University of Windsor
Sunil Gurung
[60-475] Security and Privacy on the Internet
KFSensor vs Honeyd
Honeypot System
Agenda
• Introduction
• Honeypot Technology
• KFSensor
• Honeyd
• Features
• Tests
• Conclusion
Introduction
• Good Defence is Good Offence
• Network security – Firewall, IDS, antivirus.
• Traditional approach – defensive
• Today – offensive approach
• Honeypot solutions
Honeypot Technology
• “A honeypot is security resource whose value lies in
being probed, attacked, or compromised.” - Lance
Spitzner
• We want attackers to probe and exploit the virtual system running emulated services.
• The system has no production value and no legitimate traffic, so almost every connection is a probe, an attack or a compromise.
• Complements the traditional security tools.
Fig: The basic setup of the honeypot system. In the figure two KFSensor instances are configured as production honeypots. Figure taken from “User Manual of KFSensor – Help”.
Types of Attackers
1) Script kiddies
- Amateurs, don’t care which host they hit
- Their activity exposes the inadequacy of the security policy
2) Blackhats
- Focus on high-value systems, more experienced
- More dangerous and operate silently
Types of Honeypot
Interaction: the level of activity the honeypot allows with the attacker
• Low interaction
Emulated services; easy to deploy and maintain, less risk.
Designed to capture only known attacks.
• High interaction
Real services are set up and the attacker interacts with a real OS.
More information is gathered; no assumptions are made, the attacker gets a fully open environment.
Risk: a compromised high-interaction honeypot can be used to attack others.
Examples: Symantec Decoy Server, Honeynet
KFSensor
• Commercial low interaction honeypot solution
• Windows OS
• Preconfigured services: ssh, http, ftp, etc.
• Easy configuration and flexible
• Components of KFSensor: scenarios, sim servers (standard and banner)
Honeyd
• Low interaction, open source
• Developed by Niels Provos of U of M
• Features: service emulation and emulation of the OS IP stack
• Product detail
  Software: honeyd
  Version: honeyd 0.8
  License: open source
  Download site: http://honeyd.org
  OS: Windows, Linux, Unix – Solaris
Installation
• Dependencies: arpd and the libraries below
• libevent-0.8a.tar.gz, libpcap-0.8.3.tar.gz
• Honeyd package
Installation process (unpack and compile libevent; the other packages follow the same steps):
# tar -zvxf libevent-0.8a.tar.gz
# cd libevent-0.8a (Note: pwd is now /honeyd_packages/libevent-0.8a)
# ./configure
# make
# make install
Major differences between the two software packages
• IP address assignment
• Listening ports
• OS emulation
• Open source advantage
• Financial value
How it works
1. Configuration file
2. nmap.print and xprobe2 fingerprint files
3. Scripts for running the emulated services
Explanation of the configuration file
# Example of a simple host template and its binding
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
Nmap.print and Xprobe2
# Contributed by Felix Lindner ([email protected])
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
Test Environment
1) University network
2) Home network: the honeypot system is placed inside the router [192.168.0.102]
Various tests performed:
Testing Honeyd
IP of honeypot: 192.168.1.122
IP of host running the honeypot: 192.168.1.121
1) Running arpd (answers ARP requests for the unused addresses the honeypot claims)
# arpd 192.168.0.0/24
2) Running honeyd
# honeyd -d -f config.sample -p nmap.print -x xprobe2 -l "Log File" -I 2
Test 1: FTP (KFSensor)
Test 2: FTP honeyd
Other possible test (network topology)
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"
bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
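To check what a decoy will actually answer before deploying it, the following parser reads the honeyd template syntax used in the simple host template and the topology configuration above and reports, per bound address, which ports a scanner will see as accepting connections. This is an added example, not code from the slides or from honeyd; it assumes a template with no explicit default action blocks, and it ignores annotate and route lines.

```python
import shlex

# Constructed sample: the slide's AIX template plus the scripted router port.
SAMPLE_CONFIG = """\
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
add routerone tcp port 23 "scripts/router-telnet.pl"
bind 10.0.0.1 routerone
"""

def parse_honeyd(text):
    """Build templates {name: {personality, default, ports}} and bindings {ip: name}."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)  # keeps quoted personalities/scripts as one token
        if tok[0] == "create":
            templates[tok[1]] = {"personality": None, "default": {}, "ports": {}}
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]]["personality"] = tok[3]
        elif tok[0] == "set" and tok[2] == "default":  # set T default tcp action reset
            templates[tok[1]]["default"][tok[3]] = tok[5]
        elif tok[0] == "add":  # add T tcp port N <open|reset|block|"script"|proxy X>
            templates[tok[1]]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif tok[0] == "bind":  # annotate/route lines set no port behaviour: skipped
            bindings[tok[1]] = tok[2]
    return templates, bindings

def probe(templates, bindings, ip, proto, port):
    """Action for ip:port (open/reset/block/script/proxy) or 'unbound'; no default => block (assumed)."""
    name = bindings.get(ip)
    if name is None:
        return "unbound"
    t = templates[name]
    return t["ports"].get((proto, port), t["default"].get(proto, "block"))

def exposed_ports(templates, bindings, proto="tcp"):
    """Per bound IP, ports a scanner sees as accepting (anything but reset/block)."""
    return {ip: sorted(p for (pr, p), act in templates[name]["ports"].items()
                       if pr == proto and act not in ("reset", "block"))
            for ip, name in bindings.items()}
```

Script-backed and proxied ports are counted as exposed because they accept the connection even though no real service exists behind them.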
Results – taken from the abstract (traceroute through the simulated topology; the 10.3.0.0/16 branch is not part of the excerpt above)
$ traceroute -n 10.3.0.10
traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
1 10.0.0.1 0.456 ms 0.193 ms 0.93 ms
2 10.2.0.1 46.799 ms 45.541 ms 51.401 ms
3 10.3.0.1 68.293 ms 69.848 ms 69.878 ms
4 10.3.0.10 79.876 ms 79.798 ms 79.926 ms
Conclusion
• Both are low-interaction honeypots
• Honeyd has better features such as IP address simulation and OS IP stack emulation
• KFSensor has the better GUI and easier configuration
• Neither can replace the existing security systems; they work best alongside them.