Tuesday, May 21, 2019

Encryption and network security Essay

Honeynets: Observing Hackers' Tools, Tactics and Motives in a Controlled Environment

Solutions to cyber attacks are usually fixes developed after the damage has been done. Honeynets were developed specifically to catch and monitor threats (i.e. a probe, scan or attack). They are designed to gather extensive information about those threats. The data are then interpreted and used to develop new tools that prevent actual damage to computer systems. Talabis defines a honeynet as a network of high-interaction honeypots that simulates a production network and is configured such that all activity is monitored, recorded and, to a degree, discreetly regulated. Seen below is a diagram of a typical honeynet setup as given by Krasser, Grizzard, Owen and Levine.

Figure 1: A typical honeynet setup

Deployment of honeynets may vary, as a honeynet is an architecture rather than a single product. The key element of every honeynet is the honeywall. This is the command and control gateway through which all activity comes and goes. It separates the actual systems from the honeypot systems to which threats are intentionally directed. Two more elements are essential in any honeynet. These are discussed below.

Data Control

Data control is necessary to lessen the risks posed by the captured threats without compromising the amount of data you are able to gather. To do this, connection counting and a Network Intrusion Prevention System (NIPS) are used. Both are automated data controls. Connection counting limits outgoing activity: connections beyond the limit are blocked. NIPS blocks or disables known threats before they can attack outbound. The Honeynet Project Research Alliance has defined a set of requirements and standards for the deployment of data control. First is the use of both manual and automated data controls. Second, there must be at least two layers of data control to protect against failure. Third, in case of failure, no one should be able to connect to the honeynet. Fourth, the state of inbound and outbound connections must be logged. Fifth, remote administration of honeynets should be possible. Sixth, it should be very difficult for hackers to detect data control. And finally, automatic alerts should be raised when a honeynet is compromised.

Data Capture

The Honeynet Project identifies three critical layers of data capture. These are firewall logs, network traffic and system activity. The data collection capabilities of the honeynet should be able to capture all activities from all three layers. This allows the production of a more useful analysis report. Firewall logs are created by the NIPS. The Snort process logs network traffic. Snort is a tool used to capture packets of inbound and outbound honeynet traffic. The third is capturing keystrokes and encryption. Sebek is a tool used to bypass encrypted packets. Collected data is covertly transmitted by Sebek to the honeywall without the hacker being able to sniff these packets.

Risks

As with any tool, honeynets are also threatened by risks affecting their usage and effectiveness. These include the risk of a hacker using the honeynet to attack a non-honeynet system; the risk of detection, wherein the honeynet is identified by the hacker and false data is then sent to the honeynet, producing misleading reports; and the risk of violation, wherein a hacker introduces illegal activity into your honeynet without your knowledge.

Alerting

As mentioned in the requirements and standards set for data control, alerts should be in place once an attack is made on your honeynet. Otherwise, the honeynet is useless. An administrator can monitor the honeynet 24/7, or you can have automated alerts. Swatch is a tool that can be used for this. Log files are monitored for patterns and, when a pattern is found, an alert is issued via email or phone call. Commands and programs can also be triggered to run.
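The data control requirements above (two automated layers, logging of every connection, fail-closed behaviour) and the Swatch-style alerting described in the Alerting section can be illustrated with a small simulation. This is an added example, not code from the essay or from the Honeywall; the honeypot addresses, the outbound limit of 3 and the "known-bad" port 6667 are constructed values.

```python
import re
from collections import defaultdict

# Constructed policy values (hypothetical, not from any honeywall configuration).
OUTBOUND_LIMIT = 3         # layer 1: outbound connections allowed per honeypot
KNOWN_BAD_PORTS = {6667}   # layer 2: NIPS-style block of a known-bad destination port

class HoneywallDataControl:
    """Simulates automated data control: connection counting (layer 1) plus a
    signature-style NIPS block (layer 2); every decision is logged, failures fail closed."""
    def __init__(self, limit=OUTBOUND_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)
        self.log = []           # firewall-style log lines, one per connection
        self.failed = False     # set when a control layer fails

    def inbound(self, src, honeypot, port):
        # Inbound traffic is allowed in (that is the point of the honeypot) but logged.
        self.log.append(f"INBOUND src={src} dst={honeypot}:{port} ACCEPT")
        return True

    def outbound(self, honeypot, dst, port):
        if self.failed:
            verdict = "DROP reason=failclosed"
        elif port in KNOWN_BAD_PORTS:
            verdict = "DROP reason=nips"
        else:
            self.counts[honeypot] += 1
            n = self.counts[honeypot]
            verdict = f"ACCEPT count={n}" if n <= self.limit else f"DROP reason=limit count={n}"
        self.log.append(f"OUTBOUND src={honeypot} dst={dst}:{port} {verdict}")
        return verdict.startswith("ACCEPT")

# Swatch-style monitor: an outbound DROP by limit or NIPS means the honeypot is
# initiating attacks, i.e. it has presumably been compromised, so raise an alert.
ALERT_PATTERNS = [re.compile(r"OUTBOUND .* DROP reason=(limit|nips)")]

def alerts_for(log_lines):
    """Return the log lines that match an alert pattern (stand-in for Swatch's
    email or phone-call action)."""
    return [line for line in log_lines if any(p.search(line) for p in ALERT_PATTERNS)]

if __name__ == "__main__":
    dc = HoneywallDataControl()
    dc.inbound("203.0.113.9", "10.0.0.5", 22)        # constructed: attacker logs in
    for dst in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"):
        dc.outbound("10.0.0.5", dst, 80)              # honeypot starts scanning outward
    dc.outbound("10.0.0.5", "203.0.113.4", 6667)      # and tries a known-bad port
    for line in alerts_for(dc.log):
        print("ALERT:", line)
```

Running it shows the fourth outbound connection and the known-bad port being dropped, each producing one alert line, while the earlier connections are allowed so that the attacker's activity can still be observed.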
Honeynet Tools

Several honeynet tools are available to the public for free so that anyone can set up their own honeynet for research purposes. These tools are used in the different elements of a honeynet. Discussed below are just three of them.

Honeynet Security Console

This is a tool used to view events on the honeynet. These events may come from Snort, TCPDump, firewall, syslog and Sebek logs. Given these events, you will be able to produce an analysis report by correlating the events captured from each of the data types. The tool's website lists its key features as follows: quick and easy setup; a user-friendly GUI for viewing event logs; powerful, interactive graphs with drill-down capabilities; simple search/correlation capabilities; integrated IP tools; a TCPDump payload and session decoder; and built-in passive OS fingerprinting and geographical location capabilities.

Honeywall CDRom Roo

This is the tool recommended by the Honeynet Project. It is a bootable CD-ROM containing all of the tools and functionality necessary to quickly create, easily maintain and effectively analyze a third generation honeynet. Much like the Honeynet Security Console, this tool capitalizes on its data analysis capability, which is the primary purpose for which honeynets are deployed: to be able to analyze hacker activity data. A GUI is used to maintain the honeywall and to track and analyze honeypot activities. It displays an overview of all inbound and outbound traffic. Network connections in pcap format can be extracted. Ethereal, another tool, can then be used with the extracted data for a more in-depth analysis. Sebek data can also be analyzed by this tool. Walleye, another tool, is used for drawing visual graphs of processes. Although this tool may already be useful, several improvements still have to be introduced to increase its effectiveness. Walleye presently supports only one honeynet.
Multiple honeynets can be deployed, but remote administration of these distributed systems still needs to be worked on.

Sebek

This is a tool used for data capture within the kernel. This is done by intercepting the read() system call. It covertly captures encrypted packets from inbound and outbound activity by hackers on the honeypot. Basically, Sebek tells us when the hacker attacked the honeypot, how he attacked it and why, by logging his activities. It consists of two components. First, a client that runs on the honeypot. Its purpose is to capture keystrokes, file uploads and passwords. After capturing, it sends the data to the server, the second component. The server usually runs on the honeywall, where all captured data from the honeypot are stored. Found below is the Sebek architecture.

Figure 2: Sebek Architecture

A web interface is also available to analyze the data contained in the Sebek database. Three features are available: the keystroke summary view, the search view and the table view, which provides a summary of all activities including non-keystroke activities.

References

Honeynet Security Console. Retrieved October 8, 2007 from http://www.activeworx.org/onlinehelp/hsc/hsc.htm.

Krasser, S., Grizzard, J., Owen, H., & Levine, J. (2005). The use of honeynets to increase computer network security and user awareness. Journal of Security Education, 1, 23-37.

Piazza, P. (2001, November). Honeynet Attracts Hacker Attention: The Honeynet Project Set Up a Typical Computer Network and Then Watched to See What Turned Up. Security Management, 45, 34.

Sebek FAQ. Retrieved October 8, 2007 from http://www.honeynet.org/tools/sebek/faq.html.

The Honeynet Project. (2005, May 12). Know Your Enemy: Honeynets. What a honeynet is, its value, and risk/issues involved. Retrieved October 8, 2007 from http://www.honeynet.org.

Talabis, R. The Philippine Honeynet Project. A Primer on Honeynet Data Control Requirements. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.

Talabis, R. A Primer on Honeynet Data Collection Requirements and Standards. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.

Talabis, R. Honeynets: A Honeynet Definition. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.

Talabis, R. The Gen II and Gen III Honeynet Architecture. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.

The Honeynet Project. (2005, May 12). Know Your Enemy: GenII Honeynets. Easier to deploy, harder to detect, safer to maintain. Retrieved October 8, 2007 from http://www.honeynet.org.

The Honeynet Project and Research Alliance. (2005, August 17). Know Your Enemy: Honeywall CDRom Roo. 3rd Generation Technology. Retrieved October 8, 2007 from http://www.honeynet.org.
