Technical Seminar 2004
Technical Seminar Presentation On
ENHANCING NETWORK INTRUSION DETECTION SYSTEM WITH HONEYPOT
Presented By: Rakesh Khatai IT200118029
Under the guidance of: Mr. PRADEEP KUMAR JENA
INTRODUCTION
A honeypot is a resource that helps directly in increasing a computer network's security.
An Intrusion Detection System (IDS) plays an important part in nearly every honeypot.
Types: production honeypots and research honeypots.
LEVEL OF INVOLVEMENT
Low-involvement: A low-involvement honeypot typically only provides certain fake services. On a low-involvement honeypot there is no real operating system that an attacker can operate on.
High-involvement: A high-involvement honeypot has a real underlying operating system. This leads to a much higher risk as the complexity increases rapidly.
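A low-involvement honeypot of the kind described above, sketched as an added example (not code from the presentation): a fake FTP-like service that answers a fixed script, never authenticates anyone, runs no commands, and records every interaction. The banner text, port 2121, the in-memory `EVENTS` log and the size limits are assumptions chosen for illustration.

```python
import socket, socketserver, threading, time

EVENTS = []          # in-memory event log; a honeynet would ship these to a remote log host
BANNER = b"220 FTP server ready\r\n"   # constructed banner, not copied from any product
MAX_LINE = 256       # cap on bytes read per command
MAX_CMDS = 10        # cap on commands per session

class FakeFTP(socketserver.StreamRequestHandler):
    timeout = 5  # seconds; idle sessions are dropped

    def log(self, kind, data=""):
        EVENTS.append({"ts": time.time(), "src": self.client_address[0],
                       "kind": kind, "data": data})

    def handle(self):
        self.log("connect")
        self.wfile.write(BANNER)
        try:
            for _ in range(MAX_CMDS):
                raw = self.rfile.readline(MAX_LINE)
                if not raw:
                    break
                line = raw.decode("latin-1").strip()
                verb = line.split(" ", 1)[0].upper()
                self.log("command", line)       # record input, never act on it
                if verb == "USER":
                    self.wfile.write(b"331 Password required\r\n")
                elif verb == "PASS":
                    self.wfile.write(b"530 Login incorrect\r\n")  # always refuse
                elif verb == "QUIT":
                    self.wfile.write(b"221 Goodbye\r\n")
                    break
                else:
                    self.wfile.write(b"500 Unknown command\r\n")
        except (socket.timeout, ConnectionError):
            self.log("aborted")
        self.log("disconnect")

def start_honeypot(host="127.0.0.1", port=0):
    """Start the fake service in a background thread; port 0 picks a free port."""
    server = socketserver.ThreadingTCPServer((host, port), FakeFTP)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_honeypot(port=2121)   # assumed unprivileged port
    print("fake FTP listening on", srv.server_address)
    threading.Event().wait()          # keep the process alive
```

Because no legitimate user has a reason to reach this service, every entry in `EVENTS` is worth reviewing, which is what makes it a useful companion to an IDS.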
HONEYNET
Honeynets are made to make honeypots more productive
Components:
Firewall computer
Intrusion detection computer
Remote syslog computer
Honeypot
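[Figure: honeypot, honeynet and virtual honeynet layouts. Diagram labels: Internet; Honeypot; Honeypot One, Honeypot Two, Honeypot Three behind a Firewall or Bridge; Virtual Honeynet containing Virtual Honeypot One, Virtual Honeypot Two, Virtual Honeypot Three behind a Firewall or Bridge]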
AVAILABLE HONEYPOTS
Mantrap
Deception Toolkit
Specter
BackOfficer Friendly
Home grown honeypots
INTRUSION DETECTION SYSTEM
Network based intrusion detection
Host based intrusion detection
Signature based intrusion detection
Anomaly based intrusion detection
SNORT
Snort is a freely available intrusion detection system.
Modes:
Sniffer Mode
Logger Mode
Intrusion Detection Mode
[Fig: Snort Overview. Diagram labels: Signatures; Snort configuration file; Snort Sensor; Alerts; Log; Text file; Syslog; Database; TCP Dump; Snort Log; Database]
[Fig: Network configuration of the honeypot and the production hosts. Diagram labels: External Network; Hostile Host; Gateway (Snort + Redirection Module) with Eth0 10.11.1.1, Eth1 172.16.0.1, Eth2 172.16.0.2; Internal Network; Production Host; Honeypot; Remote Log Server; host addresses 172.16.0.25 and 172.16.0.4]
CONCLUSION
A honeypot is a valuable resource, especially for collecting information about how attackers proceed and the tools they deploy.
Honeypots cannot be considered a standard product with a fixed place in every security-aware environment.