HoneyNets, Intrusion Detection Systems, and Network Forensics
Transcript of HoneyNets, Intrusion Detection Systems, and Network Forensics
ECE 4112-Internetwork Security 2
Introduction
• Definition of a Honeynet
• Concept of Data Capture and Data Control
• Generation I vs. Generation II Honeynets
• Description of the Georgia Tech Campus Network
• Current Vulnerabilities on the Internet
• Current Tools to Protect Networks
  Firewalls
  Intrusion Detection Systems (IDS)
Shortcomings Associated with Firewalls
1. The firewall cannot protect against attacks that bypass it, such as a dial-in or dial-out capability.
2. The firewall at the network perimeter does not protect against internal threats.
3. The firewall cannot protect against the transfer of virus-laden files and programs.
Shortcomings Associated with Intrusion Detection Systems
1. Increased Complexity of Network Security Management
2. High Level of False Positive and False Negative Alerts
3. Must Know the Signature or Anomaly Detection Pattern in Advance
Definition of a Honeynet
• Network Established Behind a Reverse Firewall
• Captures All In-Bound and Out-Bound Traffic
• Any Type of System
• Network is Intended To Be Compromised
• All Honeynet traffic is suspicious
Data Capture and Data Control
• Data Capture: Collect all information entering and leaving the Honeynet, covertly, for future analysis
• Data Control: Covertly protect other networks from being attacked and compromised by computers on the Honeynet
Generation I vs. Generation II
• GEN I Honeynet
  Simple Methodology, Limited Capability
  Highly effective at detecting automated attacks
  Use Reverse Firewall for Data Control
  Can be fingerprinted by a skilled hacker
  Runs at OSI Layer 3
• GEN II Honeynet
  More Complex to Deploy and Maintain
  Examine Outbound Data and make determination to block, pass, or modify data
  Runs at OSI Layer 2
Georgia Tech Campus Network
• 15000 Students, 5000 Staff, 69 Departments
• 30000-35000 networked computers on campus
• Average data throughput 600 Mbps / 4 terabytes per day
• NO FIREWALL BETWEEN CAMPUS & INTERNET!
  Why? Requirement for Academic Freedom, high throughput
  However, individual enclaves within Georgia Tech use firewalls
• IDS is run at campus gateway
  Out of band monitoring and follow-on investigation
Establishment of the Honeynet on the Georgia Tech Campus
• Established in Summer of 2002
• Uses Open Source Software
• Initially Established As One Honeynet Machine behind the firewall
• IP Address Range Provided by Georgia Tech Office of Information Technology (OIT)
Georgia Tech Honeynet
Hardware and Software
• No Requirement for State of the Art Equipment (Surplus Equipment)
• No Production Systems
• Minimum Traffic
• Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID)
• Use Reverse Firewall Script Developed by Honeynet.org
Intrusion Detection System Used with HoneyNet
• SNORT
  Open Source
  Signature-Based, with Anomaly-Based Plug-in Available
  Can Write Customized Signatures
• Run Two Separate SNORT Sessions
  One Session to Check Against Signature Database
  One Session to Capture All Inbound/Outbound Traffic
Analysis Console for Intrusion Detection (ACID)
Logging and Review of Data
• Honeynet Data is stored in two separate locations
  Alert Data is stored in SQL database
  Packet Capture Data is stored in a daily archive file
• Data Analysis is a time consuming process
  In our Experience: One hour/day to analyze traffic
  One hour of attack traffic can result in up to one week of analysis
Ethereal Analysis Tool
Exploitations Detected on the Georgia Tech Honeynet
• 36 possibly exploited machines have been detected at Georgia Tech in the previous 9 months (through June 2003)
• A report is made to OIT on each suspected compromise
Identification of a System with a Compromised Password
• Previously Compromised Honeynet Computer Continued to Operate as Warez Server
• Another Georgia Tech Computer Connected to the Warez Server
• Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer
Detection of Worm Type Exploits
• GEN I Honeynet Well-Suited to Detect Worm Type Exploits
  Repeated Scans targeting specific ports
  Analyze captured data for time lapses
• Ability to Deploy Specific Operating System on Honeynet
Exploitation Pattern of Typical Internet Worm
• Target Vulnerabilities on Specific Operating Systems
• Localized Scanning to Propagate (Code Red II)
  3/8 of time within same /16 network
  1/2 of time within same /8 network
  1/8 of time random address
• Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts
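To make the localized-scanning figures concrete, here is an added example (not from the original lecture) that models a worm choosing targets with the 1/8, 1/2, 3/8 split listed above and measures how many probes stay inside the infected host's own /16 and how many land on a small honeynet /24 in the same /16. The addresses are constructed from RFC 5737 documentation space; the campus and honeynet ranges are assumptions, not Georgia Tech's.

```python
import ipaddress
import random

# Branch probabilities from the slide: 1/8 random, 1/2 same /8, 3/8 same /16.
P_RANDOM = 1 / 8
P_SAME_8 = 1 / 2
P_SAME_16 = 3 / 8


def pick_target(src_ip, u, rng=None):
    """Choose the next probe target for an infected host at src_ip.

    u is a uniform draw in [0, 1) that selects the branch; rng supplies the
    random low-order address bits. Separating the two lets a caller pin the
    branch while still drawing a random host within it.
    """
    rng = rng if rng is not None else random.Random(0)
    src = int(ipaddress.IPv4Address(src_ip))
    if u < P_RANDOM:                            # 1/8: anywhere on the Internet
        target = rng.getrandbits(32)
    elif u < P_RANDOM + P_SAME_8:               # 1/2: keep the first octet (/8)
        target = (src & 0xFF000000) | rng.getrandbits(24)
    else:                                       # 3/8: keep two octets (/16)
        target = (src & 0xFFFF0000) | rng.getrandbits(16)
    return str(ipaddress.IPv4Address(target))


def simulate_probes(src_ip, n, seed=0, localized=True):
    """Generate n probe targets. localized=False models a purely random
    scanner (always the 1/8 branch) for comparison."""
    rng = random.Random(seed)
    return [pick_target(src_ip, rng.random() if localized else 0.0, rng)
            for _ in range(n)]


def share_in_network(targets, network):
    """Fraction of targets that fall inside network (CIDR string)."""
    net = ipaddress.IPv4Network(network)
    return sum(ipaddress.IPv4Address(t) in net for t in targets) / len(targets)


def expected_share_same16():
    """Analytic probability that a probe lands in the infected host's own /16:
    the /16 branch always does, the /8 branch does 1 time in 256, the random
    branch 1 time in 65536."""
    return P_SAME_16 + P_SAME_8 / 256 + P_RANDOM / 65536


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation space): a campus /16 with
    # one infected host and a small honeynet /24 elsewhere in the same /16.
    infected, campus, honeynet = "198.51.7.9", "198.51.0.0/16", "198.51.100.0/24"
    worm = simulate_probes(infected, 20000)
    rand = simulate_probes(infected, 20000, localized=False)
    print(f"localized worm: {share_in_network(worm, campus):.3f} of probes stay in "
          f"the campus /16 (expected {expected_share_same16():.3f}); "
          f"{share_in_network(worm, honeynet):.4f} hit the honeynet /24")
    print(f"random scanner: {share_in_network(rand, campus):.5f} of probes hit the campus /16")
```

Roughly 38% of a localized worm's probes stay inside the infected host's /16, against about one in 65,000 for a random scanner. A honeynet /24 in that /16 therefore receives a probe about once per 700 probes the worm sends, which is why a honeynet placed in the same address space as vulnerable hosts sees such a worm almost immediately, while it also explains the quick saturation of the internal network noted above.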
Georgia Tech Honeynet Gen II
Initial Observations of Gen II Honeynet
• Configuration is more complex than Gen I
• Must use variants of Linux 2.4 kernel in order to run Sebek keystroke logger capability
• Data must continue to be monitored on a daily basis
Honeynet Portscan Activity: Port 1434 (MS-SQL) scans
[Chart: number of port 1434 scans seen by the Honeynet per sample date, 0 to 1200, from Jul 31 through Sep 10 of the following year]
• Date Public: 7/24/02   Date Attack: 1/25/03 (SQL Slammer)
Honeynet Portscan Activity: Port 135 (MS-BLASTER) scans
[Chart: number of port 135 scans seen by the Honeynet per sample date, 0 to 3500]
• Date Public: 7/16/03   Date Attack: 8/11/03
Honeynet Portscan Activity: Port 554 (RTSP) scans
[Chart: number of port 554 scans seen by the Honeynet per week, 0 to 40, weekly samples from 5/20/2003 through 9/9/2003]
• Date Public: 8/15/2003   Date Attack: 8/22/03
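The three charts share one shape: a low daily background of scans against a port, then a jump of one or two orders of magnitude on the attack date, days or weeks after the vulnerability was published. The following added example (constructed data, not the honeynet's real logs) counts distinct probing sources per day for a port and flags any day whose count jumps well above the median of the preceding week. It is the check an analyst would run over the daily packet-capture archive to spot an outbreak like the ones above; the thresholds are assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def constructed_records():
    """Constructed honeynet connection records, not real Georgia Tech data:
    (day, source_ip, destination_port). Ten quiet days of background probing
    followed by a worm-style burst of hundreds of distinct sources on 1434."""
    recs = []
    first = date(2003, 1, 15)
    for d in range(10):                          # Jan 15 .. Jan 24
        day = first + timedelta(days=d)
        for k in range(2 + d % 3):               # 2-4 scanners a day on 1434
            recs.append((day, f"203.0.113.{10 + k}", 1434))
        recs.append((day, "192.0.2.44", 80))     # unrelated web probe
    outbreak = date(2003, 1, 25)
    for k in range(300):                         # 300 distinct sources in one day
        recs.append((outbreak, f"198.51.{k // 250}.{k % 250 + 1}", 1434))
    return recs


def daily_distinct_sources(records, port):
    """Map each day to the number of distinct sources that probed `port`.
    Counting sources rather than packets keeps one noisy scanner from
    looking like an outbreak."""
    per_day = defaultdict(set)
    for day, src, dport in records:
        if dport == port:
            per_day[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def burst_days(counts, window=7, factor=5.0, min_sources=20):
    """Return the days whose count is at least `factor` times the median of
    the preceding `window` days and at least `min_sources`. Days missing
    from `counts` are treated as zero so quiet days pull the baseline down;
    the first day has no baseline and is never flagged."""
    if not counts:
        return []
    days = sorted(counts)
    series, day = [], days[0]
    while day <= days[-1]:
        series.append((day, counts.get(day, 0)))
        day += timedelta(days=1)
    flagged = []
    for i, (day, count) in enumerate(series):
        prior = [c for _, c in series[max(0, i - window):i]]
        if not prior:
            continue
        baseline = max(median(prior), 1)
        if count >= min_sources and count >= factor * baseline:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    records = constructed_records()
    for port in (1434, 80):
        counts = daily_distinct_sources(records, port)
        hits = [d.isoformat() for d in burst_days(counts)]
        print(f"port {port}: {len(counts)} active days, burst on {hits or 'none'}")
```

The median baseline rather than a mean keeps a single earlier burst from masking a later one, and the absolute floor (`min_sources`) stops a port that normally sees one scan a day from alerting when it sees five. Because the honeynet has no production users, every counted source is hostile by definition, so the alert needs no further whitelisting.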
Conclusions on HoneyNets
• Honeynet Assists in Maintaining Network Security
• Provides Platform for Research in Information Assurance and Intrusion Detection
IDS - Purpose
• Misuse detection
• Anomaly detection
• Conduct forensics
• Network traffic recording and analysis
• Intellectual property protection
IDS Strategies
• Signature-based (misuse detection)
  pattern matching
  cannot detect new attacks
  low false positive rate
• Anomaly-based (statistical-based)
  activity monitoring
  has the ability to detect new attacks
  higher false positive rate
IDS Deployment
• Network-based
  Inspect network traffic
  Monitor user activity (packet data)
• Host-based
  Inspect local network activity
  OS audit functionality
  Monitor user activity (function calls)
Example IDS: Snort
• Sniffer
• Packet logger
• IDS
Snort Rules
Example 1: "log tcp traffic from any port going to ports less than or equal to 6000"
log tcp any any -> 192.168.1.0/24 :6000

Example 2: RPC alert call (the msg string must be quoted)
alert tcp any any -> 192.168.1.0/24 111 (rpc:100000,*,3; msg:"RPC getport (TCP)";)

See the Snort Users Manual for more information.
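As an added example, here is a small matcher for the header part of rules like the two above (it ignores the option body). It is not Snort's code; it implements the header semantics the examples rely on: `any`, CIDR addresses, single ports, open-ended ranges such as `:6000`, `!` negation, and the `->` and `<>` direction operators. The packets it is run against are constructed.

```python
import ipaddress
import re

# action proto src sport dir dst dport, optionally followed by (options).
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def parse_header(rule):
    """Split a Snort rule header into its seven fields (options are ignored)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    return m.groupdict()


def addr_matches(spec, ip):
    """'any', a CIDR block or single address, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """'any', a single port, or a range 'lo:hi' where either end may be open
    (':6000' means 0-6000, '1024:' means 1024-65535), optionally negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(hdr, proto, src, sport, dst, dport):
    """Does a packet (proto, src, sport, dst, dport) satisfy the header?
    An 'ip' rule matches any protocol; '<>' also accepts the packet with
    its two endpoints swapped."""
    if hdr["proto"] not in (proto, "ip"):
        return False

    def one_way(a, ap, b, bp):
        return (addr_matches(hdr["src"], a) and port_matches(hdr["sport"], ap)
                and addr_matches(hdr["dst"], b) and port_matches(hdr["dport"], bp))

    if one_way(src, sport, dst, dport):
        return True
    return hdr["dir"] == "<>" and one_way(dst, dport, src, sport)


if __name__ == "__main__":
    rules = [
        "log tcp any any -> 192.168.1.0/24 :6000",
        'alert tcp any any -> 192.168.1.0/24 111 (rpc:100000,*,3; msg:"RPC getport (TCP)";)',
    ]
    # Constructed packets: (proto, src, sport, dst, dport)
    packets = [
        ("tcp", "10.0.0.5", 40000, "192.168.1.7", 6000),
        ("tcp", "10.0.0.5", 40000, "192.168.1.7", 6001),
        ("tcp", "10.0.0.5", 40000, "192.168.1.7", 111),
        ("udp", "10.0.0.5", 40000, "192.168.1.7", 111),
    ]
    for rule in rules:
        hdr = parse_header(rule)
        for pkt in packets:
            verdict = "match" if header_matches(hdr, *pkt) else "no match"
            print(f"{hdr['action']:5} {pkt[0]} {pkt[1]}:{pkt[2]} -> {pkt[3]}:{pkt[4]}: {verdict}")
```

Note that the header alone decides whether the option body is evaluated at all: the RPC rule never inspects a packet to port 112, and the `log` rule catches every port up to 6000, including the SSH and X11 replies one might not have intended to log. Writing the header too loosely is the usual source of the false-positive volume listed among the IDS shortcomings earlier.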
Defeating the IDS
• Encryption
• Insertion/evasion attacks (to defend, the IDS must reassemble the stream exactly as the end system does, which means knowing how that system handles ambiguous or malformed packets)
• DoS attack (CPU, memory, bandwidth, false positives)
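The insertion/evasion point is easiest to see with segments in hand. The added example below (not from the lecture) rebuilds a TCP stream two ways: for a monitor that accepts segments with bad checksums, and for a monitor whose overlap policy differs from the end host's. In both cases the IDS and the host reconstruct different bytes, and a content signature on the IDS misses what the host receives. The segments, the `GET /secret` signature and the two policies are constructed for illustration; real stacks have more reassembly variants than the two modeled here.

```python
# Segments are (seq, payload, checksum_ok). checksum_ok stands in for every
# per-packet validity check the end host applies (TCP checksum, TTL reaching
# the host, window, ...) that a passive monitor may skip or be unable to do.

# Insertion: the attacker sends chaff with a bad checksum at the same offset
# as the real data. A monitor that skips checksum verification accepts it.
INSERTION_SEGMENTS = [
    (0,  b"GET /",         True),
    (5,  b"public",        False),   # chaff: bad checksum, host drops it
    (5,  b"secret",        True),    # real data, same sequence range
    (11, b" HTTP/1.0\r\n", True),
]

# Evasion: every segment is valid, but two overlap. Which bytes survive the
# overlap depends on the receiver's reassembly policy.
EVASION_SEGMENTS = [
    (0,  b"GET /",         True),
    (5,  b"public",        True),    # arrives first
    (5,  b"secret",        True),    # overlaps the same range, arrives second
    (11, b" HTTP/1.0\r\n", True),
]


def reassemble(segments, policy="first", verify_checksum=True):
    """Rebuild the in-order byte stream from TCP-like segments.

    policy "first": bytes already received keep their value on overlap.
    policy "last":  a later segment overwrites earlier bytes.
    Reassembly stops at the first hole, as delivery to the application would.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    data = {}
    for seq, payload, checksum_ok in segments:
        if verify_checksum and not checksum_ok:
            continue
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in data:
                data[off] = byte
    out, off = bytearray(), 0
    while off in data:
        out.append(data[off])
        off += 1
    return bytes(out)


def detects(stream, pattern=b"GET /secret"):
    """A content signature, standing in for a Snort content: match."""
    return pattern in stream


def outcome(segments, ids, host):
    """Compare what the IDS and the end host each reconstruct.
    ids and host are (policy, verify_checksum) pairs.
    Returns (ids_alerted, host_received_attack)."""
    return detects(reassemble(segments, *ids)), detects(reassemble(segments, *host))


if __name__ == "__main__":
    # IDS does not verify checksums, host does: the chaff blinds the IDS.
    print("insertion:", outcome(INSERTION_SEGMENTS, ("first", False), ("first", True)))
    # Both verify checksums but resolve the overlap differently.
    print("evasion:  ", outcome(EVASION_SEGMENTS, ("first", True), ("last", True)))
    # IDS configured to mirror the host's policy: the attack is seen.
    print("matched:  ", outcome(EVASION_SEGMENTS, ("last", True), ("last", True)))
```

The third call is the fix the slide alludes to: the monitor must validate every packet the way the victim does and resolve overlaps the way the victim's stack does, per target host or at least per target operating system. That per-host knowledge is exactly what a signature-only IDS lacks, and why the same ambiguity can also be turned into a resource-exhaustion attack by forcing the sensor to keep many partially reassembled streams.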
Signs of Intrusion
• Unaccountable disk utilization
• Unaccountable file system modification
• Unaccountable CPU utilization
• Network saturation
• Unknown process using sockets
• Abnormal network/system activity
Forensics
• After the attack
• Obtain:
  Attacker(s) IP(s)
  Time of attack
  Victim IP, OS, and targeted service
  Attacker's activity
  Attacker's objective
  Damage assessment
Forensic Guidance
• Photograph complete system
• Take detailed notes
• ID and secure all compromised systems
• Preserve evidence (UNIX)
  who (who is logged on)
  ls (list of files)
  ps (list of processes)
  lsof (open file handles)
  find (modified files)
Forensic Guidance
• System utilities can lie (rootkits): run known-good binaries from read-only media rather than the ones on the compromised host
• Retain a provable chain of custody for evidence
• Make a bit-image copy of the hard drive and verify it (compare cryptographic hashes of the original and the copy)
• Analyze the copy, never the original