Learn about network administrator tools like ipconfig, ifconfig, netstat, and more. Explore the concept of Chroot Jails and deploying Gen.I and Gen.II Honeynets for network security.
CSCE 815 Network Security, Lecture 24: Your Jail and HoneyNets (April 17, 2003)
Network Administrator Tools
• Network administration tools:
  • ipconfig (MSDOS/Windows)
  • ifconfig
  • netstat
  • /etc/… (not really tools as much as files)
  • /sbin/…
  • Find Ethernet/IP addresses
• More tools: http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid=23
Chroot Jails
• References:
  • http://librenix.com/ (general purpose security/Linux site)
  • http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
• chroot environment:
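The slide names the chroot environment but does not show how one is built. The following is an added example (not the lecture's or the referenced sites' code) of the two steps a practitioner performs: staging the binary and the shared libraries it needs inside the jail directory, and then entering the jail in the order that actually confines the process (chroot, then chdir into the new root, then drop root). The `ldd` output below is a constructed sample, the library paths in it are assumptions, and `build_demo_jail()` uses a fake binary so the staging part runs without root.

```python
"""Staging and entering a chroot jail (added example, not from the lecture).

Assumptions: SAMPLE_LDD_OUTPUT is a constructed sample of `ldd` output, and the
fake binary written by build_demo_jail() stands in for a real daemon.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample of `ldd /bin/sh` output; library paths are assumptions.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd2c5f0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3a1c400000)
"""


def parse_ldd(output: str) -> list[str]:
    """Return the on-disk shared objects named in ldd output.

    'name => /path (addr)' lines yield /path; a bare '/path (addr)' line (the
    dynamic loader) yields /path; entries without a path (the vdso) are skipped.
    """
    libs = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        target = line.split("=>", 1)[1] if "=>" in line else line
        target = target.strip().split(" ", 1)[0]
        if target.startswith("/"):
            libs.append(target)
    return libs


def populate_jail(jail: Path, files: list[Path]) -> list[Path]:
    """Copy each file into the jail at the same absolute path it has on the host.

    Returns the paths created inside the jail. Nothing in the jail should be
    writable by the confined user except a dedicated data directory.
    """
    created = []
    for src in files:
        src = src.resolve()
        dest = jail / src.relative_to("/")
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        created.append(dest)
    return created


def enter_jail(jail: Path, uid: int, gid: int) -> None:
    """Confine the current process; must be called as root.

    Order matters: chroot(2) first, then chdir('/') so the working directory is
    inside the new root, then drop group and user privileges so the process can
    no longer call chroot(2) again. A jail entered as root, or without the
    chdir, does not confine anything.
    """
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() == 0 or os.getgid() == 0:
        raise RuntimeError("privileges were not dropped; refusing to continue")


def build_demo_jail() -> dict:
    """Stage a throwaway jail from a constructed fake binary (no root needed)."""
    base = Path(tempfile.mkdtemp(prefix="jail-demo-"))
    fake_bin = base / "src" / "bin" / "tool"
    fake_bin.parent.mkdir(parents=True)
    fake_bin.write_text("#!/bin/sh\necho confined\n")
    jail = base / "jail"
    created = populate_jail(jail, [fake_bin])
    return {
        "jail": str(jail),
        "created": [str(p.relative_to(jail)) for p in created],
        "content_matches": created[0].read_bytes() == fake_bin.read_bytes(),
    }


if __name__ == "__main__":
    print("libraries to copy:", parse_ldd(SAMPLE_LDD_OUTPUT))
    print(build_demo_jail())
    # enter_jail(Path("/srv/jail"), uid=65534, gid=65534) would follow, as root.
```

In real use the file list handed to `populate_jail` is the daemon binary plus `parse_ldd(subprocess.check_output(["ldd", binary], text=True))`, and `enter_jail` is called by the daemon itself before it starts serving, with an unprivileged uid/gid created for it.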
The Hacker Community
• The Black Hat Community
• Facts:
  • 20 unique scans a day
  • Fastest compromise: 15 minutes
  • Default RH 6.2 life expectancy is 72 hrs
  • 100-200% increase in activity from 2000 to 2001
• Source: http://project.honeynet.org/papers/stats
What needs to be done?
• Awareness: to raise awareness about new and existing threats and attacks
• Information: collect information about attacks and the people who cause them, their tools and techniques
• Analysis: assess vulnerabilities in the system
Deploying a Gen II Honeynet
• Objective:
  • To learn about threats and attacks on the most vulnerable Unix and Windows based applications
  • To learn about tools and techniques used by the attackers
  • To collect and analyze attack data
Honeypot
• Operating system with applications vulnerable to attacks
• Designed to capture all activities generated by an intruder
• Types:
  • Production honeypot: low interaction, simulated environment (e.g. Specter, BOF)
  • Research honeypot: high interaction, for learning purposes
Honeynet
• Comprised of high interaction honeypots
• Simulates a real/production environment
• Components:
  • Data Control: a compromised honeypot should not be used to attack other systems
  • Data Capture: capture the attacker's activity (e.g. keystrokes)
  • Data Collection: collecting honeynet data on a remote machine
Gen I Honeynet
• Placed on an isolated network
• Firewall and router are used as access control devices
• Better data control than a traditional honeypot
Limitations of Gen I Honeypot
• Easily detectable
  • Outbound packets have their TTL decremented at the routing firewall (layer 3 device)
  • Intruder can fingerprint the network
• Poor data control mechanism
  • Intruder can use the system to attack other systems
• Absence of content-based detection
Gen II Honeynet
• Goals of Gen II Honeynet:
  1. Undetectable system
    • Placed in a production network
    • Access control implemented by a gateway device (layer 2 device)
    • Absence of TTL decrement
  2. Efficient data control mechanisms
How to implement the Honeynet
• Building the honeypots
• Building the sensor
  • Bridge construction
  • Kernel hardening
  • Data control
  • Data capture
  • Data collection
Building Honeypots
• Cleaning the machine
  • FWipe (Linux)
  • Eraser (Windows)
• Linux honeypot
  • Redhat 7.3, kernel 2.4.8-13
  • Apache server, SSH, FTP, Telnet
• Windows honeypot
  • Default installation of Windows 2000 Server
  • IIS web server, IE, Microsoft SQL Server
Honeynet Bridge (diagram)
• Eth0: no IP, faces the Internet
• Eth1: no IP, faces the honeypots (129.252.140.3, 192.252.140.7)
• Eth2: 129.252.xxx.yyy, administrative interface
  • SSH connections
  • Trusted hosts
Honeynet Communication Channel (diagram)
• Eth0 in promiscuous mode, Eth1 in promiscuous mode; hub; IP forwarding
• The packet leaving the honeypot and the packet leaving the bridge are identical, so the bridge is invisible:
  • Source IP: 129.252.140.7, Destination IP: 208.122.101.1
  • TTL: 30 on both sides (no decrement)
  • Source MAC: 07 E2 G5 89 P1, Destination MAC: 0H F5 7F 2L G2 on both sides
Kernel Hardening
• Bastille Linux
  • Non-executable IP user stack
  • Secures /proc and /var directories
  • Prevents users from creating hard links to files that they don't own
  • Restricts writes into pipes
Data Control: Snort-Inline and IPTables
• Modes of operation:
  • Connection Limiting Mode: count packets by protocol type
  • Drop Mode: libipq reads packets from kernel space; packets are matched against Snort signatures and dropped if there is a match
  • Replace Mode: packets are matched against Snort signatures and, if they match, the harmful content of the packet is scrubbed and returned to the attacker
Connection Limiting Mode (diagram): IPTables → IPTables; when packet no. = 10 → DROP
Snort-Inline Drop Mode (diagram): IPTables → ip_queue → Snort-Inline (Snort rules = drop) → Drop
Snort-Inline Replace Mode (diagram): IPTables → ip_queue → Snort-Inline (Snort rules = replace, bin/sh -> ben/sh) → IPTables
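The three data control modes above (connection limiting, drop, replace) are easier to reason about when run over concrete traffic. The following is an added example, not the honeynet's Snort-Inline or IPTables configuration: a small gateway simulation that applies the packet-count limit per protocol, drops on a signature match, and scrubs `/bin/sh` to `/ben/sh` in place. The packet records, the signatures and the payloads are constructed; the honeypot and attacker addresses are taken from the lecture's communication channel diagram.

```python
"""Simulation of the three Snort-Inline/IPTables data control modes from the
lecture (added example, not the honeynet's own configuration). Packet records,
signatures and payloads are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

CONNECTION_LIMIT = 10  # outbound packets per protocol before dropping ("packet no. = 10" on the slide)

# Constructed content signatures: pattern -> (action, replacement).
# Replacements have the same length as the pattern so the TCP segment length
# and sequence numbers stay consistent after scrubbing.
SIGNATURES = {
    b"/bin/sh": ("replace", b"/ben/sh"),      # the slide's bin/sh -> ben/sh scrub
    b"\x90\x90\x90\x90": ("drop", None),       # constructed: NOP-sled fragment
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    payload: bytes = b""
    outbound: bool = True  # True when the honeypot is the sender


class DataControl:
    """Inbound traffic is passed untouched so the attack can be observed;
    outbound traffic is limited and inspected so a compromised honeypot
    cannot be used against third parties."""

    def __init__(self, limit: int = CONNECTION_LIMIT):
        self.limit = limit
        self.outbound = Counter()  # (honeypot, proto) -> packets seen
        self.log = []

    def connection_limit(self, pkt: Packet) -> str:
        """Connection limiting mode: count outbound packets per protocol."""
        key = (pkt.src, pkt.proto)
        self.outbound[key] += 1
        return "drop" if self.outbound[key] > self.limit else "pass"

    def inspect(self, pkt: Packet) -> tuple:
        """Drop mode and replace mode: match the payload against signatures."""
        for pattern, (action, replacement) in SIGNATURES.items():
            if pattern not in pkt.payload:
                continue
            if action == "drop" or len(replacement) != len(pattern):
                return "drop", pkt  # never change the segment length; fall back to drop
            pkt.payload = pkt.payload.replace(pattern, replacement)
            return "replace", pkt
        return "pass", pkt

    def process(self, pkt: Packet) -> tuple:
        if not pkt.outbound:
            return "pass", pkt
        if self.connection_limit(pkt) == "drop":
            self.log.append(("drop-limit", pkt.src, pkt.proto))
            return "drop", pkt
        verdict, pkt = self.inspect(pkt)
        if verdict != "pass":
            self.log.append((verdict, pkt.src, pkt.proto))
        return verdict, pkt


def run_demo() -> dict:
    """Push a constructed outbound burst from the honeypot through the gateway."""
    honeypot, attacker = "129.252.140.7", "208.122.101.1"  # addresses from the lecture's diagram
    payloads = [b""] * 12
    payloads[1] = b"exec /bin/sh -i"             # gets scrubbed (replace mode)
    payloads[4] = b"\x90\x90\x90\x90\xcc"         # gets dropped (drop mode)
    packets = [Packet(honeypot, attacker, "tcp", p) for p in payloads]
    packets.append(Packet(attacker, honeypot, "tcp", b"/bin/sh", outbound=False))  # inbound: passed as-is
    gw = DataControl()
    verdicts, scrubbed = [], None
    for pkt in packets:
        verdict, out = gw.process(pkt)
        verdicts.append(verdict)
        if verdict == "replace":
            scrubbed = out.payload
    return {"verdicts": verdicts, "scrubbed": scrubbed, "log": gw.log}


if __name__ == "__main__":
    print(run_demo())
```

Packets 11 and 12 of the burst are dropped by the count limit alone, independent of content, which is what makes connection limiting useful against outbound traffic the signatures do not recognise; the two signature verdicts show why replace mode must keep the payload length unchanged and fall back to a drop otherwise.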
Protect the Administrator Interface
• Portsentry
  • Detects SYN/half open, FIN, NULL scans
  • Will block the host in real time and report to the administrator
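How a Portsentry-style sentry tells the three scan types apart and decides when to block a source is worth seeing in code. The following is an added example and not Portsentry's own implementation: it classifies TCP flag combinations (a lone SYN to a port the interface does not serve, a lone FIN, or no flags at all), counts distinct probed ports per source, and emits the block rule once a threshold is crossed. The traffic sample, the addresses, the allowed-service set (only SSH, as the bridge slide states) and the threshold value are constructed assumptions.

```python
"""Portsentry-style scan detection for the administrative interface (added
example, not Portsentry's own code). Sample packets, the allowed-service set
and the block threshold are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {22}   # the admin interface only offers SSH (from the slide)
PROBE_THRESHOLD = 5    # distinct probed ports before a source is blocked (assumed)


@dataclass(frozen=True)
class TcpProbe:
    src: str
    dport: int
    flags: frozenset   # e.g. frozenset({"SYN"}); an empty set is a NULL packet


def classify(probe: TcpProbe) -> Optional[str]:
    """Return the scan type a packet indicates, or None for legitimate traffic."""
    if probe.flags == frozenset({"SYN"}):
        # A lone SYN is normal on a real service port; on any other port it is a half-open probe.
        return None if probe.dport in SERVICE_PORTS else "syn"
    if probe.flags == frozenset({"FIN"}):
        return "fin"   # a FIN with no session behind it only comes from a scanner
    if not probe.flags:
        return "null"  # no flags at all is never legitimate TCP
    return None


class ScanSentry:
    def __init__(self, threshold: int = PROBE_THRESHOLD):
        self.threshold = threshold
        self.probed = defaultdict(set)  # src -> set of (scan type, port)
        self.blocked = {}               # src -> scan type that triggered the block

    def observe(self, probe: TcpProbe) -> Optional[str]:
        """Record a probe; return the DROP rule when the source crosses the threshold."""
        if probe.src in self.blocked:
            return None
        kind = classify(probe)
        if kind is None:
            return None
        self.probed[probe.src].add((kind, probe.dport))
        if len(self.probed[probe.src]) >= self.threshold:
            self.blocked[probe.src] = kind
            # Rule the administrator would apply; returned as text, not executed here.
            return f"iptables -I INPUT -s {probe.src} -j DROP"
        return None


def run_demo() -> dict:
    """Run constructed traffic (placeholder addresses) through the sentry."""
    syn, fin, null = frozenset({"SYN"}), frozenset({"FIN"}), frozenset()
    sample = (
        [TcpProbe("198.51.100.9", p, syn) for p in (21, 23, 25, 80, 110)]     # SYN sweep: blocked
        + [TcpProbe("198.51.100.23", p, null) for p in (135, 139, 445)]      # NULL probes under threshold
        + [TcpProbe("203.0.113.5", 22, syn), TcpProbe("203.0.113.5", 22, frozenset({"ACK"}))]  # normal SSH
    )
    sentry = ScanSentry()
    rules = [r for r in (sentry.observe(p) for p in sample) if r]
    return {
        "rules": rules,
        "blocked": dict(sentry.blocked),
        "pending": {s: len(v) for s, v in sentry.probed.items() if s not in sentry.blocked},
    }


if __name__ == "__main__":
    print(run_demo())
```

The trusted-host rule on the bridge slide belongs in front of this logic: sources on the trusted list should be exempted before `observe` is called, otherwise a misconfigured admin workstation can lock itself out of the interface.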
Data Control: Tripwire
• Maintains the integrity of data on the system
• Creates cryptographic checksums of files and directories
• Reports when changes are made to:
  • Access permissions, inode number, user id, group id, date and time, size
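The attribute list on this slide is exactly what an integrity checker snapshots. The following is an added example, not Tripwire itself: it records the permissions, inode, uid, gid, mtime and size the slide names plus a SHA-256 of each regular file, and compares two snapshots to report added, removed and changed entries with the attributes that differ. The monitored tree, its file names and the simulated tampering are constructed in a temporary directory.

```python
"""Tripwire-style integrity checking (added example, not Tripwire itself).
The monitored tree and its files are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

WATCHED = ("mode", "inode", "uid", "gid", "mtime", "size", "sha256")


def record(path: Path) -> dict:
    """Snapshot the attributes the lecture lists plus a SHA-256 of regular files."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),  # access permissions only
        "inode": st.st_ino,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
        "size": st.st_size,
        "sha256": digest.hexdigest(),
    }


def baseline(root: Path) -> dict:
    """Map every file and directory under root (by relative path) to its record."""
    return {str(p.relative_to(root)): record(p) for p in sorted(root.rglob("*"))}


def compare(old: dict, new: dict) -> dict:
    """Report added, removed and changed entries; 'changed' lists the differing attributes."""
    changed = {}
    for path in old.keys() & new.keys():
        diff = [f for f in WATCHED if old[path][f] != new[path][f]]
        if diff:
            changed[path] = diff
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
    }


def run_demo() -> dict:
    """Build a small constructed tree, take a baseline, tamper, and compare."""
    root = Path(tempfile.mkdtemp(prefix="tw-demo-"))
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    conf, tool = root / "etc" / "app.conf", root / "bin" / "tool"
    conf.write_text("listen=127.0.0.1\n")
    tool.write_bytes(b"\x7fELF-placeholder")
    tool.chmod(0o644)
    before = baseline(root)
    # Simulated tampering: config edited, binary made executable, a file added.
    conf.write_text("listen=0.0.0.0\n")
    tool.chmod(0o755)
    (root / "bin" / "extra").write_text("#!/bin/sh\n")
    return compare(before, baseline(root))


if __name__ == "__main__":
    print(run_demo())
```

The baseline is only as trustworthy as where it is kept: an intruder who can rewrite the snapshot can hide every change, so it should go on read-only media or to the remote collection host the data collection slide describes, not on the honeypot itself.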
Data Capture Mechanisms
• Snort-Inline
• Comlog: logs commands executed by cmd.exe (Windows)
• Eventlog: forwards packets to the syslog server (Windows)
• Sebek (Linux):
  • Keystroke logging
  • Uses a UDP connection
Data Collection
• Syslog:
  • To deceive the intruder, maintain another syslog.conf file in a different location
• Remote syslog:
  • Data stored on a remote machine
Data Analysis
• Log Sentry:
  • Audits logs and reports any violations
• The @stake Sleuth Kit:
  • Analyses images generated by the dd command
  • Converts and copies a file
  • Displays deleted files
  • Creates a timeline of file activity
Top 10 Attacked Services
• Linux based attack:
  • RPC
  • Apache
  • SSH
  • SNMP
  • FTP
  • R-Services
  • LPD
  • Sendmail
  • BIND/DNS
  • Weak accounts
• Windows based attack:
  • IIS
  • MDAC
  • Microsoft SQL Server
  • NETBIOS
  • Weak LM hashing
  • Anonymous logon
  • Weak accounts
  • IE
  • Remote registry access
  • Windows Scripting Host
Risk Analysis
• Placed on the 129.252.140 subnet
• Can be shut down in case of emergency
• Efficient data control mechanisms:
  • Firewall (connection limiting mode)
  • Snort-Inline (drop mode)
References
• Librenix: http://librenix.com
  • firewalls
  • types of firewalls
  • configurations
  • access control
• Newsforge: http://newsforge.com/newsforge
• Deploying a GenII Honeynet: MS Thesis, Harish Siripurapu