KFSensor Honeypot and Intrusion Detection System Sunil Gurung [60-475] Security and Privacy on the Internet

Dec 29, 2015

Page 1:

KFSensor Honeypot and Intrusion Detection System

Sunil Gurung

[60-475] Security and Privacy on the Internet

Page 2:

Agenda

• Introduction

• Honeypot Technology

• KFSensor

• Components of KFSensor

• Features

• Tests

• Conclusion

Page 3:

Introduction

• Increasing security threats with the proliferation of the internet

• Network security – firewall, IDS, antivirus

• Traditional approach – defensive

• Today – offensive approach

• Honeypot

Page 4:

Honeypot Technology

• “A honeypot is a security resource whose value lies in being probed, attacked, or compromised.” - Lance Spitzner

• We want attackers to probe and exploit the virtual system running emulated services.

• The system has no production value and no legitimate traffic, so most connections are probes, attacks, or compromises.

• Complements the traditional security tools.

Page 5:

Fig: The basic setup of the honeypot system. In the figure, two KFSensor instances are configured as production honeypots.

Figure taken from “User Manual of KFSensor – Help”

Page 6:

Advantages and Disadvantages

• Collects a small set of data

• New techniques and tools (A)

• Minimal resources (A)

• Information (A)

• Simplicity (A)

• Limited view: can’t capture attacks against other systems (D)

• Risk: can be taken over by the bad guys (D)

Page 7:

Types of Honeypot

Interaction: the level of activity the honeypot allows with the attacker

• Low Interaction: Emulated services; easy to deploy and maintain, less risk. Designed to capture only known attacks.

• High Interaction: Sets up real services and provides interaction with the OS. More information; no assumptions are made, giving a full open environment. Risk: the real honeypot can be used to attack others.

Page 8:

KFSensor

• Commercial low-interaction honeypot solution

• Windows OS

• Preconfigured services: SSH, HTTP, FTP, etc.

• Easy configuration and flexible

Product detail:

Software: KFSensor

Version: 2.2.1

License: Evaluation (14-day trial)

Vendor: Key Focus

Download site: http://www.keyfocus.net/kfsensor/

Page 9:

Installations

• Download the application from the website

• Initial wizard setup: naming the domain, email, alerts

• To install, log in as ADMINISTRATOR

• C:\kfsensor\logs – XML files

• Running the KFSensor server – as a daemon – Windows service [kfsnserve.exe]

• Open up the KFSensor monitor – GUI

Page 10:

Components of KFSensor

KFSensor Server: Performs the core functionality; outsiders interact with the server. It does not have a GUI.

KFSensor Monitor: Interprets all the data and alerts captured by the server and presents them in graphical form.

Page 11:

Page 12:

Features

• File Menu

Export [HTML, XML, TSV or CSV], Service

• View Menu

Ports View, Visitors View

• Editing Scenarios

Editing Listens, Edit Rules, Sim Server

Page 13:

Editing Scenario

Page 14:

Editing Listens

Listen On:

Name: Identifies the listen when a connection is made to the particular specification

Protocol: Choice between UDP or TCP

Port

Bind Address: Should specify the IP address it binds to.

Action:

Action Type: The action to be performed once the connection is made by the outsider

Severity: Defines the level of severity generated by the event to alert the admin.

Time out: Value in seconds for the server to wait until it closes the connection

Sim Name: Specifies the Sim Server.
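As an added example (not KFSensor’s code or the presentation’s), the Python below builds a minimal low-interaction listen from the same fields: a Listen record carrying the name, protocol, port, bind address, action type, severity, timeout and sim name; a Sim Banner action that sends a banner on connect; and an event recorded for every connection at the listen’s severity. The banner table, the action name "SimBanner", the sim names and the event layout are assumptions for the illustration. The probe_listen helper plays the visitor over loopback so the script runs offline.

```python
"""Minimal low-interaction 'Sim Banner' listen, modelled on the fields of the
Editing Listens dialog (Name, Protocol, Port, Bind Address, Action Type,
Severity, Time out, Sim Name).  Added illustration, not KFSensor's code."""
import socket
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Listen:
    name: str                       # identifies the listen in the events it produces
    protocol: str                   # "TCP" or "UDP" (this illustration serves TCP only)
    port: int                       # 0 lets the OS pick a free port (handy for the demo)
    bind_address: str = "127.0.0.1"
    action_type: str = "SimBanner"  # assumed action name for the illustration
    severity: str = "Medium"        # level attached to every event from this listen
    timeout: float = 5.0            # seconds to wait for the visitor before closing
    sim_name: str = "ftp-banner"    # which sim server answers (assumed names below)


# Constructed banners standing in for the Sim Banner servers
SIM_BANNERS = {
    "ftp-banner": b"220 ftp.example.test FTP server ready\r\n",
    "smtp-banner": b"220 mail.example.test ESMTP ready\r\n",
}


@dataclass
class Event:
    listen: str
    severity: str
    peer: str
    received: bytes
    time: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def banner_for(listen: Listen) -> bytes:
    """Banner the sim server sends as soon as a visitor connects."""
    if listen.protocol != "TCP" or listen.action_type != "SimBanner":
        raise ValueError(f"unsupported listen: {listen.protocol}/{listen.action_type}")
    return SIM_BANNERS[listen.sim_name]


def make_event(listen: Listen, peer: tuple, received: bytes) -> Event:
    """A honeypot has no legitimate visitors, so every connection becomes an
    event carrying the listen's configured severity and whatever was sent."""
    return Event(listen=listen.name, severity=listen.severity,
                 peer=f"{peer[0]}:{peer[1]}", received=received)


def serve_one(listen: Listen, ready: threading.Event, sink: list) -> None:
    """Accept one TCP connection: send the banner, capture up to 1 KiB from
    the visitor (or nothing after the timeout), record the event, close."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((listen.bind_address, listen.port))
        srv.listen(1)
        listen.port = srv.getsockname()[1]   # resolve port 0 to the port in use
        ready.set()
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(listen.timeout)
            conn.sendall(banner_for(listen))
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""                   # visitor stayed silent until the timeout
            sink.append(make_event(listen, peer, data))


def probe_listen(listen: Listen, payload: bytes) -> tuple:
    """Play the visitor over loopback: start the listen in a thread, connect,
    read the banner, send a payload.  Returns (banner, recorded Event)."""
    ready, sink = threading.Event(), []
    worker = threading.Thread(target=serve_one, args=(listen, ready, sink), daemon=True)
    worker.start()
    ready.wait(2)
    with socket.create_connection((listen.bind_address, listen.port), timeout=2) as cli:
        banner = cli.recv(1024)
        cli.sendall(payload)
    worker.join(5)
    return banner, sink[0]


if __name__ == "__main__":
    ftp = Listen(name="FTP", protocol="TCP", port=0, sim_name="ftp-banner")
    banner, ev = probe_listen(ftp, b"USER anonymous\r\n")
    print(banner.decode().strip(), "|", ev.listen, ev.severity, ev.peer, ev.received)
```

The design point is the one the slide makes implicitly: the listen itself carries the severity, so triage needs no per-connection judgement, and the timeout bounds how long a silent visitor can hold a socket on the honeypot.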

Page 15:

Edit Rule

Page 16:

Sim Server

• Sim Banner

• Sim Standard Server

Page 17:

DOS attack configuration

Other FEATURES

• Email Alerts

• Log Database

Page 18:

Test Environment

• Inside the router

• Outside of the router

1) University network [IP address: 137.207.238.113 – Sunil.uwindsor.ca]

2) Home network: putting the honeypot system inside the router [192.168.0.102]

3) Direct connection to the internet through [24.57.84.215]

4) Tested on local machine [127.0.0.1]

Various tests performed:

Page 19:

Test 1: FTP emulation

Page 20:

Test 2: SMTP

Page 21:

Test 3: Other Tests (Threats and Viruses)

Sasser worm: TCP port 5554

Attacks from:

1) IP 1: 218.253.9.215 – cm218-253-9-215.hkcable.com.hk

2) Toronto-HSE ppp3864532.sympatico.ca

Page 22:

Test 3 - Cont.

IIS, Dameware, MyDoom attacks

IIS – Web server; KFSensor can emulate it as a highly interactive service.

Dameware – A remote control application similar to VNC. Attackers recently found a buffer overflow vulnerability in it and used it to place their code on the system. This threat uses port 6129.

MyDoom – A DDoS attack; it listens on TCP port 3127 and installs a back door on the infected system.

Page 23:

Test 3 - Cont.

LoveGate Worm

The LoveGate worm infects the system through port 20168

Port Scanning
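The ports on the Test 3 slides (5554, 6129, 3127, 20168), the port-scanning test and the CSV export together are enough for a first triage pass over the XML logs the installer drops in C:\kfsensor\logs. As an added example, not KFSensor’s code, the Python below parses a constructed event log (the element and attribute names are assumed; the slides do not show KFSensor’s own XML layout), tags events that hit those ports, flags a port scan when one source touches five or more distinct ports within a minute, and renders the result as CSV. The IP addresses, timestamps and thresholds are constructed for the illustration.

```python
"""Triage of honeypot event logs: tag events on the worm ports named in the
Test 3 slides, flag port scans, and render the result as CSV (one of the
Export formats).  Added illustration; the XML layout is assumed, not KFSensor's."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Port-to-threat table as given on the Test 3 slides
KNOWN_PORTS = {
    5554: "Sasser worm",
    6129: "Dameware",
    3127: "MyDoom",
    20168: "LoveGate worm",
}

# Constructed sample log (documentation addresses; schema assumed for the example)
SAMPLE_LOG = """<events>
  <event time="2015-12-01T10:00:01" proto="TCP" port="5554" ip="203.0.113.7" severity="High"/>
  <event time="2015-12-01T10:00:05" proto="TCP" port="21" ip="198.51.100.9" severity="Low"/>
  <event time="2015-12-01T10:01:00" proto="TCP" port="3127" ip="203.0.113.7" severity="High"/>
  <event time="2015-12-01T10:02:00" proto="TCP" port="22" ip="192.0.2.44" severity="Low"/>
  <event time="2015-12-01T10:02:01" proto="TCP" port="23" ip="192.0.2.44" severity="Low"/>
  <event time="2015-12-01T10:02:02" proto="TCP" port="25" ip="192.0.2.44" severity="Low"/>
  <event time="2015-12-01T10:02:03" proto="TCP" port="80" ip="192.0.2.44" severity="Low"/>
  <event time="2015-12-01T10:02:04" proto="TCP" port="443" ip="192.0.2.44" severity="Low"/>
  <event time="2015-12-01T10:30:00" proto="TCP" port="20168" ip="198.51.100.9" severity="High"/>
</events>
"""


def parse_events(xml_text: str) -> list:
    """Turn the XML log into dicts with a real datetime and an int port."""
    root = ET.fromstring(xml_text)
    events = []
    for el in root.iter("event"):
        events.append({
            "time": datetime.fromisoformat(el.get("time")),
            "proto": el.get("proto"),
            "port": int(el.get("port")),
            "ip": el.get("ip"),
            "severity": el.get("severity"),
        })
    return events


def classify(event: dict) -> str:
    """Label an event by the port it hit; unknown ports are plain probes."""
    return KNOWN_PORTS.get(event["port"], "emulated service probe")


def find_port_scans(events: list, min_ports: int = 5, window_s: int = 60) -> dict:
    """Report sources that touched at least min_ports distinct ports inside
    any window_s-second span.  Quadratic per source, fine for honeypot volumes."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    scans = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            ports = {e["port"] for e in evs[i:]
                     if (e["time"] - first["time"]).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scans[ip] = sorted(ports)
                break
    return scans


def to_csv(events: list) -> str:
    """Render tagged events as CSV, one row per event, threat label last."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["time", "ip", "proto", "port", "severity", "threat"])
    for e in events:
        w.writerow([e["time"].isoformat(), e["ip"], e["proto"],
                    e["port"], e["severity"], classify(e)])
    return out.getvalue()


def triage(xml_text: str) -> dict:
    """Full pass: parse, keep the known-threat hits, detect scans, export."""
    events = parse_events(xml_text)
    hits = [(e["ip"], e["port"], classify(e)) for e in events if e["port"] in KNOWN_PORTS]
    return {"events": len(events), "hits": hits,
            "scans": find_port_scans(events), "csv": to_csv(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, port, label in report["hits"]:
        print(f"{ip} -> port {port}: {label}")
    for ip, ports in report["scans"].items():
        print(f"port scan from {ip}: {ports}")
    print(report["csv"])
```

On the sample, the source that touched 22, 23, 25, 80 and 443 inside four seconds is reported as a scan while the two worm-port sources are not, which is the distinction the slides draw between a port-scanning visitor and a visitor that goes straight for one known backdoor port.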

Page 24:

Conclusion

• Good user interface.

• Easy to configure emulation services

• Flexible

• Minimal risk

• Limited to only minimal transactions

Honeypot

Cannot replace the existing systems; works better alongside them.