CSCE 815 Network Security
Lecture 25

Data Control in HoneyNets
SSH

April 22, 2003

Machines to Attack
  129.252.140.3
  129.252.140.7

  NOT!!!
  129.252.140.1 - gateway

–2–                             CSCE 815 Sp 03
Honeynet Bridge
  [Diagram] Honeypots 129.252.140.3 and 129.252.140.7 sit behind a three-interface bridge:
  Eth1 - NO IP (honeynet side)
  Eth0 - NO IP (Internet side)
  Eth2 - 129.252.xxx.yyy: Administrative Interface, SSH Connections, Trusted Hosts
  Internet

Honeynet Communication Channel
  [Diagram] Two protocol stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), one for each side of the bridge, joined at the Data Link layer by IP Forwarding. Eth1 and Eth0 both run in Promiscuous Mode; the honeypot side hangs off a Hub.
  The same packet, before and after the bridge:
    Source IP: 129.252.140.7
    Destination IP: 208.122.101.1
    TTL: 30
    Source MAC: 07 E2 G5 89 P1
    Destination MAC: 0H F5 7F 2L G2

What is Data Control and Why?
  Process used to control or contain traffic to a honeynet
  Upstream liability – an attack from one of your honeypots
  Snort-inline – South Florida Honeynet Project

GEN II Data Control
  Gen II:
    Incorporates a firewall and IDS in one system
    Provides more stealthy data control
    Can be implemented for layer 2 bridging or layer 3 NAT translation
    Packets are passed from the Internet to the honeynet as layer 2 (data link) frames, so there is no TTL decrement

IPTables for GEN II Honeynet
  IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels
  Each packet header is compared to a set of “chains”
  Chains contain rules whose targets are ACCEPT, DROP, REJECT or QUEUE
  Custom Chains
    tcpHandler
    udpHandler
    icmpHandler

Example Rule
  Shell Script
      # log every outbound packet, then hand it to Snort-Inline (QUEUE) or let it through (ACCEPT)
      $IPTABLES -A tcpHandler -j LOG --log-prefix "OUTBOUND"
      if test "$QUEUE" = "yes"; then
          $IPTABLES -A tcpHandler -j QUEUE
      fi
      $IPTABLES -A tcpHandler -j ACCEPT

  Environment variable “$QUEUE” controls action of the rule
  Queueing
  Connection limits

Snort-Inline
  Snort: The Open Source Network Intrusion Detection System http://www.snort.org/
  Snort-Inline: Snort + ability to retrieve packets from the QUEUE target
  Gen I: Alert.sh operated at Layer 3 (IP layer), which made it visible by TTL decrement and routing
  Gen II Data Control
      If the attacker runs traceroute to view router hops:
      /sbin/traceroute 129.252.140.3
      “I see nothing” – Sergeant Schultz (the layer 2 bridge adds no hop)

Set Up
  lsmod                 # list the loaded modules
  modprobe ip_queue     # load the ip_queue module into kernel space
  lsmod                 # confirm ip_queue is now listed
  modprobe -r ip_queue  # to remove

Data Control: Snort-Inline and IPTables
  Modes of Operation
    Connection Limiting Mode: Count packets by protocol type
    Drop Mode: Libipq reads packets from kernel space. Packets are matched against Snort signatures and dropped if there is a match
    Replace Mode: Packets are matched against Snort signatures and if they match the harmful content of the packet is scrubbed and the packet is returned to the attacker

Connection Limiting Mode
  [Diagram] Enemy -> Hub -> Data Control (Snort-Inline, IPTables)
  IPTables counts the packets; at Packet No = 10 the verdict is DROP

Snort-Inline Drop Mode
  [Diagram] Enemy -> Hub -> Data Control (Snort-Inline, IPTables)
  IPTables -> ip_queue -> Snort-Inline (Snort Rules = Drop) -> Drop

Snort-Inline Replace Mode
  [Diagram] Enemy -> Hub -> Data Control (Snort-Inline, IPTables)
  IPTables -> ip_queue -> Snort-Inline (Snort Rules = Replace): bin/sh -> ben/sh

Supporting Tools for Gen II
  libipq – development library for iptables
    Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel
    http://www.cs.princeton.edu/~nakao/libipq.htm
  libpcap – packet capture library used by most Open Source sniffers
  Bridge-Utils – used to set up the Linux Ethernet bridge
  Latest Snort Rules
  rc.firewall script – everything you need to set up the GenII data control system
    http://project.honeynet.org/papers/honeynet/tools/rc.firewall

rc.firewall script
  This script uses IPTables to create a gateway that counts inbound and outbound connections and blocks connections once a limit has been met.
  Kernel must be compiled with Bridge support
  Modifications History
    21 Apr 2003: Added STOP_OUT option to allow the user to block all outbound connections. Think of this as the honeynet safe mode.

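A reduced GenII data-control gateway in the style of the Example Rule (slide 8), the custom chains of slide 7 and the Bridge-Utils / rc.firewall material of slides 15 and 16, added here as an example. It is not the Honeynet Project's rc.firewall and not the lecture's code. QUEUE and STOP_OUT are the slides' own option names; the rate variables, interface assignment, the <proto>Allow chains and the trusted-host address are assumptions of this example. By default it runs as a dry run that echoes the iptables, brctl, ifconfig and modprobe commands instead of executing them.

```shell
#!/bin/sh
# Added example: a reduced GenII data-control gateway in the style of slides 7-8 and 15-16.
# It is not the Honeynet Project's rc.firewall and not the lecture's code. By default it is a
# DRY RUN that echoes the iptables/brctl/ifconfig/modprobe commands instead of running them,
# so it can be read on any machine; DRY_RUN=no applies them (root, 2.4 kernel with bridge support).
DRY_RUN=${DRY_RUN:-yes}
if [ "$DRY_RUN" = "yes" ]; then
    IPTABLES="echo iptables"; BRCTL="echo brctl"; IFCONFIG="echo ifconfig"; MODPROBE="echo modprobe"
else
    IPTABLES=/sbin/iptables; BRCTL=/usr/sbin/brctl; IFCONFIG=/sbin/ifconfig; MODPROBE=/sbin/modprobe
fi

# Options. QUEUE and STOP_OUT are the slides' names; the rate and interface names are assumed here.
QUEUE=${QUEUE:-yes}        # yes: hand allowed outbound packets to Snort-Inline via the QUEUE target
STOP_OUT=${STOP_OUT:-no}   # yes: honeynet safe mode, block every outbound connection
TCPRATE=${TCPRATE:-15}     # outbound NEW connections allowed per SCALE, per protocol
UDPRATE=${UDPRATE:-20}
ICMPRATE=${ICMPRATE:-50}
SCALE=${SCALE:-day}        # unit of the iptables limit match: second, minute, hour or day
INET_IFACE=eth0            # Internet side of the bridge, no IP address
LAN_IFACE=eth1             # honeynet side of the bridge, no IP address
ADMIN_IFACE=eth2           # administrative interface, the only one with an IP address
TRUSTED_HOST=${TRUSTED_HOST:-192.0.2.10}   # constructed placeholder for the SSH management host

# The bridge: both bridged ports are up and promiscuous but carry no IP and do no ARP, so the
# gateway never answers on the wire, and frames cross it at layer 2 without a TTL decrement.
setup_bridge() {
    $MODPROBE ip_queue                     # slide 10: needed before the QUEUE target works
    $BRCTL addbr br0
    $BRCTL addif br0 "$INET_IFACE"
    $BRCTL addif br0 "$LAN_IFACE"
    $IFCONFIG "$INET_IFACE" 0.0.0.0 -arp promisc up
    $IFCONFIG "$LAN_IFACE" 0.0.0.0 -arp promisc up
    $IFCONFIG br0 0.0.0.0 up
}

# One handler chain per protocol (tcpHandler, udpHandler, icmpHandler as on slide 7).
# Connection limiting uses the limit match on NEW state, an approximation of a strict count.
# Packets within the limit reach the slide's rule in the <proto>Allow chain: LOG as OUTBOUND,
# then QUEUE (terminating: Snort-Inline gives the verdict) or ACCEPT. STOP_OUT makes the
# handler log-and-drop.
build_handler() {
    proto=$1; rate=$2
    $IPTABLES -N "${proto}Handler"
    if [ "$STOP_OUT" = "yes" ]; then
        $IPTABLES -A "${proto}Handler" -j LOG --log-prefix "STOP_OUT $proto "
        $IPTABLES -A "${proto}Handler" -j DROP
        return 0
    fi
    $IPTABLES -N "${proto}Allow"
    $IPTABLES -A "${proto}Allow" -j LOG --log-prefix "OUTBOUND $proto "
    if [ "$QUEUE" = "yes" ]; then
        $IPTABLES -A "${proto}Allow" -j QUEUE
    fi
    $IPTABLES -A "${proto}Allow" -j ACCEPT
    $IPTABLES -A "${proto}Handler" -m state --state ESTABLISHED,RELATED -j "${proto}Allow"
    $IPTABLES -A "${proto}Handler" -m state --state NEW -m limit --limit "${rate}/${SCALE}" \
        --limit-burst "$rate" -j "${proto}Allow"
    $IPTABLES -A "${proto}Handler" -j LOG --log-prefix "LIMIT $proto "
    $IPTABLES -A "${proto}Handler" -j DROP
}

# Policy: inbound to the honeypots is open, outbound goes through the handlers, and the
# administrative interface answers only SSH from the trusted host (slides 3 and 17).
# On the 2.4 bridge kernels of the slides -i names the bridge port; on later kernels the
# physical port is matched with -m physdev --physdev-in instead.
apply_policy() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -i "$INET_IFACE" -j ACCEPT
    for proto_rate in "tcp $TCPRATE" "udp $UDPRATE" "icmp $ICMPRATE"; do
        set -- $proto_rate
        build_handler "$1" "$2"
        $IPTABLES -A FORWARD -i "$LAN_IFACE" -p "$1" -j "${1}Handler"
    done
    $IPTABLES -A INPUT -i "$ADMIN_IFACE" -s "$TRUSTED_HOST" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -i "$ADMIN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$ADMIN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -j LOG --log-prefix "ADMIN DROP "
}

setup_bridge
apply_policy
```

Run it with sh to review the generated rule set; STOP_OUT=yes sh on the same file shows the safe-mode variant, in which every handler becomes log-and-drop and the limit and QUEUE rules disappear. Splitting the slide's rule into a separate <proto>Allow chain keeps the limit match on a single rule, so one counter decides which NEW connections are allowed instead of two counters drifting apart across a LOG rule and a QUEUE rule.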
Protect the Administrator Interface
  Portsentry
    Detects SYN/Half Open, FIN, NULL scans
    Will block the host in real time and report to the administrator

Data Control: Tripwire
  Maintains integrity of data on the system
  Creates cryptographic checksums of files and directories
  Reports when changes are made to access permissions, inode number, user id, group id, date and time, size
  http://www.tripwire.com/

Data Capture Mechanisms
  Snort-Inline
  Comlog: logs commands executed by cmd.exe (Windows)
  Eventlog: forwards packets to syslog server (Windows)
  Sebek (Linux)
    Keystroke logging
    Uses UDP connection
  USCSh – Unix keystroke logging, 1984
  Windows keystroke logging – PhD dissertation, 1990s

Data Collection
  Syslog:
    To deceive the intruder, maintain another syslog.conf file in a different location
    Remote Syslog
      Stores data on a remote machine

Data Analysis
  Log Sentry:
    • Audits logs and reports any violations
  The @stake Sleuth Kit:
    • Analyses images generated by the dd command (converts and copies a file)
    • Displays deleted files
    • Creates a timeline of file activity

Risk Analysis
  Placed on the 129.252.140 subnet
    Can be shut down in case of emergency
  Efficient Data Control Mechanisms
    Firewall (Connection Limiting Mode)
    Snort-Inline (Drop Mode)

References
  Librenix: http://librenix.comfirewalls
    types of firewalls
    configurations
    access control
  Newsforge: http://newsforge.com/newsforge
  Deploying a GenII Honeynet: MS Thesis, Harish Siripurapu
  http://www.honeynet.ie/main.htm
  GenII Data Control for Honeynets – Univ South Florida
  http://cert.uni-stuttgart.de/archive/honeypots/2003/02/msg00056.html