2007 Issue 2 - Raytheon

More documents

Recommendations

Info

Feature Comprehensive Mission Assurance involves the disciplined application of systems engineering, thorough risk management, superior quality and sound management principles to achieve mission success. In a DoD network-centric environment, the warfighter is faced with both wired and wireless network–based threats. To mitigate wireless threats, innovative software technologies can be applied to identify wireless attacks and perform risk management. One such technology is the wireless honeypot. A honeypot is an information system resource whose purpose is to attract attackers, provide them with misinformation, cause confusion and monitor their actions. Even more importantly, a honeypot gathers valuable information to determine if a threat exists, and then provides details to help mitigation of these threats. A wireless version of a honeypot entices its attackers through a simulated wireless access point. Raytheon Network Centric Systems in St. Petersburg, Fla., recently sponsored a wireless honeypot research project at the University of Florida to help address wireless threats. The goal of the project, which was dubbed “The Hive,” was to design, build and test a simulated environment for a wireless networked system, or honeypot. In order to track and log suspicious nodes and traffic in mobile environments, the Hive research team developed a wireless honeypot as a live Linux bootable mini-CD. The Hive Linux is a Live-CD version of Debian Linux that was scaled down for operating system security, and contains the tools needed to run a standalone wireless honeypot with virtual services. It is currently available at the Hive’s project website 1 . 14 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY Wireless Honeypots Innovative software technologies to identify wireless attacks and perform risk management Using a Hive Linux CD, any personal computer (including laptops) can easily be turned into a wireless honeypot. The experimental system operates on the IEEE 802.11g wireless standard and instantiates a honeypot as a simulated wireless access point with tracking capabilities. The Hive honeypot runs Honeyd, a GNU Public License (GPL) open source honeypot program. Honeyd is described on its website as “… a small daemon that runs on both UNIX-like and Windows platforms. It is used to create multiple virtual honeypots on a single machine. Entire networks can be simulated using Honeyd. Honeyd can be configured to run a range of services like FTP, HTTP or SMTP. Furthermore, a personality can be configured to simulate a certain operating system. Honeyd allows a single host to claim as many as 65536 IP addresses.” 2 The Hive lures its attacker by broadcasting a modifiable service set identifier (SSID) over the network. As an attacker attempts to connect to the honeypot, its Dynamic Host Configuration Protocol (DHCP) assigns the attacker an Internet Protocol (IP) address so that the attacker is placed on a simulated network. For the proof of concept, it was important to allow the attacker to see and gain access to the network. (An encrypted and secured wireless network would make the establishment of a network connection far more difficult, but may lure the more experienced attacker.) One of the first things that an attacker may do is to “fingerprint” computers that are local to their subnet. This can be done by port-scanning local nodes. In our case, the attacker port-scans the honeypot’s virtual services. The system tells the attacker that ports 22, 23, 80 and 110 are open, while Honeyd logs the probe. When an attacker connects to port 22 secure shell (SSH) or port 23 (Telnet), an authentication script is executed. The attacker may try a brute force attack to guess username and password combinations; such an attack can be done easily with a program named Hydra 3 , and all connection attempts can be logged. Once the attacker gains access, all commands entered are logged. This connection is similarly made for the virtual services of port 80 Web and port 110 Post Office Protocol 3 (POP3). The honeypot itself is composed of a Linux operating system running a DHCP server, HostAP, Honeyd, and Sebek with Syslog. HostAP is a driver for Prism2-based wireless client cards that allows them to appear and act as a wireless access point. Sebek 4 is a data capture tool designed to capture the attacker’s activities on a honeypot, without their knowledge. Syslog is the system logger, which is similar to the Event Viewer in Microsoft ® Windows. The Hive was able to integrate and test the DCHP server, some scripts, the logging with Sebek, Honeyd, Syslog and the wireless access point emulation. This integration cre- Attacker 802.11 Virtual Services Honeypot Simple Wireless Honeypot Diagram
ated a functional prototype wireless honeypot. Additional work would be necessary to keep this system from being used as a tool for an attack. For instance, honeypots have been used to collect malware 5 . Technical challenges are not the only issues we must address to make wireless honeypots practical. Legal issues also impede the deployment and use of wireless honeypots. For instance, federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network, except for network protection. However, these laws do not easily apply to honeypots, because a honeypot is set up with the intention of being attacked. Furthermore, legal analysts believe the use of honeypots does not lead to entrapment, because entrapment occurs when someone is enticed to do something they would not normally do. Therefore, the question that needs to be asked is, “Do you own all of the resources and how will you be using this information?” If your network is isolated and cannot cause harm to others, it may be feasible to run a honeypot. The information gleaned may enable increased security measures in areas that present the highest risk. The following resources provide further insight into creating and operating honeypots: • The Hive (http://www.cise.ufl.edu/class/thehive) • Honeyd (http://www.honeyd.org) • Honeynet (http://project.honeynet.org) • Project Honeypot (http://www.projecthoneypot.org) • The Distributed Honeynet Project (http://www.lucidic.net) • Malware Collection (http://www.mwcollect.org) • Wireless Honeypot Trickery (http://www.securityfocus.com/ infocus/1761) • Randall Brooks, CISSP, ISSEP randall_s_brooks@raytheon.com 1 http://www.cise.ufl.edu/class/thehive 2 http://www.honeyd.org 3 http://www.thc.org/thc-hydra 4 http://www.honeynet.org/tools/sebek 5 http://www.mwcollect.org 6 For a discussion of legal issues see http://www.securityfocus.com/infocus/1703 Feature Raytheon Human Review Manager The ability to effectively share information among security domains of differing classification levels, and with coalition partners, is essential to the daily operations of our customers. The challenge with these data transfers is that they must be carefully scrutinized to ensure that inappropriate data is not inadvertently released, and harmful data is not imported into a domain. Raytheon has a long history of providing solutions that meet our customers’ needs in this area. One of those is Raytheon’s High Speed Guard, which is designed to provide data transfers and structured data reviews in a multi-security level (MSL) environment. However, release of data that is not well structured (e.g., images, MS Office files, etc.) usually involves a human review of the data being released. Human review has traditionally been performed largely through an inefficient and unstructured manual release and review process. In early 2005, Raytheon Intelligence and Information Systems undertook an effort to improve this process by creating the Human Review Manager (HRM) — an extendable Web-based workflow system for streamlining and automating (where possible) the human review of file transfers from one security domain to another. The HRM was specifically engineered to complement the Raytheon High-Speed Guard and support its digitally signed release format, which allows data that has been reviewed and signed to seamlessly flow among interconnected security domains of differing classification levels. The HRM also works independent of the Raytheon High Speed Guard and supports data release by a number of mechanisms, including file transfer protocol (FTP), secure shell (SSH) and CD/DVD media burning. The HRM can easily be extended to support other release mechanisms through its “widget” plug-in framework. An innovative aspect of the HRM is its power and flexibility in the data release/review process. In addition to its widget architecture, the HRM has a workflow engine (Pending Patent #064747.1150) that allows the HRM to support complex release processes, including fully automated non-human processing. The HRM can also support a similar but complementary function of importing data through a structured workflow process. The HRM is capable of multiple workflows, allowing it to manage data flows from multiple destinations and sources simultaneously. These workflows are defined and managed by a privileged user and are configured through the HRM’s built-in Workflow Editor. Under a typical use scenario, the HRM workflow allows a file owner (publisher) to submit one or more files for review as part of a single release request. The HRM accepts these requests through either the Web-based GUI Request Manager interface or through the use of a JAVA Request Client API. Files can also be imported into the HRM from local file systems or through FTP/SSH interfaces with appropriate widgets. As part of the release process, the HRM allows a publisher to choose the set of actions to be performed on a particular data release request through selecting a workflow. Each of these actions is carried out by HRM widgets as the workflow is advanced through the release process. As the HRM steps through these widgets, it not only enforces a consistent release and review process, it can also automate tedious or time-consuming tasks for the reviewer, including scanning for imbedded inappropriate data (e.g., “dirty words” that cannot be released, unapproved file-types, or malicious content such as viruses). Continued on page 16 RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 15
Page 1 and 2: Technology Today HIGHLIGHTING RAYTH
Page 3 and 4: Technology Today is published quart
Page 5 and 6: Ensuring That Our Systems Can Be Tr
Page 7 and 8: ISSE Process DIACAP DoDIIS NIST Dis
Page 9 and 10: al information systems (MNIS). MNIS
Page 11 and 12: Data Validation Data Feed 1 Large F
Page 13: diagnose attacks/bugs/errors; gener
Page 17 and 18: Feature Information Assurance and S
Page 19 and 20: Figure 1. User CONOPS/E-mail Figure
Page 21 and 22: L E A D E R S C O R N E R Heidi Shy
Page 23 and 24: onTechnology Warfighter Challenges
Page 25 and 26: Short-term Benefits Faster Code Dev
Page 27 and 28: onTechnology The Benefits of Galliu
Page 29 and 30: µ, ε Space k = ω εµ M A T E R
Page 31 and 32: 2007 SEPG Conference Continuing its
Page 33 and 34: Getting to Know Your Raytheon Certi
Page 35 and 36: Vision/Direction Architecture/Style
Page 37 and 38: When you help a student master the
Page 39 and 40: International Patents Issued to Ray

2007 Issue 2 - Raytheon

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?