Scribd Logo
Upload

Welcome to Scribd!

  • Use of Honey-Pots To Detect Exploited Systems Across Large Enterprise Networks

    Uploaded by

    nagasaikiran
    24 views22 pages
    Honey pots is a new ppt document for the Networking.It helps to connect to the internet for transfer of information

    Original Title

    Honey Pots

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Honey pots is a new ppt document for the Networking.It helps to connect to the internet for transfer of information

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    24 views22 pages

    Use of Honey-Pots To Detect Exploited Systems Across Large Enterprise Networks

    Uploaded by

    nagasaikiran
    Honey pots is a new ppt document for the Networking.It helps to connect to the internet for transfer of information

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 22

    http://project.honeynet.org/misc/project.

    html

    Use of Honey-pots to Detect


    Exploited Systems Across Large
    Enterprise Networks
    Ashish Gupta
    Network Security
    May 2004

    Overview
    Motivation
    What are Honeypots?
    Gen I and Gen II

    The GeorgiaTech Honeynet System


    Hardware/Software
    IDS
    Logging and review

    Some detected Exploitations


    Worm exploits
    Sage of the Warez Exploit

    Words of Wisdom
    Conclusions

    Why Honeynets ?
    An additional layer of security

    Security: A serious Problem


    Firewall

    IDS

    A Traffic Cop

    Detection and Alert

    Problems:

    Problems:

    Internal Threats

    False Positives

    Virus Laden Programs

    False Negatives

    The Security Problem


    Firewall

    IDS
    HoneyNets

    An additional layer of security

    Properties

    Captures all inbound/outbound data


    Standard production systems
    Intended to be compromised
    Data Capture
    Stealth capturing
    Storage location away from the honeynet

    Data control
    Protect the network from honeynets

    Two types
    Gen I

    Gen II

    Good for simpler attacks


    Unsophisticated targets

    Sophisticated Data Control :


    Stealth Fire-walling

    Limited Data Control

    Gen I chosen

    GATech Honeynet System


    Huge network
    4 TB data processing/day

    CONFIG

    Sub-standard systems
    Open Source Software
    Simple Firewall Data
    Control

    IDS
    Invisible SNORT Monitor
    Promiscuous mode
    Two SNORT Sessions
    Session 1

    Session 2

    Signature Analysis

    Packet Capture

    Monitoring

    DATA CAPTURE

    Data Analysis

    SNORT

    DATA CAPTURE

    Requires human resources

    All packet logs stored

    One hour daily !

    Ethereal used

    Forensic Analysis

    Detected Exploitations

    16 compromises detected
    Worm attacks

    Hacker Attacks

    DETECTING WORM EXPLOITS


    Honey Net traffic is Suspicious
    Heuristic for worm detection:
    Frequent port scans
    Specific OS-vulnerability monitoring possible
    Captured traffic helps signature development

    SAGA of the WAREZ Hacker


    Helped locate a compromised host
    Honeynet

    Very difficult to detect


    otherwise !

    IIS Exploit Warez Server


    + Backdoor

    Words of Wisdom

    Start small
    Good relationships help
    Focus on Internal attacks
    Dont advertise
    Be prepared to spend time

    Conclusion

    Helped locate compromised systems


    Can boost IDS research
    Data capture

    Distributed Honey nets ?

    Hunting down Honeypots


    http://www.send-safe.com/honeypot-hunter.php

    Discussion

    The usefulness of the extra layer ?


    Dynamic HoneyNets
    Comparison with IDS: are these a
    replacement or complementary ?

    HONEY
    NET

    IDS

    IDS vs HoneyNet

    IDS primary function is detection and


    alerting
    Honeynets use IDS to detect and alert
    but nothing is done to control the
    threat
    Primary intent is to log and capture effects
    and activities of the threat
    Honeynets do not protect the network they
    have protection as a benefit, not intent

    You might also like