
HONEYPOTS & KF SENSOR

AGENDA
• Introduction
• Honeypot Technology
• KFSensor
• Components of KFSensor
• Features
• Tests
• Conclusion
INTRODUCTION
• Increasing security threats with proliferation of internet
• Network security – Firewall, IDS, antivirus.
• Traditional approach – defensive
• Today – offensive approach
• Honeypot
HONEYPOTS
Honeypot Technology
• “A honeypot is security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner

• A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems

• They are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering

• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource
TYPES OF HONEYPOT
Interaction: the level of activity the honeypot allows an attacker

Low Interaction
Emulated services; easy to deploy and maintain; less risk.
Designed to capture only known attacks.

High Interaction
Sets up real services and provides interaction with the OS.
Captures more information; makes no assumptions and gives a full, open environment.
Risk: the real honeypot can be used to attack others.
KFSENSOR
• Commercial low interaction honeypot solution
• Windows OS
• Preconfigured services: ssh, http, ftp etc
• Easy configuration and flexible
• Product detail:
• Software: KFSensor
• Version: 2.2.1
• License: Evaluation (14 days trial)
• Vendor: Key Focus
• Downloaded Site: http://www.keyfocus.net/kfsensor/
INSTALLATION STEPS
• Download the application from the website
• Initial wizard setup: Naming the domain, Email, Alerts
• To install, log in as ADMINISTRATOR
• C:\kfsensor\logs – XML files
• Running the KFSensor server – as daemon – windows service. [kfsnserve.exe]
• Open up the KFSensor monitor - GUI
COMPONENTS OF KF SENSOR

• KFSensor Server

Performs the core functionality. Outsiders interact with the server; it doesn’t have a GUI.

• KFSensor Monitor

Interprets all the data and alerts captured by the server and presents them in graphical form.
FEATURES
• File Menu
• Export [HTML, XML, TSV or CSV ], Service
• View Menu
• Ports View, Visitors View
• Editing Scenarios
• Editing Listens, Edit Rules, Sim Server
EDITING SCENARIO
EDITING LISTENS
Listen On:
Name: Identifies the listen when a connection is made to that particular specification
Protocol: Choice between UDP or TCP
Port
Bind Address: The IP address the listen binds to
Action:
Action Type: The action to be performed once the connection is made by the outsider
Severity: Defines the level of severity generated by the event to alert the admin
Time out: Value in seconds for the server to wait until it closes the connection
Sim Name: Specifies the Sim Server
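
The listen fields above, shown as a small banner-emulating TCP listener. This is an added example, not KFSensor code or its configuration format: the Listen class, handle_connection, run_listen, the port 2121 and the banner text are all assumptions made for illustration.

```python
import socket
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Listen:                # hypothetical model of one listen definition
    name: str                # identifies the listen in every event
    port: int
    bind_address: str        # interface the listener binds to
    severity: str            # level attached to events from this listen
    timeout: float           # seconds to wait before closing the connection
    banner: bytes            # greeting sent first, as a banner-style sim would
    protocol: str = "TCP"

def handle_connection(listen, conn, peer_ip):
    """Send the banner, capture at most 1 KiB from the visitor, then close."""
    conn.settimeout(listen.timeout)
    received = b""
    try:
        conn.sendall(listen.banner)
        received = conn.recv(1024)
    except OSError:
        pass  # timeout or reset: a silent visitor is still an event
    finally:
        conn.close()
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "listen": listen.name,
        "visitor": peer_ip,
        "port": listen.port,
        "severity": listen.severity,
        # repr() keeps control characters from being written raw into a log
        "received": repr(received),
    }

def run_listen(listen, on_event=print):
    """Bind to the configured address and serve one visitor at a time."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((listen.bind_address, listen.port))
        srv.listen(5)
        while True:
            conn, (peer_ip, _) = srv.accept()
            on_event(handle_connection(listen, conn, peer_ip))

# Constructed sample values, not an exported KFSensor scenario.
FTP_LISTEN = Listen("FTP", 2121, "127.0.0.1", "medium", 5.0,
                    b"220 FTP server ready\r\n")

if __name__ == "__main__":
    run_listen(FTP_LISTEN)
```

Because the listener never executes what it receives and closes after one read, it stays within the low-interaction model: it records the first thing a visitor sends and nothing more.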
EDIT RULE
SIM SERVER
Sim Banner
Sim Standard Server
DOS ATTACK CONFIGURATION

OTHER FEATURES
• Email Alerts
• Log Database
TEST 1: FTP EMULATION
TEST 2: SMTP
CONCLUSION
• Good user interface.
• Easy to configure emulation services
• Flexible
• Minimal risk
• Limited to only minimal transactions
• A honeypot cannot replace the existing system; it works better alongside it.
