Wednesday, October 23, 2019

Encryption and network security Essay

Honeynets: Observing Hackers’ Tools, Tactics and Motives in a Controlled Environment

Solutions to hacker attacks are usually fixes that are developed after damage has been done. Honeynets were developed solely to catch and monitor threats (i.e. a probe, scan or attack). They are designed to gather extensive data about the threats. These data are then interpreted and used to develop new tools that prevent actual damage to computer systems. Talabis defines a honeynet as a network of high-interaction honeypots that simulates a production network and is configured such that all activity is monitored, recorded and, to a degree, discreetly regulated. Seen below is a diagram of a typical honeynet setup as given by Krasser, Grizzard, Owen and Levine.

Figure 1: A typical honeynet setup

Deployment of honeynets may vary, since a honeynet is an architecture. The key element of any honeynet is the honeywall. This is the command and control gateway through which all activities come and go. It separates the actual systems from the honeypot systems to which threats are intentionally directed. Two more elements are essential in any honeynet. These are discussed below.

Data Control

Data control is necessary to lessen the risks posed by the captured threats without compromising the amount of data you are able to gather. To do this, connection counting and a Network Intrusion Prevention System (NIPS) are used. These are both automated data controls. Connection counting limits outbound activity: connections beyond the limit are blocked. NIPS blocks or disables known threats before they can attack outbound. The Honeynet Project Research Alliance has defined a set of requirements and standards for the deployment of data control. First is the use of both manual and automated data controls. Second, there must be at least two layers of data control to protect against failure. Third, in case of failures, no one should be able to connect to the honeynet.
Fourth, the state of inbound and outbound connections must be logged. Fifth, remote administration of honeynets should be possible. Sixth, it should be very difficult for hackers to detect data control. And finally, automatic alerts should be raised when a honeynet is compromised.

Data Capture

The Honeynet Project identifies three critical layers of data capture: firewall logs, network traffic and system activity. The data collection capabilities of the honeynet should be able to capture all activities from all three layers. This allows for the production of a more useful analysis report. Firewall logs are created by the NIPS. The Snort process logs network traffic; Snort is a tool used to capture packets of inbound and outbound honeynet traffic. The third layer is the capture of keystrokes and of encrypted activity. Sebek is a tool that records attacker activity on the honeypot itself, so that data carried in encrypted packets can still be captured. Sebek covertly transmits the collected data to the honeywall without the hacker being able to sniff these packets.

Risks

As with any tool, honeynets are also threatened by risks affecting their usage and effectiveness. These include the risk of a hacker using the honeynet to attack a non-honeynet system; the risk of detection, wherein the honeynet is identified by the hacker and false data is then sent to the honeynet, producing misleading reports; and the risk of violation, wherein a hacker introduces illegal activity into your honeynet without your knowledge.

Alerting

As mentioned in the requirements and standards set for data control, alerts should be in place once an attack is made on your honeynet. Otherwise, the honeynet is useless. An administrator can monitor the honeynet 24/7, or automated alerts can be used. Swatch is a tool that can be used for this. Log files are monitored for patterns and, when one is found, an alert is issued via email or phone call. Commands and programs can also be triggered to run.
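As an added example (not code from the essay or from any Honeynet Project tool), the following Python simulates the two automated data controls described above, connection counting and NIPS, together with Swatch-style pattern alerting over the resulting log. The outbound limit, the threat signature and all addresses are constructed assumptions.

```python
"""Honeywall-style data control with alerting. Added example, not code from the
essay or from the Honeynet Project's tools; the limit, the NIPS signature and
all addresses are constructed assumptions."""
from collections import defaultdict
import re

OUTBOUND_LIMIT = 5                          # assumed per-honeypot outbound cap
HONEYPOTS = {"10.0.0.10", "10.0.0.11"}      # constructed honeypot addresses
KNOWN_THREAT = re.compile(rb"/bin/sh|cmd\.exe")   # stand-in NIPS signature
ALERT_PATTERN = re.compile(r"OUTBOUND (\S+?)->\S+ DROP (limit|nips)")

def control_traffic(events, limit=OUTBOUND_LIMIT):
    """Apply connection counting and NIPS to (src, dst, payload) events.
    Inbound traffic is always allowed so attackers can reach the honeypots;
    outbound traffic is dropped once a honeypot exceeds the limit or when the
    payload matches a known threat. Every decision is logged; the log is then
    scanned Swatch-style and one alert is raised per compromised honeypot."""
    counts = defaultdict(int)
    log, alerts, alerted = [], [], set()
    for src, dst, payload in events:
        if src not in HONEYPOTS:
            log.append(f"INBOUND {src}->{dst} ALLOW")
            continue
        if KNOWN_THREAT.search(payload):
            log.append(f"OUTBOUND {src}->{dst} DROP nips")
            continue
        counts[src] += 1
        if counts[src] > limit:
            log.append(f"OUTBOUND {src}->{dst} DROP limit")
        else:
            log.append(f"OUTBOUND {src}->{dst} ALLOW {counts[src]}/{limit}")
    for line in log:                        # pattern watch over the log
        m = ALERT_PATTERN.match(line)
        if m and m[1] not in alerted:
            alerted.add(m[1])
            alerts.append(f"ALERT honeypot {m[1]} compromised ({m[2]})")
    return log, alerts

# constructed traffic: one inbound probe, seven outbound connections from one
# honeypot, and one outbound payload carrying a known-threat string
SAMPLE_EVENTS = (
    [("203.0.113.5", "10.0.0.10", b"GET / HTTP/1.0")]
    + [("10.0.0.10", f"198.51.100.{i}", b"SYN") for i in range(1, 8)]
    + [("10.0.0.11", "198.51.100.9", b"/bin/sh -c id")]
)

if __name__ == "__main__":
    for line in sum(control_traffic(SAMPLE_EVENTS), []):
        print(line)
```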
Honeynet Tools

Several honeynet tools are available to the public for free so that anyone can set up their own honeynet for research purposes. These tools are used in the different elements of a honeynet. Discussed below are just three of them.

Honeynet Security Console

This is a tool used to view events on the honeynet. These events may come from Snort®, TCPDump, firewall, syslog and Sebek logs. Given these events, you will be able to come up with an analysis report by correlating the events that you have captured from each of the data types. The tool’s website lists its key features as follows: quick and easy setup; a user-friendly GUI for viewing event logs; powerful, interactive graphs with drill-down capabilities; simple search/correlation capabilities; integrated IP tools; a TCPDump payload and session decoder; and built-in passive OS fingerprinting and geographical location capabilities.

Honeywall CDRom Roo

This is the tool recommended for use by the Honeynet Project. It is a bootable CDRom containing all of the tools and functionality necessary to quickly create, easily maintain, and effectively analyze a third-generation honeynet. Much like the Honeynet Security Console, this tool capitalizes on its data analysis capability, which is the primary reason honeynets are deployed: to analyze hacker activity data. A GUI is used to maintain the honeywall and to track and analyze honeypot activities. It displays an overview of all inbound and outbound traffic. Network connections can be extracted in pcap format, and Ethereal, another tool, can then be used with the extracted data for a more in-depth analysis. Sebek data can also be analyzed by this tool. Walleye, another tool, is used for drawing visual graphs of processes. Although this tool may already be useful, several improvements will still have to be introduced to increase its effectiveness. Walleye currently supports only one honeynet.
Multiple honeynets can be deployed, but remote administration of these distributed systems still needs to be worked on.

Sebek

This is a tool used for data capture within the kernel. This is done by intercepting the read() system call. It covertly captures the activity of hackers on the honeypot, inbound and outbound, even when that activity travels in encrypted packets. Basically, Sebek will tell us when the hacker attacked the honeypot, how he attacked it and why, by logging his activities. It consists of two components. First, a client that runs on the honeypot. Its purpose is to capture keystrokes, file uploads and passwords. After capturing, it then sends the data to the server, the second component. The server normally runs on the honeywall, where all captured data from the honeypot are stored. Found below is the Sebek architecture.

Figure 2: Sebek Architecture

A web interface is also available to analyze the data contained in the Sebek database. Three views are available: the keystroke summary view; the search view; and the table view, which provides a summary of all activities including non-keystroke activities.

References

Honeynet Security Console. Retrieved October 8, 2007 from http://www.activeworx.org/onlinehelp/hsc/hsc.htm.
Krasser, S., Grizzard, J., Owen, H., & Levine, J. (2005). The use of honeynets to increase computer network security and user awareness. Journal of Security Education, 1, 23-37.
Piazza, P. (2001, November). Honeynet Attracts Hacker Attention: The Honeynet Project Set Up a Typical Computer Network and Then Watched to See What Turned Up. Security Management, 45, 34.
Sebek™ FAQ. Retrieved October 8, 2007 from http://www.honeynet.org/tools/sebek/faq.html.
The Honeynet Project. (2005, May 12). Know Your Enemy: Honeynets. What a honeynet is, its value, and risk/issues involved. Retrieved October 8, 2007 from http://www.honeynet.org.
Talabis, R. The Philippine Honeynet Project. A Primer on Honeynet Data Control Requirements. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.
Talabis, R. A Primer on Honeynet Data Collection Requirements and Standards. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.
Talabis, R. Honeynets: A Honeynet Definition. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.
Talabis, R. The Gen II and Gen III Honeynet Architecture. Retrieved October 8, 2007 from http://www.philippinehoneynet.org/index.php?option=com_docman&task=cat_view&gid=18&Itemid=29.
The Honeynet Project. (2005, May 12). Know Your Enemy: GenII Honeynets. Easier to deploy, harder to detect, safer to maintain. Retrieved October 8, 2007 from http://www.honeynet.org.
The Honeynet Project and Research Alliance. (2005, August 17). Know Your Enemy: Honeywall CDRom Roo. 3rd Generation Technology. Retrieved October 8, 2007 from http://www.honeynet.org.
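As an added example tying together the three data capture layers the essay describes (firewall logs, Snort network traffic and Sebek system activity) and the event correlation it attributes to the Honeynet Security Console, the following Python merges constructed records from all three layers into one per-honeypot timeline. It is not code from the essay or from any of the tools named; the record formats and addresses are constructed assumptions, not the tools' real log formats.

```python
"""Correlating the three data capture layers (firewall log, Snort alerts, Sebek
keystrokes) into one per-honeypot timeline, the analysis the essay attributes
to the Honeynet Security Console. Added example, not code from the essay or
from the tools named; record formats and addresses are constructed stand-ins."""
import re
from datetime import datetime

HONEYPOTS = {"10.0.0.10"}
FMT = "%Y-%m-%d %H:%M:%S"
FIREWALL_LOG = [   # constructed sample records, one list per capture layer
    "2019-10-23 10:01:00 fw ACCEPT SRC=203.0.113.5 DST=10.0.0.10 DPT=22",
    "2019-10-23 10:03:10 fw DROP SRC=10.0.0.10 DST=198.51.100.7 DPT=25",
]
SNORT_LOG = ["10/23-10:01:02.000000 [**] SSH login attempt (constructed sig) [**] "
             "{TCP} 203.0.113.5:4444 -> 10.0.0.10:22"]
SEBEK_LOG = ["2019-10-23 10:02:30 10.0.0.10 uid=0 pid=1234 cmd=bash: uname -a"]

def parse_firewall(line):
    m = re.match(r"(\S+ \S+) fw (\w+) SRC=(\S+) DST=(\S+) DPT=(\d+)", line)
    return datetime.strptime(m[1], FMT), "firewall", m[3], m[4], f"{m[2]} to port {m[5]}"

def parse_snort(line, year=2019):   # Snort-style timestamps carry no year
    m = re.match(r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] (.+?) \[\*\*\] "
                 r".* (\S+):\d+ -> (\S+):\d+", line)
    return datetime.strptime(f"{year}-{m[1]}-{m[2]} {m[3]}", FMT), "snort", m[5], m[6], m[4]

def parse_sebek(line):              # keystrokes have no network peer
    m = re.match(r"(\S+ \S+) (\S+) uid=(\d+) pid=\d+ cmd=(.+)", line)
    return datetime.strptime(m[1], FMT), "sebek", m[2], "local", f"uid={m[3]} {m[4]}"

def correlate(firewall, snort, sebek):
    """Merge all three layers, attribute each event to the honeypot it touched,
    and order by time. Returns {honeypot: [(time, layer, peer, detail), ...]}."""
    events = ([parse_firewall(l) for l in firewall] + [parse_snort(l) for l in snort]
              + [parse_sebek(l) for l in sebek])
    timeline = {}
    for ts, layer, src, dst, detail in events:
        hp, peer = (src, dst) if src in HONEYPOTS else (dst, src)
        if hp in HONEYPOTS:          # anything else is not honeynet traffic
            timeline.setdefault(hp, []).append((ts, layer, peer, detail))
    for hp in timeline:
        timeline[hp].sort()
    return timeline

if __name__ == "__main__":
    for hp, events in correlate(FIREWALL_LOG, SNORT_LOG, SEBEK_LOG).items():
        print(hp)
        for ts, layer, peer, detail in events:
            print(f"  {ts:%H:%M:%S} {layer:8} {peer:14} {detail}")
```

The resulting timeline reads from the inbound SSH connection, through the Snort alert and the root keystrokes Sebek recorded, to the blocked outbound connection the honeywall logged, which is the whole story of one compromise drawn from three separate data sources.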
