Honeypots and Honeynets - PowerPoint PPT Presentation

Provided by: mehedy
Transcript and Presenter's Notes
1
Honeypots and Honeynets
  • Source: The Honeynet Project, http://www.honeynet.org/
  • Mehedi Masud
  • September 19, 2007
  • Lecture 12

2
Why HoneyPots
  • A great deal of the security profession and the
    IT world depends on honeypots. Honeypots are used to:
    • Build anti-virus signatures.
    • Build SPAM signatures and filters.
    • Help ISPs identify compromised systems.
    • Assist law enforcement in tracking criminals.
    • Hunt and shut down botnets.
    • Collect and analyze malware.

3
What are Honeypots
  • Honeypots are real or emulated vulnerable systems
    ready to be attacked.
  • Primary value of honeypots is to collect
    information.
  • This information is used to better identify,
    understand and protect against threats.
  • Honeypots add little direct value to protecting
    your network.

4
Types of HoneyPot
  • Server: Put the honeypot on the Internet and let
    the bad guys come to you.
  • Client: The honeypot initiates and interacts with
    servers.
  • Other: Proxies.

5
Types of HoneyPot
  • Low-interaction
    • Emulates services, applications, and OSs.
    • Low risk and easy to deploy/maintain, but captures
      limited information.
  • High-interaction
    • Real services, applications, and OSs.
    • Captures extensive information, but high risk and
      time intensive to maintain.

6
Examples Of Honeypots
  • BackOfficer Friendly
  • KFSensor
  • Honeyd
  • Honeynets

  (Slide graphic: the examples above are arranged along a scale from Low Interaction to High Interaction.)
7
Honeynets
  • High-interaction honeypot designed to capture
    in-depth information.
  • Information has different value to different
    organizations.
  • It's an architecture you populate with live
    systems, not a product or software.
  • Any traffic entering or leaving is suspect.

8
How It Works
  • A highly controlled network where every packet
    entering or leaving is monitored, captured, and
    analyzed.
  • Data Control
  • Data Capture
  • Data Analysis

9
Honeynet Architecture
10
Data Control
  • Mitigate the risk of the honeynet being used to harm
    non-honeynet systems.
  • Count outbound connections.
  • IPS (Snort-Inline).
  • Bandwidth throttling.
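
The outbound connection counting described on this slide, as an added example that is not the Honeywall's own code: each connection leaving a honeypot is counted per protocol over a sliding window, and once the limit is reached further outbound connections are blocked while inbound traffic is still allowed in. The limits, addresses and flow records are assumed and constructed values, not the Honeywall's real defaults.

```python
# Added example, not Honeynet Project code: honeynet data control by
# counting outbound connections per honeypot and protocol, blocking once
# the per-window limit is reached. Limits and records are assumed values.
from collections import defaultdict
from dataclasses import dataclass

# Assumed per-hour outbound connection limits per protocol (not real defaults).
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
WINDOW = 3600  # sliding window in seconds


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str     # a flow is outbound when src is a honeypot
    dst: str
    proto: str   # "tcp", "udp", "icmp"; anything else counts as "other"


def evaluate_outbound(flows, honeypots, limits=LIMITS, window=WINDOW):
    """Return (flow, verdict, count) per flow, in timestamp order.

    Inbound flows are always allowed so attackers can still get in.
    Outbound flows are counted per (honeypot, protocol); once the window
    already holds `limit` connections the new one is blocked.
    """
    history = defaultdict(list)  # (src, proto) -> timestamps in window
    decisions = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src not in honeypots:
            decisions.append((f, "allow-inbound", 0))
            continue
        proto = f.proto if f.proto in limits else "other"
        key = (f.src, proto)
        history[key] = [t for t in history[key] if f.ts - t < window]
        if len(history[key]) >= limits[proto]:
            decisions.append((f, "block", len(history[key])))
        else:
            history[key].append(f.ts)
            decisions.append((f, "allow", len(history[key])))
    return decisions


def summarize(decisions):
    """Tally verdicts; any 'block' means a honeypot is attacking outward."""
    counts = defaultdict(int)
    for _, verdict, _ in decisions:
        counts[verdict] += 1
    return dict(counts)


# Constructed sample: attacker 203.0.113.9 breaks in, then the honeypot
# 10.0.0.5 starts 20 outbound TCP connections within a few seconds.
HONEYPOTS = {"10.0.0.5"}
SAMPLE = [Flow(0, "203.0.113.9", "10.0.0.5", "tcp")] + [
    Flow(10 + i, "10.0.0.5", f"198.51.100.{i + 1}", "tcp") for i in range(20)]
```

With the assumed TCP limit of 15, the sample yields 15 allowed and 5 blocked outbound connections; the first block is the alert a honeynet operator would act on.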

11
No Data Control
12
Data Control
13
Data Capture
  • Capture all activity at a variety of levels.
  • Network activity.
  • Application activity.
  • System activity.

14
Sebek
  • Hidden kernel module that captures all host
    activity.
  • Dumps the captured activity to the network.
  • The attacker cannot sniff this traffic: packets are
    hidden based on their magic number and destination port.

15
Sebek Architecture
16
Honeywall CDROM
  • Attempt to combine all requirements of a
    Honeywall onto a single, bootable CDROM.
  • May, 2003 - Released Eeyore
  • May, 2005 - Released Roo

17
Roo Honeywall CDROM
  • Based on Fedora Core 3
  • Vastly improved hardware and international
    support.
  • Automated, headless installation
  • New Walleye interface for web based
    administration and data analysis.
  • Automated system updating.

18
Installation
  • Just insert the CDROM and boot; it installs to the local
    hard drive.
  • After it reboots for the first time, it runs a
    hardening script based on NIST and CIS security
    standards.
  • Following installation, you get a command prompt
    and the system is ready to configure.

19
Further Information
  • http://www.honeynet.org/
  • http://www.honeynet.org/book