
KFSensor



Presentation Transcript


  1. Sunil Gurung [60-475] Security and Privacy on the Internet KFSensor Honeypot and Intrusion Detection System

  2. Agenda • Introduction • Honeypot Technology • KFSensor • Components of KFSensor • Features • Tests • Conclusion

  3. Introduction • Increasing security threats with the proliferation of the internet • Network security – firewall, IDS, antivirus • Traditional approach – defensive • Today – a more proactive approach • Honeypot

  4. Honeypot Technology • “A honeypot is a security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner • We want attackers to probe and exploit the virtual system running emulated services. • The system has no production value and receives no legitimate traffic, so most connections are a probe, an attack or a compromise. • Complements the traditional security tools.

  5. Fig: The basic setup of a honeypot system. In the figure, two KFSensor hosts are configured as production honeypots. Figure taken from “User Manual of KFSensor – Help”.

  6. Advantages and Disadvantages Advantages: • Collects a small, high-value set of data • Captures new techniques and tools • Minimal resources • Information • Simplicity Disadvantages: • Limited view: cannot capture attacks against other systems • Risk: the honeypot itself may be taken over by the bad guys

  7. Types of Honeypot Interaction: the level of activity the honeypot allows the attacker. • Low interaction: emulated services, easy to deploy and maintain, less risk. Designed to capture only known attacks. • High interaction: real services are set up and the attacker interacts with a real OS. More information, no assumptions made, a fully open environment. Risk: the attacker can use the real honeypot to attack others.

  8. KFSensor • Commercial low-interaction honeypot solution • Windows OS • Preconfigured services: SSH, HTTP, FTP, etc. • Easy configuration and flexible Product detail: Software: KFSensor Version: 2.2.1 License: Evaluation (14-day trial) Vendor: Key Focus Download site: http://www.keyfocus.net/kfsensor/

  9. Installation • Download the application from the website • Initial setup wizard: naming the domain, email, alerts • To install, log in as Administrator • C:\kfsensor\logs – XML log files • The KFSensor server runs as a daemon, i.e. a Windows service [kfsnserve.exe] • Open the KFSensor monitor (GUI)

  10. Components of KFSensor KFSensor Server: performs the core functionality; outsiders interact with the server, which has no GUI. KFSensor Monitor: interprets all the data and alerts captured by the server and presents them graphically.

  11. Features • File menu: Export [HTML, XML, TSV or CSV], Service • View menu: Ports View, Visitors View • Editing scenarios: Edit Listens, Edit Rules, Sim Server

  12. Editing Scenario

  13. Editing Listens Listen On: • Name: identifies the listen when a connection is made to this particular specification • Protocol: choice between UDP or TCP • Port • Bind Address: the IP address the listen binds to Action: • Action Type: the action to be performed once the connection is made by the outsider • Severity: the level of severity of the event generated, used to alert the admin • Time out: value in seconds the server waits before it closes the connection • Sim Name: specifies the Sim Server used

  14. Edit Rule

  15. Sim Server • Sim Banner: sends a fixed banner on connect and records what the visitor sends • Sim Standard Server: a fuller emulation of the protocol
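To make the Editing Listens fields and the Sim Banner action concrete, here is a minimal low-interaction listener written for this page; it is an added example, not KFSensor's code, and the FTP banner text and the `Listen`/`Event` field names are assumptions modelled on the slide. It binds a listen, sends the banner on connect, waits up to the configured timeout for the visitor's first data, and logs an event carrying the listen name, severity and visitor address, which is what the monitor would display.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class Listen:
    """One listen entry, mirroring the fields on the Editing Listens slide (names assumed)."""
    name: str                 # identifies the listen in the event log
    port: int                 # 0 lets the OS pick an ephemeral port (handy for tests)
    banner: bytes             # what the Sim Banner sends on connect (constructed text)
    severity: str = "medium"
    timeout: float = 5.0      # seconds to wait for visitor data before closing
    protocol: str = "TCP"
    bind_address: str = "127.0.0.1"


@dataclass
class Event:
    """What the monitor would show for one visitor connection."""
    listen_name: str
    severity: str
    visitor: str
    port: int
    received: bytes = b""
    timed_out: bool = False


class BannerHoneypot:
    """Low-interaction listener: send a banner, capture the first thing the visitor sends."""

    def __init__(self, listen: Listen):
        if listen.protocol != "TCP":
            raise ValueError("this example only emulates TCP listens")
        self.listen = listen
        self.events = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((listen.bind_address, listen.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]   # resolved port after bind

    def serve_one(self) -> Event:
        """Accept one connection, play the banner, record the result, close."""
        conn, (host, _) = self._sock.accept()
        received, timed_out = b"", False
        with conn:
            conn.settimeout(self.listen.timeout)
            conn.sendall(self.listen.banner)
            try:
                received = conn.recv(1024)
            except socket.timeout:               # visitor sent nothing within the timeout
                timed_out = True
        event = Event(self.listen.name, self.listen.severity, host,
                      self.port, received, timed_out)
        self.events.append(event)
        return event

    def close(self):
        self._sock.close()


def probe(listen: Listen, payload: Optional[bytes]):
    """Run one listen, connect to it as a visitor, return (banner seen, event logged)."""
    hp = BannerHoneypot(listen)
    result = {}

    def run():
        result["event"] = hp.serve_one()

    t = threading.Thread(target=run)
    t.start()
    try:
        with socket.create_connection((listen.bind_address, hp.port),
                                      timeout=listen.timeout + 5) as c:
            banner = c.recv(1024)
            if payload is not None:
                c.sendall(payload)
            c.recv(1024)   # returns b"" once the honeypot closes the connection
    finally:
        t.join()
        hp.close()
    return banner, result["event"]


if __name__ == "__main__":
    ftp = Listen("FTP", 0, b"220 FTP server ready\r\n", severity="high", timeout=1.0)
    print(probe(ftp, b"USER anonymous\r\n"))
    print(probe(ftp, None))   # second probe: silent visitor, logged as timed out
```

The timeout branch matters in practice: scanners that complete the TCP handshake and disconnect without sending anything still produce a logged event, so the Visitors View counts them even though no protocol data was captured.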

  16. DoS attack configuration • Other features • Email alerts • Log database

  17. Test Environment • Inside the router • Outside the router 1) University network [IP address: 137.207.238.113 – Sunil.uwindsor.ca] 2) Home network: honeypot system placed inside the router [192.168.0.102] 3) Direct connection to the internet through [24.57.84.215] 4) Tested on the local machine [127.0.0.1] Various tests performed:

  18. Test 1: FTP emulation

  19. Test 2: SMTP

  20. Test 3: Other Tests (Threats and Viruses) • Sasser worm: TCP port 5554 (the FTP backdoor Sasser opens on infected hosts) • Attacks from: • IP 1: 218.253.9.215 – cm218-253-9-215.hkcable.com.hk • Toronto-HSE ppp3864532.sympatico.ca

  21. Test 3 - Cont. IIS, DameWare, MyDoom attacks IIS – Web server; KFSensor can emulate it as a highly interactive service. DameWare – a remote control application similar to VNC. Attackers found a buffer overflow vulnerability in it and use it to run their own code on the target. This threat uses TCP port 6129. MyDoom – a mass-mailing worm that launched DDoS attacks and installed a backdoor listening on TCP port 3127 on the infected system.

  22. Test 3 - Cont. LoveGate worm The LoveGate worm's backdoor uses port 20168. Port scanning: a visitor touching many ports in a short time shows up as a sequence of events in the Visitors View.
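The worm ports listed in Test 3 and the port-scanning observation above lend themselves to simple post-processing of the event log. The following is an added example for this page, not KFSensor code: it labels events by the ports the presentation names (Sasser 5554, DameWare 6129, MyDoom 3127, LoveGate 20168) and flags a visitor as a port scanner when it hits at least `min_ports` distinct ports within a sliding `window` of seconds. The event log is constructed sample data, and the window and threshold values are assumptions to tune.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# (unix seconds, visitor IP, destination TCP port), the minimum an export carries
LogEvent = Tuple[int, str, int]

# Ports the presentation's tests saw hit, mapped to the threat that probes them.
KNOWN_PORTS = {
    5554: "Sasser (FTP backdoor)",
    6129: "DameWare Mini Remote Control",
    3127: "MyDoom backdoor",
    20168: "LoveGate backdoor",
}

# Constructed sample log (documentation IP ranges), not real captured traffic.
SAMPLE_EVENTS: List[LogEvent] = [
    (1000, "203.0.113.10", 5554),
    (1003, "203.0.113.10", 5554),
    (1100, "198.51.100.7", 21),
    (1101, "198.51.100.7", 22),
    (1102, "198.51.100.7", 25),
    (1103, "198.51.100.7", 80),
    (1104, "198.51.100.7", 3127),
    (1105, "198.51.100.7", 6129),
    (1200, "192.0.2.33", 20168),
    (1800, "192.0.2.33", 6129),
]


def label(port: int) -> str:
    """Name the threat a port is associated with, or mark it unclassified."""
    return KNOWN_PORTS.get(port, "unclassified")


def threat_hits(events: List[LogEvent]) -> Dict[str, List[str]]:
    """Visitor IP -> sorted list of known threats whose ports it touched."""
    hits = defaultdict(set)
    for _, ip, port in events:
        if port in KNOWN_PORTS:
            hits[ip].add(KNOWN_PORTS[port])
    return {ip: sorted(names) for ip, names in hits.items()}


def detect_port_scans(events: List[LogEvent], window: int = 60,
                      min_ports: int = 5) -> Dict[str, int]:
    """Visitor IP -> max number of distinct ports it hit within any `window` seconds,
    for visitors that reached `min_ports` or more (assumed thresholds)."""
    by_visitor = defaultdict(list)
    for ts, ip, port in events:
        by_visitor[ip].append((ts, port))
    scanners: Dict[str, int] = {}
    for ip, hits in by_visitor.items():
        hits.sort()                       # order by timestamp
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits within `window` seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            if distinct >= min_ports:
                scanners[ip] = max(distinct, scanners.get(ip, 0))
    return scanners


if __name__ == "__main__":
    for ts, ip, port in SAMPLE_EVENTS:
        print(ts, ip, port, label(port))
    print("known threats:", threat_hits(SAMPLE_EVENTS))
    print("port scanners:", detect_port_scans(SAMPLE_EVENTS))
```

Two visitors in the sample touch a worm port without scanning (one repeated Sasser probe, one slow pair of hits ten minutes apart), while the third sweeps six ports in six seconds; only that one is reported as a scanner, which matches how the Visitors View separates a single worm probe from a scan.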

  23. Conclusion • Good user interface • Easy to configure emulation services • Flexible • Minimal risk • Limited to minimal transactions with the attacker A honeypot cannot replace the existing security systems; it works best alongside them.
