KFSensor Vs Honeyd - PowerPoint PPT Presentation

Number of Views: 712
Slides: 24
Provided by: LeddyL2
Transcript and Presenter's Notes


1
KFSensor Vs Honeyd
Sunil Gurung 60-475 Security and Privacy on the
Internet
  • Honeypot System

2
  • Agenda
  • Introduction
  • Honeypot Technology
  • KFSensor
  • Honeyd
  • Features
  • Tests
  • Conclusion

3
  • Introduction
  • Good Defence is Good Offence
  • Network security: firewall, IDS, antivirus.
  • Traditional approach: defensive
  • Today: offensive approach
  • Honeypot solutions

4
  • Honeypot Technology
  • "A honeypot is a security resource whose value lies
    in being probed, attacked, or compromised." -
    Lance Spitzner
  • We want attackers to probe and exploit the
    virtual system running emulated services.
  • The system has no production value and no legitimate
    traffic, so most connections are probes, attacks or
    compromise attempts.
  • Complements the traditional security tools.

5
Fig: The basic setup of the honeypot system.
In the figure two KFSensor hosts are configured as
production honeypots.
Figure taken from the KFSensor Help user manual.
6
  • TYPES of ATTACKERS
  • Script Kiddies
  • Amateurs, don't care about the host
  • Expose the inadequacy of the security policy
  • Blackhat
  • Focus on high value system, more experienced
  • More dangerous and operate silently

7
  • Types of Honeypot
  • Interaction: the level of activity a honeypot allows
    with the attacker
  • Low Interaction
  • Emulated services; easy to deploy and maintain,
    less risk.
  • Designed to capture only known attacks
  • High Interaction
  • Sets up real services and provides interaction with
    the OS
  • More information; no assumptions made, gives a fully
    open environment.
  • Attacker can use the real honeypot to attack others.
  • Symantec Decoy Server, Honeynet

8
  • KFSensor
  • Commercial low interaction honeypot solution
  • Windows OS
  • Preconfigured services: SSH, HTTP, FTP, etc.
  • Easy configuration and flexible
  • Components of KFSensor
  • Scenarios, Sim Servers (standard and banner)

9
(No Transcript)
10
  • Honeyd
  • Low interaction, open source
  • Developed by Niels Provos of U of M
  • Features: service emulation and OS IP-stack emulation
  • Product Details
  • Software: honeyd
  • Version: honeyd 0.8
  • License: open source
  • Download site: http://honeyd.org
  • OS: Windows, Linux, Unix, Solaris

11
  • Installation
  • arpd, library dependencies
  • libevent-0.8a.tar.gz, libpcap0.8.3.tar.gz
  • Honeyd package
  • Installation process
  • tar -zvxf libevent-0.8a.tar.gz
  • Compile libevent
  • cd libevent-0.8a (Note: pwd is
    /honeyd_packages/libevent-0.8a)
  • ./configure
  • make
  • make install

12
  • Major Differences between the two software
  • IP address assignment
  • Listening port
  • OS emulation
  • Open source advantage
  • Financial value

13
(No Transcript)
14
  • How it works
  1. Configuration File
  2. Nmap.print and Xprobe2 fingerprint files
  3. Scripts for running the services

15
  • Explanation of Configuration file

Example of a simple host template and its binding:

annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
16
  • Nmap.print and Xprobe2
  • Contributed by Felix Lindner (flindner@gmx.de)
  • Fingerprint AXENT Raptor Firewall running on
    Windows NT
  • TSeq(Class=TR)
  • T1(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
  • T2(Resp=N)
  • T3(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
  • T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  • T5(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  • T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  • T7(Resp=N)
  • PU(Resp=N)
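The fingerprint on this slide lost its "=" and "%" separators when the slide text was extracted; with them restored it is a first-generation nmap fingerprint of the kind honeyd loads with -p and uses to shape its replies to OS-detection probes. The following is an added Python example, not code from the presentation, from honeyd or from nmap: it parses that fingerprint format and reports how a personality built from it would answer each probe. The sample text is the slide's fingerprint with separators restored; the reading of the W field as hexadecimal follows the nmap first-generation format.

```python
"""Parser for the first-generation nmap fingerprint format that honeyd loads
with -p (a 'Fingerprint ...' line followed by TSeq/T1..T7/PU test lines).
Added example, not honeyd's or nmap's code."""

# Constructed sample: the slide's fingerprint with its '='/'%' separators restored.
SAMPLE_FINGERPRINT = """\
# Contributed by Felix Lindner (flindner@gmx.de)
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
"""


def parse_fingerprints(text):
    """Return {personality name: {test name: {field: value}}}."""
    fps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):].strip()
            fps[current] = {}
            continue
        test, sep, body = line.partition("(")         # e.g. T1 ( Resp=Y%... )
        if current is None or not sep or not body.endswith(")"):
            raise ValueError("malformed fingerprint line: " + line)
        # Each '%'-separated item is key=value; 'Ops=' yields an empty value.
        fields = dict(item.partition("=")[::2] for item in body[:-1].split("%") if item)
        fps[current][test] = fields
    return fps


def probe_response(fp, test):
    """How a honeyd personality built from fp answers nmap probe `test`:
    None when the fingerprint says Resp=N, otherwise the DF bit, window size
    (hexadecimal in this format), TCP flags and option letters of the reply."""
    t = fp.get(test)
    if t is None or t.get("Resp") != "Y":
        return None
    return {"df": t.get("DF") == "Y", "window": int(t.get("W", "0"), 16),
            "flags": t.get("Flags", ""), "options": t.get("Ops", "")}


if __name__ == "__main__":
    fps = parse_fingerprints(SAMPLE_FINGERPRINT)
    for name, fp in fps.items():
        print(name, "ISN class:", fp["TSeq"]["Class"])
        for test in ("T1", "T2", "T3", "T4", "T5", "T6", "T7", "PU"):
            print(" ", test, probe_response(fp, test))
```

Reading the result: the Raptor firewall answers the SYN probe to an open port (T1) with SYN/ACK, DF set and a window of 0x2017, stays silent on T2, T7 and the UDP probe (PU), and sends a bare RST/ACK with a zero window for T4 to T6. Honeyd reproduces exactly these header details so that a scanner fingerprinting the virtual host is shown the configured personality instead of the real operating system underneath.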

17
  • Test Environment
  • Inside the router
  • 1) University network
  • 2) Home network: putting the honeypot system
    inside the router, 192.168.0.102
  • Various tests performed

18
  • Testing Honeyd
  • IP of honeypot: 192.168.1.122
  • IP of host running the honeypot: 192.168.1.121
  • 1) Running arpd
  • arpd 192.168.0.0/24
  • 2) Running honeyd
  • honeyd -d -f config.sample -p nmap.print -x
    xprobe2 -l <log file> -i 2

19
  • Test 1: FTP (KFSensor)

20
  • Test 2: FTP (honeyd)

21
  • Other possible tests (network topology)

route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24

create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"

create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"

bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
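To make the directives on this slide (and the simpler template-and-bind example on slide 15, which uses the same create/set/add/bind vocabulary) concrete, here is an added Python example; it is not honeyd's own code and not part of the presentation. It parses this subset of the configuration language, answers what honeyd would do with a TCP SYN to a given address and port, and walks the virtual route from the entry router to a destination the way a traceroute against the honeypot would. The sample configuration is the slide's fragment unchanged. The route walk is a deliberate simplification of honeyd's: link hops add no delay, and the loss value is recorded but not applied.

```python
"""Parser and route walker for the subset of honeyd's configuration language
shown on the slides (create/set/add/bind/route).  Added example, not honeyd's
own code; the routing model is a deliberate simplification of honeyd's."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: the topology fragment from the slide, unchanged.
SAMPLE_CONFIG = """
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24

create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"

create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"

bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
"""


def parse_config(text):
    """Parse the directives used on the slides into a plain dict."""
    cfg = {"templates": {}, "bindings": {}, "entry": None,
           "routers": defaultdict(lambda: {"links": [], "nets": []})}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # honeyd uses '#' comments
        if not line:
            continue
        t = shlex.split(line)                         # keeps quoted strings whole
        if t[0] == "create":
            cfg["templates"][t[1]] = {"personality": None, "default_tcp": None, "tcp": {}}
        elif t[0] == "set" and t[2] == "personality":
            cfg["templates"][t[1]]["personality"] = t[3]
        elif t[0] == "set" and t[2:5] == ["default", "tcp", "action"]:
            cfg["templates"][t[1]]["default_tcp"] = t[5]
        elif t[0] == "add" and t[2:4] == ["tcp", "port"]:
            cfg["templates"][t[1]]["tcp"][int(t[4])] = " ".join(t[5:])
        elif t[0] == "bind":
            cfg["bindings"][t[1]] = t[2]
        elif t[:2] == ["route", "entry"]:
            cfg["entry"] = t[2]
        elif t[0] == "route" and t[2] == "link":
            cfg["routers"][t[1]]["links"].append(ipaddress.ip_network(t[3]))
        elif t[0] == "route" and t[2:4] == ["add", "net"]:
            opts = dict(zip(t[6::2], t[7::2]))        # latency 55ms loss 0.1
            latency_ms = float(opts.get("latency", "0ms").rstrip("ms"))
            cfg["routers"][t[1]]["nets"].append(
                (ipaddress.ip_network(t[4]), t[5], latency_ms, float(opts.get("loss", "0"))))
        else:
            raise ValueError("unsupported directive: " + line)
    return cfg


def tcp_action(cfg, ip, port):
    """What honeyd does with a TCP SYN to ip:port: 'open', 'reset', a script or
    proxy string, or None when no template is bound to that address."""
    name = cfg["bindings"].get(ip)
    if name is None:
        return None
    tmpl = cfg["templates"][name]
    return tmpl["tcp"].get(port, tmpl["default_tcp"])


def trace_path(cfg, dst):
    """Hops honeyd would expose on the way to dst as (hop, cumulative ms).
    Routers are followed from 'route entry' over 'add net' gateways until dst
    is the current router or lies in one of its 'link' networks."""
    dst_ip, hop, total, path = ipaddress.ip_address(dst), cfg["entry"], 0.0, []
    while hop is not None and hop not in [h for h, _ in path]:   # loop guard
        path.append((hop, total))
        router = cfg["routers"][hop]
        if hop == dst:
            return path
        if any(dst_ip in net for net in router["links"]):
            return path + [(dst, total)]             # directly attached host
        nxt = [(gw, lat) for net, gw, lat, _ in router["nets"] if dst_ip in net]
        if not nxt:
            return None                              # no route: no answer
        hop, total = nxt[0][0], total + nxt[0][1]
    return None


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for hop, ms in trace_path(cfg, "10.1.0.2"):
        print(hop, "port 22 ->", tcp_action(cfg, hop, 22), "at", ms, "ms")
```

Running it walks 10.0.0.1 to 10.1.0.1 to 10.1.0.2 with 55 ms added at the first gateway, which is the shape of the traceroute on the next slide, and shows that port 22 is reset on the router, unanswered on the unbound gateway address, and proxied back to the source on the NetBSD host.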
22
  • Results taken from the abstract

traceroute -n 10.3.0.10
traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
 1  10.0.0.1    0.456 ms   0.193 ms   0.93 ms
 2  10.2.0.1   46.799 ms  45.541 ms  51.401 ms
 3  10.3.0.1   68.293 ms  69.848 ms  69.878 ms
 4  10.3.0.10  79.876 ms  79.798 ms  79.926 ms
23
  • Conclusion
  • Both are low interaction
  • Honeyd has better features like IP simulation and
    OS IP-stack simulation
  • KFSensor: better GUI, easy configuration
  • Neither can replace the existing security systems;
    they work better alongside them.