Honeywall CD-ROM (PowerPoint presentation). Developers and speakers: Dave Dittrich, University of Washington; Rob McMillen, USMC; Jeff Nathan, Sygate; William Salusky, AOL.
Honeywall CD-ROM
Developers and Speakers
- Dave Dittrich, University of Washington
- Rob McMillen, USMC
- Jeff Nathan, Sygate
- William Salusky, AOL
A case for Honeynets
- Research of attack technologies and methodologies
- Root-cause analysis of attack motives: "Target of choice or target of chance?"
  - "Getting the problem statement right", Dr. Dan Geer, Journal of the Advanced Computing Systems Association (USENIX), June 2003, Volume 28, number 3
- Self defense
- Incident response and forensic analysis
- Deception and deterrence
Problem: Simplify Honeynet deployment
- Current Honeynet deployments require considerable effort.
- Lack of a standardized deployment platform.
- Lack of a standardized configuration mechanism to facilitate large-scale Honeynet deployment.
- How can Honeynet deployment (especially large-scale deployments) be simplified?
- How can Generation II Honeynet technologies be packaged into an easy-to-use system?
Solution: The Honeywall
- A self-contained Honeynet data control and data management system
- An easily configurable system
- Simplify deployment and management
- Build a system using a bootable CD-ROM.
- Simplify configuration and management using plain text files.
- Use commodity PC hardware to minimize costs.
- Offer routing and bridging functionality to ease network integration.
- Minimize customization efforts with built-in customization hooks.
Honeywall overview
- Bootable Linux CD-ROM
- Utilizes existing Honeynet data control and data capture technologies:
  - iptables (custom Honeywall configuration via rc.firewall)
  - Snort-inline
  - Snort
- Menu-driven configuration interface for easy configuration.
- Single configuration file for interactive or automated configuration.
Honeywall implementation
- Bootable Linux system from ramdisk, logging to hard disk
  - Boot image consists of a Linux kernel
  - Kernel image contains a compressed (800K) initial ramdisk image to bootstrap the system
  - Second stage boot process contains a more complete Linux system
- Generation II Honeynet gateway in a box
- Data control system using iptables
  - Operates as a routing or bridging device
  - Makes a reasonable attempt to prevent stepping stones
Honeywall implementation (continued)
- Complex attack detection/mitigation using Snort-inline
  - Hooks into iptables using queues (libipqueue), performs Gateway Intrusion Detection
  - Detects low-level protocol attacks and abuses
  - Can modify outgoing attacks to prevent compromise of third-party systems
- Data capture facilities using Snort and Snort-inline
  - Captures every packet traversing the Honeywall
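The "modify outgoing attacks" bullet above is the part of the design that most often puzzles people, so here is an added example (written for this page; it is not Snort-inline or Honeynet Project code) modelling what the gateway IDS does with a packet handed to it from an iptables queue: packets that originate inside the honeynet are matched against rules that either drop the packet or rewrite the matched bytes in place, while inbound packets pass untouched. The rule structure, the equal-length replacement requirement, the string-prefix test for "inside the honeynet", the 10.0.1.0/24 honeynet and every packet are constructed assumptions; the /bin/sh to /ben/sh rewrite is the textbook illustration of defusing an outbound attack without closing the connection.

```python
"""Added example: a model of Snort-inline's gateway inspection point.
Written for this page; not Snort-inline or Honeynet Project code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class InlineRule:
    """Minimal analogue of a Snort-inline rule on outbound traffic: match a
    byte pattern in the payload and either drop the packet or replace the
    matched bytes. Requiring an equal-length replacement is an assumption
    made so the packet length does not change."""
    msg: str
    content: bytes
    action: str            # "drop" or "replace"
    replacement: bytes = b""

    def __post_init__(self) -> None:
        if self.action not in ("drop", "replace"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "replace" and len(self.replacement) != len(self.content):
            raise ValueError("replacement must have the same length as content")


def inspect(pkt: Packet, rules: List[InlineRule],
            honeynet_prefix: str) -> Tuple[Optional[Packet], List[str]]:
    """Decide the fate of one queued packet. Only packets that originate
    inside the honeynet (prefix test, a simplification) are subject to the
    rules; inbound packets pass untouched so the attacker sees nothing
    unusual. Returns the packet to forward (None if dropped) and alerts."""
    alerts: List[str] = []
    if not pkt.src.startswith(honeynet_prefix):
        return pkt, alerts
    payload = pkt.payload
    for rule in rules:
        if rule.content not in payload:
            continue
        alerts.append(f"{rule.action.upper()} [{rule.msg}] "
                      f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
        if rule.action == "drop":
            return None, alerts
        payload = payload.replace(rule.content, rule.replacement)
    return Packet(pkt.src, pkt.dst, pkt.dport, payload), alerts


def run_queue(packets: List[Packet], rules: List[InlineRule],
              honeynet_prefix: str) -> Tuple[List[Packet], List[str]]:
    """Drain a queue of packets through inspect(), as the gateway would for
    packets iptables hands to userspace. Returns (forwarded, alerts)."""
    forwarded: List[Packet] = []
    alerts: List[str] = []
    for pkt in packets:
        out, raised = inspect(pkt, rules, honeynet_prefix)
        alerts.extend(raised)
        if out is not None:
            forwarded.append(out)
    return forwarded, alerts


# Constructed rules: one in-place rewrite, one made-up test signature to drop.
RULES = [
    InlineRule("shell invocation in outbound payload", b"/bin/sh", "replace", b"/ben/sh"),
    InlineRule("constructed test signature", b"XX-TEST-SIG-XX", "drop"),
]

# Constructed traffic around a honeypot at 10.0.1.5 (honeynet 10.0.1.0/24).
PACKETS = [
    Packet("10.0.1.5", "198.51.100.7", 23, b"/bin/sh -c id\n"),      # outbound: rewritten
    Packet("203.0.113.9", "10.0.1.5", 23, b"/bin/sh -c id\n"),       # inbound: untouched
    Packet("10.0.1.5", "198.51.100.8", 25, b"HELO XX-TEST-SIG-XX\r\n"),  # outbound: dropped
    Packet("10.0.1.5", "198.51.100.9", 443, b"\x16\x03\x01\x00\x05hello"),  # outbound: clean
]


def run_example() -> Tuple[List[Packet], List[str]]:
    return run_queue(PACKETS, RULES, "10.0.1.")


if __name__ == "__main__":
    forwarded, alerts = run_example()
    for a in alerts:
        print(a)
    print(f"forwarded {len(forwarded)} of {len(PACKETS)} packets")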
Honeywall implementation (continued)
- (Data capture, continued)
  - Generates alerts for events matching conditions within Snort and Snort-inline
  - Facilitates forensic analysis of network data to identify new tools and techniques and to support trend and behavioral analysis of attack incidents
- Utilizes an rc.conf (BSD) style configuration file to simplify system management.
- Leverages commodity PC hardware and a CD-ROM for minimal deployment effort
- Extensible Unix-like shell scripting architecture
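To tie the rc.conf-style configuration file mentioned above to the iptables data control described two slides earlier, here is an added example (written for this page, not Honeywall or Honeynet Project code). It parses a constructed rc.conf-style file and then applies per-honeypot, per-protocol outbound connection limits to a constructed list of connection attempts, which is the mechanism by which the Honeywall keeps a compromised honeypot from becoming a stepping stone. The Hw* variable names, the per-hour accounting window and all addresses are assumptions modelled on the Honeywall's style, not values taken from the project.

```python
"""Added example: an rc.conf-style configuration parser driving a model of the
Honeywall's iptables outbound data control. Written for this page; not code
from the Honeywall or the Honeynet Project."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed rc.conf-style configuration. The Hw* variable names and the
# per-hour limits are assumptions modelled on the Honeywall's style, not
# values copied from the project.
SAMPLE_CONF = """\
# Honeywall data control settings (constructed example)
HwHONEYNET="10.0.1.0/24"      # address range of the honeypots
HwTCPRATE=9                   # outbound TCP connections allowed per hour
HwUDPRATE=20
HwICMPRATE=50
HwOTHERRATE=10
HwMANAGE_IFACE=eth2
"""

_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def parse_rc_conf(text: str) -> Dict[str, str]:
    """Parse KEY=value lines in the BSD rc.conf style: blank lines and '#'
    comment lines are skipped, values may be bare or quoted, and a trailing
    comment after a bare value is dropped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"malformed rc.conf line: {raw!r}")
        key, rest = m.group(1), m.group(2)
        if rest[:1] in ('"', "'"):
            end = rest.find(rest[0], 1)
            if end < 0:
                raise ValueError(f"unterminated quote: {raw!r}")
            value = rest[1:end]
        else:
            value = rest.split('#', 1)[0].strip()
        conf[key] = value
    return conf


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since the Honeywall came up
    src: str
    proto: str   # "tcp", "udp", "icmp" or anything else
    dst: str


def data_control(conns: List[Conn], conf: Dict[str, str]) -> Tuple[List[Conn], List[Conn]]:
    """Model of the outbound connection limiting rc.firewall sets up with
    iptables: each honeypot may open a bounded number of new outbound
    connections per protocol per hour and the rest are dropped. Inbound
    traffic is never limited. Returns (allowed, dropped) in arrival order."""
    honeynet = ipaddress.ip_network(conf["HwHONEYNET"])
    limits = {"tcp": int(conf["HwTCPRATE"]),
              "udp": int(conf["HwUDPRATE"]),
              "icmp": int(conf["HwICMPRATE"])}
    other = int(conf["HwOTHERRATE"])
    seen: Dict[Tuple[str, str, int], int] = defaultdict(int)
    allowed: List[Conn] = []
    dropped: List[Conn] = []
    for c in conns:
        if ipaddress.ip_address(c.src) not in honeynet:
            allowed.append(c)          # inbound: let the attacker in
            continue
        key = (c.src, c.proto, c.ts // 3600)   # one counter per honeypot, protocol, hour
        seen[key] += 1
        if seen[key] <= limits.get(c.proto, other):
            allowed.append(c)
        else:
            dropped.append(c)
    return allowed, dropped


# Constructed traffic: a honeypot at 10.0.1.5 tries 11 outbound TCP
# connections in the first hour, one attacker connects inbound, and the
# honeypot tries once more in the second hour.
SAMPLE_CONNS = (
    [Conn(i * 60, "10.0.1.5", "tcp", "198.51.100.7") for i in range(11)]
    + [Conn(120, "203.0.113.9", "tcp", "10.0.1.5")]
    + [Conn(3700, "10.0.1.5", "tcp", "198.51.100.7")]
)


def run_example() -> Tuple[List[Conn], List[Conn]]:
    conf = parse_rc_conf(SAMPLE_CONF)
    return data_control(SAMPLE_CONNS, conf)


if __name__ == "__main__":
    allowed, dropped = run_example()
    print(f"allowed {len(allowed)}, dropped {len(dropped)}")
    for c in dropped:
        print(f"  DROP t={c.ts:>5} {c.src} -> {c.dst} {c.proto}")
```

With the constructed limit of 9 TCP connections per hour, the tenth and eleventh attempts in the first hour are dropped, the attempt in the second hour is allowed again, and the inbound connection is never counted.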
Honeywall boot process
- Boot Linux system from initial ramdisk (initrd)
  - Load minimal kernel into memory
- Bootstrap Honeywall using the linuxrc initialization script
  - Mount root filesystem read-write
  - Mount /proc
  - Attempt to mount CD-ROM
  - Mount cramfs (compressed) filesystem from CD-ROM on a loop device
Honeywall boot process (continued)
- Continue Honeywall initialization
  - Probe hardware devices and load kernel modules
  - Extract tar/gzip compressed archive of supplemental commands
  - Update shared library cache (ldconfig)
  - Look for pre-configured Honeywall hard disk
  - Instantiate default Honeywall packet filter
  - Perform final configuration of data control components
  - Execute custom.sh
- Start administration interface
Honeywall customization
- Floppy disk configuration file
- Modify ISO with custom script before burning
  - Just use custom.sh to set variables, start things
  - Use custom.sh to communicate with central server
  - Use SSH to set variables from central management host
- Rip ISO apart, modify file system, then rebuild
  - Allows adding new programs, new services, new capabilities
  - Supports development independent of the Honeynet Project
Honeywall deployment
- Requires PC hardware with 3 network interfaces, IDE disks and 256MB RAM
- Connected to an existing network of hosts by placing the Honeywall system between possible attackers and the Honeynet systems
Honeynet deployment (continued)
Honeywall demonstration
Future work (a production system)
- Integration of Honey Inspector UI
- Web interface to customize ISO
- Command shell for remote management
- Remote Honeywall Manager
Resources and questions
- Email:
- Watch the tools section on http://project.honeynet.org
Questions?
Customization in more detail
- How a CD-ROM is born
- Modification of ISO image
- De/reconstruction of ISO image