honeywall cd-rom. 2 developers and speakers dave dittrich university of washington rob mcmillen...
Post on 22-Dec-2015
217 views
TRANSCRIPT
Honeywall CD-ROM
2
Developers and Speakers
Dave DittrichUniversity of Washington
Rob McMillen
USMC
Jeff NathanSygate
William SaluskyAOL
3
A case for Honeynets
Research of attack technologies and methodologies
Root-cause analysis of attack motives "Target of choice or target of chance?"
“Getting the problem statement right” Dr. Dan Geer, Journal of the Advanced Computing Systems Association (USENIX) - June 2003, Volume 28, number 3
Self defense Incident response and forensic analysis Deception and deterrence
4
Problem: Simplify Honeynet deployment
Current Honeynets deployments require considerable effort. Lack of standardized deployment platform. Lack of standardized configuration mechanism to
faciliate large-scale Honeynet deployment. How can Honeynet deployment (especially large-
scale deployments) be simplified? How can Generation II Honeynet technologies be
packaged into an easy to use system?
5
Solution: The Honeywall
A self-contained Honeynet data control and data management system
An easily configurable system Simplify deployment and management
Build a system using a bootable CD-ROM. Simplify configuration and management using plain text
files. Use commodity PC hardware to minimize costs. Offer routing and bridging functionality to ease network
integration. Minimize customization efforts with built-in
customization hooks.
6
Honeywall overview
Bootable Linux CD-ROM Utilizes existing Honeynet data control and data
capture technologies. iptables (custom Honeywall configuration via
rc.firewall) Snort-inline Snort
Menu-driven configuration interface for easy configuration.
Single configuration file for interactive or automated configuration.
7
Honeywall implementation
Bootable Linux system from ramdisk, logging to hard disk Boot image consists of Linux kernel Kernel image contains compressed initial ramdisk
image to bootstrap system Second stage boot process contains more
complete Linux system Generation II Honeynet gateway in a box
Data control system using iptables Operates as a routing or bridging device Makes a reasonable attempt to prevent stepping stones
8
Honeywall implementation (continued)
Complex attack detection/mitigation using Snort-inline Hooks into iptables using queues (libipqueue), performs
Gateway Intrusion Detection Detects low-level protocol attacks abuses Can modify outgoing attacks to prevent compromise of
third-party systems
Data capture facilities using Snort and Snort-inline Captures every packet traversing the Honeywall
9
Honeywall implementation (continued)
(Data capture..) Generates alerts for events matching
conditions within the Snort and Snort-inline Facilitates forensic analysis of network data to
identify new tools, techniques, trend and behavioral analysis of attack incidents
Leverages commodity PC hardware and a CD-ROM for minimal deployment effort
Extensible shell scripting architecture
10
Honeywall boot process
Honeywall initialization Extracts tar/gzip compressed archive of
supplemental commands Look for pre-configured Honeywall hard disk Perform final configuration of data control
components Execute custom.sh and other “hook” scripts
Start administration interface
11
Honeywall customization
Floppy disk configuration file Modify ISO w/custom script before burning
Just use custom.sh to set variables, start things Use custom.sh to communicate with central server Use SSH to set variables from central
management host Rip ISO apart, modify file system, then rebuild
Allows adding new programs, new services, new capabilities
Supports development independant of the Honeynet Project
12
Honeywall deployment
Requires a PC hardware with 3 network interfaces using IDE disks and 256MB RAM
Connected to an existing network of hosts by placing the Honeywall systems between possible attackers and the Honeynet systems
13
Honeynet deployment (continued)
14
Future work (a production system)
Integration of Honey Inspector UI Web interface to customize ISO Command shell for remote mangement Remote Honeywall Manager
15
Resources and questions
Email:
Watch the tools section on
http://project.honeynet.org
Questions?
16
Customization in more detail
How a CD-ROM is born Modification of ISO image De/reconstruction of ISO image