KFSensor Honeypot and Intrusion Detection System Sunil Gurung [60-475] Security and Privacy on the Internet
Dec 29, 2015
KFSensorHoneypot and Intrusion Detection System
Sunil Gurung
[60-475] Security and Privacy on the Internet
Agenda
• Introduction
• Honeypot Technology
• KFSensor
• Components of KFSensor
• Features
• Tests
• Conclusion
Introduction
• Increasing security threats with proliferation of internet
• Network security – Firewall, IDS, antivirus.
• Traditional approach – defensive
• Today – offensive approach
• Honeypot
Honeypot Technology• “A honeypot is security resource whose value lies in
being probed, attacked, or compromised.” - Lance Spitzner
• we want attackers to probe and exploit the virtual system running emulated services.
• System no production value, no traffic, most connection probe, attack or compromised.
• Complements the traditional security tools.
Fig: The basic setup up of the honeypot system. In the figure two KFSensor are configured production honeypots.
Figure taken from “ User Manual of KFSensor – Help “
Advantages and Disadvantages
• Collects small set of data
• New techniques and tools (A)
• Minimal resources (A)
• Information (A)
• Simplicity (A)
• Limited View: Can’t capture attacks against other system (D)
• Risk : taken over by the bad guys (D)
Types of HoneypotInteraction: level of activity Honeypot allows with attacker
• Low InteractionEmulated services, easy to deploy and maintain, less risk.
Designed to capture only known attack
• High InteractionSetup real services and provides interaction with OS
More information, no assumption made give full open environments.
Can use the real honeypot to attack others.
KFSensor
• Commercial low interaction honeypot solution
• Windows OS
• Preconfigured services: ssh, http, ftp etc
• Easy configuration and flexible
Product detail:Software: KFSensor
Version: 2.2.1
License: Evaluation (14 days trial)
Vendor: Key Focus
Downloaded Site: http://www.keyfocus.net/kfsensor/
Installations• Download the application from the website• Initial wizard setup: Naming the domain, Email, Alerts• To install login as ADMINISTRATOR• C:\kfsensor\logs – XML files• Running the KFSensor server – as daemon – windows
service. [kfsnserve.exe]• Open up the KFSensor monitor - GUI
Components of KFSensor
KFSensor ServerPerforms core functionality, outsider interact with
The server, doesn’t have the GUI.
KFSensor MonitorInterprets all the data and alerts captured by server in
graphical form.
Features
• File Menu
Export [HTML, XML, TSV or CSV ], Service
• View Menu
Ports View, Visitors View
• Editing Scenarios
Editing Listens, Edit Rules, Sim Server
Editing Scenario
Editing ListensListen On:
Name : Identifies the listen when connection is made to the particular specificationProtocol: Choice between UDP or TCPPortBind Address: Should specify the IP address it binds too.
Action:Action Type: The action to performed once the connection is made by the outsiderSeverity: define the level of severity generated by the event to alert the admin.Time out : value in second for server to wait until it closes the
connectionSim Name: To specify the Sim Server.
Edit Rule
Sim Server• Sim Banner• Sim Standard Server
DOS attack configuration
Other FEATURES•Email Alerts•Log Database
Test Environment
• Inside the router• Outside of router1) University network [IP address: 137.207.238.113 – Sunil.uwindsor.ca]
2) Home network: putting the honeypot system inside the router [192.168.0.102]
3) Direct connection to internet through [24.57.84.215]
4) Tested on local machine [127.0.0.1]
Various test performed:
Test 1: FTP emulation
Test 2: SMTP
• Test 3: Other Test (Threats and Viruses)Sasser worm: TCP port 5554 Attacks from:1) IP 1: 218.253.9.215 – cm218-253-9-215.hkcable.com.hk2) Toronto-HSE ppp3864532.sympatico.ca
Test 3 -ContIIS, Dameware, MyDoom attacksIIS – Web Server, the KFSensor can emulate highly interactive service.Dameware – is a remote control application similar to VNC. Recently hackers use found its vulnerability in buffer overflow and have access to put their code.This threat uses port 6129.MyDoom – It’s a DDOS attack listen on port TCP 3127 and install a back door on the infected system.
Test 3 - ContLoveGate WormLoveGate worm infects the system through port 20168
Port Scanning
Conclusion
• Good user interface.
• Easy to configure emulation services
• Flexible
• Minimal risk
• Limited to only minimal transactions
Honeypot
Can not replace the existing system. Work better along with it.