HoneyD (Part 2): Small Business NIDS

This presentation demonstrates the ability of small businesses to emulate virtual operating systems and conduct intrusion detection on incoming network traffic. Most small businesses look at cost as the primary factor when implementing a computer network. This factor influenced our decision to look for a turn-key solution that is open source and freely available, with little or no cost to the user.

Agenda:
1. Why Snort & HoneyD?
2. Honey this, honey that! (terminology)
3. How HoneyD functions
4. Known issues

Snort + HoneyD = low-cost NIDS solution
Empowers small businesses to secure network assets and resources at very low cost. Simple to set up and operate. Several application configurations are available and customizable according to user requirements.

HoneyD defined:
1. Open source software framework (it's free!).
2. Derived from the Honeynet Project in 1999.
3. Originally developed by Dr. Niels Provos.
4. Large community of support:
   www.honeyd.org/phpBB2/
   www.linuxforums.org/forum/linux-security
   www.backtrack-linux.org/forums/
5. Emulates various virtual operating systems (OS), called virtual honeypots.

Let's clarify all this honey terminology.
Honeypot: A security resource whose value lies in being probed, attacked, or compromised.
High-interaction honeypot: Uses a real OS or service, such as a File Transfer Protocol (FTP) or web server.
Low-interaction honeypot: Emulates an OS or service.
Honeyfarm: Centralized architecture of honeypots and analysis tools.
Honeynet: One or more high-interaction honeypots.
HoneyD: One or more low-interaction honeypots.
(Diagram: taxonomy of honeypot, honeyfarm, honeynet and HoneyD along the high-interaction / low-interaction axis.)

How HoneyD functions:
1. Monitors unused IP addresses.
2. Detects attacker probes to an unused IP and takes over that IP via ARP spoofing.
3. Creates a virtual honeypot and routes the attacker to it.
4. Creates multiple honeypots that fool attackers into believing they are interacting with a hacked system.
HoneyD main features (feature: description)
Simulation of thousands of virtual hosts: Simultaneous interaction with a multitude of virtual honeypots exhibiting different behaviors.
Configuration of arbitrary services: Responds to network connections and provides for interaction with attackers, such as passive fingerprinting.
Simulation of various OS at the TCP/IP stack level: Increases the realism of the emulation by deceiving attacker fingerprinting tools like Nmap and Xprobe.
Simulation of arbitrary routing topologies: Topologies can be simulated with latency, packet loss, and various bandwidth characteristics.
Subsystem virtualization: Examples are web servers, FTP servers, and email servers.

Example network configuration
(Diagram: a fully integrated network utilizing a HoneyD computer, virtual honeypots, and real systems.)

Known issues
• Naturally vulnerable to sophisticated attackers.
• Requires additional software to ensure security and provide tools for analysis.
• Configuration needs might require monitoring of network activity, which increases the cost of labor.
• Since HoneyD is classified as low-interaction, only limited amounts of information can be collected on an attacker.

Supporting software:
• Systrace: Sandbox to prevent exploitation of honeypots (i.e. bugs, mistakes in the setup).
• Honeycomb: Provides an interface between HoneyD and Snort.
• Snort: Packet sniffer.
• ACID for Snort: Provides a user-friendly GUI for analysis purposes.

Summary
In this presentation, we covered the following topics:
• Why we chose the Snort & HoneyD NIDS solution.
• Clarified HoneyD & related terminology.
• Explained how HoneyD functions.
• Explained known issues.

Main points to remember:
• Open source = low cost.
• Large community of support.
• Inherently vulnerable to attacks, but simple to set up and operate.
• Should be installed on a secure network to prevent exploitation.
• Allows network intrusions to be easily detected.
In addition to HoneyD & Snort, ensure you install the following software to help with analysis and security tasks: Systrace, Honeycomb, and ACID.
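An added example, not part of the original presentation: a honeyd.conf that exercises the features listed above (OS personality at the TCP/IP stack level, per-port services, subsystem emulation, and a routed topology with latency and packet loss) and binds the templates to otherwise unused addresses so HoneyD can answer for them. The IP addresses, the personality strings (which must match entries in the nmap.prints file shipped with HoneyD) and the service script paths are assumptions; adjust them to the local network.

```conf
# Added example honeyd.conf (constructed; addresses, personalities and script paths are assumptions).
# Default template: anything not explicitly bound answers nothing, so a probe to an
# unused address is logged but gets no reply.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Low-interaction Windows host: the personality deceives Nmap/Xprobe fingerprinting,
# closed ports answer with RST, and port 80 runs an emulated web server script.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 3284460
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows udp port 137 open

# Low-interaction Linux host with emulated FTP and SMTP subsystems.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 21 "sh scripts/ftp.sh"
add linux tcp port 25 "sh scripts/smtp.sh"
add linux tcp port 22 open

# Router template used for the hops of the simulated topology below.
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset

# Bind the templates to unused LAN addresses; arpd, run alongside honeyd for the
# same range, answers ARP for them so the traffic reaches HoneyD.
bind 192.168.1.201 windows
bind 192.168.1.202 linux

# Simulated routing topology: an entry router fronts 10.0.0.0/8, and a second
# hop is reached over a link that adds 55 ms latency and 0.1% packet loss.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.1.0.10 linux
```

Run it with `honeyd -d -f honeyd.conf -i <interface> 192.168.1.0/24 10.0.0.0/8` next to arpd for the same ranges; the `-d` flag keeps HoneyD in the foreground so the connection log can be watched while the configuration is tested.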