Network Security Administrator Module IX: Bastion Host and Honeypots
Nov 30, 2015
EC-Council. Copyright © by EC-Council. All rights reserved. Reproduction is strictly prohibited.
Module Objectives
Introduction to Bastion host
Principles of Bastion hosts
Requirements to set up Bastion host
History of Honeypots
Introduction to Honeypots
Classification of Honeypots by interaction
Introduction and Types of Homemade Honeypots
High-interaction Commercial Honeypot: Mantrap
High-interaction Productive Honeypot: Honeynet
Deployment of Honeynet
Legal issues related to Honeypots
Module Flow
Bastion host
Principles of Bastion hosts
Requirements to set up Bastion host
Honeypots
Classification of Honeypots
Homemade Honeypots
Mantrap
Honeynet
Deployment of Honeypot
Legal issues related to Honeypots
Bastion Host - Introduction
Acts as a gateway between the organizational intranet and the outside network
Has an interface on the Internet, deliberately exposed to attacks and probing
Designed and configured to provide only a limited range of services, so that the exposed attack surface is small and can be hardened
Used for:
• Packet filtering
• Proxy services
Kinds of Bastion Hosts
Need for a Bastion Host
Minimizes the chances of penetration by intruders and attackers
Keeps customer data off public-facing services such as FTP servers, so that a compromise of the exposed service does not expose that data
Basic Principles for Building a Bastion Host
Provide the minimum set of services, each running with the least rights it needs
Be prepared for the bastion host to be compromised: assume it will be, and plan so that a compromise does not give access to the internal network
Locate the bastion host between the internal servers and the outside network
Administrators should be alerted to any attacker's attempt against the host
If the bastion host fails or is compromised, internal servers must not trust it: verify anything it provides rather than relying on it
General Requirements to Set Up a Bastion Host
General requirements
• Unwanted services must be removed
• A security audit is run to establish a baseline
Hardware requirements
• Connected to the network
• Uninterrupted power supply
• Appropriate configuration of the system and peripherals
• Sufficient memory and disk space
• Removable boot disk for maintenance
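A baseline check of the kind the first two requirements call for, as an added example (not code from the module): it parses the output of `ss -tlnp` and reports every listening socket that is not on an allowlist, so that an unwanted service that crept back after a package update is caught. The sample `ss` output and the allowlist (only SSH and a Squid proxy are expected on this bastion host) are constructed assumptions.

```python
"""Bastion host baseline: report listening TCP sockets not on the allowlist.

Added example, not part of the module. Runs against a constructed sample of
`ss -tlnp` output; live_ss_output() shows how to feed it the real thing on Linux.
"""
import re
import subprocess
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port process")

# Constructed sample in the format printed by `ss -tlnp` on Linux (assumed).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:3128        0.0.0.0:*          users:(("squid",pid=901,fd=12))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=655,fd=7))
LISTEN  0       50      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=1203,fd=4))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed baseline: (port, process) pairs this bastion host is allowed to expose.
ALLOWED = {(22, "sshd"), (3128, "squid")}

_ADDR_RE = re.compile(r"^(.*):(\d+)$")        # "0.0.0.0:22" or "[::]:22"
_PROC_RE = re.compile(r'\(\("([^"]+)"')      # process name inside users:(("name",pid=...))


def parse_ss(output: str):
    """Turn `ss -tlnp` text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        m = _ADDR_RE.match(cols[3])
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        pm = _PROC_RE.search(cols[5]) if len(cols) > 5 else None
        proc = pm.group(1) if pm else "?"
        listeners.append(Listener("tcp", addr, port, proc))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED):
    """Listeners absent from the baseline. Loopback-only services are reported too:
    on a bastion host anything not on the allowlist must be justified or removed."""
    return [l for l in listeners if (l.port, l.process) not in allowed]


def live_ss_output() -> str:
    """Run `ss -tlnp` on the local system (Linux only; needs root to see all process names)."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {l.process} on {l.addr}:{l.port}")
```

Run it from cron after the initial audit and diff its output against the stored baseline; on the constructed sample it flags the CUPS and FTP listeners and accepts both sshd sockets.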
Selecting the OS for the Bastion Host
A bastion host can be built on various operating systems
UNIX
• Advantages:
– Provides a variety of tools to create bastion hosts
– Popular for Internet services; software for audit and development is readily available
• Disadvantages:
– Highly time consuming
– Frequent updating is required
Windows
• Advantages:
– Consistent and widely used as a server platform
• Disadvantages:
– Complex to implement as a bastion host
Positioning the Bastion host
Bastion hosts act as a check-in gate for outsiders
The major considerations for positioning are:
• Physical location
– Appropriate environmental controls with the required physical security
– Must be set up in a locked server cabinet with proper ventilation, cooling and backup power
• Network location
– Set on a special network, also known as the demilitarized zone (DMZ), that does not carry sensitive data
– Avoid putting the bastion host on internal networks
– Locate the bastion host on an additional layer known as the perimeter network
– Protect it with a packet-filtering router
History of Honeypots
1990/1991: The book "The Cuckoo's Egg" by Clifford Stoll and the paper "An Evening with Berferd" by Bill Cheswick highlighted the concept
1997: The first honeypot solution was released as the Deception Toolkit by Fred Cohen
1998: CyberCop Sting became the first commercial honeypot, developed by Alfred Huger
2000/2001: Honeypots were used to capture and study worm activity
2002: Honeypots were used to detect new and unknown attacks, such as the one against Solaris dtspcd
Introduction to Honeypots
Deception Tool Kit (DTK) is the first honeypot solution built by Fred Cohen
According to Lance Spitzner, "A honeypot is a security resource whose value lies in being compromised."
Not restricted to a single goal
• Can complement security mechanisms such as IDS and antivirus
Prevents, detects, or responds to attacks, depending on its interaction level
Advantages and Disadvantages of Honeypots
Advantages:
• Collects a small amount of data, but of high value
• Reduces false positives
• Catches new attacks, reducing false negatives
• Simple concept requiring minimal resources
Disadvantages:
• Limited field of view (microscope)
• Fingerprinting
• Risk (mainly with high-interaction honeypots)
How to Select a Honeypot?
Interaction level
• The risk factor increases as the interaction level increases
Commercial vs. homemade
• Commercial honeypots provide efficient, supported functionality
• Homemade honeypots provide a customized solution
Platform
• Determines the performance and effectiveness of the honeypot
Production Honeypots
Used to protect production systems
They do so in one of three ways:
• Prevention
• Detection
• Response
Research Honeypots
Value is in providing information about attacks
Advantages of research honeypots:
• Capture automated attacks from worms and auto-rooters
• Provide early warning of potential threats
• Capture and detect unknown tools and techniques
• Provide information on the tools used, attack methods, and motives of the attacker
Classification by Interaction
The level of interaction helps in:
• Calculating and measuring the extent of the threat
• Gathering information about the threat
Honeypots are classified into three types based on interaction:
Low-Interaction Honeypots
Medium-Interaction Honeypots
High-Interaction Honeypots
Low-Interaction Honeypots
Basic function is to detect unauthorized connection attempts and system scans
Easy to build, configure and deploy
Basic details of an attack that can be captured:
• Time and date
• Source and destination IPs and ports
Can only detect known attack patterns: the emulated service is too shallow for an unknown exploit to reveal itself
Medium-Interaction Honeypots
Provides a virtual (emulated) environment to mislead the attacker
Captures worm payloads
Takes time to build, install and configure
Enhanced functionality increases complexity and risk
Provides details such as the IRC chat of intruders
High-Interaction Honeypots
Provides in-depth attack information such as keystrokes and conversations
Allows the attacker to access and compromise a real operating system
Placed behind a firewall that limits outbound traffic, so that the compromised honeypot cannot be used to attack other systems or services
Complex functionality requires more time to build, deploy and configure
Homemade Honeypots
Created using familiar tools, with the flexibility to add desired functionality
Designed to meet specific security concerns
Two kinds of homemade honeypots: port-monitoring honeypots and caged (jailed) honeypots
Homemade Honeypots: Port-Monitoring Honeypots
Creates an open socket that listens on a port, then identifies, captures and logs connection attempts
Value lies in detection, capture and research
Logs of attack information are used to research and learn about intruder activity
Limits the attacker to very little functionality
If run in an insecure environment, the host itself can be compromised
Homemade Honeypots: Jailed Environment
Medium-interaction honeypots
Services are placed inside jails (such as a chroot environment), which confine attacks to that jail
Allows the intruder to attack the services, but a compromise stays confined to the jail
Used as both research and production honeypots
Collects data using logs and utilities
Services in jails are still exposed to threats
ManTrap
High-interaction commercial honeypot that provides the intruder with the functionality of a real operating system
Value is in prevention, detection, response and research
Detects attacks on ports it is not listening on, using a passive sniffer
Captures details of the attack at the network level
Restricted to the Solaris platform
Honeypots
Commercial and open source honeypots available on the Internet
Commercial honeypots:
• KFSensor
• NetBait
• ManTrap
• Specter
Open source honeypots:
• Jackpot
• BackOfficer Friendly
• Bait-n-Switch
• Bigeye
• HoneyWeb
• Deception Toolkit
• LaBrea Tarpit
• Honeyd
• Honeynets
• Tiny Honeypot
Honeypot: The Deception ToolKit
A generic interface that listens on ports and processes incoming requests
Sends plausible responses to deceive the attacker
Maintains log files and checks the input sent to the system
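The listener behind both the port-monitoring honeypot slide and the Deception Toolkit slide, as an added example (not code from the module, from DTK, or from any product): it opens a socket on one or more ports, sends a fake service banner, records who connected and the first thing they sent, and then closes. Nothing the attacker sends is ever interpreted, which is what keeps the interaction low. The banner text and the loopback-only binding are assumptions for the demo.

```python
"""Port-monitoring honeypot with a deceptive banner.

Added example, not from the module or any honeypot product. Accept, send a
fake banner, log (time, source, destination port, first payload), close.
"""
import socket
import threading
import time
from datetime import datetime, timezone

DEFAULT_BANNER = b"220 mail.example.internal ESMTP ready\r\n"   # assumed fake banner


class Honeypot:
    """Low-interaction listener: every connection is logged, none is served."""

    def __init__(self, ports=(0,), host="127.0.0.1", banners=None, timeout=2.0):
        self.host = host                 # assumed loopback for the demo; use the DMZ address in practice
        self.ports = list(ports)         # port 0 lets the OS pick a free port (handy for tests)
        self.banners = banners or {}     # per-port banner overrides
        self.timeout = timeout
        self.events = []                 # captured connection records
        self._lock = threading.Lock()
        self._servers = []
        self._running = False

    def start(self):
        self._running = True
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.host, port))
            srv.listen(16)
            srv.settimeout(0.2)          # short timeout so the accept loop notices stop()
            self._servers.append(srv)
            threading.Thread(target=self._accept_loop, args=(srv,), daemon=True).start()
        return self.bound_ports()

    def bound_ports(self):
        return [s.getsockname()[1] for s in self._servers]

    def stop(self):
        self._running = False
        for s in self._servers:
            s.close()

    def _accept_loop(self, srv):
        port = srv.getsockname()[1]
        while self._running:
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            except OSError:              # socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr, port), daemon=True).start()

    def _handle(self, conn, addr, dst_port):
        started = datetime.now(timezone.utc)
        payload = b""
        try:
            conn.settimeout(self.timeout)
            conn.sendall(self.banners.get(dst_port, DEFAULT_BANNER))
            payload = conn.recv(512)     # one read only: the attacker's first move, not a session
        except OSError:
            pass
        finally:
            conn.close()
        event = {"time": started.isoformat(), "src_ip": addr[0], "src_port": addr[1],
                 "dst_port": dst_port, "payload": payload}
        with self._lock:
            self.events.append(event)

    def wait_for_events(self, count, timeout=5.0):
        """Block until `count` events were logged (or timeout); returns a copy of the log."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(port, data=b"", host="127.0.0.1"):
    """Act as the attacker: connect, read the banner, optionally send a first command."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(512)
        if data:
            c.sendall(data)
    return banner


if __name__ == "__main__":
    hp = Honeypot(ports=(0,))
    (port,) = hp.start()
    print("honeypot listening on", port)
    print("client saw:", probe(port, b"EHLO attacker\r\n"))
    for ev in hp.wait_for_events(1):
        print(ev)
    hp.stop()
```

The event record is exactly the low-interaction data set the module lists (time and date, source and destination addresses and ports) plus the first payload; feed it to a log collector rather than keeping it in memory on a real deployment.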
Honeypot: Jackpot
SMTP relay honeypot developed in Java
Accepts incoming Internet mail messages and relays only selected messages
Retains captured spam as a collection of web pages
Executes proxy tests on hosts that connect to TCP port 25
Supports a tarpit facility (slowing responses to tie up the spammer)
[Diagram: incoming and outgoing mail flow through Jackpot]
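The core of an SMTP relay honeypot of the kind Jackpot is, as an added example (not Jackpot's code, and without sockets so it runs offline): a session state machine that accepts mail, classifies each RCPT TO as local or a relay attempt, stores the message instead of delivering it, and raises a tarpit delay each time a relay attempt is seen. The local domain list and the delay step are assumptions; wire it behind a TCP listener to use it.

```python
"""SMTP relay honeypot session (protocol state machine only, no sockets).

Added example, not Jackpot's code. Accepts a mail session, logs it, flags
recipients outside our domains as relay attempts, never relays anything,
and reports how long the caller should stall before answering (tarpit).
"""
import re

LOCAL_DOMAINS = {"example.internal"}   # assumed: mail for these domains is "ours"
TARPIT_STEP = 5.0                       # assumed: seconds added to the delay per relay attempt

_ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


class SmtpHoneypotSession:
    def __init__(self, client_ip, local_domains=LOCAL_DOMAINS):
        self.client_ip = client_ip
        self.local_domains = {d.lower() for d in local_domains}
        self.log = []             # (command, response) pairs for the analyst
        self.rcpts = []           # every recipient the client asked for
        self.relay_attempts = []  # recipients outside our domains
        self.messages = []        # captured message bodies (never delivered)
        self.tarpit_delay = 0.0   # seconds the caller should sleep before each reply
        self._in_data = False
        self._buffer = []

    def greeting(self):
        return "220 mail.example.internal ESMTP ready"

    def handle(self, line):
        """Response for one client line; DATA body lines return None until the '.' terminator."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self.messages.append("\n".join(self._buffer))
                self._buffer = []
                return self._reply(line, "250 2.0.0 Ok: queued")   # a lie: nothing is queued
            self._buffer.append(line)
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return self._reply(line, "250 mail.example.internal")
        if verb == "MAIL":
            return self._reply(line, "250 2.1.0 Ok")
        if verb == "RCPT":
            m = _ADDR_RE.search(line.split(":", 1)[1] if ":" in line else "")
            if not m:
                return self._reply(line, "501 5.1.3 Bad recipient address syntax")
            addr, domain = m.group(1), m.group(2).lower()
            self.rcpts.append(addr)
            if domain not in self.local_domains:
                # Open-relay probe or spam run: accept so the sender keeps talking, then tarpit.
                self.relay_attempts.append(addr)
                self.tarpit_delay += TARPIT_STEP
            return self._reply(line, "250 2.1.5 Ok")
        if verb == "DATA":
            self._in_data = True
            return self._reply(line, "354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self._reply(line, "221 2.0.0 Bye")
        return self._reply(line, "502 5.5.2 Command not implemented")

    def _reply(self, cmd, resp):
        self.log.append((cmd, resp))
        return resp

    def is_relay_probe(self):
        return bool(self.relay_attempts)


def run_script(client_ip, lines):
    """Drive a session with a scripted client; returns the session for inspection."""
    s = SmtpHoneypotSession(client_ip)
    for ln in lines:
        s.handle(ln)
    return s


# Constructed session of the kind an open-relay scanner sends (assumed addresses).
RELAY_PROBE = [
    "EHLO scanner.example.net",
    "MAIL FROM:<probe@scanner.example.net>",
    "RCPT TO:<victim@other.example.org>",
    "RCPT TO:<postmaster@example.internal>",
    "DATA",
    "Subject: relay test",
    "",
    "open relay?",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    s = run_script("198.51.100.7", RELAY_PROBE)
    print("relay probe:", s.is_relay_probe(), s.relay_attempts, "tarpit delay:", s.tarpit_delay)
```

Answering 250 to an external recipient is deliberate: the scanner concludes the relay is open and keeps feeding it, which is what produces the spam corpus the slide mentions, while the tarpit delay makes each further message cost the sender time.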
Honeynet
High-interaction productive honeypots
Placed behind firewalls to prevent them being used to attack other systems
Value is in research, as they provide in-depth details of intruder activity
Detect unique traffic
Identify attack strategies and undiscovered tools
Working of Honeynet
A network of highly controlled systems on which real services and systems are placed
Architecture is built to:
• Control data:
– Limit what a compromised honeypot can send out, minimizing the risk to others
• Capture data:
– Record the attacker's activity to identify the attack strategy
• Collect data:
– Correlate attack details from various networks
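The data-control part of that architecture, as an added example (not Honeynet Project code): a compromised honeypot is still allowed to open outbound connections, so the attacker does not notice the cage, but only a bounded number per time window and never into the protected internal network. The limit of 15 connections per hour and the protected address ranges are assumptions; on a real honeynet the same decisions are made by the firewall in front of the honeypots.

```python
"""Honeynet data control: bound what a compromised honeypot can do outbound.

Added example, not Honeynet Project code. Models the "control data" goal:
limited outbound connections per window, none toward the protected LAN.
"""
import ipaddress
from collections import deque


class OutboundControl:
    def __init__(self, max_per_window=15, window_seconds=3600,
                 protected_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
        self.max_per_window = max_per_window         # assumed limit
        self.window = window_seconds                 # assumed window
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]
        self._recent = {}     # honeypot ip -> deque of timestamps of allowed connections
        self.decisions = []   # audit log: (ts, src, dst, dport, verdict)

    def decide(self, ts, src_ip, dst_ip, dst_port):
        """Verdict for one new outbound connection: ALLOW, DROP_INTERNAL or DROP_LIMIT."""
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in net for net in self.protected):
            verdict = "DROP_INTERNAL"                # never let the cage reach the real LAN
        else:
            q = self._recent.setdefault(src_ip, deque())
            while q and ts - q[0] >= self.window:    # expire connections outside the window
                q.popleft()
            if len(q) >= self.max_per_window:
                verdict = "DROP_LIMIT"               # attacker still sees a network, but a scan stalls
            else:
                q.append(ts)
                verdict = "ALLOW"
        self.decisions.append((ts, src_ip, dst_ip, dst_port, verdict))
        return verdict


def replay(control, flows):
    """Run (ts, src_ip, dst_ip, dst_port) flows through the control; return the verdicts."""
    return [control.decide(*flow) for flow in flows]


HONEYPOT = "192.0.2.10"   # assumed honeypot address
# Constructed flows after a compromise: a 20-host SSH scan toward the Internet,
# one attempt into the internal LAN, then one more connection an hour later.
SAMPLE_FLOWS = (
    [(t, HONEYPOT, f"203.0.113.{t + 1}", 22) for t in range(20)]
    + [(25, HONEYPOT, "10.1.2.3", 445)]
    + [(3600, HONEYPOT, "198.51.100.9", 80)]
)

if __name__ == "__main__":
    ctl = OutboundControl()
    for (ts, src, dst, dport), verdict in zip(SAMPLE_FLOWS, replay(ctl, SAMPLE_FLOWS)):
        print(f"t={ts:5d} {src} -> {dst}:{dport} {verdict}")
```

On the constructed flows the first 15 scan targets are allowed, the next five are dropped by the limit, the connection to 10.1.2.3 is dropped as internal, and the connection an hour later is allowed again once the oldest entry has aged out of the window.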
The Honeynet Project
A voluntary organization of security professionals, without any motive for earning profit
Dedicated to security research and to sharing what it learns about attackers
Honeynet Project have following four phases
• Phase I
• Phase II
• Phase III
• Phase IV
Where to Place Honeypot?
Placed where the risk is highest; deployment in high-risk areas such as the DMZ increases its value
Placement for detection:
• Behind the security perimeter
Placement for response:
• Within the security perimeter
Placement for research:
• Behind the firewall
Legal Issues Related to Honeypots
U.S. law does not mention honeypots directly, but federal statutes apply to their operation
Issues:
• Privacy:
– Monitoring and recording an attacker's activity must not violate privacy protections
• Entrapment:
– Inducing a person to commit a crime they would not otherwise have committed, in order to catch them
• Liability:
– If a compromised honeypot is used to attack others, the operator may be held responsible
Summary
A bastion host acts as a gateway between the organizational intranet and the outside network
Honeypots are classified into three types based on interaction
A honeypot is a security resource whose value lies in being compromised
ManTrap is a high-interaction commercial honeypot that provides the intruder with the functionality of a real operating system
Jackpot is an SMTP relay honeypot developed in Java
Honeynets are high-interaction productive honeypots
The Honeynet Project is a voluntary organization of security professionals without any motive for earning profit