Honeywall CDROM - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Honeywall CD-ROM
2
Developers and Speakers
  • Dave Dittrich, University of Washington
  • Rob McMillen, USMC
  • Jeff Nathan, Sygate
  • William Salusky, AOL

3
A case for Honeynets
  • Research of attack technologies and methodologies
  • Root-cause analysis of attack motives
  • "Target of choice or target of chance?"
  • "Getting the problem statement right", Dr. Dan
    Geer, Journal of the Advanced Computing Systems
    Association (USENIX), June 2003, Volume 28,
    Number 3
  • Self defense
  • Incident response and forensic analysis
  • Deception and deterrence

4
Problem: Simplify Honeynet deployment
  • Current Honeynets deployments require
    considerable effort.
  • Lack of standardized deployment platform.
  • Lack of standardized configuration mechanism to
    facilitate large-scale Honeynet deployment.
  • How can Honeynet deployment (especially
    large-scale deployments) be simplified?
  • How can Generation II Honeynet technologies be
    packaged into an easy to use system?

5
Solution: The Honeywall
  • A self-contained Honeynet data control and data
    management system
  • An easily configurable system
  • Simplify deployment and management
  • Build a system using a bootable CD-ROM.
  • Simplify configuration and management using plain
    text files.
  • Use commodity PC hardware to minimize costs.
  • Offer routing and bridging functionality to ease
    network integration.
  • Minimize customization efforts with built-in
    customization hooks.

6
Honeywall overview
  • Bootable Linux CD-ROM
  • Utilizes existing Honeynet data control and data
    capture technologies:
      • iptables (custom Honeywall configuration via
        rc.firewall)
      • Snort-inline
      • Snort
  • Menu-driven configuration interface for easy
    configuration.
  • Single configuration file for interactive or
    automated configuration.

7
Honeywall implementation
  • Bootable Linux system from ramdisk, logging to
    hard disk
      • Boot image consists of a Linux kernel
      • Kernel image contains a compressed initial
        ramdisk image to bootstrap the system
      • Second-stage boot process contains the more
        complete Linux system
  • Generation II Honeynet gateway in a box
      • Data control system using iptables
      • Operates as a routing or bridging device
      • Makes a reasonable attempt to prevent stepping
        stones

8
Honeywall implementation (continued)
  • Complex attack detection/mitigation using
    Snort-inline
      • Hooks into iptables using queues (libipqueue)
        and performs gateway intrusion detection
      • Detects low-level protocol attacks and abuses
      • Can modify outgoing attacks to prevent compromise
        of third-party systems
  • Data capture facilities using Snort and
    Snort-inline
      • Captures every packet traversing the Honeywall
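The data-control design on slides 7 and 8 (iptables as the control layer, routing or bridging operation, stepping-stone prevention, and Snort-inline hooked in through the packet queue) can be sketched as a small rule generator. The script below is an added example written for this transcript, not the Honeynet Project's rc.firewall: the variable and interface names, the per-honeypot hourly budgets and the honeypot addresses (constructed from the RFC 5737 documentation range) are its own assumptions. It emits the ruleset as text so the rules can be read and checked before they are applied.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's own rc.firewall: generate a
# Honeywall-style data-control ruleset as text so it can be reviewed before
# it is applied. Variable and interface names are this example's own
# assumptions; honeypot addresses are constructed from the RFC 5737
# documentation range.

EXT_IFACE="${EXT_IFACE:-eth0}"                    # towards the Internet
HNET_IFACE="${HNET_IFACE:-eth1}"                  # towards the honeypots
HONEYPOTS="${HONEYPOTS:-192.0.2.10 192.0.2.11}"   # constructed addresses
TCP_LIMIT="${TCP_LIMIT:-15}"   # new outbound TCP connections per honeypot per hour
UDP_LIMIT="${UDP_LIMIT:-20}"   # new outbound UDP flows per honeypot per hour

# Outbound rules for one honeypot and one protocol: connections inside the
# hourly budget are handed to the userspace queue (ip_queue, where
# snort-inline accepts, drops or rewrites them); anything beyond the budget
# is logged and dropped, which is what stops a compromised honeypot from
# being used as a stepping stone at full speed.
outbound_rules_for() {
  hp="$1"; proto="$2"; limit="$3"
  match="-i $HNET_IFACE -o $EXT_IFACE -s $hp -p $proto -m state --state NEW"
  echo "iptables -A FORWARD $match -m limit --limit $limit/hour --limit-burst $limit -j QUEUE"
  echo "iptables -A FORWARD $match -j LOG --log-prefix \"HW-OUT-LIMIT $hp \""
  echo "iptables -A FORWARD $match -j DROP"
}

gen_data_control_rules() {
  echo "iptables -F FORWARD"
  echo "iptables -P FORWARD DROP"
  # Inbound: everything destined for a honeypot is allowed through the IDS
  # queue; the honeynet exists to be probed.
  for hp in $HONEYPOTS; do
    echo "iptables -A FORWARD -i $EXT_IFACE -o $HNET_IFACE -d $hp -m state --state NEW -j QUEUE"
  done
  # Outbound: one budget per honeypot (-m limit is a token bucket per rule),
  # so one compromised host cannot burn the whole honeynet's allowance.
  for hp in $HONEYPOTS; do
    outbound_rules_for "$hp" tcp "$TCP_LIMIT"
    outbound_rules_for "$hp" udp "$UDP_LIMIT"
  done
  # Packets of already-accepted connections also pass through the queue so
  # snort-inline sees (and can alter) the whole session in both directions.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j QUEUE"
}

# Number of FORWARD rules in the generated set; a quick sanity check before
# the output is piped to sh on the gateway.
count_rules() {
  gen_data_control_rules | grep -c '^iptables -A FORWARD'
}

gen_data_control_rules
```

Pipe the output to sh on the gateway itself, after reading it. Two caveats follow from the design the slides describe: the QUEUE target only does useful work while snort-inline (or another ip_queue consumer) is running, because queued packets with no listener are dropped, and in bridging mode these FORWARD rules only see bridged frames if the kernel's bridge-netfilter hook is enabled.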

9
Honeywall implementation (continued)
  • (Data capture, continued)
      • Generates alerts for events matching conditions
        within Snort and Snort-inline
      • Facilitates forensic analysis of network data to
        identify new tools and techniques, and to support
        trend and behavioral analysis of attack incidents
  • Leverages commodity PC hardware and a CD-ROM for
    minimal deployment effort
  • Extensible shell scripting architecture

10
Honeywall boot process
  • Honeywall initialization
      • Extracts a tar/gzip-compressed archive of
        supplemental commands
      • Looks for a pre-configured Honeywall hard disk
      • Performs final configuration of the data control
        components
      • Executes custom.sh and other hook scripts
      • Starts the administration interface

11
Honeywall customization
  • Floppy disk configuration file
  • Modify ISO w/custom script before burning
      • Just use custom.sh to set variables, start things
      • Use custom.sh to communicate with a central server
      • Use SSH to set variables from a central management
        host
  • Rip ISO apart, modify the file system, then rebuild
      • Allows adding new programs, new services, new
        capabilities
      • Supports development independent of the Honeynet
        Project
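Slides 10 and 11 describe a boot sequence that reads a plain-text configuration file (possibly from a floppy), finishes the data-control configuration and then runs custom.sh and other hook scripts. The script below is an added example of that pattern written for this transcript, not the Honeywall's own initialization code; the file names honeywall.conf, hooks.d/ and custom.sh, the HW_* keys and all sample values are its own assumptions. It makes one point the slides leave implicit: a configuration file picked up from removable media is parsed against an allow-list rather than sourced, since sourcing it would execute whatever it contains as root during boot, and a failing hook is logged rather than allowed to abort the boot.

```shell
#!/bin/sh
# Added example of the "single plain-text configuration file plus hook
# scripts" pattern the slides describe; it is not the Honeywall's own
# initialization code. The file names (honeywall.conf, hooks.d/, custom.sh),
# the HW_* keys and the sample values are this example's assumptions.

# Keys the boot process is willing to accept from a removable medium.
ALLOWED_KEYS="HW_MODE HW_EXT_IFACE HW_HNET_IFACE HW_HONEYPOTS HW_TCP_LIMIT"

# Print the KEY=VALUE lines of a config file that pass two checks: the key
# is on the allow-list and the value holds no shell metacharacters. The
# file is parsed, never sourced: sourcing a file found on a floppy at boot
# would execute whatever it contains as root.
load_config() {
  conf="$1"
  [ -r "$conf" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac        # blank or comment
    key="${line%%=*}"
    val="${line#*=}"
    case " $ALLOWED_KEYS " in
      *" $key "*) ;;
      *) echo "config: ignoring unknown key '$key'" >&2; continue ;;
    esac
    if printf '%s' "$val" | grep -q '[^A-Za-z0-9_./:, -]'; then
      echo "config: ignoring unsafe value for '$key'" >&2; continue
    fi
    printf '%s=%s\n' "$key" "$val"
  done < "$conf"
  return 0
}

# Turn the accepted lines into shell variables in the current shell.
apply_config() {
  accepted="$(load_config "$1")" || return 1
  while IFS= read -r kv; do
    [ -n "$kv" ] || continue
    key="${kv%%=*}"; val="${kv#*=}"
    eval "$key=\"\$val\""          # key already validated against the allow-list
  done <<EOF
$accepted
EOF
}

# Run the hook scripts in hooks.d/ in lexical order and custom.sh last,
# logging their output; a failing hook is reported but does not abort the
# boot, so a broken customization cannot leave the gateway without the
# data-control rules applied in the previous step. Prints the hooks that
# succeeded.
run_boot_hooks() {
  base="$1"; ran=""
  for h in "$base"/hooks.d/*.sh "$base"/custom.sh; do
    [ -f "$h" ] || continue
    if sh "$h" >>"$base/hooks.log" 2>&1; then
      ran="${ran:+$ran }${h##*/}"
    else
      echo "hook ${h##*/} failed" >&2
    fi
  done
  echo "$ran"
}

# Build a constructed demo tree standing in for the floppy and the hook
# directory, and print its path.
make_demo_dir() {
  d="$(mktemp -d)"
  mkdir "$d/hooks.d"
  cat > "$d/honeywall.conf" <<'EOF'
# constructed sample configuration, as it might arrive on a floppy
HW_MODE=bridge
HW_HONEYPOTS=192.0.2.10 192.0.2.11
HW_TCP_LIMIT=15
UNKNOWN_KEY=value
HW_EXT_IFACE=eth0; reboot
EOF
  printf '#!/bin/sh\necho "first hook"\n' > "$d/hooks.d/10-first.sh"
  printf '#!/bin/sh\necho "second hook breaks"; exit 1\n' > "$d/hooks.d/20-second.sh"
  printf '#!/bin/sh\necho "site custom.sh"\n' > "$d/custom.sh"
  echo "$d"
}

if [ "${1:-}" = "demo" ]; then
  demo="$(make_demo_dir)"
  apply_config "$demo/honeywall.conf"
  echo "mode=$HW_MODE honeypots=$HW_HONEYPOTS limit=$HW_TCP_LIMIT"
  echo "hooks run: $(run_boot_hooks "$demo")"
  rm -rf "$demo"
fi
```

Run it as `sh init-example.sh demo` to see the constructed configuration being filtered (the unknown key and the value containing a semicolon are dropped with a message on stderr) and the hooks running in order with the failing one reported but not fatal.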

12
Honeywall deployment
  • Requires PC hardware with 3 network interfaces,
    IDE disks and 256MB RAM
  • Connected to an existing network of hosts by
    placing the Honeywall system between possible
    attackers and the Honeynet systems

13
Honeynet deployment (continued)
14
Future work (a production system)
  • Integration of Honey Inspector UI
  • Web interface to customize ISO
  • Command shell for remote management
  • Remote Honeywall Manager

15
Resources and questions
  • Email: cdrom_at_honeynet.org
  • Watch the tools section on
    http://project.honeynet.org
  • Questions?

16
Customization in more detail
  • How a CD-ROM is born
  • Modification of ISO image
  • De/reconstruction of ISO image