Thursday, April 4, 2019
Analysis of Honeynets and Honeypots for Security
Chapter 1 Introduction

A honeynet is a kind of network security tool. Most of the network security tools we have, for example firewalls and IDS, are passive in nature. They have a dynamic database of available rules and signatures, and they operate on these rules. That is why anomaly detection is limited only to the set of available rules. Any activity that is not in alignment with the given rules and signatures goes under the radar undetected. Honeypots by design allow you to take the initiative and trap those bad guys (hackers). Such a system has no production value and no authorized activity. Any interaction with the honeypot is considered malicious in intent. A combination of honeypots is a honeynet. Basically, honeypots or honeynets do not solve the security problem but provide information and knowledge that help the system administrator to enhance the overall security of his network and systems. This knowledge can act as an intrusion detection system and be used as input for any early warning system. Over the years researchers have successfully isolated and identified a variety of worms and exploits using honeypots and honeynets.

Honeynets extend the concept of a single honeypot to a highly controlled network of honeypots. A honeynet is a specialized network architecture configured in a way to achieve Data Control, Data Capture and Data Collection. This architecture builds a controlled network in which one can control and monitor all kinds of system and network activity.

1.1 Information Security

Information security is the protection of all sensitive information, electronic or otherwise, which is owned by an individual or an organization. It deals with the preservation of the confidentiality, integrity and availability of information. It protects the information of organizations from all kinds of threats to ensure business continuity, minimize business damage and maximize the return on investment and business opportunities. Information stored is highly confidential and not for public viewing. Through information security we protect its availability, privacy and integrity.

Information is one of the most important assets of financial institutions. Fortification of information assets is essential to ascertain and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is compulsory to process transactions and support financial institution and customer decisions. A financial institution's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is distorted, or is not available when it is needed [15].

1.2 Network Security

Network security is the protection of networks and their services from any unauthorized access. It includes the confidentiality and integrity of all data passing through the network. It also includes the security of all network devices and all information assets connected to a network, as well as protection against all kinds of known and unknown attacks.

The ITU-T Security Architecture for Open System Interconnection (OSI) document X.800 and RFC 2828 are the standard documentation defining security services. X.800 divides the security services into 5 categories and 14 specific services, which can be summarized as follows.

Table 1.1 OSI X.800 Summary [8]

1. AUTHENTICATION
The assurance that the communicating entity is the one that it claims to be.
Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected.
Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed.

2. ACCESS CONTROL
The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).

3. DATA CONFIDENTIALITY
The protection of data from unauthorized disclosure.
Connection Confidentiality: The protection of all user data on a connection.
Connectionless Confidentiality: The protection of all user data in a single data block.
Selective-Field Confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
Traffic Flow Confidentiality: The protection of the information that might be derived from observation of traffic flows.

4. DATA INTEGRITY
The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.
Connection Integrity without Recovery: As above, but provides only detection without recovery.
Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.

5. NONREPUDIATION
Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
Nonrepudiation, Origin: Proof that the message was sent by the specified party.
Nonrepudiation, Destination: Proof that the message was received by the specified party.

[1], [8], [9]

1.3 The Security Problem

System security personnel fight an unending battle to secure their digital assets against ever increasing attacks; the variety of attacks and their intensity is increasing day by day. Most of the attacks are detected after the exploitations, so there should be awareness of the threats and vulnerabilities that exist in the network today.
Firstly, we have to understand that we cannot say that there exists a perfectly secure machine or network, because the closest we can get to an absolutely secure machine is to unplug the network cable and power supply and put that machine into a safe. Unfortunately, it is not useful in that state. We cannot achieve perfect security and perfect access at the same time. We can only increase the number of doors, but we cannot put a wall instead of doors. In the field of security we need to find the vulnerabilities and exploits before they affect us. Honeypots and honeynets provide a valuable tool to collect information about the behavior of attackers in order to design and implement better defense.

In the field of security it is important to note that we cannot simply state what the best type of firewall is. Absolute security and absolute access are the two chief points. Absolute security and absolute access are inverse to each other. If we increase the security, access will decrease. There should be a balance between absolute security and absolute defense, so that access is given without compromising the security.

If we compare it to our daily lives we observe not much difference. We are continuously making decisions regarding what risks we are ready to take. When we step out of our homes we are taking a risk. As we get into a car and drive to our workplace there is a risk associated with it too. There is a possibility that something might happen on the highway which will make us part of an accident. When we fly and sit in an airplane we are willing to undergo the level of risk which is at par with the heavy amount we are paying for this convenience. It is observed that many people think differently about what an acceptable risk would be, and in the majority of cases they do go beyond this thinking.
For instance, if I am sitting upstairs in my room and have to go to work, I won't take a jump straight out of the window. It might be a faster way, but the danger of doing so and the injury I would have to face is much greater than the convenience. It is vital for every organization to decide where, between the two opposite poles of total security and total access, it needs to place itself. It is necessary for a policy to articulate this and then further explain the way it will be enforced, with which practices and ways. Everything that is done under the name of security must strictly agree with the policy.

1.4 Types of Hacker

Hackers are generally divided into two major categories.

1.4.1 Black Hats

Black hat hackers are the biggest threat, both internal and external, to the IT infrastructure of any organization, as they are consistently challenging the security of applications and services. They are also called crackers. These are the persons who specialize in unauthorized infiltration. There could be a variety of reasons for this type of intrusion: it could be for profit, for enjoyment, for political motivations, or as part of a social cause. Such infiltration often involves modification or destruction of data.

1.4.2 White Hats

White hat hackers are similar to blue hat hackers, but there is an important difference: white hat hackers do it without any criminal intention. Different companies all around the world hire or contact these kinds of persons to test their systems and software. They check how secure these systems are and point out any faults they find.

These hackers, also known as ethical hackers, are persons or security experts who specialize in penetration testing. These types of people are also known as tiger teams.
These experts may use different types of methods and techniques to carry out their tests, including social engineering tactics, use of hacking tools, and attempts to bypass security to gain entry into protected areas, but they do this only to find weaknesses in the system [8].

1.5 Types of Attacks

There are many types of attacks, which can be categorized under 2 major categories: Active Attacks and Passive Attacks.

1.5.1 Active Attacks

Active attacks involve the attacker taking the offensive and directing malicious packets towards its victims in order to gain illegitimate access to the target machine, such as by performing exhaustive user password combinations as in brute-force attacks, or by exploiting remote and local vulnerabilities in services and applications that are termed holes. Other types of attacks include:

Masquerading attack: the attacker pretends to be a different entity. The attacker uses the fake identity of some legitimate user.

Replay attack: in a replay attack, the attacker captures data and retransmits it to produce an unauthorized effect. It is a kind of man-in-the-middle attack.

Modification attack: in this type of attack the integrity of the message is compromised. The message or file is modified by the attacker to achieve his malicious goals.

Denial of service (DoS) attack: in a DoS attack an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.

TCP and ICMP scanning is also a form of active attack in which the attackers exploit the way protocols are designed to respond, e.g. ping of death, SYN attacks etc.

In all types of active attacks the attacker creates noise over the network and transmits packets, making it possible to detect and trace the attacker.
Depending on the skill level, it has been observed that skillful attackers usually attack their victims from proxy destinations that they have victimized earlier.

1.5.2 Passive Attacks

Passive attacks involve the attacker being able to intercept, collect and monitor any transmission sent by their victims, thus eavesdropping on their victim and in the process being able to listen in to their victim's or target's communications. Passive attacks are very specialized types of attacks which are aimed at obtaining information that is being transmitted over secure and insecure channels. Since the attacker creates no noise or minimal noise on the network, it is very difficult to detect and recognize them.

Passive attacks can be divided into 2 main types: the release of message content and traffic analysis.

Release of message content: it involves protecting message content from getting into the hands of unauthorized users during transmission. This can be as basic as a message delivered via a telephone conversation, instant messenger chat, email or a file.

Traffic analysis: it involves techniques used by attackers to see the actual message from encrypted intercepted messages of their victims. Encryption provides a means to mask the contents of a message using mathematical formulas and thus make them unreadable. The original message can only be retrieved by a reverse process called decryption. This cryptographic system is often based on a key or a password as input from the user. With traffic analysis the attacker can passively observe patterns, trends, frequencies and lengths of messages to guess the key or retrieve the original message by various cryptanalysis systems.

Chapter 2 Honeypot and Honeynet

2.1 Honeypot

A honeypot is a system, or part of a system, deliberately made to invite an intruder or system cracker.
Honeypots have additional functionality and intrusion detection systems built into them for the collection of valuable information on the intruders.

The era of virtualization had its impact on security and honeypots; the community responded, marked by the fine efforts of Niels Provos (founder of honeyd) and Thorsten Holz for their masterpiece book "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" in 2007.

2.2 Types of Honeypots

Honeypots can be categorized into 2 main types based on level of interaction and deployment.

2.2.1 Level of interaction

Level of interaction determines the amount of functionality a honeypot provides.

2.2.1.1 Low-interaction Honeypot

Low-interaction honeypots are limited in the extent of their interaction with the attacker. They are generally emulators of services and operating systems.

2.2.1.2 High-interaction Honeypot

High-interaction honeypots are complex solutions; they involve the deployment of real operating systems and applications. High-interaction honeypots capture an extensive amount of information by allowing the attacker to interact with real systems.

2.2.2 Deployment

Based on deployment, honeypots may be classified as Production Honeypots and Research Honeypots.

2.2.2.1 Production Honeypots

Production honeypots are honeypots that are placed within the production networks for the purpose of detection. They extend the capabilities of the intrusion detection systems. These types of honeypots are developed and configured to integrate with the organization's infrastructure and scope. They are usually implemented as low-interaction honeypots, but implementation may vary depending on the available funding and expertise required by the organization.

Production honeypots can be placed within the application and authentication server subnets and can identify any attacks directed towards those subnets. Thus they can be used to identify both internal and external threats for an organization.
These types of honeypots can also be used to detect malware propagation in the network caused by zero day exploits. Since IDS detection is based on database signatures, IDSs fail to detect exploits that are not defined in their databases. This is where the honeypots outshine the intrusion detection systems. They aid the system and network administrators by providing network situational awareness. On the basis of these results administrators can take the decisions necessary to add or enhance security resources of the organization, e.g. firewall, IDS and IPS etc.

2.2.2.1 Research Honeypots

Research honeypots are deployed by network security researchers, the whitehat hackers. Their primary goal is to learn the tools, tactics and techniques of the blackhat hackers by which they exploit computer and network systems. These honeypots are deployed with the idea of allowing the attacker complete freedom and in the process learning his tactics from his movement within the system. Research honeypots help security researchers to isolate the tools attackers use to exploit systems. They are then carefully studied within a sandbox environment to identify zero day exploits. Worms, Trojans and viruses propagating in the network can also be isolated and studied. The researchers then document their findings and share them with system programmers, network and system administrators, and various system and anti-virus vendors. They provide the raw material for the rule engines of IDS, IPS and firewall systems.

Research honeypots act as early warning systems. They are designed to detect and log maximum information from attackers, yet be stealthy enough not to let attackers identify them. The identity of the honeypot is crucial, and we can conclude that the learning curve (from the attacker) is directly proportional to the stealthiness of the honeypot. These types of honeypots are usually deployed at universities and by the R&D departments of various organizations.
These types of honeypots are usually deployed as high-interaction honeypots.

2.3 Honeynet

The concept of the honeypot is sometimes extended to a network of honeypots, known as a honeynet. In a honeynet we group different types of honeypots with different operating systems, which increases the probability of trapping an attacker. At the same time, a setting in which the attacker explores the honeynet through network connections between the various host systems provides additional prospects for monitoring the attack and revealing information about the intruder. The honeynet operator can also use the honeynet for training purposes, gaining valuable experience with attack strategies and digital forensics without endangering production systems.

The Honeynet Project is a non-profit research organization that provides tools for building and managing honeynets. The tools of the Honeynet Project are designed for the latest generation of high-interaction honeynets that require two separate networks. The honeypots reside on the first network, and the second network holds the tools for managing the honeynet. Between these tools (and facing the Internet) is a device known as the honeywall. The honeywall, which is actually a kind of gateway device, captures, controls, and analyzes all inbound and outbound traffic to the honeypots [4].

A honeynet is a high-interaction honeypot designed to capture a wide range of information on threats. High-interaction means that a honeynet provides real systems, applications, and services for attackers to interact with, as opposed to low-interaction honeypots, which provide emulated services and operating systems. It is through this extensive interaction that we gain information on threats, both external and internal to an organization. What makes a honeynet different from most honeypots is that it is a network of real computers for attackers to interact with.
These victim systems (honeypots within the honeynet) can be any type of system, service, or information you want to provide [14].

2.4 Honeynet Data Management

Data management consists of three processes: data control, data capture and data collection.

2.4.1 Data Control

Data control is the containment of activity within the honeynet. It determines the means through which the attacker's activity can be restricted in a way that avoids damaging or abusing other systems and resources through the honeynet. This demands a great deal of planning, as we want to give the attacker freedom in order to learn from his moves and at the same time not let our resources (honeypot+bandwidth) be used to attack, damage and abuse other hosts on the same or different subnets. Careful measures are taken by the administrators of the honeynet to study and formulate a policy on the attacker's freedom versus containment, and to implement this in a way that achieves maximum data control and yet is not discovered or identified by the attacker as a honeypot. Security is a process and is implemented in layers; various mechanisms to achieve data control are available, such as firewalls, counting outbound connections, intrusion detection systems, intrusion prevention systems and bandwidth restriction. Depending on our requirements and the risk thresholds defined, we can implement data control mechanisms accordingly [4].

2.4.2 Data Capture

Data capture involves the capturing, monitoring and logging of all threats and attacker activities within the honeynet. Analysis of this captured data provides an insight into the tools, tactics, techniques and motives of the attackers. The concept is to achieve maximum logging capability at all nodes and hence log any kind of attacker interaction without the attacker knowing it. This type of stealthy logging is achieved by setting up tools and mechanisms on the honeypots to log all system activity and by having network logging capability at the honeywall.
Every bit of information is crucial in studying the attacker, whether it is a TCP port scan, a remote or local exploit attempt, a brute force attack, an attack tool downloaded by the hacker, various local commands run, any type of communication carried out over encrypted and unencrypted channels (mostly IRC), or any outbound connection attempt made by the attacker [25]. All of this should be logged successfully and sent over to a remote location to avoid any loss of data due to the risk of system damage caused by attackers, such as data being wiped out on disk. In order to avoid detection of this kind of activity by the attacker, data masking techniques such as encryption should be used.

2.4.3 Data Collection

Once data is captured, it is securely sent to a centralized data collection point. Data collected from different honeynet sensors is used for analysis and archiving. Implementations may vary depending on the requirements of the organization; however, the latest implementations incorporate data collection at the honeywall gateway [19].

2.5 Honeynet Architectures

There are three honeynet architectures, namely Generation I, Generation II and Generation III.

2.5.1 Generation I Architecture

The Gen I honeynet was developed in 1999 by the Honeynet Project. Its purpose was to capture attackers' activity and give them the feeling of a real network. The architecture is simple, with a firewall aided by IDS at the front and honeypots placed behind it. This makes it detectable by an attacker [7].

2.5.2 Generation II and III Architecture

Gen II honeynets were first introduced in 2001, and Gen III honeynets were released at the end of 2004. Gen II honeynets were made in order to address the issues of Gen I honeynets. Gen II and Gen III honeynets have the same architecture, the only difference being improvements in deployment and management in Gen III honeynets, along with the addition of a Sebek server built into the honeywall.
Sebek is a stealthy capture tool installed on honeypots that captures and logs all requests sent to the system read and write system calls. This is very helpful in providing an insight into the attacker [7].

A fundamental change in architecture was brought about by the introduction of a single device that handles the data control and data capture mechanisms of the honeynet, called the IDS Gateway or, marketing-wise, the Honeywall. By making the architecture more stealthy, attackers are kept longer and thus more data is captured. There was also a major thrust in improving the honeypot layer of data capture with the introduction of a new UNIX and Windows based data.

2.6 Virtual Honeynet

Virtualization is a technology that allows running multiple virtual machines on a single physical machine. Each virtual machine can be an independent operating system installation. This is achieved by sharing the physical machine's resources, such as CPU, memory, storage and peripherals, through specialized software across multiple environments. Thus multiple virtual operating systems can run concurrently on a single physical machine [4].

A virtual machine is specialized software that can run its own operating systems and applications as if it were a physical computer. It has its own CPU, RAM, storage and peripherals, managed by software that dynamically shares them with the physical computer's hardware resources.

Virtualization

A virtual honeynet is a solution that allows one to run a honeynet on a single computer. We use the term virtual because all the different operating systems placed in the honeynet have the appearance of running on their own, independent computer. Network to a machine on the Honeynet may point a compromised enterprise system.

CHAPTER 3 Design and Implementation

Computer networks connected to the Internet are vulnerable to a variety of exploits that can compromise their intended operations.
Systems can be subject to Denial of Service attacks, i.e. preventing other computers from gaining access to the desired service (e.g. a web server) or preventing them from connecting to other computers on the Internet. They can also be subject to attacks that cause them to cease operations either temporarily or permanently. A hacker may be able to compromise a system and gain complete access as if he were the system administrator. The number of exploits targeted against various platforms, operating systems, and applications is increasing regularly. Most vulnerabilities and attack methods are detected after the exploitations and cause big losses.

Following are the main components of the physical deployment of the honeynet. First is the design of the deployed architecture. Then we installed Sun VirtualBox as the virtualization software. In this we installed three operating systems: two of them work as honeypots and one, Honeywall Roo 1.4, as the honeynet transparent gateway. Snort and Sebek are part of the Honeywall Roo operating system: Snort as IDS, Snort-Inline as IPS, and Sebek as the data capture tool on the honeypot.

The entire OS and honeywall functionality is installed on the system; the installation formats all the previous data from the hard disk. The only purpose of the CDROM now is to install this functionality to the local hard drive. The LiveCD could not be modified, so after installing it on the hard drive we can modify it according to our requirements. This approach helps us to maintain the honeywall, allowing the honeynet to use automated tools such as yum to keep packages current [31].

In the following table there is a summary of products with features installed in the honeynet and hardware requirements.
Current versions of the installed products are also mentioned in the table.

Table 3.1 Project Summary

Feature | Product | Specifications
Host Operating System | Windows Server 2003 R2 | HW Vendor: HP Compaq DC 7700; Processor: Intel(R) Pentium D CPU 3GHz; RAM: 2GB; Storage: 120GB; NIC: 1GB Ethernet controller (public IP)
Guest Operating System 1 | Linux, Honeywall Roo 1.4 | Single Processor Virtual Machine (HONEYWALL); RAM: 512 MB; Storage: 10 GB; NIC 1: 100Mbps Bridged interface; NIC 2: 100Mbps host-only interface; NIC 3: 100Mbps Bridged interface (public IP)
Guest Operating System 2 | Linux, Ubuntu 8.04 LTS (Hardy Heron) | Single Processor Virtual Machine (HONEYPOT); RAM: 256 MB; Storage: 10 GB; NIC: 100Mbps host-only vmnet (public IP)
Guest Operating System 3 | Windows Server 2003 | Single Processor Virtual Machine (HONEYPOT); RAM: 256 MB; Storage: 10 GB; NIC: 100Mbps host-only vmnet (public IP)
Virtualization software | SUN Virtual Box | Version 3
Architecture | Gen III | Gen III implemented as a virtual honeynet
Honeywall | Roo | Roo 1.4
IDS | Snort | Snort 2.6.x
IPS | Snort_inline | Snort_inline 2.6.1.5
Data Capture Tool (on honeypots) | Sebek | Sebek 3.2.0
Honeynet Project Online Period | November 12, 2009 to December 12, 2009 |

3.1 Deployed Architecture and Design

3.2 Windows Server 2003 as Host OS

Usability and performance of virtualization software are very good on Windows Server 2003. Windows Server 2003 is a server operating system produced by Microsoft. It is considered by Microsoft to be the cornerstone of its Windows Server System line of business server products. Windows Server 2003 is more scalable and delivers better performance than its predecessor, Windows 2000.

3.3 Ubuntu as Honeypot

Determined to use free and open source software for this project, Linux was the natural choice to fill as the Host Operating System for our project's server. Ubuntu 8.04 was used as a Linux based honeypot for our implementation.
The concept was to set up an up-to-date Ubuntu server, configured with commonly used services such as SSH, FTP, Apache, MySQL and PHP, and study attacks directed towards them on the internet. Ubuntu, being the most widely used Linux desktop, can prove to be a good platform to study zero day exploits. It also becomes a candidate for malware collection and a source to learn hacker tools being used on the internet. Ubuntu was successfully deployed as a virtual machine and set up in our honeynet with a host-only virtual Ethernet connection. The honeypot was made sweeter, i.e. an interesting target for the attacker, by setting up all services with minimal settings; for example, SSH allowed password based connectivity from any IP on default port 22, users created were given privileges to install and run applications, the Apache index.html page was made remotely accessible with default errors and banners, MySQL default port 1434 was accessible, and outbound connections were allowed but limited [3].

Ubuntu is a computer operating system based on the Debian GNU/Linux distribution. It is named after the Southern African ethical ideology Ubuntu ("humanity towards others") [5] and is distributed as free and open source software. Ubuntu provides an up-to-date, stable operating system for the average user, with a strong focus on usability and ease of installation. Ubuntu focuses on usability and security. The Ubiquity installer allows Ubuntu to be installed to the hard disk from within the Live CD environment, without the need for restarting the computer prior to installation. Ubuntu also emphasizes accessibility and internationalization to reach as many people as possible [33].

Ubuntu comes installed with a wide range of software that includes OpenOffice, Firefox, Empathy (Pidgin in versions before 9.10), Transmission, GIMP, and several lightweight games (such as Sudoku and chess).
Ubuntu allows networking ports to be closed using its firewall, with customized port selectioAnalysis of Honeynets and Honeypots for SecurityAnalysis of Honeynets and Honeypots for SecurityChapter 1 IntroductionHoneynet is a kind of a network security tool, most of the network security tools we have are passive in nature for example Firewalls and IDS. They have the dynamic database of available rules and signatures and they operate on these rules. That is why anomaly detection is limited only to the set of available rules. Any activity that is not in alignment with the given rules and signatures goes under the radar undetected. Honeypots by design allows you to take the initiative, and trap those bad guys (hackers). This system has no production value, with no authorized activity. Any interaction with the honeypot is considered malicious in intent. The combination of honeypots is honeynet. Basically honeypots or honeynets do not solve the security problem but provide information and knowledge that help the system administrator to enhance the overall security of his network and systems. This knowledge can act as an Intrusion detection system and used as input for any early wa rning systems. Over the years researchers have successfully isolated and identified verity of worms exploits using honeypots and honeynets.Honeynets extend the concept of a single honeypot to a highly controlled network of honeypots. A honeynet is a specialized network architecture cond in a way to achieve Data Control, Data Capture Data Collection. This architecture builds a controlled network that one can control and monitor all kind of system and network activity.1.1 Information SecurityInformation Security is the protection of all sensitive information, electronic or otherwise, which is owned by an individual or an organization. It deals with the preservation of the confidentiality, integrity and availability of information. 
It protects information of organizations from all kinds of threats to ensure business continuity, minimize business damage and maximize the return on investment and business opportunities. Information stored is highly confidential and not for public viewing. Through information security we protect its availability, privacy and integrity.

Information is one of the most important assets of financial institutions. Fortification of information assets is essential to ascertain and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is compulsory to process transactions and support financial institution and customer decisions. A financial institution's earnings and capital can be adversely affected if information becomes known to unauthorized parties, is distorted, or is not available when it is needed [15].

1.2 Network Security

Network security is the protection of networks and their services from any unauthorized access. It includes the confidentiality and integrity of all data passing through the network. It also includes the security of all network devices and all information assets connected to a network, as well as protection against all kinds of known and unknown attacks.

The ITU-T Security Architecture for Open System Interconnection (OSI) document X.800 and RFC 2828 are the standard documentation defining security services. X.800 divides the security services into 5 categories and 14 specific services, which can be summarized as follows.

Table 1.1 OSI X.800 Summary [8]

1. AUTHENTICATION
The assurance that the communicating entity is the one that it claims to be.
- Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected.
- Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed.

2. ACCESS CONTROL
The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).

3. DATA CONFIDENTIALITY
The protection of data from unauthorized disclosure.
- Connection Confidentiality: The protection of all user data on a connection.
- Connectionless Confidentiality: The protection of all user data in a single data block.
- Selective-Field Confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
- Traffic Flow Confidentiality: The protection of the information that might be derived from observation of traffic flows.

4. DATA INTEGRITY
The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
- Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.
- Connection Integrity without Recovery: As above, but provides only detection without recovery.
- Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
- Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
- Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.

5. NONREPUDIATION
Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
- Nonrepudiation, Origin: Proof that the message was sent by the specified party.
- Nonrepudiation, Destination: Proof that the message was received by the specified party.

[1] [8, 9]

1.3 The Security Problem

System security personnel are fighting an unending battle to secure their digital assets against ever increasing attacks; the variety of attacks and their intensity are increasing day by day. Most attacks are detected after exploitation, so there should be awareness of the threats and vulnerabilities that exist on the Internet today.

First we have to understand that we cannot say that there exists a perfectly secure machine or network, because the closest we can get to an absolutely secure machine is to unplug the network cable and power supply and put that machine into a safe. Unfortunately it is not useful in that state. We cannot achieve perfect security and perfect access at the same time. We can only increase the number of doors, but we cannot put a wall instead of doors. In the field of security we need to find the vulnerabilities and exploits before they affect us. Honeypots and honeynets provide a valuable tool to collect information about the behavior of attackers in order to design and implement better defense.

In the field of security it is important to note that we cannot simply state what the best type of firewall is. Absolute security and absolute access are the two chief points, and they are inverse to each other: if we increase security, access will decrease. There should be a balance between absolute security and absolute defense, so that access is given without compromising security.

If we compare it to our daily lives we observe not much difference. We are continuously making decisions regarding what risks we are ready to take.
When we step out of our homes we are taking a risk. As we get into a car and drive to our work place there is a risk associated with it too. There is a possibility that something might happen on the highway which will make us part of an accident. When we fly and sit on an airplane we are willing to undergo a level of risk which is on par with the heavy amount we are paying for this convenience. It is observed that many people think differently about what an acceptable risk would be, and in the majority of cases they do go beyond this thinking. For instance, if I am sitting upstairs in my room and have to go to work, I won't take a jump straight out of the window. It might be a faster way, but the danger of doing so and the injury I would have to face is much greater than the convenience. It is vital for every organization to decide where it needs to place itself between the two opposite poles of total security and total access. It is necessary for a policy to articulate this position and then further explain the way it will be enforced, with which practices and ways. Everything that is done under the name of security must strictly agree with the policy.

1.4 Types of Hacker

Hackers are generally divided into two major categories.

1.4.1 Black Hats

Black hat hackers are the biggest threat, both internal and external, to the IT infrastructure of any organization, as they are consistently challenging the security of applications and services. They are also called crackers. These are the persons who specialize in unauthorized infiltration. There could be a variety of reasons for this type of penetration: it could be for profit, for enjoyment, for political motivations, or as part of a social cause. Such infiltration often involves modification or destruction of data.

1.4.2 White Hats

White hat hackers are similar to black hat hackers, but there is an important difference: white hat hackers do it without any criminal intention.
Different companies all around the world hire or contact these kinds of persons to test their systems and software. They check how secure these systems are and point out any faults they find.

These hackers, also known as ethical hackers, are the persons or security experts who specialize in penetration testing. These types of people are also known as tiger teams. These experts may use different types of methods and techniques to carry out their tests, including social engineering tactics, use of hacking tools, and attempts to bypass security to gain entry into protected areas, but they do this only to find weaknesses in the system [8].

1.5 Types of Attacks

There are many types of attacks, which can be categorized under 2 major categories: active attacks and passive attacks.

1.5.1 Active Attacks

Active attacks involve the attacker taking the offensive and directing malicious packets towards its victims in order to gain illegitimate access to the target machine, such as by trying exhaustive user password combinations as in brute-force attacks, or by exploiting remote and local vulnerabilities in services and applications, which are termed holes. Other types of attacks include:

Masquerading attack: The attacker pretends to be a different entity. The attacker uses a fake identity of some legitimate user.

Replay attack: In a replay attack, the attacker captures data and retransmits it to produce an unauthorized effect. It is a kind of man-in-the-middle attack.

Modification attack: In this type of attack the integrity of the message is compromised. The message or file is modified by the attacker to achieve his malicious goals.

Denial of service (DoS) attack: In a DoS attack an attacker attempts to prevent legitimate users from accessing information or services.
By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.

TCP and ICMP scanning is also a form of active attack, in which the attackers exploit the way protocols are designed to respond, e.g. ping of death, SYN attacks etc.

In all types of active attacks the attacker creates noise over the network and transmits packets, making it possible to detect and trace the attacker. Depending on the skill level, it has been observed that skillful attackers usually attack their victims from proxy destinations that they have victimized earlier.

1.5.2 Passive Attacks

Passive attacks involve the attacker being able to intercept, collect and monitor any transmission sent by their victims, thus eavesdropping on their victims and in the process being able to listen in to their victims' or targets' communications. Passive attacks are very specialized types of attacks which are aimed at obtaining information that is being transmitted over secure and insecure channels. Since the attacker creates no noise, or minimal noise, on the network, it is very difficult to detect and identify them.

Passive attacks can be divided into 2 main types, the release of message content and traffic analysis.

Release of message content: It involves protecting message content from getting into the hands of unauthorized users during transmission. This can be as basic as a message delivered via a telephone conversation, instant messenger chat, email or a file.

Traffic analysis: It involves techniques used by attackers to retrieve the actual message from encrypted intercepted messages of their victims. Encryption provides a means to mask the contents of a message using mathematical formulas and thus make them unreadable. The original message can only be retrieved by a reverse process called decryption.
This cryptographic system is often based on a key or a password as input from the user. With traffic analysis the attacker can passively observe patterns, trends, frequencies and lengths of messages to guess the key or retrieve the original message by various cryptanalysis systems.

Chapter 2 Honeypot and Honeynet

2.1 Honeypot

A honeypot is a system, or part of a system, deliberately made to invite an intruder or system cracker. Honeypots have additional functionality and intrusion detection systems built into them for the collection of valuable information on the intruders.

The era of virtualization had its impact on security and honeypots, and the community responded, marked by the fine efforts of Niels Provos (founder of honeyd) and Thorsten Holz with their masterpiece book Virtual Honeypots: From Botnet Tracking to Intrusion Detection in 2007.

2.2 Types of Honeypots

Honeypots can be categorized into 2 main types, based on level of interaction and deployment.

2.2.1 Level of interaction

The level of interaction determines the amount of functionality a honeypot provides.

2.2.1.1 Low-interaction Honeypot

Low-interaction honeypots are limited in the extent of their interaction with the attacker. They are generally emulators of services and operating systems.

2.2.1.2 High-interaction Honeypot

High-interaction honeypots are complex solutions that involve the deployment of real operating systems and applications. High-interaction honeypots capture an extensive amount of information by allowing the attacker to interact with real systems.

2.2.2 Deployment

Based on deployment, honeypots may be classified as production honeypots and research honeypots.

2.2.2.1 Production Honeypots

Production honeypots are honeypots that are placed within production networks for the purpose of detection. They extend the capabilities of the intrusion detection systems. These types of honeypots are developed and configured to integrate with the organization's infrastructure and scope.
They are usually implemented as low-interaction honeypots, but implementation may vary depending on the available funding and expertise required by the organization.

Production honeypots can be placed within the application and authentication server subnets and can identify any attacks directed towards those subnets. Thus they can be used to identify both internal and external threats to an organization. These types of honeypots can also be used to detect malware propagation in the network caused by zero day exploits. Since IDS detection is based on database signatures, IDSs fail to detect exploits that are not defined in their databases. This is where honeypots outshine intrusion detection systems. They aid the system and network administrators by providing network situational awareness. On the basis of these results administrators can take the decisions necessary to add or enhance security resources of the organization, e.g. firewall, IDS and IPS.

2.2.2.2 Research Honeypots

Research honeypots are deployed by network security researchers, the whitehat hackers. Their primary goal is to learn the tools, tactics and techniques by which blackhat hackers exploit computers and network systems. These honeypots are deployed with the idea of allowing the attacker complete freedom and in the process learning his tactics from his movement within the system. Research honeypots help security researchers to isolate the tools attackers use to exploit systems. These are then carefully studied within a sandbox environment to identify zero day exploits. Worms, Trojans and viruses propagating in the network can also be isolated and studied. The researchers then document their findings and share them with system programmers, network and system administrators, and various system and anti-virus vendors. They provide the raw material for the rule engines of IDS, IPS and firewall systems.

Research honeypots act as early warning systems.
They are designed to detect and log maximum information from attackers while being stealthy enough not to let attackers identify them. The identity of the honeypot is crucial, and we can conclude that the learning curve (from the attacker) is directly proportional to the stealthiness of the honeypot.

These types of honeypots are usually deployed at universities and by the R&D departments of various organizations. They are usually deployed as high-interaction honeypots.

2.3 Honeynet

The concept of the honeypot is sometimes extended to a network of honeypots, known as a honeynet. In a honeynet we group different types of honeypots with different operating systems, which increases the probability of trapping an attacker. At the same time, a setting in which the attacker explores the honeynet through network connections between the various host systems provides additional prospects for monitoring the attack and revealing information about the intruder. The honeynet operator can also use the honeynet for training purposes, gaining valuable experience with attack strategies and digital forensics without endangering production systems.

The Honeynet Project is a non-profit research organization that provides tools for building and managing honeynets. The tools of the Honeynet Project are designed for the latest generation of high-interaction honeynets that require two separate networks. The honeypots reside on the first network, and the second network holds the tools for managing the honeynet. Between these tools (and facing the Internet) is a device known as the honeywall. The honeywall, which is actually a kind of gateway device, captures, controls, and analyzes all inbound and outbound traffic to the honeypots [4].

It is a high-interaction honeypot designed to capture a wide range of information on threats.
High-interaction means that a honeynet provides real systems, applications, and services for attackers to interact with, as opposed to low-interaction honeypots, which provide emulated services and operating systems. It is through this extensive interaction that we gain information on threats, both external and internal to an organization. What makes a honeynet different from most honeypots is that it is a network of real computers for attackers to interact with. These victim systems (honeypots within the honeynet) can be any type of system, service, or information you want to provide [14].

2.4 Honeynet Data Management

Data management consists of three processes: data control, data capture and data collection.

2.4.1 Data Control

Data control is the containment of activity within the honeynet. It determines the means through which the attacker's activity can be restricted so as to avoid damaging or abusing other systems and resources through the honeynet. This demands a great deal of planning, as we need to give the attacker freedom in order to learn from his moves and at the same time not let our resources (honeypot+bandwidth) be used to attack, damage and abuse other hosts on the same or different subnets. Careful measures are taken by the administrators of the honeynet to study and formulate a policy on attacker freedom versus containment, and to implement it in a way that achieves maximum data control and yet is not discovered or identified by the attacker as a honeypot. Security is a process and is implemented in layers; various mechanisms to achieve data control are available, such as firewalls, counting outbound connections, intrusion detection systems, intrusion prevention systems and bandwidth restriction. Depending on our requirements and the risk thresholds defined, we can implement data control mechanisms accordingly [4].

2.4.2 Data Capture

Data capture involves the capturing, monitoring and logging of all threats and attacker activities within the honeynet.
Analysis of this captured data provides an insight into the tools, tactics, techniques and motives of the attackers. The concept is to achieve maximum logging capability at all nodes and hence log any kind of attacker interaction without the attacker knowing it. This type of stealthy logging is achieved by setting up tools and mechanisms on the honeypots to log all system activity, and by having network logging capability at the honeywall. Every bit of information is crucial in studying the attacker, whether it is a TCP port scan, a remote or local exploit attempt, a brute force attack, an attack tool downloaded by the hacker, various local commands run, any type of communication carried out over encrypted and unencrypted channels (mostly IRC), or any outbound connection attempt made by the attacker [25]. All of this should be logged successfully and sent over to a remote location to avoid any loss of data due to the risk of system damage caused by attackers, such as a data wipe-out on disk. In order to avoid detection of this kind of activity by the attacker, data masking techniques such as encryption should be used.

2.4.3 Data Collection

Once data is captured, it is securely sent to a centralized data collection point. The data, which is collected from different honeynet sensors, is used for analysis and archiving. Implementations may vary depending on the requirements of the organization; however, the latest implementations incorporate data collection at the honeywall gateway [19].

2.5 Honeynet Architectures

There are three honeynet architectures, namely Generation I, Generation II and Generation III.

2.5.1 Generation I Architecture

The Gen I honeynet was developed in 1999 by the Honeynet Project. Its purpose was to capture attackers' activity and give them the feeling of a real network. The architecture is simple, with a firewall aided by IDS at the front and honeypots placed behind it.
This makes it detectable by the attacker [7].

2.5.2 Generation II & III Architecture

Gen II honeynets were first introduced in 2001 and Gen III honeynets were released at the end of 2004. Gen II honeynets were made in order to address the issues of Gen I honeynets. Gen II and Gen III honeynets have the same architecture. The only difference is improvements in deployment and management in Gen III honeynets, along with the addition of a Sebek server built into the honeywall. Sebek is a stealthy capture tool installed on honeypots that captures and logs all requests sent to the system's read and write system calls. This is very helpful in providing an insight into the attacker [7].

A radical change in architecture was brought about by the introduction of a single device that handles the data control and data capture mechanisms of the honeynet, called the IDS Gateway or, marketing-wise, the Honeywall. By making the architecture more stealthy, attackers are kept longer and thus more data is captured. There was also a major thrust in improving the honeypot layer of data capture with the introduction of a new UNIX and Windows based data.

2.6 Virtual Honeynet

Virtualization is a technology that allows running multiple virtual machines on a single physical machine. Each virtual machine can be an independent operating system installation. This is achieved by sharing the physical machine's resources, such as CPU, memory, storage and peripherals, through specialized software across multiple environments. Thus multiple virtual operating systems can run concurrently on a single physical machine [4].

A virtual machine is specialized software that can run its own operating systems and applications as if it were a physical computer. It has its own CPU, RAM, storage and peripherals, managed by software that dynamically shares them with the physical hardware resources.

Virtualization

A virtual honeynet is a solution that allows one to run a honeynet on a single computer.
We use the term virtual because all the different operating systems placed in the honeynet have the appearance of running on their own, independent computer. Network to a machine on the Honeynet may indicate a compromised enterprise system.

Chapter 3 Design and Implementation

Computer networks connected to the Internet are vulnerable to a variety of exploits that can compromise their intended operations. Systems can be subject to denial of service attacks, i.e. preventing other computers from gaining access to the desired service (e.g. a web server) or preventing them from connecting to other computers on the Internet. They can also be subject to attacks that cause them to cease operations either temporarily or permanently. A hacker may be able to compromise a system and gain root access as if he were the system administrator. The number of exploits targeted against various platforms, operating systems, and applications is increasing regularly. Most vulnerabilities and attack methods are detected after exploitation and cause big losses.

The following are the main components of the physical deployment of the honeynet. First is the design of the deployed architecture. Then we installed SUN Virtual Box as the virtualization software. In it we installed three virtual operating systems: two of them work as honeypots and one, Honeywall Roo 1.4, as the honeynet's transparent gateway. Snort and Sebek are part of the Honeywall Roo operating system: Snort as IDS and Snort-Inline as IPS, and Sebek as the data capture tool on the honeypot.

The entire OS and honeywall functionality is installed on the system; the installation formats all previous data on the hard disk. The only purpose of the CDROM now is to install this functionality to the local hard drive. The LiveCD could not be modified, so after installing it on the hard drive we can modify it according to our requirements.
This approach helps us to maintain the honeywall, allowing the honeynet to use automated tools such as yum to keep packages current [31].

The following table gives a summary of the products and features installed in the honeynet, along with the hardware requirements. Current versions of the installed products are also mentioned in the table.

Table 3.1 Project Summary

| Feature | Product | Specifications |
| Host Operating System | Windows Server 2003 R2 | HW Vendor: HP Compaq DC 7700; Processor: Intel(R) Pentium D CPU 3GHz; RAM: 2GB; Storage: 120GB; NIC: 1GB Ethernet controller (public IP) |
| Guest Operating System 1 | Linux, Honeywall Roo 1.4 | Single Processor Virtual Machine (HONEYWALL); RAM: 512 MB; Storage: 10 GB; NIC 1: 100Mbps Bridged interface; NIC 2: 100Mbps host-only interface; NIC 3: 100Mbps Bridged interface (public IP) |
| Guest Operating System 2 | Linux, Ubuntu 8.04 LTS (Hardy Heron) | Single Processor Virtual Machine (HONEYPOT); RAM: 256 MB; Storage: 10 GB; NIC: 100Mbps host-only vmnet (public IP) |
| Guest Operating System 3 | Windows Server 2003 | Single Processor Virtual Machine (HONEYPOT); RAM: 256 MB; Storage: 10 GB; NIC: 100Mbps host-only vmnet (public IP) |
| Virtualization software | SUN Virtual Box | Version 3 |
| Architecture | Gen III | Gen III implemented as a virtual honeynet |
| Honeywall | Roo | Roo 1.4 |
| IDS | Snort | Snort 2.6.x |
| IPS | Snort_inline | Snort_inline 2.6.1.5 |
| Data Capture Tool (on honeypots) | Sebek | Sebek 3.2.0 |
| Honeynet Project Online Tenure | November 12, 2009 to December 12, 2009 | |

3.1 Deployed Architecture and Design

3.2 Windows Server 2003 as Host OS

The usability and performance of virtualization software are very good on Windows Server 2003. Windows Server 2003 is a server operating system produced by Microsoft. It is considered by Microsoft to be the cornerstone of its Windows Server System line of business server products.
Windows Server 2003 is more scalable and delivers better performance than its predecessor, Windows 2000.

3.3 Ubuntu as Honeypot

Determined to use free and open source software for this project, Linux was the natural choice to fill as the Host Operating System for our project's server. Ubuntu 8.04 was used as a Linux-based honeypot for our implementation. The concept was to set up an up-to-date Ubuntu server, configured with commonly used services such as SSH, FTP, Apache, MySQL and PHP, and study attacks directed towards them on the internet. Ubuntu, being the most widely used Linux desktop, can prove to be a good platform to study zero day exploits. It also becomes a candidate for malware collection and a source to learn hacker tools being used on the internet. Ubuntu was successfully deployed as a virtual machine and set up in our honeynet with a host-only virtual Ethernet connection. The honeypot was made sweeter, i.e. an interesting target for the attacker, by setting up all services with default settings: for example, SSH allowed password based connectivity from any IP on default port 22, users created were given privileges to install and run applications, the Apache index.html page was made remotely accessible with default errors and banners, MySQL default port 1434 was accessible, and outbound connections were allowed but limited [3].

Ubuntu is a computer operating system based on the Debian GNU/Linux distribution. It is named after the Southern African ethical ideology Ubuntu (humanity towards others) [5] and is distributed as free and open source software. Ubuntu provides an up-to-date, stable operating system for the average user, with a strong focus on usability and ease of installation. Ubuntu focuses on usability and security. The Ubiquity installer allows Ubuntu to be installed to the hard disk from within the Live CD environment, without the need for restarting the computer prior to installation.
Ubuntu also emphasizes accessibility and internationalization to reach as many people as possible [33]. Ubuntu comes installed with a wide range of software that includes OpenOffice, Firefox, Empathy (Pidgin in versions before 9.10), Transmission, GIMP, and several lightweight games (such as Sudoku and chess). Ubuntu allows networking ports to be closed using its firewall, with customized port selectio
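
A sketch of the data control and data capture behaviour described in sections 2.4.1 and 2.4.2, added here as an example and not taken from the Honeywall Roo code: a gateway records every connection it sees and lets each honeypot open only a fixed number of new outbound connections per hour, which is the "allowed but limited" outbound policy applied to the Ubuntu honeypot. The class and function names, the addresses and the limit of 5 are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds since the start of the capture
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


class Gateway:
    """Toy honeywall: records every connection, rate-limits outbound ones."""

    def __init__(self, honeypots, limits, window=3600.0):
        self.honeypots = set(honeypots)
        self.limits = limits          # proto -> max new outbound connections per window
        self.window = window
        self.capture_log = []         # data capture: (Conn, direction, verdict)
        self.alerts = []              # one entry each time a honeypot hits its limit
        self._allowed = defaultdict(deque)   # (honeypot, proto) -> allowed timestamps
        self._blocked = set()

    def _direction(self, c):
        src_hp, dst_hp = c.src in self.honeypots, c.dst in self.honeypots
        if src_hp and dst_hp:
            return "internal"
        if src_hp:
            return "outbound"
        return "inbound" if dst_hp else "foreign"

    def process(self, c):
        direction = self._direction(c)
        # Inbound traffic is never restricted: the attacker must be free to interact.
        verdict = self._data_control(c) if direction == "outbound" else "ALLOW"
        # Everything is logged, including what data control dropped.
        self.capture_log.append((c, direction, verdict))
        return verdict

    def _data_control(self, c):
        key = (c.src, c.proto)
        recent = self._allowed[key]
        while recent and recent[0] <= c.ts - self.window:
            recent.popleft()          # forget connections older than the window
        # Protocols without a configured limit get 0, i.e. they are always dropped.
        if len(recent) < self.limits.get(c.proto, 0):
            recent.append(c.ts)
            self._blocked.discard(key)
            return "ALLOW"
        if key not in self._blocked:  # alert once per burst, not once per packet
            self._blocked.add(key)
            self.alerts.append((c.ts, c.src, c.proto))
        return "DROP"


HONEYPOT = "10.0.0.10"      # constructed address of the honeypot
ATTACKER = "203.0.113.7"    # constructed address from a documentation range


def constructed_events():
    """Constructed sample traffic: inbound logins, then outbound activity."""
    ev = [Conn(float(i), ATTACKER, HONEYPOT, "tcp", 22) for i in range(4)]
    ev.append(Conn(60.0, HONEYPOT, "198.51.100.20", "tcp", 80))
    ev.append(Conn(90.0, HONEYPOT, "198.51.100.30", "tcp", 6667))
    ev += [Conn(120.0 + i, HONEYPOT, f"192.0.2.{i + 1}", "tcp", 22) for i in range(8)]
    ev.append(Conn(3700.0, HONEYPOT, "192.0.2.50", "tcp", 22))
    return ev


def summarize(gw):
    out = {"inbound": 0, "outbound_allowed": 0, "outbound_dropped": 0}
    for _conn, direction, verdict in gw.capture_log:
        if direction == "inbound":
            out["inbound"] += 1
        elif direction == "outbound":
            out["outbound_allowed" if verdict == "ALLOW" else "outbound_dropped"] += 1
    return out


def run():
    gw = Gateway([HONEYPOT], {"tcp": 5, "udp": 5, "icmp": 10})
    verdicts = [gw.process(c) for c in constructed_events()]
    return gw, verdicts


if __name__ == "__main__":
    gateway, _ = run()
    print(summarize(gateway))
    for ts, host, proto in gateway.alerts:
        print(f"t={ts:.0f}s {host} reached its outbound {proto} limit")
```

The dropped connections stay in the capture log, so the analyst still sees which hosts the compromised honeypot tried to reach even though data control kept the traffic from leaving the honeynet.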