
An Introduction to Honeynets and Intrusion Protection Systems James Kearney Oct. 25, 2004






Presentation Transcript


  1. An Introduction to Honeynets and Intrusion Protection Systems James Kearney Oct. 25, 2004

  2. Outline • What are honeypots/honeynets? • Some basic implementation techniques • What is an IPS/basic implementation • General Comments • Tie-in to research being done with Scott Miller

  3. Honeypots • A machine deployed intentionally to be broken into • Deceptive by design • Ideally provides information about penetration attempts against your network

  4. Honeypots - Design • Developed by what is now known as The Honeynet Project • Standardized design, based upon Linux (flexible in terms of distribution) • Based upon a particular combination of components: • Firewall • IDS • Extensive system logging

  5. Honeypots - Implications • Two classes of honeypots • Low-Interaction • Simulated system; many commands/capabilities are impaired compared to a normal operating system • High-Interaction • Full-blown system, running real services • Relative risks?

  6. Honeynets • Expand the concept of a simple honeypot to a complete network of honeypots • Currently in their second generation (the topic of this presentation) • First generation tools somewhat limited in potential

  7. Honeynets - Design • Three major principles: • Data Control • Firewalls, IPSs, bridging, session/rate limiting • Data Capture • IDSs, Sebek (or Termlog) • Data Analysis • Honey Inspector, Sleuthkit, Sebek (web interface), etc.

  8. Honeynets - Implications • First-gen honeynets and rate-limiting outgoing connections • Limited lifetime • How to restore • Potential dangers

  9. Intrusion Protection Systems • Alter the contents of a malicious payload in real time • Example implementation • IPTables + Snort Inline

  10. Intrusion Protection Systems • Use the QUEUE target in IPTables • Snort Inline picks up the packets, using a modified ruleset (compared to common Snort implementations) • Potentially makes changes to a given packet • Modify contents to render harmless • Drop packet entirely
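As an added example (not from the slides), the data-control setup of slide 7 and the IPTables + Snort Inline arrangement of slide 10 written as a shell script: new outbound TCP connections from the honeynet bridge port are rate-limited, forwarded traffic is handed to the QUEUE target for snort_inline, and the accompanying snort_inline rules show the drop and replace actions. The interface name, the rate budget and the rule contents are assumptions; DRY_RUN=1 prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example: GenII-style data control for a bridged honeynet, combining
# outbound connection rate limiting with the iptables QUEUE target that hands
# forwarded packets to snort_inline (needs the ip_queue module and
# "snort_inline -Q -c snort_inline.conf" running). Values below are assumed.
HONEYNET_IF="${HONEYNET_IF:-eth1}"   # assumed: bridge port facing the honeypots
TCP_LIMIT="${TCP_LIMIT:-15/hour}"    # assumed budget of new outbound TCP sessions
TCP_BURST="${TCP_BURST:-15}"

# Run iptables, or with DRY_RUN=1 just print the command (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

data_control_rules() {
    # Flush and default-deny the FORWARD chain on the bridge.
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Inbound to the honeypots: everything is allowed, but via QUEUE so that
    # snort_inline can drop or rewrite a malicious payload before it arrives.
    ipt -A FORWARD -o "$HONEYNET_IF" -j QUEUE
    # Replies and related traffic in either direction are inspected too.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j QUEUE
    # New outbound TCP connections from the honeypots are rate-limited, so a
    # compromised honeypot cannot attack other networks at full speed.
    ipt -A FORWARD -i "$HONEYNET_IF" -p tcp --syn \
        -m limit --limit "$TCP_LIMIT" --limit-burst "$TCP_BURST" -j QUEUE
    # Anything over the budget is logged for later analysis, then dropped.
    ipt -A FORWARD -i "$HONEYNET_IF" -p tcp --syn -j LOG --log-prefix "HONEYNET-OUT-LIMIT "
    ipt -A FORWARD -i "$HONEYNET_IF" -p tcp --syn -j DROP
}

# snort_inline rules for slide 10: "drop" discards the packet entirely, while
# "replace" overwrites matched content with a same-length harmless string.
snort_inline_rules() {
    cat <<'EOF'
drop tcp $EXTERNAL_NET any -> $HONEYNET 80 (msg:"cmd.exe request dropped"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $HONEYNET any -> $EXTERNAL_NET any (msg:"/bin/sh in outbound payload rewritten"; content:"/bin/sh"; replace:"/ben/sh"; sid:1000002; rev:1;)
EOF
}

# Usage: DRY_RUN=1 . ./honeynet-dc.sh && data_control_rules   (preview)
#        . ./honeynet-dc.sh && data_control_rules              (apply, as root)
```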

  11. General Comments • Ease of deployment • Necessary time/space complexity of honeynets • Bob's Theorem

  12. Work with Scott: • Modified version of a honeynet • More extensive (or completely new) uses of IPSs • Employs many techniques based upon the research already done with honeynets

  13. Questions?

  14. References • “Know Your Enemy”, Second Edition. The Honeynet Project. Addison-Wesley, 2004 • www.honeynet.org • SecurityFocus Honeypots mailing list (honeypots@securityfocus.com) • www.snort-inline.sf.net • www.rootsecure.net (variety of articles used)
