Advanced Attack Detection and Infrastructure Protection Sean Ensz –OU IT Security Analyst Sallie Wright –OSU IT Security Officer Dr. Mark Weiser –OSU Director of CTANS


Page 1

Advanced Attack Detection and Infrastructure Protection

Sean Ensz –OU IT Security Analyst

Sallie Wright –OSU IT Security Officer

Dr. Mark Weiser –OSU Director of CTANS

Page 2

Agenda

• Technical Overview – Sean Ensz

• Production Benefits – Sallie Wright

• Research Benefits – Dr. Mark Weiser

Page 3

Technical Overview

• Core system based on a Honeynet design

– A Honeynet is a network of honeypots

– A honeypot is an information system resource whose value lies in illicit use of that resource

– A honeypot has no legitimate users

– Any traffic going to and from the system is inherently suspicious

*Source: www.honeynet.org

Page 4

[Network diagram; labels recoverable from the figure: VMware ESX host; Foundry Networks EdgeIron 24G switch (console, port and Link/Act/FDX status labels); Local DB; Switch; VLAN Trunk; Management VLAN Trunk; six Honeypot nodes; Honeywall Layer 2 Bridge]

Page 5

[Data-flow diagram: Log Generators → Log Subsystems → Log Collectors → Actions]

• Log Generators: Network Traffic feeding the Net Switch, the Honeywall and the Hosts

• Log Subsystems: Flow Data (Net Switch); Snort, IPTables, pcap (Honeywall); Evt Logs, Sebek HIDS (Hosts)

• Log Collectors: MySQL Local DB → Export Tables → MySQL Central DB

• Actions at the Local DB: Rebuild Honeypot, Assign Initial Severity, Export

• Actions at the Central DB: Increase Severity, Add to Null Route Table, Store

Page 6

Future Improvements

• Honeywall

– Needs better hardware & network driver support

– Beta version to be released today

• Host based logging

– Currently relies on Sebek

– Lacks host log and process tree support

– Working with Third Brigade to develop a honeypot version of their product

Page 7

Production Benefits

Page 8

OSU IT Systems Security Evolution

[Timeline figure]

• 2000: No real security program (WIDE OPEN)

• 2001-2002: IT Security Office, Policy Focus, Central Anti-virus

• 2003-2004: IDS, Border Firewall, IT Security Plan, LaBrea Tarpit

• 2005: Anti-Spam, Intrusion Prevention System (AIPS)

Page 9

AIPS Production Benefits

• Identification of malicious hosts

• Ability to block at the border of Oklahoma’s OneNet state-wide network

Page 10

Collaboration

• A key benefit is the ability to provide academic programs with tools for research

• Develop new ways to strengthen overall IT security

Page 11

Production Goal

• To contain and prevent intrusions while providing the data

• Flow analysis to tune the IT security process

Page 12

Research Benefits

Page 13

• How This May Be Extended

– Future Research

– Related Endeavors

Page 14

Day Zero Signature

[Flow diagram; labels recoverable from the figure: Existing Signatures; Candidate Detects; HN Design Attacks; HN Wild Attacks; Day Zero Signature; AI/Neural Nets; Other Methods; Validation]

Page 15

Middleware

[Diagram; labels recoverable from the figure: Honeynet “Solution”; Platform-neutral Solution (file); Middleware; Router Description / Access Information; Router/Firewall]

Page 16

Basic Near-Real-Time Activity Detector

• Low-cost log gathering w/ local analysis

• Central Cumulative Analysis

• Trigger points distribute alerts to subscribers
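The pipeline on Pages 5 and 16 (local analysis assigns an initial severity, the central store accumulates across honeypots and sites, trigger points feed the null route table and alert subscribers) as an added example; this is not the project's code. The sensor weights, score thresholds and sample export records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export from two local honeynet collectors (not real data).
# Each record is one detection a local sensor logged against a honeypot.
LOCAL_EXPORT = [
    {"site": "ou",  "honeypot": "hp1", "src": "192.0.2.10",   "sensor": "flow"},
    {"site": "ou",  "honeypot": "hp2", "src": "192.0.2.10",   "sensor": "snort"},
    {"site": "osu", "honeypot": "hp5", "src": "192.0.2.10",   "sensor": "sebek"},
    {"site": "osu", "honeypot": "hp4", "src": "198.51.100.7", "sensor": "flow"},
]

# Local analysis: initial severity reflects how deep the contact went.
# A flow record is only a touch, an IDS/firewall hit is more, and a Sebek
# record means a shell was obtained on the honeypot. Weights are assumed.
INITIAL_SEVERITY = {"flow": 1, "snort": 2, "iptables": 2, "sebek": 4}


def assign_initial_severity(event):
    """Local DB step: tag the event with a severity before it is exported."""
    return {**event, "severity": INITIAL_SEVERITY.get(event["sensor"], 1)}


def central_cumulative_analysis(events, null_route_at=5, alert_at=3):
    """Central DB step: raise severity with the breadth of activity across
    honeypots and sites, then evaluate the trigger points."""
    per_src = defaultdict(lambda: {"severity": 0, "honeypots": set(), "sites": set()})
    for e in map(assign_initial_severity, events):
        rec = per_src[e["src"]]
        rec["severity"] = max(rec["severity"], e["severity"])
        rec["honeypots"].add((e["site"], e["honeypot"]))
        rec["sites"].add(e["site"])

    null_route, alerts = [], []
    for src, rec in per_src.items():
        # Each additional honeypot touched adds one; a source seen at more
        # than one site adds two more (assumed scoring, easy to tune).
        score = rec["severity"] + (len(rec["honeypots"]) - 1)
        score += 2 if len(rec["sites"]) > 1 else 0
        if score >= null_route_at:
            null_route.append(src)        # trigger: add to null route table
        if score >= alert_at:
            alerts.append((src, score))   # trigger: distribute to subscribers
    return {"null_route": sorted(null_route), "alerts": sorted(alerts)}


if __name__ == "__main__":
    print(central_cumulative_analysis(LOCAL_EXPORT))
```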

Page 17

Sean Ensz

[email protected]

Sallie Wright

[email protected]

Dr. Mark Weiser

[email protected]