lab7_honeynets_29102007 - ECE 4112 Internetwork Security...
ECE 4112 Internetwork Security

Lab 7: Honeypots and Network Monitoring and Forensics

Group Number: _______________
Member Names: _________________________ _________________________

Date Assigned: October 16, 2007
Date Due: October 23, 2007
Last Edited: October 29, 2007

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: To understand the concept of a honeypot and how it can prove useful to administrators and network professionals when correctly implemented inside their network topology. Also covered in the lab is the concept of forensics, which is a way of examining data you have collected in order to find out what sort of exploit was run on your machine.

Summary: In this lab you will first set up two different honeypots, one on Windows and then one on Linux, to monitor network traffic and look for anything suspicious. You will also use Snort to log data and as an Intrusion Detection System. On the forensics side you will examine a few files of captured data from real attacks and see if you can find out what was going on. Finally you will look at a forensic tool and see some of its uses.

Background and Theory:

Honeypot

What is a honeypot? A honeypot is a system whose value lies in being probed, attacked, or otherwise taken advantage of by a blackhat. This idea may sound somewhat counterintuitive at first; why would we want to give one of our valuable systems over to the other side? [1] The answer to this question depends on what we are trying to accomplish. Spitzner classifies honeypot solutions into two broad categories: production and research. For research purposes, we simply want to collect as much information on our attackers as possible. Production systems are generally used as an added layer of network security.

The value of any network security device can be quickly assessed when one considers the three keys to network security: prevention, detection, and response.
Consider “The Burglar Alarm Analogy:” Deadbolting your front door is a way to prevent thieves from entering. A security alarm can detect that thieves got past the deadbolt, indicating that the preventative measures were not successful. With any luck, your system dials the police, who then respond by showing up at your house with guns blazing. [1] A honeypot is the electronic equivalent of an unlocked door, so we can’t expect it to add much to the prevention layer. It is in the detection of unwanted intruders that a honeypot adds the most value. There is one important reason for this. A honeypot, by definition, should have no legitimate traffic. Consider how much information an IDS has to sift through, or how many packets are seen by your router or firewall in one day: entirely too much to sit and watch go by on the wire. If you’re hacked, it will be
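The detection argument above (every packet that reaches a honeypot is suspect, because nothing legitimate should go there) can be turned into a trivially small triage rule. The following script is an added illustration, not part of the ECE 4112 lab and not taken from Snort or any honeypot package: the honeypot address 10.0.0.50, the space-separated connection-log format and the log lines are all constructed for the example. It parses the log, keeps only records destined for the honeypot, and groups them by source so the analyst sees which hosts touched the decoy and which ports they probed, instead of sifting through every connection on the wire.

```python
"""
Triage of connection records against a honeypot address.

Added illustration, not part of the ECE 4112 lab: the honeypot address,
the log format and the log lines below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed honeypot address on the lab network (constructed, not from the lab).
HONEYPOT_ADDRS = frozenset({"10.0.0.50"})

# Constructed connection log in a simple space-separated format:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
# Most records are ordinary production traffic; a few touch the honeypot.
SAMPLE_LOG = """\
2007-10-16T09:00:01 10.0.0.12:51234 -> 10.0.0.5:80 tcp
2007-10-16T09:00:02 10.0.0.12:51235 -> 10.0.0.5:443 tcp
2007-10-16T09:00:05 10.0.0.7:40001 -> 10.0.0.9:22 tcp
2007-10-16T09:01:10 192.168.33.4:3121 -> 10.0.0.50:22 tcp
2007-10-16T09:01:11 192.168.33.4:3122 -> 10.0.0.50:23 tcp
2007-10-16T09:01:12 192.168.33.4:3123 -> 10.0.0.50:445 tcp
2007-10-16T09:02:00 10.0.0.12:51236 -> 10.0.0.5:80 tcp
2007-10-16T09:03:30 10.0.0.7:40002 -> 10.0.0.50:161 udp
malformed line that the parser must skip
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_conn_log(text):
    """Parse log lines into Conn records; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        try:
            src, _ = parts[1].rsplit(":", 1)
            dst, dport = parts[3].rsplit(":", 1)
            conns.append(Conn(parts[0], src, dst, int(dport), parts[4]))
        except ValueError:
            continue
    return conns


def honeypot_hits(conns, honeypot_addrs=HONEYPOT_ADDRS):
    """Every record destined for a honeypot is an alert: no legitimate traffic goes there."""
    return [c for c in conns if c.dst in honeypot_addrs]


def summarize_by_source(hits):
    """Group alerts by source address into a sorted list of (port, proto) touched."""
    by_src = defaultdict(set)
    for c in hits:
        by_src[c.src].add((c.dport, c.proto))
    return {src: sorted(ports) for src, ports in by_src.items()}


def triage(text, honeypot_addrs=HONEYPOT_ADDRS):
    """Full pipeline: parse, filter to honeypot traffic, summarize per source."""
    conns = parse_conn_log(text)
    hits = honeypot_hits(conns, honeypot_addrs)
    return {
        "total": len(conns),
        "hits": len(hits),
        "by_source": summarize_by_source(hits),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['hits']} of {report['total']} records touched the honeypot")
    for src, ports in report["by_source"].items():
        print(f"  {src}: {ports}")
```

On the constructed log the rule discards the production traffic to 10.0.0.5 and 10.0.0.9 without any signature matching and leaves four records, all worth a look: one source walking SSH, telnet and SMB on the decoy, and an internal host sending SNMP to it. The same filter applied to a real router, firewall or Snort log is what makes a honeypot a cheap, low-noise detection layer rather than a prevention one.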