CSCE 815 Network Security Lecture 24 Your Jail and HoneyNets April 17, 2003.
Transcript of CSCE 815 Network Security Lecture 24 Your Jail and HoneyNets April 17, 2003.
CSCE 815 Network Security
Lecture 24
Your Jail and HoneyNets
April 17, 2003
– 2 – CSCE 815 Sp 03
Network Administrator Tools
Network Administration tools: (MSDOS/Windows) ipconfig; ifconfig; netstat; /etc/… (not really tools as much as files); /sbin/…
Find ethernet/IP addresses
More tools: http://newsforge.com/newsforge/02/12/12/0232235.shtml?tid=23
– 3 – CSCE 815 Sp 03
Chroot Jails
References:
http://librenix.com/ (general purpose security/Linux site)
http://www.gsyc.inf.uc3m.es/~assman/jail/index.html
chroot environment:
– 4 – CSCE 815 Sp 03
Chroot Implementation
– 5 – CSCE 815 Sp 03
The Hacker Community
The Black Hat Community
Facts:
20 unique scans a day
Fastest compromise: 15 minutes
Default RH 6.2 life expectancy is 72 hrs
100-200% increase in activity from 2000 to 2001
Source: http://project.honeynet.org/papers/stats
– 6 – CSCE 815 Sp 03
What needs to be done?
Awareness: to raise awareness about new and existing threats and attacks
Information: collect information about attacks and the people who cause them, their tools and techniques
Analysis: assess vulnerabilities in the system
– 7 – CSCE 815 Sp 03
Deploying a Gen II Honeynet
Objective:
To learn about threats and attacks on the most vulnerable Unix and Windows based applications
To learn about tools and techniques used by the attackers
To collect and analyze attack data
– 8 – CSCE 815 Sp 03
Honeypot
Operating system with applications vulnerable to attacks
Designed to capture all activities generated by an intruder
Types:
Production Honeypot: low interaction, simulated environment (e.g. Specter, BOF)
Research Honeypot: high interaction, for learning purposes
– 9 – CSCE 815 Sp 03
Honeynet
Comprised of high interaction honeypots
Simulates a real/production environment
Components:
Data Control: a compromised honeypot should not be usable to attack other systems
Data Capture: capture the attacker's activity (e.g. keystrokes)
Data Collection: collecting honeynet data on a remote machine
– 10 – CSCE 815 Sp 03
Gen I Honeynet
Placed on an isolated network
Firewall and Router are used as Access Control Devices
Better Data Control than a traditional honeypot
– 11 – CSCE 815 Sp 03
Limitations of Gen I Honeypot
Easily Detectable: outbound packets have their TTL decremented at the routing firewall (a Layer 3 device), so the intruder can fingerprint the network
Poor Data Control mechanism: the intruder can use the system to attack other systems; absence of content-based detection
– 12 – CSCE 815 Sp 03
Gen II Honeynet
Goals of Gen II Honeynet:
1. Undetectable System: placed in a production network; access control implemented by a gateway device (a layer 2 device); absence of TTL decrement
2. Efficient Data Control mechanisms
– 13 – CSCE 815 Sp 03
Deploying a Gen II Honeynet
– 14 – CSCE 815 Sp 03
How to implement the Honeynet
Building the Honeypots
Building the Sensor: Bridge Construction, Kernel Hardening, Data Control, Data Capture, Data Collection
– 15 – CSCE 815 Sp 03
Building Honeypots
Cleaning the machine: FWipe (Linux), Eraser (Windows)
Linux Honeypot: Redhat 7.3, Kernel 2.4.8-13; Apache server, SSH, FTP, Telnet
Windows Honeypot: default installation of Windows 2000 Server; IIS Web Server, IE, Microsoft SQL Server
– 16 – CSCE 815 Sp 03
Honeynet Bridge
[Diagram: the bridge sits between the Internet and the honeypots (129.252.140.3, 192.252.140.7). Eth0: no IP; Eth1: no IP; Eth2: 129.252.xxx.yyy, the administrative interface, accepting SSH connections from trusted hosts only]
– 17 – CSCE 815 Sp 03
Honeynet Communication Channel
[Diagram: two full OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), one on each side of the bridge; Eth0 and Eth1 in promiscuous mode; IP forwarding; Hub]
Packet entering the bridge: Source IP 129.252.140.7, Destination IP 208.122.101.1, TTL 30, Source MAC 07 E2 G5 89 P1, Destination MAC 0H F5 7F 2L G2
Packet leaving the bridge: Src IP 129.252.140.7, Dest IP 208.122.101.1, TTL 30, Src MAC 07 E2 G5 89 P1, Dest MAC 0H F5 7F 2L G2 (identical to the incoming packet: no TTL decrement, no MAC rewrite)
– 18 – CSCE 815 Sp 03
Kernel Hardening
Bastille Linux: non-executable user stack; secures the /proc and /var directories; prevents users from creating hard links to files that they don't own; restricts writes into pipes
– 19 – CSCE 815 Sp 03
Data Control: Snort-Inline and IPTables
Modes of Operation:
Connection Limiting Mode: count packets by protocol type
Drop Mode: libipq reads packets from kernel space; packets are matched against snort signatures and dropped if there is a match
Replace Mode: packets are matched against snort signatures and, if they match, the harmful content of the packet is scrubbed and returned to the attacker
– 20 – CSCE 815 Sp 03
Connection Limiting Mode
[Diagram: Enemy -> Hub -> Data Control (Snort-Inline, IPTables); IPTables issues DROP at packet no = 10]
– 21 – CSCE 815 Sp 03
Snort-Inline Drop Mode
[Diagram: Enemy -> Hub -> Data Control (Snort-Inline); IPTables -> ip_queue -> Snort-Inline with Snort rules = Drop -> IPTables drop]
– 22 – CSCE 815 Sp 03
Snort-Inline Replace Mode
[Diagram: Enemy -> Hub -> Data Control (Snort-Inline); IPTables -> ip_queue -> Snort-Inline with Snort rules = Replace -> IPTables; payload rewritten bin/sh -> ben/sh]
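As an added illustration (not part of the lecture and not Snort-Inline's own code), a small Python model of the three data-control modes above: connection limiting counts outbound packets per protocol and drops once a threshold is exceeded, drop mode discards packets whose payload matches a signature, and replace mode scrubs the matched bytes with a same-length substitute (the slide's bin/sh -> ben/sh) so the packet is still forwarded but harmless. The signature set, threshold semantics and packets are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    dst: str         # destination IP (constructed values in the demo)
    payload: bytes

@dataclass
class DataControl:
    mode: str = "drop"      # "limit" (IPTables only), "drop" or "replace" (via ip_queue to Snort-Inline)
    limit: int = 10         # outbound packets allowed per protocol before IPTables drops (assumed semantics)
    # constructed signature set: harmful content -> same-length scrubbed replacement
    signatures: dict = field(default_factory=lambda: {b"/bin/sh": b"/ben/sh"})
    counts: dict = field(default_factory=dict)

    def handle(self, pkt):
        """Return (verdict, payload) for one outbound packet from the honeypot."""
        # Connection limiting: IPTables counts packets by protocol type
        n = self.counts.get(pkt.proto, 0) + 1
        self.counts[pkt.proto] = n
        if n > self.limit:
            return "drop", pkt.payload
        if self.mode == "limit":
            return "pass", pkt.payload
        # Packets under the limit are queued to Snort-Inline and matched against signatures
        for sig, scrubbed in self.signatures.items():
            if sig in pkt.payload:
                if self.mode == "drop":
                    return "drop", pkt.payload
                # Replace mode: scrub in place; equal length keeps TCP sequence numbers consistent
                assert len(sig) == len(scrubbed)
                return "replace", pkt.payload.replace(sig, scrubbed)
        return "pass", pkt.payload

def run(mode, limit, packets):
    """Feed constructed packets through one DataControl and return the verdicts."""
    dc = DataControl(mode=mode, limit=limit)
    return [dc.handle(p)[0] for p in packets]

if __name__ == "__main__":
    sample = [Packet("tcp", "208.122.101.1", b"echo test | /bin/sh"),
              Packet("tcp", "208.122.101.1", b"GET / HTTP/1.0"),
              Packet("udp", "208.122.101.1", b"dns query")]
    for m in ("limit", "drop", "replace"):
        print(m, run(m, 10, sample))
```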
– 23 – CSCE 815 Sp 03
Protect the Administrator Interface
Portsentry: detects SYN/half-open, FIN and NULL scans; will block the host in real time and report to the administrator
– 24 – CSCE 815 Sp 03
Data Control: Tripwire
Maintains integrity of data on the system
Creates cryptographic checksums of files and directories
Reports when changes are made to: access permissions, inode number, userid, groupid, date and time, size
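As an added example (not from the lecture and not Tripwire's own code), a minimal Tripwire-style integrity checker in Python: it baselines the attributes the slide lists (permissions, inode, uid, gid, mtime, size) plus a SHA-256 of file content for every entry under a directory, then reports which attributes changed and which entries appeared or disappeared. The directory tree, file contents and tampering in demo() are constructed.

```python
import hashlib, os, stat, tempfile

FIELDS = ("mode", "inode", "uid", "gid", "mtime", "size", "sha256")  # slide's list + content hash

def snapshot(path):
    """Record the tracked attributes of one path; only regular files are hashed."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino, "uid": st.st_uid, "gid": st.st_gid,
            "mtime": int(st.st_mtime), "size": st.st_size, "sha256": digest}

def baseline(root):
    """Database {relative path: attributes}; take it before exposure and keep it off the host."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = snapshot(full)
    return db

def check(root, db):
    """Compare the current tree against the baseline; return (path, finding) pairs."""
    current, report = baseline(root), []
    for rel in sorted(set(db) | set(current)):
        if rel not in current or rel not in db:
            report.append((rel, "deleted" if rel in db else "added"))
        else:
            changed = [f for f in FIELDS if db[rel][f] != current[rel][f]]
            if changed:
                report.append((rel, "changed: " + ",".join(changed)))
    return report

def demo():
    """Constructed scenario: baseline a tiny tree, then alter one file and add another."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "etc"))
    passwd = os.path.join(root, "etc", "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")      # constructed content
    os.chmod(passwd, 0o644)
    db = baseline(root)
    with open(passwd, "a") as f:
        f.write("guest:x:0:0::/:/bin/bash\n")             # a second uid-0 account appears
    os.chmod(passwd, 0o666)                                # permissions loosened
    with open(os.path.join(root, "unexpected.bin"), "wb") as f:
        f.write(b"constructed")                            # a new file appears
    return check(root, db)
```

The inode is deliberately left unchanged by the append, so the report shows mode, size and sha256 (and mtime if the clock ticked) rather than every field.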
– 25 – CSCE 815 Sp 03
Data Capture Mechanisms
Snort-Inline
Comlog: logs commands executed by cmd.exe (Windows)
Eventlog: forwards packets to a syslog server (Windows)
Sebek (Linux): keystroke logging; uses a UDP connection
– 26 – CSCE 815 Sp 03
Data Collection
Syslog: to deceive the intruder, maintain another syslog.conf file in a different location
Remote Syslog: data stored on a remote machine
– 27 – CSCE 815 Sp 03
Data Analysis
Log Sentry: audits logs and reports any violations
The @stake Sleuth Kit: analyses images generated by the dd command (which converts and copies a file); displays deleted files; creates a timeline of file activity
– 28 – CSCE 815 Sp 03
Top 10 Attacked Services
Linux Based Attack: RPC, Apache, SSH, SNMP, FTP, R-Services, LPD, Sendmail, BIND/DNS, weak accounts
Windows Based Attack: IIS, MDAC, Microsoft SQL Server, NETBIOS, weak LM hashing, Anonymous Logon, weak accounts, IE, Remote Registry Access, Windows Scripting Host
– 29 – CSCE 815 Sp 03
Risk Analysis
Placed on the 129.252.140 subnet; can be shut down in case of emergency
Efficient Data Control Mechanisms: Firewall (Connection Limiting Mode), Snort-Inline (Drop Mode)
– 30 – CSCE 815 Sp 03
References
Librenix: http://librenix.com (firewalls, types of firewalls, configurations, access control)
Newsforge: http://newsforge.com/newsforge
Deploying a GenII Honeynet: MS Thesis, Harish Siripurapu