KFSensor - PowerPoint PPT Presentation

Slides: 25
Provided by: LeddyL2
1
KFSensor
Sunil Gurung
60-475 Security and Privacy on the Internet
  • Honeypot and Intrusion Detection System

2
  • Agenda
  • Introduction
  • Honeypot Technology
  • KFSensor
  • Components of KFSensor
  • Features
  • Tests
  • Conclusion

3
  • Introduction
  • Increasing security threats with the proliferation of the Internet
  • Network security: firewall, IDS, antivirus.
  • Traditional approach: defensive
  • Today: offensive approach
  • Honeypot

4
  • Honeypot Technology
  • "A honeypot is a security resource whose value lies
    in being probed, attacked, or compromised." -
    Lance Spitzner
  • We want attackers to probe and exploit the
    virtual system running emulated services.
  • The system has no production value and no legitimate traffic, so most
    connections are probes, attacks, or compromises.
  • Complements the traditional security tools.

5
Fig.: The basic setup of the honeypot system.
In the figure, two KFSensor systems are configured as
production honeypots.
Figure taken from the KFSensor user manual (Help).
6
  • Advantages and Disadvantages
  • Collects small set of data
  • New techniques and tools (A)
  • Minimal resources (A)
  • Information (A)
  • Simplicity (A)
  • Limited view: can't capture attacks against other
    systems (D)
  • Risk: can be taken over by the bad guys (D)

7
  • Types of Honeypot
  • Interaction: the level of activity the honeypot allows
    with the attacker
  • Low Interaction
  • Emulated services; easy to deploy and maintain;
    less risk.
  • Designed to capture only known attacks
  • High Interaction
  • Sets up real services and provides interaction with
    the OS
  • More information; no assumptions made; gives a full
    open environment.
  • Attackers can use the real honeypot to attack others.

8
  • KFSensor
  • Commercial low interaction honeypot solution
  • Windows OS
  • Preconfigured services: SSH, HTTP, FTP, etc.
  • Easy configuration and flexible
  • Product detail
  • Software: KFSensor
  • Version: 2.2.1
  • License: Evaluation (14-day trial)
  • Vendor: Key Focus
  • Download site: http://www.keyfocus.net/kfsensor/

9
  • Installations
  • Download the application from the website
  • Initial wizard setup: naming the domain, email,
    alerts
  • To install, log in as ADMINISTRATOR
  • C:\kfsensor\logs: XML files
  • Running the KFSensor server as a daemon (Windows
    service): kfsnserve.exe
  • Open up the KFSensor monitor - GUI

10
  • Components of KFSensor
  • KFSensor Server
  • Performs the core functionality; outsiders interact
    with the server. It doesn't have a GUI.
  • KFSensor Monitor
  • Interprets all the data and alerts captured by
    the server in graphical form.

11
(No Transcript)
12
  • Features
  • File Menu
  • Export (HTML, XML, TSV or CSV), Service
  • View Menu
  • Ports View, Visitors View
  • Editing Scenarios
  • Editing Listens, Edit Rules, Sim Server

13
  • Editing Scenario

14
  • Editing Listens
  • Listen On
  • Name: identifies the listen when a connection is
    made to that particular specification
  • Protocol: choice between UDP or TCP
  • Port
  • Bind Address: the IP address the listen
    binds to.
  • Action
  • Action Type: the action to be performed once the
    connection is made by the outsider
  • Severity: defines the level of severity generated
    by the event to alert the admin.
  • Time out: value in seconds for the server to wait
    until it closes the connection
  • Sim Name: specifies the Sim Server.
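
A minimal low-interaction TCP listener built from the listen fields above (name, port, bind address, severity, timeout, plus a banner standing in for a Sim Banner server). This is an added Python example, not KFSensor code or configuration; the `Listen` class and its event fields are hypothetical.

```python
import socket
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Listen:
    """One TCP listen definition using the fields named on the slide."""
    name: str
    port: int                          # 0 lets the OS choose a free port
    bind_address: str = "127.0.0.1"
    severity: str = "Medium"
    timeout: float = 5.0               # seconds before the connection is closed
    banner: bytes = b""                # stand-in for a banner-style sim server
    events: list = field(default_factory=list)

    def start(self) -> int:
        """Bind the socket, serve in the background, return the bound port."""
        self._sock = socket.create_server((self.bind_address, self.port))
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def _accept_loop(self) -> None:
        while True:                    # daemon thread: runs until the process exits
            conn, peer = self._sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn: socket.socket, peer: tuple) -> None:
        received = b""
        with conn:
            conn.settimeout(self.timeout)
            try:
                conn.sendall(self.banner)
                received = conn.recv(1024)   # first bytes the visitor sends
            except OSError:                  # a timeout or reset is still an event
                pass
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "listen": self.name, "severity": self.severity,
            "visitor": peer[0], "port": self.port, "received": received,
        })

if __name__ == "__main__":
    demo = Listen(name="FTP banner", port=0, banner=b"220 FTP service ready\r\n")
    print("listening on", demo.bind_address, demo.start())
    input("Press Enter to stop\n")
```

Every connection is recorded, including ones that send nothing before the timeout, because a honeypot port has no legitimate traffic.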

15
  • Edit Rule

16
  • Sim Server
  • Sim Banner
  • Sim Standard Server

17
  • DoS attack configuration
  • Other features
  • Email Alerts
  • Log Database

18
  • Test Environment
  • Inside the router
  • Outside of router
  • 1) University network: IP address
    137.207.238.113 (Sunil.uwindsor.ca)
  • 2) Home network: putting the honeypot system
    inside the router, 192.168.0.102
  • 3) Direct connection to the Internet through
    24.57.84.215
  • 4) Tested on the local machine, 127.0.0.1
  • Various tests performed

19
  • Test 1: FTP emulation

20
  • Test 2: SMTP

21
  • Test 3: Other Tests (Threats and Viruses)
  • Sasser worm: TCP port 5554
  • Attacks from
  • IP 1: 218.253.9.215 (cm218-253-9-215.hkcable.com.hk)
  • Toronto-HSE ppp3864532.sympatico.ca

22
  • Test 3 - Cont

IIS, Dameware, MyDoom attacks
IIS Web Server: KFSensor can emulate a highly
interactive service.
Dameware is a remote control application similar
to VNC. Attackers recently found a buffer overflow
vulnerability in it that gives them access to run
their own code. This threat uses port 6129.
MyDoom: a DDoS attack that listens on TCP port 3127
and installs a back door on the infected system.
23
  • Test 3 - Cont

LoveGate Worm: the LoveGate worm infects the system
through port 20168.
Port Scanning
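
An added example (not from the presentation or KFSensor) of triaging honeypot events by the ports named in Test 3 and flagging a likely port scan. The CSV layout, the sample events and the five-port scan threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Ports named on the Test 3 slides, mapped to the threat each slide ties to them.
THREAT_PORTS = {5554: "Sasser worm", 6129: "Dameware", 3127: "MyDoom",
                20168: "LoveGate worm"}

# Constructed sample events; the column layout (time, visitor, protocol, port)
# is hypothetical and is not KFSensor's actual export format.
SAMPLE_EVENTS = """\
2005-03-01T10:00:01,203.0.113.7,TCP,5554
2005-03-01T10:00:09,203.0.113.7,TCP,5554
2005-03-01T10:02:30,198.51.100.20,TCP,21
2005-03-01T10:02:30,198.51.100.20,TCP,22
2005-03-01T10:02:31,198.51.100.20,TCP,25
2005-03-01T10:02:31,198.51.100.20,TCP,80
2005-03-01T10:02:32,198.51.100.20,TCP,3127
2005-03-01T10:05:00,192.0.2.44,TCP,80
not,a,valid,row
"""


def triage(csv_text, scan_threshold=5):
    """Group events by visitor; flag known threat ports and likely port scans."""
    ports = defaultdict(set)
    for row in csv.reader(io.StringIO(csv_text)):
        try:
            _time, visitor, _proto, port = row
            port = int(port)
        except ValueError:          # wrong column count or non-numeric port
            continue
        ports[visitor].add(port)
    report = {}
    for visitor, seen in ports.items():
        # Matching is by port number only; a hit is a lead, not a confirmed infection.
        threats = sorted(THREAT_PORTS[p] for p in seen if p in THREAT_PORTS)
        report[visitor] = {"distinct_ports": len(seen), "threats": threats,
                           "port_scan": len(seen) >= scan_threshold}
    return report


if __name__ == "__main__":
    for visitor, finding in triage(SAMPLE_EVENTS).items():
        print(visitor, finding)
```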
24
  • Conclusion
  • Good user interface.
  • Easy to configure emulation services
  • Flexible
  • Minimal risk
  • Limited to only minimal transactions
  • Honeypot
  • Cannot replace the existing system; works better
    along with it.