A Distributed Honeypot System for Grid Security¹

Geng Yang¹, Chunming Rong², and Yunping Dai¹

¹ Department of Computer Science and Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China. [email protected]
² Department of Electrical and Computer Engineering, Stavanger University College, P.O. Box 8002, N-4068, Norway. [email protected]

Abstract. In this paper we propose a distributed honeypot model for securing grid computing systems. Using the IDS Snort and the firewall iptables we set up a test environment, and we use a simple watchdog (swatch) to manage the captured data. We also discuss the implementation of the system and some topics for future research.

Keywords: Honeypot, Grid Computing, Distributed System, Network Security

1 Introduction

Computer network security has focused on passive defense strategies built on tools and concepts such as firewalls and Intrusion Detection Systems (IDS). The honeypot is a computer security concept introduced in [1,2]. A honeypot is essentially a decoy computer system designed to simulate a real, legitimate system with little or no defense, in order to attract attackers. By analyzing the data gathered from one or more honeypots, for example a honeynet [3,4,5], we gain knowledge and intelligence about the methods, tactics and tools used by blackhats. Using this information we can find weaknesses in our computer systems and networks and then improve the security of the real production systems accordingly.

2 Principle of Honeypots

A honeypot is a program that appears to be a service, a set of services, an entire operating system, or even an entire network, but in reality is a tightly sealed system (like a sandbox) built to lure and contain intruders while the real system and data run safely apart from it. The strategy behind a honeypot is to keep intruders safely away from production systems and to obtain intelligence on the intruder by monitoring and logging every action the intruder makes, including access attempts, keystrokes, files accessed and modified, and programs executed. Figure 1 shows an example of how honeypots can be deployed in a network for protection purposes. In this example, Honeypot-A simulates a system without any firewall or Intrusion Detection System (IDS);

¹ This work is supported by the Natural Science Foundation of Jiangsu Province (BK2003106).

[Figure 1 (diagram): Internet; Firewall / IDS; Honeypot-A and Honeypot-D outside the firewall; DMZ network with Web-server, Honeypot-B and Mail-server; Intranet with Honeypot-C]

Fig. 1. Example of honeypot deployment in a network

The most valuable information is gained by tracking an intruder inside a honeypot and revealing his tactics and, perhaps ultimately, his motives, so that the real production systems can be better protected using the information gathered. This gives us early warning of system vulnerabilities before they are targeted by blackhats.

3 Honeypot for Grid Security

3.1 Grid Computing Environment

In a grid computing system, facilities (which we call resources or services) must be provided to users, because they are open to the public. This gives an attacker an opportunity to enter the system and eventually cause a serious security problem: attackers may enter the system easily and abuse the resources or use them improperly, even though the system has user-control mechanisms and other security tools. Security is always a big challenge, just as it is in a LAN. In fact it can be worse in a grid computing network than in a traditional network, because resources are shared.

In order to protect grid computing environments, we propose to use a distributed honeypot system as a supplementary security tool that keeps attackers away from our real systems and traps them in a honeypot.

3.2 A Distributed Honeypot System for Grid Security

A distributed honeypot system is shown in Figure 2. On each resource provider a redirecting module (RM), a program module, is run. A resource provider can be any computer or server in the grid computing system. When a suspicious user tries to enter a resource provider, the RM detects this and redirects the user to a fake network instead of simply blocking the user. In the fake local network many services are available to the user, such as FTP, Web and e-mail. A management system for the honeypot in the fake network observes the user's actions, collects information and analyzes the data, which gives us useful information about the user, in particular the user's intentions and the services requested. In a distributed honeypot system, honeypots are installed in one place only, and all suspicious users are redirected there. This centralized management makes it effective to collect and analyze the data. Otherwise we would have to run a honeypot on every resource provider in the grid, wasting computing and human resources. Moreover, maintaining many honeypots is harder than maintaining only one.
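The following is an added example, not the paper's code, showing one concrete form the RM could take on a Linux resource provider: it classifies TCP header records and emits the iptables NAT rules that redirect a suspect to the honeypot rather than dropping it. The paper leaves the RM's rules open, so the three rules used here (illegal flag combinations, repeated SYNs to ports the provider does not advertise, an allowlist for known grid members), the addresses, the thresholds and the sample headers are all assumptions.

```python
"""Toy redirecting module (RM) for one resource provider: inspect TCP header
records, decide which source addresses look suspicious, and emit the iptables
NAT rules that send those sources to the honeypot network instead of dropping
them.  Added example, not the paper's code; the rules and addresses are
assumptions (the paper leaves the RM's rules open)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

HONEYPOT_IP = "10.99.0.10"                         # assumed honeypot in the fake network
ADVERTISED_PORTS = {21, 25, 80, 443, 8443}         # assumed services this provider really runs
ALLOWLIST = [ipaddress.ip_network("10.1.2.0/24")]  # assumed known grid-member net, never redirected
SCAN_THRESHOLD = 3      # distinct unadvertised ports hit within WINDOW_SECONDS -> scan
WINDOW_SECONDS = 5.0


@dataclass(frozen=True)
class Header:
    ts: float         # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})


def illegal_flags(flags):
    """SYN+FIN and flagless (null) segments never occur in a legitimate stream;
    scanners send them to fingerprint the target's TCP stack."""
    return {"SYN", "FIN"} <= flags or not flags


def allowlisted(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWLIST)


def classify(headers):
    """Return {src: reason} for the sources the RM should redirect.
    A single stray SYN to a closed port is not enough (it may be a typo);
    SCAN_THRESHOLD distinct unadvertised ports inside the window is."""
    suspects = {}
    probes = defaultdict(list)   # src -> [(ts, dport)] recent SYNs to unadvertised ports
    for h in sorted(headers, key=lambda h: h.ts):
        if h.src in suspects or allowlisted(h.src):
            continue
        if illegal_flags(h.flags):
            suspects[h.src] = "illegal TCP flag combination"
        elif "SYN" in h.flags and h.dport not in ADVERTISED_PORTS:
            recent = [(t, p) for t, p in probes[h.src] if h.ts - t <= WINDOW_SECONDS]
            recent.append((h.ts, h.dport))
            probes[h.src] = recent
            if len({p for _, p in recent}) >= SCAN_THRESHOLD:
                suspects[h.src] = "port scan"
    return suspects


def iptables_rules(suspects, honeypot_ip=HONEYPOT_IP):
    """Shell commands that DNAT everything from a suspect to the honeypot and
    log the redirected packets.  Caveats a deployer must handle: the rules
    have to sit ahead of any ACCEPT, the provider must forward to the honeypot
    (net.ipv4.ip_forward=1 and a route), and redirecting by source address
    drags every host behind the same NAT along with the attacker."""
    cmds = []
    for src, reason in sorted(suspects.items()):
        cmds.append(f"# {src}: {reason}")
        cmds.append(f"iptables -t nat -I PREROUTING 1 -s {src} -j DNAT --to-destination {honeypot_ip}")
        cmds.append(f'iptables -I FORWARD 1 -s {src} -d {honeypot_ip} -j LOG --log-prefix "RM-REDIRECT "')
    return cmds


# Constructed sample headers (not a real capture): a normal user, a scanner,
# a SYN+FIN probe, an allowlisted admin host scanning, and a single stray probe.
SYN, SYNFIN = frozenset({"SYN"}), frozenset({"SYN", "FIN"})
SAMPLE = [
    Header(0.0, "10.1.1.5", "10.1.0.2", 80, SYN),
    Header(0.1, "10.1.1.5", "10.1.0.2", 443, SYN),
    Header(1.0, "192.0.2.77", "10.1.0.2", 80, SYN),
    Header(1.1, "192.0.2.77", "10.1.0.2", 22, SYN),
    Header(1.2, "192.0.2.77", "10.1.0.2", 23, SYN),
    Header(1.3, "192.0.2.77", "10.1.0.2", 3306, SYN),
    Header(2.0, "198.51.100.9", "10.1.0.2", 80, SYNFIN),
    Header(3.0, "10.1.2.9", "10.1.0.2", 22, SYN),
    Header(3.1, "10.1.2.9", "10.1.0.2", 23, SYN),
    Header(3.2, "10.1.2.9", "10.1.0.2", 3306, SYN),
    Header(9.0, "10.1.1.6", "10.1.0.2", 8080, SYN),
]

if __name__ == "__main__":
    for cmd in iptables_rules(classify(SAMPLE)):
        print(cmd)
```

Redirecting instead of dropping is what makes the RM a honeypot front end rather than a firewall rule, but it only works if the honeypot really offers the services the provider advertises; otherwise the attacker notices the switch at the first banner.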

3.3 Implementation of the Distributed Honeypot System

A honeypot called MagicNet [6] was set up on the IDS Snort, the firewall iptables and Red Hat 9.0 Linux. To protect the Snort sensor, no IP address is assigned to the interface on which Snort listens. Data capture is done at three layers. First, Snort inspects every packet and writes its alerts to the system log (syslog), from which they are inserted into a MySQL database. Second, iptables records all accesses in the log files syslog and msyslog, which are also merged into the database; note that if syslog is used, msyslog is screened out automatically. Finally, the operating system's own log files are also used to capture data. The detection techniques used in an IDS are employed to realize the RM module: according to some rules, for example checking packet headers to find suspicious users, we redirect them to the honeypot. This program module can be installed on every resource provider in the grid computing system. Moreover, as mobile agent technology develops, we could also use an agent to deliver the RM module to the resource providers; this is another topic for our future research. The grid computing environment is built on Globus Toolkit 3.0. The log monitor swatch (the "simple watchdog") is used to manage and analyze the data: once a suspicious user enters the system or performs some action, the watchdog raises an alarm in various ways, such as echoing a message to the console or sending mail to the administrator.
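To make the three capture layers and the watchdog concrete, here is an added example, not the paper's code and not swatch itself. It parses constructed syslog lines in the formats that Snort's syslog output, the iptables LOG target and OpenSSH produce, normalizes them into one record shape ready for a parameterized MySQL INSERT, and raises an alarm for high-priority Snort alerts or for a source that keeps turning up across layers. The sample lines, the table layout and the thresholds are assumptions.

```python
"""Toy watchdog for the three capture layers: Snort alerts, iptables LOG lines
and OS (sshd) log lines arriving through syslog are parsed into one record
shape, handed to a parameterised INSERT, and checked for alarm conditions.
Added example, not the paper's code; log lines are constructed, and the
thresholds and table layout are assumptions."""
import re
from collections import Counter

SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
IPT_RE = re.compile(
    r"kernel: (?P<msg>.*?)IN=\S* .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+)(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?"
)
OS_RE = re.compile(
    r"sshd\[\d+\]: (?P<msg>(?:Accepted|Failed) \S+ for (?:invalid user )?\S+ "
    r"from (?P<src>[\d.]+) port (?P<sport>\d+))"
)


def _int(v):
    return int(v) if v else None


def parse_line(line):
    """Normalise one syslog line into a record, or None if it comes from
    none of the three capture layers."""
    if m := SNORT_RE.search(line):
        layer, prio = "snort", int(m["prio"])
    elif m := IPT_RE.search(line):
        layer, prio = "iptables", None
    elif m := OS_RE.search(line):
        layer, prio = "os", None
    else:
        return None
    g = m.groupdict()
    return {"layer": layer, "src": g["src"], "dst": g.get("dst"),
            "proto": g.get("proto") or "TCP",
            "sport": _int(g.get("sport")), "dport": _int(g.get("dport")),
            "msg": g["msg"].strip(), "priority": prio}


def parse_syslog(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


COLUMNS = ("layer", "src", "dst", "proto", "sport", "dport", "msg", "priority")
INSERT_SQL = (f"INSERT INTO events ({', '.join(COLUMNS)}) "
              f"VALUES ({', '.join('%s' for _ in COLUMNS)})")


def insert_params(rec):
    """Bind parameters for INSERT_SQL.  Log lines carry attacker-chosen bytes
    (payload fragments in Snort messages, usernames in sshd lines), so they go
    in as parameters and are never formatted into the SQL text."""
    return tuple(rec[c] for c in COLUMNS)


def alarms(records, max_priority=2, repeat_threshold=3):
    """Snort priority 1 is the most severe: alarm on <= max_priority, and once
    when a single source has produced repeat_threshold records across layers."""
    out, seen = [], Counter()
    for r in records:
        seen[r["src"]] += 1
        if r["layer"] == "snort" and r["priority"] <= max_priority:
            out.append(("priority", r["src"], f"{r['msg']} (priority {r['priority']})"))
        if seen[r["src"]] == repeat_threshold:
            out.append(("repeat", r["src"], f"{repeat_threshold} events across capture layers"))
    return out


# Constructed syslog excerpt (not a real capture); formats follow Snort's
# syslog output, the iptables LOG target and OpenSSH.
SAMPLE_SYSLOG = """\
Mar  4 10:01:02 hp snort[1234]: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.77:40011 -> 10.99.0.10:705
Mar  4 10:01:03 hp kernel: RM-REDIRECT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.99.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40011 DPT=705 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 10:01:05 hp kernel: RM-REDIRECT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.99.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40012 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 10:01:09 hp snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 198.51.100.9 -> 10.99.0.10
Mar  4 10:02:00 hp sshd[555]: Accepted publickey for grid from 10.1.1.5 port 50022 ssh2
Mar  4 10:02:10 hp kernel: RM-REDIRECT IN=eth0 OUT=eth1 SRC=203.0.113.4 DST=10.99.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    for rec in recs:
        print(INSERT_SQL, insert_params(rec))
    for kind, src, detail in alarms(recs):
        print(f"ALARM [{kind}] {src}: {detail}")   # swatch would echo or mail this
```

In the paper's actual set-up the `alarms()` logic lives in swatch's configuration as `watchfor` regexes with `echo` and `mail` actions; the value of normalizing first, as above, is that one source can be correlated across Snort, iptables and the OS log before any alarm fires.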

4 Conclusions

We have proposed a distributed honeypot model for grid computing systems. Using the IDS Snort and the firewall iptables we set up a test environment. In this distributed honeypot model the redirecting module plays the key role: we adopted detection techniques from IDS to identify abnormal behavior, and a single watchdog to manage and analyze the captured data. Many topics remain for future research. It would be interesting to develop new algorithms for the RM and new methods for capturing data, and a data management system is certainly another research area.

References

1. L. Spitzner: Honeypots: Tracking Hackers. Addison-Wesley (ISBN 0321108957), 2002
2. L. Spitzner: "To Build a Honeypot". Crypto-Gram Newsletter, pp. 1-2, June 15, 2001
3. The Honeynet Project: Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Addison-Wesley (ISBN 0201746131), 2001
4. The Honeynet Project: Know Your Enemy: Honeynets. April 2001
5. C. Stoll: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Pocket Books, 2000
6. Chunming Rong, Geng Yang: Honeypots in Blackhat Mode and its Implications. Proceedings of the 4th Int. Conf. on Parallel and Distributed Computing (PDCAT'03), Chengdu, China, 2003, pp. 185-188