced cracker succeeds in
compromising it, he could use it to launch other attacks. A safer option might be to create
an entire network of honeypots, such as the HoneyNet. We call it a 'honeynet' because it's
not a single system; it's actually a network of honeypots, full of real hardware, including
Cisco switches and Windows NT, Linux and Solaris boxes, all partially disabled.
The Honeynet Project, a group of 30 researchers from academia and the
commercial sector, is trying to change that. The group obtains information through the
use of a Honeynet--a computer network on the Internet that's designed to be
compromised. The network is made up of various production systems complete with
sensors as well as a suitably enticing name and content. (The actual IP address changes
regularly and isn't published.) Hackers' actions are recorded as they happen: how the
culprits try to break in, when they're successful and what they do when they succeed.
A Honeynet is a type of honeypot designed specifically for research. A
Honeynet is different from traditional honeypots; it is what we would categorize as a
research honeypot. This does not make it a better solution than traditional honeypots;
it merely has a different purpose. Instead of its value being detecting or deceiving
attackers, its value is gaining information on threats. The two biggest design differences
from a classic honeypot are:
• It is not a single system but a network of multiple systems. This network sits
behind an access control device where all inbound and outbound data is controlled
and captured. This captured information is then analyzed to learn the tools,
tactics, and motives of the blackhat community. Honeynets can utilize multiple
systems at the same time, such as Solaris, Linux, Windows NT, Cisco router,
Alteon switch, etc. This creates a network environment that more realistically
mirrors a production network. Also, by having different systems with different
applications, such as a Linux DNS server, a Windows IIS webserver, and a
Solaris Database server, we can learn about different tools and tactics. Perhaps
certain blackhats target specific systems, applications, or vulnerabilities. By
having a variety of operating systems and applications, we are able to accurately
profile specific blackhat trends and signatures.
• All systems placed within the Honeynet are standard production systems. These
are real systems and applications, the same you find on the Internet. Nothing is
emulated nor is anything done to make the systems less secure. The risks and
vulnerabilities discovered within a Honeynet are the same that exist in many
organizations today. One can simply take a system from a production
environment and place it within the Honeynet.
CONCLUSION
A honeypot is just a tool. How you use that tool is up to you. There are a
variety of honeypot options, each having different value to organizations. We have
categorized two types of honeypots, production and research. Production honeypots help
reduce risk in an organization. While they do little for prevention, they can greatly
contribute to detection or reaction. Research honeypots are different in that they are not
used to protect a specific organization. Instead they are used as a research tool to study
and identify the threats in the Internet community. Regardless of what type of honeypot
you use, keep in mind the 'level of interaction'. This means that the more your honeypot
can do and the more you can learn from it, the more risk that potentially exists. You will
have to determine the best balance between risk and capability for your own situation.
Honeypots will not solve an organization's security problems. Only best practices can do
that. However, honeypots may be a tool to help contribute to those best practices.
Honeypots can act as decoys and can keep intruders away from your other systems.
While not a network security panacea, deception is another option for the
security-conscious organization, especially for monitoring insider threats. Honeynets and
honeypots are best used to track, trap and trace crackers who have already entered a
particular system.