Honeywall CDROM - PowerPoint PPT Presentation

About This Presentation
Title:

Honeywall CDROM

Description:

'Target of choice or target of chance?' 'Getting the problem statement right' ... Self defense. Incident response and forensic analysis. Deception and deterrence ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
Honeywall CD-ROM
2
Developers and Speakers
  • Dave Dittrich, University of Washington
  • Rob McMillen, USMC
  • Jeff Nathan, Sygate
  • William Salusky, AOL

3
A case for Honeynets
  • Research of attack technologies and methodologies
  • Root-cause analysis of attack motives
  • "Target of choice or target of chance?"
  • "Getting the problem statement right", Dr. Dan
    Geer, Journal of the Advanced Computing Systems
    Association (USENIX), June 2003, Volume 28,
    Number 3
  • Self defense
  • Incident response and forensic analysis
  • Deception and deterrence

4
Problem: Simplify Honeynet deployment
  • Current Honeynets deployments require
    considerable effort.
  • Lack of standardized deployment platform.
  • Lack of standardized configuration mechanism to
    facilitate large-scale Honeynet deployment.
  • How can Honeynet deployment (especially
    large-scale deployments) be simplified?
  • How can Generation II Honeynet technologies be
    packaged into an easy to use system?

5
Solution: The Honeywall
  • A self-contained Honeynet data control and data
    management system
  • An easily configurable system
  • Simplify deployment and management
  • Build a system using a bootable CD-ROM.
  • Simplify configuration and management using plain
    text files.
  • Use commodity PC hardware to minimize costs.
  • Offer routing and bridging functionality to ease
    network integration.
  • Minimize customization efforts with built-in
    customization hooks.

6
Honeywall overview
  • Bootable Linux CD-ROM
  • Utilizes existing Honeynet data control and data
    capture technologies.
  • iptables (custom Honeywall configuration via
    rc.firewall)
  • Snort-inline
  • Snort
  • Menu-driven configuration interface for easy
    configuration.
  • Single configuration file for interactive or
    automated configuration.

7
Honeywall implementation
  • Bootable Linux system from ramdisk, logging to
    hard disk
  • Boot image consists of Linux kernel
  • Kernel image contains compressed (800K) initial
    ramdisk image to bootstrap system
  • Second stage boot process contains more complete
    Linux system
  • Generation II Honeynet gateway in a box
  • Data control system using iptables
  • Operates as a routing or bridging device
  • Makes a reasonable attempt to prevent stepping
    stones

8
Honeywall implementation (continued)
  • Complex attack detection/mitigation using
    Snort-inline
  • Hooks into iptables through the QUEUE target
    (libipq) and performs Gateway Intrusion Detection
  • Detects low-level protocol attacks and abuses
  • Can modify outgoing attacks to prevent compromise
    of third-party systems
  • Data capture facilities using Snort and
    Snort-inline
  • Captures every packet traversing the Honeywall

9
Honeywall implementation (continued)
  • Data capture (continued)
  • Generates alerts for events matching conditions
    within the Snort and Snort-inline
  • Facilitates forensic analysis of network data to
    identify new tools and techniques, and supports
    trend and behavioral analysis of attack incidents
  • Utilizes rc.conf (BSD) style configuration file
    to simplify system management.
  • Leverages commodity PC hardware and a CD-ROM for
    minimal deployment effort
  • Extensible Unix-like shell scripting architecture
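
The data-control mechanism described on slides 7 to 9, as an added shell example that is not the Honeywall's own rc.firewall: an rc.conf-style variable block, a per-honeypot and per-protocol budget of outbound NEW connections enforced with the iptables limit match, a hand-off of permitted traffic to snort_inline through the QUEUE target, and log-then-DROP once the budget is spent, which is the stepping-stone defence. Interface names, the honeypot addresses, the rates, the honeywall.conf filename, the bridge/route MODE switch and the rule layout are this example's assumptions. IPTABLES defaults to echo, so running the script prints the rules instead of loading them; set IPTABLES=iptables and run it as root on the gateway to load them. In bridge mode the FORWARD chain only sees bridged frames when the kernel has bridge-netfilter support, and the physical port is then selected with the physdev match rather than -i/-o.

```shell
#!/bin/sh
# Added example, not the Honeywall's own rc.firewall: a minimal GenII-style
# data-control rule set in the shape the slides describe. Rule layout,
# variable names, interface names, addresses and limits are assumptions.
#
# IPTABLES defaults to "echo", so running the script prints the rules it
# would load. Set IPTABLES=iptables and run as root on the gateway to load them.

# --- rc.conf-style configuration -----------------------------------------
# A deployment keeps these in a plain-text file and sources it here;
# ./honeywall.conf is an assumed name for that file.
HONEYWALL_CONF="${HONEYWALL_CONF:-./honeywall.conf}"
[ -r "$HONEYWALL_CONF" ] && . "$HONEYWALL_CONF"

MODE="${MODE:-bridge}"              # bridge | route (the Honeywall does either)
LAN_IFACE="${LAN_IFACE:-eth1}"      # port facing the honeypots
INET_IFACE="${INET_IFACE:-eth0}"    # port facing the attackers
HONEYPOTS="${HONEYPOTS:-192.168.1.10 192.168.1.11}"   # constructed sample honeypots
TCPRATE="${TCPRATE:-15}"            # outbound NEW TCP connections per hour, per honeypot
UDPRATE="${UDPRATE:-20}"
ICMPRATE="${ICMPRATE:-50}"
QUEUE="${QUEUE:-yes}"               # yes: permitted traffic goes to snort_inline via QUEUE
IPTABLES="${IPTABLES:-echo}"

# Hourly connection budget for a protocol (only tcp/udp/icmp get rules below).
rate_for() {
    case "$1" in
        tcp)  echo "$TCPRATE" ;;
        udp)  echo "$UDPRATE" ;;
        icmp) echo "$ICMPRATE" ;;
        *)    echo 0 ;;
    esac
}

# Where in-budget traffic goes: snort_inline's userspace queue, or plain ACCEPT.
allowed_target() {
    if [ "$QUEUE" = "yes" ]; then echo QUEUE; else echo ACCEPT; fi
}

# In bridge mode FORWARD sees the bridge device, not the port, so the port is
# selected with the physdev match (needs bridge-netfilter); routing uses -i/-o.
in_match()  { if [ "$MODE" = bridge ]; then echo "-m physdev --physdev-in $1";  else echo "-i $1"; fi; }
out_match() { if [ "$MODE" = bridge ]; then echo "-m physdev --physdev-out $1"; else echo "-o $1"; fi; }

# Rules for one honeypot and one protocol, in matching order:
#   1. anything inbound to the honeypot is let through (it exists to be attacked);
#   2. traffic on connections the honeypot already has is let through;
#   3. NEW outbound connections pass while the hourly budget lasts (the limit
#      match is a token bucket: the first $rate pass, then it refills at $rate/hour);
#   4. past the budget, attempts are logged (at most once a minute) and dropped,
#      which is what stops a compromised honeypot being used as a stepping stone.
emit_honeypot_rules() {
    hp="$1"; proto="$2"
    rate="$(rate_for "$proto")"
    target="$(allowed_target)"
    $IPTABLES -A FORWARD $(in_match "$INET_IFACE") $(out_match "$LAN_IFACE") -d "$hp" -p "$proto" -j "$target"
    $IPTABLES -A FORWARD $(in_match "$LAN_IFACE") -s "$hp" -p "$proto" \
        -m state --state ESTABLISHED,RELATED -j "$target"
    $IPTABLES -A FORWARD $(in_match "$LAN_IFACE") -s "$hp" -p "$proto" -m state --state NEW \
        -m limit --limit "${rate}/hour" --limit-burst "$rate" -j "$target"
    $IPTABLES -A FORWARD $(in_match "$LAN_IFACE") -s "$hp" -p "$proto" -m state --state NEW \
        -m limit --limit 1/minute -j LOG --log-prefix "Honeywall: $proto over $rate/hour "
    $IPTABLES -A FORWARD $(in_match "$LAN_IFACE") -s "$hp" -p "$proto" -m state --state NEW -j DROP
}

# Flush, default-deny, then one rule group per honeypot and protocol.
emit_data_control() {
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    for hp in $HONEYPOTS; do
        for proto in tcp udp icmp; do
            emit_honeypot_rules "$hp" "$proto"
        done
    done
}

emit_data_control
```

The budget is per protocol and per honeypot rather than global so that one noisy honeypot cannot starve the others of the outbound connections that make a compromise look real to the attacker; the log line fires at most once a minute so that a honeypot scanning the Internet cannot fill the Honeywall's disk with its own drop records.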

10
Honeywall boot process
  • Boot Linux system from initial ramdisk (initrd)
  • Load minimal kernel into memory
  • Bootstrap Honeywall using linuxrc initialization
    script
  • Mount root filesystem read-write
  • Mount /proc
  • Attempt to mount CD-ROM
  • Mount cramfs (compressed) filesystem from CD-ROM
    on loop device

11
Honeywall boot process (continued)
  • Continue Honeywall initialization
  • Probe hardware devices and load kernel modules
  • Extract tar/gzip compressed archive of
    supplemental commands
  • Update shared library cache (ldconfig)
  • Look for pre-configured Honeywall hard disk
  • Instantiate default Honeywall packet filter
  • Perform final configuration of data control
    components
  • Execute custom.sh
  • Start administration interface

12
Honeywall customization
  • Floppy disk configuration file
  • Modify ISO w/custom script before burning
  • Just use custom.sh to set variables, start things
  • Use custom.sh to communicate with central server
  • Use SSH to set variables from central management
    host
  • Rip ISO apart, modify file system, then rebuild
  • Allows adding new programs, new services, new
    capabilities
  • Supports development independent of the Honeynet
    Project

13
Honeywall deployment
  • Requires PC hardware with 3 network interfaces,
    IDE disks and 256MB RAM
  • Connected to an existing network of hosts by
    placing the Honeywall systems between possible
    attackers and the Honeynet systems

14
Honeynet deployment (continued)
15
Honeywall demonstration
16
Future work (a production system)
  • Integration of Honey Inspector UI
  • Web interface to customize ISO
  • Command shell for remote management
  • Remote Honeywall Manager

17
Resources and questions
  • Email
  • cdrom@honeynet.org
  • Watch the tools section on
  • http://project.honeynet.org
  • Questions?

18
Customization in more detail
  • How a CD-ROM is born
  • Modification of ISO image
  • De/reconstruction of ISO image