Honeypots is a new PPT document on networking. It helps to connect to the Internet for the transfer of information.
Use of Honeypots to Detect Exploited Systems Across Large Enterprise Networks
Ashish Gupta
Network Security
May 2004
http://project.honeynet.org/misc/project.html
Overview
- Motivation
- What are Honeypots?
- Gen I and Gen II
- The Georgia Tech Honeynet System
  - Hardware/Software
  - IDS
  - Logging and review
- Some detected exploitations
  - Worm exploits
  - Saga of the Warez exploit
- Words of Wisdom
- Conclusions
Why Honeynets?
- An additional layer of security
Motivation
- Security is a serious problem
- Methods for detection/protection/defense:
  - Firewall: the traffic cop
  - IDS: detection and alert
- These have shortcomings:
  - Internal threats
  - Virus-laden programs
  - False positives and false negatives
- Honeynet: an additional layer
  - Not a panacea
Security: A Serious Problem
- Firewall: a traffic cop
  - Problems: internal threats, virus-laden programs
- IDS: detection and alert
  - Problems: false positives, false negatives
The Security Problem
- Firewall
- IDS
- Honeynets: an additional layer of security
Properties
- Captures all inbound/outbound data
- Standard production systems
- Intended to be compromised
- Data capture
  - Stealth capturing
  - Storage location away from the honeynet
- Data control
  - Protect the network from the honeynets
Two Types
- Gen I
  - Good for simpler attacks
  - Unsophisticated targets
  - Limited data control
- Gen II
  - Sophisticated data control: stealth firewalling
- Gen I chosen
GATech Honeynet System
- Huge network
  - 4 TB data processing/day
- Config
  - Sub-standard systems
  - Open source software
  - Simple firewall data control
IDS
- Invisible SNORT monitor
  - Promiscuous mode
- Two SNORT sessions
  - Session 1: signature analysis, monitoring
  - Session 2: packet capture (data capture)
Data Analysis
- One hour daily!
  - Requires human resources
- Forensic analysis
  - SNORT
  - Data capture: all packet logs stored
  - Ethereal used
Detected Exploitations
- 16 compromises detected
  - Worm attacks
  - Hacker attacks
Detecting Worm Exploits
- Honeynet traffic is suspicious
- Heuristic for worm detection: frequent port scans
- Specific OS-vulnerability monitoring possible
- Captured traffic helps signature development
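The "frequent port scans" heuristic above, as an added example that is not from the deck or the Georgia Tech honeynet: it parses constructed connection-attempt records in an assumed format, and goes slightly beyond the slide by labelling each flagged source as a worm-like sweep (one port across many hosts) or a port scan of one host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the Georgia Tech honeynet); the line
# format "<ISO time> <src> -> <dst>:<port>" is an assumption for this example.
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.9.8.7 -> 192.0.2.10:135
2004-05-01T10:00:01 10.9.8.7 -> 192.0.2.11:135
2004-05-01T10:00:02 10.9.8.7 -> 192.0.2.12:135
2004-05-01T10:00:02 10.9.8.7 -> 192.0.2.13:135
2004-05-01T10:05:00 198.51.100.5 -> 192.0.2.10:21
2004-05-01T10:05:00 198.51.100.5 -> 192.0.2.10:22
2004-05-01T10:05:01 198.51.100.5 -> 192.0.2.10:80
2004-05-01T10:30:00 203.0.113.9 -> 192.0.2.11:80
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_log(text):
    """Yield (time, src, dst, port) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2),
                   m.group(3), int(m.group(4)))

def detect_scans(records, min_targets=3, window=timedelta(seconds=60)):
    """Flag sources that touch >= min_targets distinct (dst, port) pairs
    within one sliding window. Because everything that reaches the honeynet
    is suspect, no production baseline is needed; the label distinguishes a
    worm-like sweep (one port, many hosts) from a port scan of one host."""
    by_src = defaultdict(list)
    for t, src, dst, port in records:
        by_src[src].append((t, dst, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hosts = {d for d, _ in targets}
                ports = {p for _, p in targets}
                kind = ("horizontal" if len(ports) == 1 else
                        "vertical" if len(hosts) == 1 else "mixed")
                alerts[src] = (kind, len(targets))
                break
    return alerts

for src, (kind, n) in detect_scans(parse_log(SAMPLE_LOG)).items():
    print(f"{src}: {kind} scan, {n} targets within 60 s")
```

The single connection from 203.0.113.9 is still worth a look on a honeynet, but it falls below the scan threshold and is left for the daily manual review.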
Saga of the Warez Hacker
- Helped locate a compromised host
  - Honeynet -> IIS exploit -> Warez server + backdoor
- Very difficult to detect otherwise!
Words of Wisdom
- Start small
- Good relationships help
- Focus on internal attacks
- Don't advertise
- Be prepared to spend time
Conclusion
- Helped locate compromised systems
- Can boost IDS research
  - Data capture
- Distributed honeynets?
- Hunting down honeypots: http://www.send-safe.com/honeypot-hunter.php
Discussion
- The usefulness of the extra layer?
- Dynamic honeynets
- Comparison with IDS: are these a replacement or complementary?
(diagram: Honeynet / IDS)
Speaker notes

IDS vs Honeynet: the primary function of an IDS is detection and alerting. Honeynets use an IDS to detect and alert, but nothing is done to control the threat; the primary intent is to log and capture the effects and activities of the threat.

Honeynets do not protect the network; protection is a benefit, not the intent.

Introduce the project. Honeynets are not a panacea for security but only an additional level of protection.