Honeynet
Jonas Pfoh, Daniel Angermeier

Overview
• Introduction
• Definition
• Goals
• Tools
• Outline
• Organizational aspects
Honeynets 2

Introduction
• Jonas Pfoh
  • M.S.
  • I20, Chair for IT-Security, Prof. Dr. Eckert
  • Virtual machine introspection and intrusion detection methods
• Daniel Angermeier
  • Dipl.-Inf.
  • I20, Chair for IT-Security, Prof. Dr. Eckert
  • String distance based malicious site detection & Collaborative Intrusion Detection

Definition
• "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." [1]
• Honeynet: network of honeypots

Goals
• Intrusion detection
• Analyzing attacks
• Harvesting malware
• Testbed for security tools

Tools
• VMware Server
  • Virtualization for honeypot machines
  • Isolation between honeynet and maintenance network
  • Virtual machines easily restorable
• tcpdump
  • Raw packet capturing for analysis
• MySQL
  • Database storing preprocessed data
  • SQL interface for further analysis

Tools
• Sebek
  • Sebek client
    • Resident on each honeypot
    • Keylogging & module hiding ("rootkit")
    • Hooks the "open" and "read" system calls (Linux)
  • Sebek server
    • Resident on the monitoring machine
    • Client output aggregation
    • Writes to MySQL database
  • Communication performed covertly ("ideally")

Tools
• ebtables
  • L2 packet filter
  • Hides Sebek packets from honeypots
• Snort
  • IDS
  • Categorization
  • Writes to MySQL database
• p0f
  • (Passive) OS fingerprinting
  • Writes to MySQL database

Outline
• Week 1: Introduction
• Week 2: Architecture, OSs and services
• Week 3: Honeynet configuration & Sebek
• Week 4: Firewall
• Whitsun break

Outline
• Week 5: Monitoring
• Week 6: Monitoring in action
• Week 7: Setup presentations
• Week 8: Setup presentations continued
• Week 9: Consolidation

Outline
• Week 10: Malware session and "opening the floodgates"
• Week 11: An attacker's perspective
• Week 12: Analysis phase
• Week 13: Analysis phase ctd.
• Week 14: Final presentations

Organizational aspects
• Lab tasks
• Graded homework to be submitted via email to: honeynet-homework@sec.in.tum.de
• Mailing list: honeynet-praktikum@sec.in.tum.de

Organizational aspects
• Grading:
  • Participation and lab tasks 10%
  • Graded homework 25%
  • Midterm presentation 25%
  • Final presentation and result 40%
• Presentations: 20% style, 80% content
• 0 points in any aspect makes 0 total
Literature
[1] Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. Proceedings of the twentieth ACM Symposium on Operating Systems Principles, October 23-26, 2005, Brighton, United Kingdom.