Honey Nets
By Daniel Engel
Abstract
The intent of this paper is to discuss my research for my senior project. I will cover what a honeynet is, its advantages and disadvantages, and other areas of research significant to a honeynet. Unfamiliar terms will be placed in footnotes along with other terms and ideas that need clarification. The first part of this research paper will cover the background and basic information on honeynets while the second part will go into detail about honeynets and the successes and problems I had. Although a honeypot is a single computer on a honeynet, the terms honeynet and honeypot are sometimes used interchangeably in articles. I have done my best to differentiate the two terms in this paper.
Part I
Introduction to Project
One of my main interests in the field of information technology has become network security, and for that reason I have chosen to focus my senior research on a related topic. I felt honeynets were a great topic to study because they implement network security in many different ways. In the first part of the paper honeynets will be covered to give a basic understanding of what constitutes a honeynet.
1 Honeynets have been around since about 1999-2000.
2 Intent to do harm; refers to malicious software, or malware.
3 The arrangement or mapping of the elements (links, nodes, etc.) of a network. (Wikipedia)
network traffic according to predetermined rules that set what type of network traffic can come through and what cannot. Let's use IDS as an example. IDS systems are known to log gigabytes of information about network activity that can be nearly impossible to sift through and analyze. They also monitor system activity and can produce an audible alert when something out of the ordinary is occurring on the network. Although this sounds like a great thing, it can actually be an irritant to network administrators and is usually not very effective. Sometimes these alarms are caused by what is called a false positive: "A false positive is when an alarm indicates that an attack is in progress when there in fact is really no such attack" (Whitman, 2005). These can be very frequent, so frequent in fact that there are books written about how to reduce IDS false alarms. The frequency of alarms can desensitize those who have to respond to them, much like a car alarm that goes off so often that nobody pays attention to it anymore. False positives are native to many traditional security methods, not just IDS. The intent is not to imply that these traditional methods are ineffective and useless. On the contrary, they are very much needed to provide good network security. A properly configured IDS or network topology can go a long way to aid a honeynet. Honeynets just go one step further by allowing the identity of intruders to be revealed. "Firewall and IDS and other traditional security technologies can detect, alert, and notify you of security breaches. But without the in-depth data received from honeynets, the who and why usually go unanswered without an in-depth forensics review" (Higgins, 2007).
What is a Honeynet?
A honeynet is a decoy network that has been created purposely to seem vulnerable to attack in order to lure in attackers and gather specific information about them, like bees to honey. Consider figure 1 on the next page. The computers labeled "Honeypot" are the individual computers that make up the honeynet. While the actual network (computers labeled "Production") is secure and protected, the honeynet is created to seem vulnerable and can sometimes appear to contain valuable data such as credit card information. These networks are created to make the attacker think they are working with valid network systems. While attackers are busy doing their malicious activity on the decoy network, the honeywall gateway is busy collecting data on their every move. How this works is discussed in part two.

Figure 1

The following is a quote about the purpose of honeynets taken from an article written by the group that heads The Honeynet Project4: "The primary purpose of a honeynet is to gather information on threats. This information has different value to different organizations. For example, academic research institutions may use honeynets to gather data for research, such as worm activity. Security organizations may use honeynets to capture and analyze malware for anti-virus, IDS signatures or learn new ways to counter changing threats. Government organizations may use honeynets to learn more about who is targeting them or why." (Project, 2006) Recently, with the release of the Conficker virus, a honeynet was used to contain the worm and study what it did in order to be able to defend against it. These are just a few examples of the potential that honeynets have and what they can be used for.

4 A team of 30 network security experts that analyze honeynet data and research how malicious hackers act.
onslaught of attacks on the network hoping the network is secure. It also provides invaluable information on who is attacking these systems and why. Once again, the honeynet creates an offensive approach: it makes it possible to advance current security techniques and gain an advantage over hackers. Also, hackers who realize they have discovered a company or organization that uses a honeynet will be less likely to attack again, because they can't be sure which network systems are being monitored and which are not.
Adaptability
I think the greatest thing about a honeynet is the adaptability of such a technology. No other technology is so mobile, adaptive and potentially free from cost. These advantages are good no matter if you are a large company carrying confidential information or just a small privately owned company. A honeynet can be adapted based on individual needs. They can be created to appear to broadcast a social security number entered into a database, or to appear to be a whole network of computers. Another great advantage of this type of adaptability is the option of being able to create a honeynet with a single computer or laptop. The use of special software called VMware (Virtual Machine Software), or something similar, allows multiple operating systems to run on one computer, which allows the option of creating more traps to collect specific data. This type of honeynet is called a virtual honeynet and can appear to be a whole network of computers. Also, because a laptop is easily moved, it is possible to configure a customized honeynet and use it on company X's network; then, when your objective with company X is complete, the laptop can be plugged into company Y's network and begin to collect data. All it takes to switch is plugging the laptop into a new network. The ease of setup surpasses all other security options, and there is no other security feature in use today with such mobility and ease of use.
Cost
Not only does the ease of adaptability appeal to many, so does the cost. High cost does not have to be an issue when deciding to set up a honeynet. If a small company is interested in using a honeynet but doesn't have a budget for it, an older single Pentium processor6 system would be able to handle a basic honeynet setup, meaning an older, less complex computer can be used. This is what gives honeynets the ability to be used by so many different types of industries and budgets. If you are a large company looking to create a significant-size honeynet, the cost could still be reasonable, because a whole network with multiple honeypots can be created on a single laptop. Even a large honeynet can be created with a few laptops, and because there are many open-source7 operating systems, there is no need to pay for multiple operating systems either.

6 99 ranging from 60 to 300 MHz. Today's processors are in the 2-3 GHz range, about 10x faster.
Part II
Hopefully at this point there is a good understanding of what a honeynet is and what it is meant to do. The next several pages go into more detail about the parts of a honeynet and the different software that helps the honeynet accomplish its one purpose: understanding the bad guys.
Types of Honeypots
There are three types of honeypots and/or honeynets, and each has its own strengths and weaknesses: the high-interaction, the low-interaction and the virtual honeypot. Each one is explained in the following paragraphs.
Virtual Honeypot
A virtual honeynet uses virtualization software, such as VMware, to create a honeynet on a single computer. There are two types of virtual honeynets that I will briefly describe. One type is a self-contained honeynet and the other is called a hybrid honeynet. A self-contained honeynet is what I attempted to create. This type of honeynet is all software and virtual hardware contained on one system, such as a laptop. Self-contained honeynets are portable because they can be created on a single laptop, plugged into any network and be up and running in a small amount of time. Also, they can be very cheap, or completely free in my case, to set up and deploy. Another great advantage is the ability that VMware has to immediately suspend a guest operating system. If, for example, an attacker is managing to find their way out of the honeypot, we want to stop them without losing our collected data. Rather than losing that valuable data by shutting down the operating system quickly, the system can be suspended, which allows it to later pick up from the last process it was executing when it was suspended. This cuts the attacker off and keeps the collected data safe. Some disadvantages of my self-contained honeynet are potentially big enough to persuade many not to attempt this type of honeynet. The biggest disadvantage is the system resources available on a single laptop. Running multiple operating systems, services, firewalls, virtualization software and other software at once requires a powerful system. During my experience, I was never able to run all five operating systems and my firewall at the same time without my computer slowing to a crawl. Many times I would only run about 3-4 at a time. I would be okay running multiple UNIX systems, but I could only run a single Windows system at a time. Another disadvantage is the potential for a single point of failure: since the entire honeynet uses the same hardware and software, one failure anywhere in hardware or software could bring the entire honeynet down. Hybrid honeynets are the same as self-contained honeynets with one big difference: the firewall is a separate system outside all the virtualization software. This can make them more secure, since the firewall would not be affected by problems on the honeynet.
Low-Interaction Honeypot
Low-interaction honeypots do just as they sound: they provide a low-interaction environment that hackers can interact with. These honeypots emulate real services and operating systems. Typically, low-interaction honeypots are just software installed on a computer that can be easily configured through a GUI. One such example is Honeyd. Honeyd allows the user to select what operating systems and services to emulate by simply clicking a button, and the software does the rest. One advantage of Honeyd is that it has the capability of emulating hundreds of services and operating systems. It also allows easy configuration of IP addresses to monitor and will even emulate the IP stack. The major drawback of low-interaction honeypots such as Honeyd is that the program just runs a script that expects specific input and gives a set output. Because the program expects something specific, if it receives a command it has not been programmed to recognize, it will send back an error message, which is a red flag to the hacker that something is not right and potentially reveals that they are in a honeypot environment.
High-Interaction Honeypot
This is the type of honeypot that I attempted to implement for my senior project. It was much more difficult than any research led me to believe. High-interaction honeypots are very different from low-interaction honeypots because they provide entirely real operating system environments that hackers can interact with. There is no software or hardware emulation. They only provide real software and services for hackers to use at will. This is important because it provides a greater ability to study a hacker in a real environment, without limitations on commands and software, where they are free to act as they normally would. The freedom to hack the system allows for much better data capture in research honeynets, to monitor intruder rootkits, keystrokes, commands, passwords and communications with other systems. The great thing about a high-interaction honeypot is that because real services and software are used, new, unexpected and unknown attacks can be captured. This type of freedom for hackers also introduces a great risk to honeypots and the networks that contain them. If proper security is not put into place, the attacker may be able to break out of the honeypot and into the actual network. There is a commercial version of a honeypot called Symantec Decoy Server. Although I could not find it on Symantec's web site, the limited notes I found claimed that it does not emulate any OS or services and that it only works with Solaris. It apparently uses real software and services but, instead of having separate machines with this software, it creates four partitions called "cages". These cages are actually honeypots that allow hackers to interact with them just as they would any other operating system.
Although there is not much information to be found on this commercial honeypot product, I wanted to bring attention to it. It seems this product was on the market in 2003, and then disappeared soon after. This may indicate that at one point the idea of honeynets and honeypots as a network security feature for corporations began to take off, and then quickly died out. In my personal opinion, I believe this has to do with the significant amount of overhead that can come from having a highly monitored high-interaction honeynet. Plus there is the risk of hackers being able to break into the real network.
Steps to Bridging:
1.) Processing starts at layer 1 of the OSI model. The NIC receives a bit stream; when it is recognized as a frame, it is moved to layer 2 for processing.
2.) Layer 2. The bridge searches for the destination MAC address in its bridging table. If found, the frame is moved to the appropriate interface for transmission. If the MAC address is not found, the frame is sent out on all interfaces except the one it arrived on.
3.) Layer 1. The outgoing interface takes the frame, converts the stream of bits back to electrical signals and transmits it.
Bridging is transparent to IP processing (an OSI layer 3 function). This is why honeywalls are undetectable: the IP header in the packet is not processed, and the packet passes through the honeywall untouched. Every time a packet goes through an IP processing device, the Time To Live (TTL)8 field of the IP header is reduced by one, which makes it possible to count the number of such devices between the source and destination. Because the honeywall has no IP stack and no IP addresses on the interfaces involved, attacking it is very difficult.

8 TTL specifies how long the datagram is allowed to live on the network, in terms of router hops. Each router decrements the value of the TTL field (reduces it by one) prior to transmitting it. If the TTL field drops to zero, the datagram is assumed to have taken too long a route and is discarded.
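To make the layer-2 versus layer-3 distinction above concrete, here is an added example written for this page in Python; it is not code from the paper or from the Honeywall project. It builds a constructed IPv4 header, passes it through a small learning bridge that implements the three bridging steps just listed, and through a simulated router hop that decrements TTL and recomputes the header checksum. The IP addresses, MAC addresses and port names are made up for the illustration.

```python
"""Added example (not from the paper): a layer-2 learning bridge beside a
layer-3 router hop, showing why a bridged honeywall leaves no trace in the
IP header while every router decrements TTL. All addresses are constructed."""
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Computed over a header
    whose checksum field is already filled in, the result is 0 if it is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ttl: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no payload) with a valid checksum."""
    def ip(addr):
        return bytes(int(x) for x in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def router_hop(header: bytes) -> bytes:
    """What a layer-3 device does: TTL - 1 and a recomputed checksum. A TTL of 1
    means the datagram is discarded instead of forwarded (footnote 8)."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: datagram discarded at this hop")
    out = bytearray(header)
    out[8] = ttl - 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)


class LearningBridge:
    """Transparent bridge: learns which port each source MAC lives on and
    forwards on MAC alone. The IP header rides through as opaque payload."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac, payload):
        self.table[src_mac] = in_port  # learn the source (step 2 in the text)
        known = self.table.get(dst_mac)
        if known is None:
            out_ports = [p for p in self.ports if p != in_port]  # flood
        elif known == in_port:
            out_ports = []  # destination is on the arrival segment: filter
        else:
            out_ports = [known]
        return out_ports, payload  # payload returned byte-for-byte unchanged


def compare_hops(ttl=64):
    """TTL the destination sees after one bridge hop vs one router hop."""
    pkt = build_ipv4_header(ttl, "10.0.0.5", "192.0.2.10")
    bridge = LearningBridge(["eth0", "eth1"])
    _, via_bridge = bridge.forward("eth0", "00:11:22:33:44:55", "66:77:88:99:aa:bb", pkt)
    via_router = router_hop(pkt)
    return {"bridge_ttl": via_bridge[8], "router_ttl": via_router[8]}


if __name__ == "__main__":
    print(compare_hops())  # {'bridge_ttl': 64, 'router_ttl': 63}
```

The bridge never reads byte 8 of the payload, so a traceroute from the attacker's side counts the same number of hops whether or not the honeywall sits in the path; the router hop, by contrast, changes both the TTL and the checksum on every packet it forwards.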
operating system. This also incorporates the idea that we need to give the hacker as much apparent freedom as possible without putting other systems at risk. Proper data control is done by filtering traffic with the firewall and shutting down unnecessary services and ports, among other methods. Data capture is where the fun happens: it is how it becomes possible to understand the tools, tactics and motives of hackers. One major tool used for data capture on my network is the keystroke logging software called Sebek. Sebek logs the commands entered through an SSH session, making it known what commands and passwords are being entered and the order in which the commands were entered.
Honeywall Management
An additional interface on the honeywall for management purposes separates management activity from malicious honeynet activity. An IP address is given to this interface to allow remote access, monitoring, configuring and intervention if necessary. This also provides a huge benefit because immediate recovery of any data logging is available, even if the hacker is still on the system. The immediate recovery of data logging is how attackers can be watched.
1.) Connection Rate Limiting Mode. This method uses the firewall located on the network to limit the number of outgoing connections from each honeypot. Because any honeynet activity is suspicious, large amounts of outgoing traffic can be a red flag that a system has been compromised, so limiting the outbound traffic creates security even within a honeypot. This is normally done by just limiting the number of outbound connections per hour. Limiting outbound connections on a honeypot also reduces the possibility of a compromised honeypot being used for DoS9 attacks. Another effective method is to limit outbound connections according to protocol, such as TCP, UDP, ICMP and many others.

2.) Packet Drop Mode. Three items must be defined first to understand this section better. 1. Snort-Inline is a modified version of Snort, which is a type of IDS; it has a built-in database of known attacks. 2. An Intrusion Prevention System (IPS) is "a network security device that monitors network and system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities." (Wikipedia) 3. IPTables is a powerful Linux firewall tool that enables users to create a set of rules for packet selection and rejection.

The Packet Drop Mode method is based on Snort-Inline's10 capability to detect and deal with malicious packets that are leaving the honeynet and headed toward a victim. Snort-Inline accepts or rejects packets based on a previously set group of rules configured through IPTables. Malicious packets that match a pattern of known attacks are dropped at the IPS. Packet Drop Mode is only as effective as the quantity and quality of its rules.

3.) Packet Replace Mode. This method also uses Snort-Inline, but instead of dropping packets, it modifies them so they are no longer harmful and forwards them on to their original destination. This type of data control is stealthier: hackers will only know that, for some unknown reason, the attack failed. This may encourage the hacker to use alternative methods to attack, which could lead to an increased amount of knowledge gained and more effective research.

9 Denial of Service involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. (Wikipedia)
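The first method above, connection rate limiting, is easy to reason about in code. The following added Python example is written for this page; it is not from the paper and it is not the Honeywall's actual firewall rule set. It applies a per-honeypot, per-protocol sliding one-hour window to constructed outbound-connection records of the kind a honeywall firewall log might hold, and then lists the honeypots that hit their quota as candidates for review. The hourly limits (15 TCP, 20 UDP, 50 ICMP), the honeypot addresses and the record format are assumed values chosen for the illustration.

```python
"""Added example (not from the paper): connection rate limiting as a
data-control check, run over constructed outbound-connection records.
Limits, addresses and log format are assumptions, not values from the paper."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits: new outbound connections allowed per honeypot per hour.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW = timedelta(hours=1)


class OutboundLimiter:
    """Sliding-window counter keyed by (honeypot, protocol).

    Once a honeypot has used its hourly quota of outbound connections for a
    protocol, further connections are dropped until old ones age out.
    """

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.history = defaultdict(deque)  # (host, proto) -> accepted timestamps

    def decide(self, ts, host, proto):
        q = self.history[(host, proto)]
        while q and ts - q[0] >= self.window:  # forget connections older than the window
            q.popleft()
        if len(q) >= self.limits.get(proto, 0):
            return "DROP"
        q.append(ts)
        return "ACCEPT"


def parse_record(line):
    """'YYYY-mm-dd HH:MM:SS <honeypot> <proto> <dest>' -> (ts, host, proto, dest)."""
    date, clock, host, proto, dest = line.split()
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), host, proto, dest


def constructed_sample():
    """Constructed log: 10.0.0.11 makes a few ordinary connections, while
    10.0.0.12 suddenly opens 17 TCP connections within one minute."""
    lines = [
        "2009-06-01 10:00:01 10.0.0.11 tcp 198.51.100.7:80",
        "2009-06-01 10:05:42 10.0.0.11 udp 198.51.100.53:53",
        "2009-06-01 10:20:10 10.0.0.11 tcp 198.51.100.9:443",
    ]
    for i in range(17):
        lines.append(f"2009-06-01 10:30:{i:02d} 10.0.0.12 tcp 203.0.113.{i + 1}:445")
    return lines


def apply_rate_limit(lines, limiter=None):
    """Return per-(host, proto) counts of ACCEPT and DROP decisions."""
    limiter = limiter or OutboundLimiter()
    summary = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for line in lines:
        ts, host, proto, _dest = parse_record(line)
        summary[(host, proto)][limiter.decide(ts, host, proto)] += 1
    return dict(summary)


def flag_suspicious(summary):
    """A honeypot that hit its outbound quota is a compromise candidate."""
    return sorted({host for (host, _proto), c in summary.items() if c["DROP"] > 0})


if __name__ == "__main__":
    result = apply_rate_limit(constructed_sample())
    for key, counts in sorted(result.items()):
        print(key, counts)
    print("review:", flag_suspicious(result))
```

The window is keyed by protocol as well as host, which is the refinement the paragraph mentions: a burst of UDP does not consume the TCP quota, and a honeypot behaving normally is never throttled. The dropped connections themselves are the signal worth reviewing, since on a honeynet nothing legitimate should be opening outbound connections at that rate.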
honeynet with the ability to alert with every connection made to the honeywall. As stated before, every connection with a honeynet is considered malicious, so false positives are greatly reduced. The great thing about logging all the connections is the ability to go back and review what connections were made to see if any trojans or backdoors were created.

2.) IDS. IDS systems can be very useful for honeynets when implemented on a honeywall or honeypot, and can also have some negative side effects, as mentioned earlier in part one. The logic behind IDS is pretty simple to understand. The idea is to check all packets entering or exiting a monitored network against a database of known attacks. When a known or suspected attack is found, it alerts the administrator. Network traffic sniffing is required for proper IDS function to analyze and capture packets. The disadvantage of this is the amount of false positives11 and false negatives12 that are generated. This can make a proper diagnosis of the situation difficult. Although IDS tactics can be useful, they are not necessary, since any traffic to and from a honeypot is considered malicious. The most popular IDS used in honeynets is Snort.

3.) Honeypot System Logging. This is where the keystroke logging software, Sebek, comes into play, because it is valuable data capture software installed on a honeypot and a server. Capturing data allows for reconstruction of an attack for further analysis and research. As mentioned before, capturing keystrokes and other types of logs is what a honeypot is all about. Keystroke logging like Sebek is effective because it captures the information at the kernel level, where it is no longer encrypted. As the old saying goes, what goes up must come down, so information that is encrypted must at some point be decrypted to be of any use (Corvovensis, 2006).

11 "A false positive is when an alarm indicates that an attack is in progress when there in fact is really no such attack" (Whitman, 2005)
12 A false negative is the opposite of a false positive. False negatives are any alert that should have happened but didn't.
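To make the false positive and false negative definitions above concrete, and to show why the paper says IDS signatures are optional on a honeynet, here is an added Python example written for this page; it is not from the paper and the two rules are not real Snort rules. It runs two constructed signatures over five constructed HTTP requests that a hypothetical analyst has labelled benign or malicious, counts true and false positives and negatives, and then applies the honeynet policy from the text, that every connection is an alert, to the same traffic.

```python
"""Added example (not from the paper): a toy signature IDS over constructed
HTTP requests, counting TP/FP/FN/TN, beside the honeynet policy that treats
every connection as an alert. Signatures and payloads are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: re.Pattern


# Constructed "database of known attacks": two rules only.
SIGNATURES = [
    Signature(1001, "Request references /etc/passwd", re.compile(r"/etc/passwd")),
    Signature(1002, "Shell command separator in CGI parameter",
              re.compile(r"[;|]\s*(id|uname|whoami)\b")),
]

# Constructed traffic: (analyst ground truth, payload). The label is what a
# human review decided afterwards; the IDS only ever sees the payload.
TRAFFIC = [
    ("benign", "GET /docs/unix-admin.html HTTP/1.1\r\nHost: www.example.org"),
    ("benign", "GET /search?q=format+of+/etc/passwd+file HTTP/1.1\r\nHost: www.example.org"),
    ("malicious", "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.1\r\nHost: www.example.org"),
    ("malicious", "GET /cgi-bin/run.cgi?cmd=;uname HTTP/1.1\r\nHost: www.example.org"),
    # A probe the rule set knows nothing about: the IDS stays silent (false negative).
    ("malicious", "GET /cgi-bin/status.cgi?mode=debug HTTP/1.1\r\nHost: www.example.org"),
]


def inspect(payload, signatures=SIGNATURES):
    """Return the signatures that fire on one payload (the IDS decision)."""
    return [s for s in signatures if s.pattern.search(payload)]


def signature_ids(payload):
    """Alert policy of a conventional IDS: alert only on a signature match."""
    return bool(inspect(payload))


def honeynet_policy(payload):
    """Alert policy from the text: on a honeynet every connection is suspect."""
    return True


def evaluate(traffic, alerts):
    """Count true/false positives and negatives for an alert policy
    alerts(payload) -> bool, against the analyst's labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for truth, payload in traffic:
        fired = alerts(payload)
        if truth == "malicious":
            counts["tp" if fired else "fn"] += 1
        else:
            counts["fp" if fired else "tn"] += 1
    return counts


if __name__ == "__main__":
    print("signature IDS:", evaluate(TRAFFIC, signature_ids))
    print("honeynet policy:", evaluate(TRAFFIC, honeynet_policy))
```

On the production-style sample the signature IDS produces one false positive (a search query that merely mentions the file name) and one false negative (a probe no rule describes). The honeynet policy has no false negatives but flags both benign requests; on a real honeynet, where there is no legitimate traffic, those two lines would not exist, which is the paper's point about reduced false positives.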
Sebek is a keystroke logger created specifically for honeynets and was actually created by the Honeynet Research Alliance. It is available for Solaris and Linux operating systems as well as Windows, where it comes with limited capabilities. Sebek is made up of two parts: the Sebek client and the server. The client is installed on a honeypot that needs to collect data, and the server is installed on the honeywall. The client package captures keystroke data and covertly sends it to the Sebek server. It is not noticeable since all data transfer is done at the kernel level. Once it reaches the honeywall it is safe and ready to be accessed. Data can be accessed from the Sebek server by sniffing the honeywall's interface or by using TCPDump13. For an example see the image below. The intruder at the red computer uses an SSH connection to access Honeypot A. The Sebek client software begins to send all activity about the intruder, unnoticed, to the Sebek server software located on the Honeywall Gateway.

Because the data captured is so valuable, it is important to keep it in a safe place out of the reach of the attackers. Data kept on a vulnerable honeypot could be erased by the attacker, which is why it is important to have the logs saved directly to a disc or sent to the honeywall for safe storage.

13 A common packet sniffer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
Conclusion
Honeynets have great potential for gathering information about attacks, hackers and overall network security. However, after much searching and research, I have come to a personal conclusion that a large corporation would most likely not implement and use a honeynet as a security feature. I could not find any company that has ever used a honeynet. That is probably due to the fact that companies don't normally advertise their network security plans to the world. Leaving that aside, there are many risks, such as the risk of a hacker breaking out of a honeynet and into the unprotected network. Also, there can be a lot of overhead and cost involved with honeynets if multiple systems and operating systems are involved. Non-virtual honeynets require lots of hardware, software and high-cost expertise to manage and control daily. It seems more logical and cost effective for companies to stick with their typical IDS, firewalls, traffic filtering and layers of security. Honeynets are great teaching tools for security and research, but I feel that is where their effectiveness ends, at least until the technology advances and better implementation practices are discovered.
Bibliography
Clark, M. (2007, November 7). Virtual Honeynets. Retrieved June 5, 2009, from SecurityFocus: http://www.securityfocus.com/
Corvovensis, Y. (2006). Snort-Inline and IPTables. In T. H. Team, Know Your Enemy (p. 106). Addison Wesley.
Higgins, K. (2007, April 23). Sweetening the Honeypot. Retrieved June 3, 2009, from Dark Reading: http://www.darkreading.com/
Honeypot. (2009, June 9). Retrieved June 9, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Honeypot_(computing)
Intrusion Detection. (2007, May 26). Retrieved June 18, 2009, from Intrusion Detection, Honeypots, and Incident Handling Resources: http://www.honeypots.net/
Project, T. H. (2006, May 31). Honeynets. Retrieved June 1, 2009, from The Honeynet Project: http://old.honeynet.org/papers/honeynet/
Shinder, D. (2006, May 25). Virtual honeynet: A Scalable Element of Your IDS Strategy. Retrieved June 5, 2009, from TechRepublic: http://articles.techrepublic.com.com
Spitzner, L. (2004). Honeypots. In T. H. Project, Know Your Enemy: Learning About Security Threats (pp. 19-20). New York: Addison Wesley.
Whitman, M. (2005). Principles of Information Security. Canada: Thomson Course Technology.
Wikipedia. (2009, July 13). Denial of Service. Retrieved July 17, 2009, from Wikipedia.com: http://en.wikipedia.org/wiki/Denial_of_service