HoneyD (Part 2): Small Business NIDS (Network Intrusion Detection System)


Small Business NIDS

This presentation demonstrates how a small business can emulate virtual operating systems and perform intrusion detection on incoming network traffic. Most small businesses treat cost as the primary factor when building a computer network. That constraint drove our decision to look for a turn-key solution that is open source and freely available, with little or no cost to the user.

Why Snort & HoneyD?

Snort + HoneyD = low-cost NIDS solution

Snort inspects traffic for known attack signatures; HoneyD supplies decoy hosts on otherwise unused addresses, so any traffic that reaches them is suspect by definition. Together they:

Empower small businesses to secure network assets and resources at very low cost.

Are simple to set up and operate.

Offer several application configurations that can be customized to user requirements.


HoneyD defined
Open source software framework (it's free!).
Grew out of the honeypot research community around the Honeynet Project, founded in 1999.
Originally developed by Niels Provos.
Large support community.
Emulates virtual operating systems, known as virtual honeypots.

Honey this, honey that!

Let's clarify all this honey terminology.
Honeypot: a security resource whose value lies in being probed, attacked, or compromised.
High-interaction honeypot: uses a real OS or service, such as an FTP or web server.
Low-interaction honeypot: emulates an OS or service.
Honeyfarm: a centralized architecture of honeypots and analysis tools.
Honeynet: a network of one or more high-interaction honeypots.
HoneyD: one or more low-interaction honeypots.

HoneyD Functions

HoneyD monitors unused IP addresses.
It detects attacker probes to an unused IP and takes that IP over by answering ARP requests for it (ARP spoofing, performed by HoneyD's companion daemon arpd).
It creates a virtual honeypot and routes the attacker to it.
It can create many honeypots at once, fooling attackers into believing they are interacting with real systems.

HoneyD main features

Feature: Simulation of thousands of virtual hosts
Description: Simultaneous interaction with a multitude of virtual honeypots exhibiting different behaviors.

Feature: Configuration of arbitrary services
Description: Responds to network connections and provides for interaction with attackers, including passive fingerprinting of the attacker's operating system.

Feature: Simulation of various OS at the TCP/IP stack level
Description: Increases the realism of the emulation by deceiving attacker fingerprinting tools such as Nmap and Xprobe.

Feature: Simulation of arbitrary routing topologies
Description: Topologies can be simulated with latency, packet loss, and various bandwidth characteristics.

Feature: Subsystem virtualization
Description: Examples: web servers, FTP servers, email servers.
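The features above (OS personalities at the TCP/IP stack level, per-port services, and a routed topology with latency and loss) and the ARP takeover described on the previous slide all come together in HoneyD's configuration file. The following script is an added example, not part of the presentation or of the HoneyD distribution: it writes a honeyd.conf for two decoy hosts behind a simulated router and prints the arpd and honeyd command lines that activate it. The 10.0.0.0/16 addressing, the eth0 interface, the template names, and the script and fingerprint paths under /usr/share/honeyd are assumptions; the personality strings must match entries in the nmap.prints file shipped with HoneyD.

```shell
#!/bin/sh
# Added example, not from the presentation or the HoneyD project.
# Writes a honeyd.conf for a small decoy network and shows how to start it.
# Assumptions: the honeypot host sits on the 10.0.0.0/16 LAN, sniffs eth0,
# and HoneyD's stock files are installed under /usr/share/honeyd.

HONEYD_DIR="${HONEYD_DIR:-$(mktemp -d)}"
CONF="$HONEYD_DIR/honeyd.conf"

# Generate the configuration. The heredoc delimiter is quoted so that
# honeyd's own $ipsrc/$sport placeholders reach the file untouched.
write_honeyd_conf() {
    cat > "$CONF" <<'EOF'
# Windows file/web server decoy; the personality name must exist in nmap.prints
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
set windows uptime 3284460
add windows tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
add windows tcp port 21 open
add windows tcp port 139 open
add windows tcp port 445 open

# Linux decoy; test.sh is a stock script that receives the attacker's
# address and port, enough to log a full handshake and the first request
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 22 "sh /usr/share/honeyd/scripts/test.sh $ipsrc $sport"
add linux tcp port 25 open
# run service scripts as an unprivileged uid/gid (least privilege)
set linux uid 32767 gid 32767

# Router personality for the hops of the simulated topology
create router
set router personality "Cisco 1601R router running IOS 12.1(5)"
set router default tcp action reset
add router tcp port 23 "perl /usr/share/honeyd/scripts/router-telnet.pl"

# Topology: the entry router owns 10.0.0.0/16 and links 10.0.0.0/24 directly;
# 10.1.0.0/24 sits behind a second hop with 55 ms latency and 10% loss, so a
# traceroute from the attacker shows a plausible WAN link.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/24 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

bind 10.0.0.1 router
bind 10.0.0.50 windows
bind 10.1.0.1 router
bind 10.1.0.20 linux
EOF
    printf '%s\n' "$CONF"
}

# Number of decoy hosts (one "bind" line each) in the generated file.
honeypot_count() { grep -c '^bind ' "$CONF"; }

# Addresses the decoys answer on; these must lie inside the range given to arpd.
honeypot_addresses() { awk '/^bind / { print $2 }' "$CONF"; }

write_honeyd_conf >/dev/null
echo "wrote $CONF with $(honeypot_count) honeypots:"
honeypot_addresses
cat <<EOF

Start on the honeypot host as root (arpd answers ARP for the unused
addresses so their traffic reaches this machine; honeyd -l writes the
packet log that detection is built on):
  arpd 10.0.0.0/16
  honeyd -d -i eth0 -f $CONF -p /usr/share/honeyd/nmap.prints \\
         -x /usr/share/honeyd/xprobe2.conf -l $HONEYD_DIR/honeyd.log 10.0.0.0/16
EOF
```

Only addresses that are genuinely unused may be bound: arpd will answer ARP for anything in the range you hand it, so a typo that overlaps a real host produces an ARP conflict on your own LAN.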


Example Network Configuration
An example of a fully integrated network using a HoneyD host, its virtual honeypots, and real systems.

Known Issues
Naturally vulnerable to sophisticated attackers, who may recognize the emulation and avoid or abuse the honeypot.
Requires additional software to secure the honeypot host and to provide analysis tools.
Configuration and tuning may require ongoing monitoring of network activity, which increases labor cost.
Because HoneyD is low-interaction, only limited information can be collected about an attacker.

SUMMARY
Main points to remember:
Open source = low cost.
Large support community.
Inherently vulnerable to attacks, but simple to set up and operate.
Should be installed on a separate, hardened network segment so that a compromised honeypot host cannot be used as a stepping stone to production systems.
Allows network intrusions to be detected easily: no legitimate host has a reason to talk to a decoy address, so any traffic to one is suspect.
In addition to HoneyD and Snort, install the following software for analysis and security tasks: Systrace (sandboxes the service scripts HoneyD runs), Honeycomb (generates Snort signatures from honeypot traffic), and ACID (Analysis Console for Intrusion Databases, a web front end for Snort alerts).
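Detection rests on the point just made: nothing legitimate should ever reach a decoy address, so every record in HoneyD's packet log deserves a look. The following script is an added example, not part of the presentation or of HoneyD. It runs an awk summary over a constructed log in the shape HoneyD writes with -l (timestamp, protocol, S/E/- for connection start, end, or other packet, source, destination, ports, and the passive OS guess in brackets) and flags sources that touch several ports or more than one decoy. The sample lines, addresses, and the threshold of three ports are assumptions. It also illustrates the low-interaction caveat from the Known Issues slide: the log tells you who probed which port and what OS they appear to run, not what they did once connected.

```shell
#!/bin/sh
# Added example, not from the presentation or the HoneyD project.
# Summarizes a HoneyD packet log (honeyd -l) per source address and flags
# likely scanners. The log below is constructed for this example, in the
# shape of honeyd's -l records:
#   TIMESTAMP tcp(6)|udp(17) S|E|- SRC SPORT DST DPORT [passive OS guess]
#   TIMESTAMP icmp(1)        -     SRC DST: type(code): len
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-06-09:12:01.0001 tcp(6) S 203.0.113.7 41234 10.0.0.50 21 [Linux 2.4-2.6]
2024-05-06-09:12:01.0452 tcp(6) S 203.0.113.7 41235 10.0.0.50 80 [Linux 2.4-2.6]
2024-05-06-09:12:01.0903 tcp(6) S 203.0.113.7 41236 10.0.0.50 445 [Linux 2.4-2.6]
2024-05-06-09:12:02.1100 tcp(6) S 203.0.113.7 41237 10.1.0.20 22 [Linux 2.4-2.6]
2024-05-06-09:12:02.2000 icmp(1) - 203.0.113.7 10.0.0.1: 8(0): 56
2024-05-06-09:12:40.0000 tcp(6) S 192.168.1.10 52001 10.0.0.50 80 [Windows XP SP1]
2024-05-06-09:12:45.0000 tcp(6) E 192.168.1.10 52001 10.0.0.50 80: 311 1420
2024-05-06-09:13:00.0000 udp(17) - 192.168.1.22 137 10.0.0.50 137: 78
EOF

# honeyd_triage LOGFILE [PORT_THRESHOLD]
# Prints one line per source: SRC HITS DECOYS PORTS VERDICT OS-GUESS
# A source is marked SCAN when it touched at least PORT_THRESHOLD distinct
# ports (default 3) or more than one decoy. Connection-end ("E") records are
# skipped so a single session is not counted twice.
honeyd_triage() {
    awk -v thr="${2:-3}" '
        $3 == "S" || $3 == "-" {
            src = $4
            if ($2 ~ /^icmp/) { dst = $5; port = "icmp" }   # icmp records carry no ports
            else              { dst = $6; port = $7 }       # tcp/udp: SRC SPORT DST DPORT
            sub(/:$/, "", dst); sub(/:$/, "", port)         # "-" records end the tuple with ":"
            hits[src]++
            if (!((src, dst) in seen_dst))   { seen_dst[src, dst] = 1;   ndst[src]++ }
            if (!((src, port) in seen_port)) { seen_port[src, port] = 1; nport[src]++ }
            b = index($0, "["); e = index($0, "]")          # passive OS guess, if present
            if (b && e > b) os[src] = substr($0, b + 1, e - b - 1)
        }
        END {
            for (s in hits) {
                verdict = (nport[s] >= thr || ndst[s] > 1) ? "SCAN" : "ok"
                printf "%s %d %d %d %s %s\n", s, hits[s], ndst[s], nport[s], verdict, (s in os) ? os[s] : "-"
            }
        }' "$1" | LC_ALL=C sort
}

honeyd_triage "$SAMPLE_LOG" 3
```

On the constructed log the external source 203.0.113.7 is flagged (five probes across three decoys and five distinct ports), while the two internal hosts each get a single "ok" line; those still merit a follow-up, since an internal machine connecting to a decoy is exactly how a worm or a misconfigured scanner shows up.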

In this presentation, we covered the following topics:

Why we chose the Snort & HoneyD NIDS solution.
Clarified HoneyD and related terminology.
Explained how HoneyD functions.
Explained the known issues.
