Honeynet


Presentation Transcript


  1. Honeynet Jonas Pfoh, Daniel Angermeier

  2. Overview • Introduction • Definition • Goals • Tools • Outline • Organizational aspects Honeynets 2

  3. Introduction • Jonas Pfoh • M.S. • I20, Chair for IT-Security, Prof. Dr. Eckert • Virtual machine introspection and intrusion detection methods • Daniel Angermeier • Dipl.-Inf. • I20, Chair for IT-Security, Prof. Dr. Eckert • String distance based malicious site detection & Collaborative Intrusion Detection

  4. Definition • "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." [1] • Honeynet: a network of honeypots

  5. Goals • Intrusion detection • Analyzing attacks • Harvesting malware • Testbed for security tools

  6. Tools • VMware Server – Virtualization for the honeypot machines – Isolation between the honeynet and the maintenance network – Virtual machines are easily restored to a clean snapshot after compromise • tcpdump – Raw packet capture for later analysis • MySQL – Database storing the preprocessed data – SQL interface for further analysis

  7. Tools • Sebek – Sebek client: resident on each honeypot; keylogging and module hiding ("rootkit"); hooks the "open" and "read" system calls (Linux) – Sebek server: resident on the monitoring machine; aggregates client output; writes to the MySQL database – Communication is performed covertly ("ideally": the attacker should not be able to see or block it)

  8. Tools • ebtables – L2 (bridge-level) packet filter – Hides Sebek packets from the honeypots • Snort – IDS – Categorization of attacks – Writes to the MySQL database • p0f – Passive OS fingerprinting – Writes to the MySQL database
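The Snort to MySQL to SQL-analysis pipeline of slides 6 and 8, as an added example that is not part of the original slides or the lab's own tooling. It parses Snort "fast"-format alert lines into a table and runs the kind of queries the analysis phase needs (top sources, per-classification counts), plus one check a honeynet operator wants: alerts whose source is a honeypot and whose destination is the maintenance network, which would mean the isolation the slides rely on has failed. SQLite stands in for MySQL so the script runs offline; the alert lines, rule sids and the honeynet/maintenance address ranges are constructed for the example, not real captures or the lab's addresses.

```python
"""Added example (not from the Honeynet lab slides): Snort alert_fast lines ->
SQL table -> analysis queries. SQLite stands in for the MySQL database on the
slides; all sample data below is constructed."""
import ipaddress
import re
import sqlite3

# Snort alert_fast line layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>[:port] -> <dst>[:port]
# The Classification block is absent for rules that have no classtype.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts; sids, messages and addresses are made up.
SAMPLE_ALERTS = """\
05/02-10:15:22.123456  [**] [1:1000001:1] SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.10.1.5:22
05/02-10:15:23.001200  [**] [1:1000001:1] SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 10.10.1.6:22
05/02-10:16:02.443100  [**] [1:1000002:1] Shellcode in SMB payload [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.9:4433 -> 10.10.1.5:445
05/02-10:16:40.000010  [**] [1:1000003:1] ICMP echo request [**] [Priority: 3] {ICMP} 198.51.100.9 -> 10.10.1.6
05/02-10:20:05.777000  [**] [1:1000004:1] MySQL login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.10.1.5:40021 -> 10.10.0.2:3306
"""

HONEYNET = ipaddress.ip_network("10.10.1.0/24")     # assumed honeypot segment
MAINTENANCE = ipaddress.ip_network("10.10.0.0/24")  # assumed monitoring/maintenance net


def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"],
        "classification": d["cls"] or "unclassified",
        "priority": int(d["prio"]), "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def load_alerts(text, conn):
    """Parse alert lines and insert them; returns the number of rows stored."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS alert (ts TEXT, sid INTEGER, msg TEXT,"
        " classification TEXT, priority INTEGER, proto TEXT, src TEXT,"
        " sport INTEGER, dst TEXT, dport INTEGER)")
    rows = [r for r in (parse_fast_alert(l) for l in text.splitlines()) if r]
    conn.executemany(
        "INSERT INTO alert VALUES (:ts,:sid,:msg,:classification,:priority,"
        ":proto,:src,:sport,:dst,:dport)", rows)
    conn.commit()
    return len(rows)


def build_db(text=SAMPLE_ALERTS):
    """In-memory database loaded with the given alert text."""
    conn = sqlite3.connect(":memory:")
    load_alerts(text, conn)
    return conn


def top_sources(conn, limit=5):
    """Attacking hosts by alert volume, then by worst priority (1 = highest)."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n, MIN(priority) AS worst FROM alert "
        "GROUP BY src ORDER BY n DESC, worst ASC, src LIMIT ?", (limit,)).fetchall()


def per_classification(conn):
    """Alert counts per Snort classification (the 'categorization' on slide 8)."""
    return conn.execute(
        "SELECT classification, COUNT(*) FROM alert "
        "GROUP BY classification ORDER BY 2 DESC, 1").fetchall()


def containment_violations(conn):
    """Alerts from a honeypot towards the maintenance network: the isolation
    between the two segments has failed. CIDR matching is done in Python
    because SQLite has no address type."""
    return [(src, dst, msg)
            for src, dst, msg in conn.execute("SELECT src, dst, msg FROM alert")
            if ipaddress.ip_address(src) in HONEYNET
            and ipaddress.ip_address(dst) in MAINTENANCE]


if __name__ == "__main__":
    db = build_db()
    print("top sources:", top_sources(db))
    print("by classification:", per_classification(db))
    print("containment violations:", containment_violations(db))
```

The containment query is the one worth scheduling: on a correctly bridged honeynet it must always return an empty list, so any row is an alarm about the lab setup itself rather than about an attacker.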

  9. Outline • Week 1: Introduction • Week 2: Architecture, OSs and services • Week 3: Honeynet configuration & Sebek • Week 4: Firewall • Whitsun break

  10. Outline • Week 5: Monitoring • Week 6: Monitoring in action • Week 7: Setup presentations • Week 8: Setup presentations continued • Week 9: Consolidation

  11. Outline • Week 10: Malware session and "opening the floodgates" • Week 11: An attacker's perspective • Week 12: Analysis phase • Week 13: Analysis phase continued • Week 14: Final presentations

  12. Organizational aspects • Lab tasks • Graded homework to be submitted via email to: honeynet-homework@sec.in.tum.de • Mailing list: honeynet-praktikum@sec.in.tum.de

  13. Organizational aspects • Grading: • Participation and lab tasks 10% • Graded homework 25% • Midterm presentation 25% • Final presentation and result 40% • Presentations: 20% style, 80% content • 0 points in any component gives 0 points in total

  14. Literature [1] Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. Proceedings of the twentieth ACM Symposium on Operating Systems Principles (SOSP), October 23-26, 2005, Brighton, United Kingdom.