Honeywall CDROM

1
Honeywall CD-ROM
2
Developers and Speakers

• Dave Dittrich
• University of Washington
• Rob McMillen
• USMC
• Jeff Nathan
• Sygate
• William Salusky
• AOL

3
A case for Honeynets

• Research of attack technologies and methodologies
• Root-cause analysis of attack motives
• "Target of choice or target of chance?"
• Getting the problem statement right Dr. Dan
  Geer, Journal of the Advanced Computing Systems
  Association (USENIX) - June 2003, Volume 28,
  number 3
• Self defense
• Incident response and forensic analysis
• Deception and deterrence

4
Problem Simplify Honeynet deployment

• Current Honeynets deployments require
  considerable effort.
• Lack of standardized deployment platform.
• Lack of standardized configuration mechanism to
  faciliate large-scale Honeynet deployment.
• How can Honeynet deployment (especially
  large-scale deployments) be simplified?
• How can Generation II Honeynet technologies be
  packaged into an easy to use system?

5
Solution The Honeywall

• A self-contained Honeynet data control and data
  management system
• An easily configurable system
• Simplify deployment and management
• Build a system using a bootable CD-ROM.
• Simplify configuration and management using plain
  text files.
• Use commodity PC hardware to minimize costs.
• Offer routing and bridging functionality to ease
  network integration.
• Minimize customization efforts with built-in
  customization hooks.

6
Honeywall overview

• Bootable Linux CD-ROM
• Utilizes existing Honeynet data control and data
  capture technologies.
• iptables (custom Honeywall configuration via
  rc.firewall)
• Snort-inline
• Snort
• Menu-driven configuration interface for easy
  configuration.
• Single configuration file for interactive or
  automated configuration.

7
Honeywall implementation

• Bootable Linux system from ramdisk, logging to
  hard disk
• Boot image consists of Linux kernel
• Kernel image contains compressed initial ramdisk
  image to bootstrap system
• Second stage boot process contains more complete
  Linux system
• Generation II Honeynet gateway in a box
• Data control system using iptables
• Operates as a routing or bridging device
• Makes a reasonable attempt to prevent stepping
  stones

8
Honeywall implementation (continued)

• Complex attack detection/mitigation using
  Snort-inline
• Hooks into iptables using queues (libipqueue),
  performs Gateway Intrusion Detection
• Detects low-level protocol attacks abuses
• Can modify outgoing attacks to prevent compromise
  of third-party systems
• Data capture facilities using Snort and
  Snort-inline
• Captures every packet traversing the Honeywall

9
Honeywall implementation (continued)

• (Data capture..)
• Generates alerts for events matching conditions
  within the Snort and Snort-inline
• Facilitates forensic analysis of network data to
  identify new tools, techniques, trend and
  behavioral analysis of attack incidents
• Leverages commodity PC hardware and a CD-ROM for
  minimal deployment effort
• Extensible shell scripting architecture

10
Honeywall boot process

• Honeywall initialization
• Extracts tar/gzip compressed archive of
  supplemental commands
• Look for pre-configured Honeywall hard disk
• Perform final configuration of data control
  components
• Execute custom.sh and other hook scripts
• Start administration interface

11
Honeywall customization

• Floppy disk configuration file
• Modify ISO w/custom script before burning
• Just use custom.sh to set variables, start things
• Use custom.sh to communicate with central server
• Use SSH to set variables from central management
  host
• Rip ISO apart, modify file system, then rebuild
• Allows adding new programs, new services, new
  capabilities
• Supports development independant of the Honeynet
  Project

12
Honeywall deployment

• Requires a PC hardware with 3 network interfaces
  using IDE disks and 256MB RAM
• Connected to an existing network of hosts by
  placing the Honeywall systems between possible
  attackers and the Honeynet systems

13
Honeynet deployment (continued)
14
Future work (a production system)

• Integration of Honey Inspector UI
• Web interface to customize ISO
• Command shell for remote mangement
• Remote Honeywall Manager

15
Resources and questions

• Email
• cdrom_at_honeynet.org
• Watch the tools section on
• http//project.honeynet.org
• Questions?

16
Customization in more detail

• How a CD-ROM is born
• Modification of ISO image
• De/reconstruction of ISO image