370 likes | 494 Views
HoneyNets, Intrusion Detection Systems, and Network Forensics. Introduction. Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of the Georgia Tech Campus Network Current Vulnerabilities on the Internet
E N D
HoneyNets, Intrusion Detection Systems, and Network Forensics
Introduction • Definition of a Honeynet • Concept of Data Capture and Data Control • Generation I vs. Generation II Honeynets • Description of the Georgia Tech Campus Network • Current Vulnerabilities on the Internet • Current Tools to Protect Networks • Firewalls • Intrusion Detection Systems (IDS) ECE 4112-Internetwork Security
Shortcomings Associated with Firewalls 1. The firewall cannot protect against attacks that bypass it, such as a dial–in or dial-out capability. 2. The firewall at the network interface does not protect against internal threats. 3. The firewall cannot protect against the transfer of virus–laden files and programs ECE 4112-Internetwork Security
Shortcomings Associated with Intrusion Detection Systems • Increase Complexity of Security Management of Network • High Level of False Positive and False Negative Alerts • Must Know Signature or Anomoly Detection Pattern ECE 4112-Internetwork Security
Definition of a Honeynet • Network Established Behind a Reverse Firewall • Captures All In-Bound and Out-Bound Traffic • Any Type of System • Network is Intended To Be Compromised • All Honeynet traffic is suspicious ECE 4112-Internetwork Security
Data Capture and Data Control • Data Capture • Collect all information entering and leaving the Honeynet covertly for future analysis • Data Control • Covertly protect other networks from being attacked and compromised by computers on the Honeynet ECE 4112-Internetwork Security
Generation I vs. Generation II • GEN I Honeynet • Simple Methodology, Limited Capability • Highly effective at detecting automated attacks • Use Reverse Firewall for Data Control • Can be fingerprinted by a skilled hacker • Runs at OSI Layer 3 • GEN II Honeynet • More Complex to Deploy and Maintain • Examine Outbound Data and make determination to block, pass, or modify data • Runs at OSI Layer 2 ECE 4112-Internetwork Security
Georgia Tech Campus Network • 15000 Students, 5000 Staff, 69 Departments • 30000-35000 networked computers on campus • Average data throughput 600Mbps/4 terabytes per day • NO FIREWALL BETWEEN CAMPUS & INTERNET! • Why? Requirement for Academic Freedom, high throughput • However, individual enclaves within Georgia Tech use firewalls • IDS is run at campus gateway • Out of band monitoring and follow-on investigation ECE 4112-Internetwork Security
Establishment of the Honeynet on the Georgia Tech Campus • Established in Summer of 2002 • Uses Open Source Software • Initially Established As One Honeynet Machine behind the firewall • IP Address Range Provided by Georgia Tech Office of Information Technology (OIT) ECE 4112-Internetwork Security
Georgia Tech Honeynet ECE 4112-Internetwork Security
Hardware and Software • No Requirement for State of the Art Equipment (Surplus Equipment) • No Production Systems • Minimum Traffic • Use Open Source Software (SNORT, Ethereal, MySQL DB, ACID) • Use Reverse Firewall Script Developed by Honeynet.org ECE 4112-Internetwork Security
Intrusion Detection System Used with HoneyNet • SNORT • Open Source • Signature-Based, with Anomaly-Based Plug-in Available • Can Write Customized Signatures • Run Two Separate SNORT Sessions • One Session to Check Against Signature Database • One Session to Capture All Inbound/Outbound Traffic ECE 4112-Internetwork Security
Analysis Console for Intrusion Detection (ACID) ECE 4112-Internetwork Security
Logging and Review of Data • Honeynet Data is stored in two separate locations • Alert Data is stored in SQL database • Packet Capture Data is stored in a daily archive file • Data Analysis is a time consuming process In our Experience: • One hour/day to analyze traffic • One hour of attack traffic can result up to one week of analysis ECE 4112-Internetwork Security
Ethereal Analysis Tool ECE 4112-Internetwork Security
Exploitations Detected on the Georgia Tech Honeynet • 36 possible exploited machines have been detected at Georgia Tech in previous 9 months (through June 2003) • A report is made to OIT on each suspected compromise ECE 4112-Internetwork Security
Identification of a System with a Compromised Password • Previously Compromised Honeynet Computer Continued to Operate as Warez Server • Another Georgia Tech Computer Connected to the Warez Server • Investigation Revealed that Password had been Compromised on Second Georgia Tech Computer ECE 4112-Internetwork Security
Detection of Worm Type Exploits • GEN I Honeynet Well-Suited to Detect Worm Type Exploits • Repeated Scans targeting specific ports • Analyze captured data for time lapses • Ability to Deploy Specific Operating System on Honeynet ECE 4112-Internetwork Security
Exploitation Pattern of Typical Internet Worm • Target Vulnerabilities on Specific Operating Systems • Localized Scanning to Propagate (Code Red) • 3/8 of time within same /16 network • 1/2 of time within same /8 network • 1/8 of time random address • Allows for Quick Infection Within Internal Networks with High Concentration of Vulnerable Hosts ECE 4112-Internetwork Security
Georgia Tech Honeynet Gen II ECE 4112-Internetwork Security
Initial Observations of Gen II Honeynet • Configuration is more complex than Gen I • Must use variants of Linux 2.4 kernel in order to run Sebek keystroke logger capability • Data must continue to be monitored on a daily basis ECE 4112-Internetwork Security
Honeynet Portscan Activity • Date Public: 7/24/02 Date Attack: 1/25/03 ECE 4112-Internetwork Security
Honeynet Portscan Activity • Date Public: 7/16/03 Date Attack: 8/11/03 ECE 4112-Internetwork Security
Honeynet Portscan Activity • Date Public: 8/15/2003 Date Attack: 8/22/03 ECE 4112-Internetwork Security
Conclusions on HoneyNets • Honeynet Assists in Maintaining Network Security • Provides Platform for Research in Information Assurance and Intrusion Detection ECE 4112-Internetwork Security
IDS - Purpose • Misuse detection • Anomaly detection • Conduct forensics • Network traffic recording and analysis • Intellectual property protection ECE 4112-Internetwork Security
IDS Strategies • Signature-based (misuse detection) • pattern matching • cannot detect new attacks • low false positive rate • Anomaly-based (statistical-based) • activity monitoring • has the ability to detect new attacks • higher false positive rate ECE 4112-Internetwork Security
IDS Deployment • Network-based • Inspect network traffic • Monitor user activity (packet data) • Host-based • Inspect local network activity • OS audit functionality • Monitor user activity (function calls) ECE 4112-Internetwork Security
Example IDS:Snort • Sniffer • Packet logger • IDS ECE 4112-Internetwork Security
Snort Rules Example 1: “log tcp traffic from any port going to ports less than or equal to 6000” log tcp any any -> 192.168.1.0/24 :6000 Example 2: RPC alert call alert tcp any any -> 192.168.1.0/24 111 (rpc: 100000, *,3; msg:RPC getport (TCP);) see Snort Users Manual for more information ECE 4112-Internetwork Security
Defeating the IDS • Encryption • Insertion/evasion attacks (requires complete reassembly of packets and knowledge of end system exception handling) • DoS attack (CPU, memory, bandwidth, false positives) ECE 4112-Internetwork Security
Signs of Intrusion • Unaccountable disk utilization • Unaccountable file system modification • Unaccountable CPU utilization • Network saturation • Unknown process using sockets • Abnormal network/system activity ECE 4112-Internetwork Security
Forensics • After the attack • Obtain: • Attacker(s) IP(s) • Time of attack • Victim IP, OS, and targeted service • Attacker’s activity • Attacker’s objective • Damage assessment ECE 4112-Internetwork Security
Forensic Guidance • Photograph complete system • Take detailed notes • ID and secure all compromised systems • Preserve evidence (UNIX) • who (who logged on) • ls (list of files) • ps (list of processes) • lsof (open file handles) • find (modified files) ECE 4112-Internetwork Security
Forensic Guidance • System operations can lie (rootkits) • Retain a provable chain of custody for evidence • Make bit-image copy of hard drive and verify it • Analyze ECE 4112-Internetwork Security