KFSensor Professional description
A honeypot Intrusion Detection System (IDS)
KFSensor Professional acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.
KFSensor Professional is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols.
With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization's network security.
It takes just five minutes to set up and become operational. No special hardware is required and its efficient design enables it to run even on low specification Windows machines.
Its straightforward Windows interface controls all functionality. There is no need to edit complex configuration files and it comes pre-configured with all the major systems services required.
KFSensor Professional works by simulating system services at the highest level of the OSI Network Model - the application layer. This enables it to make full use of Windows security mechanisms and network libraries, reducing the risk of detection and compromise by not introducing additional drivers and custom IP stacks. A machine running KFSensor Professional can be treated as just another server on the network, without the need to make complex changes to routers and firewalls.
KFSensor Professional provides immediate benefits in revealing the nature and quantity of attacks on a network. By consolidating all the network traffic of an attack into a single alert KFSensor Professional makes it easy to explain a security threat to non-specialist staff.
The information KFSensor Professional generates can be used to refine firewall rules and produce new signatures for network intrusion detection systems. KFSensor Professional is an extremely cost effective way of enhancing network security infrastructure.
Here are some key features of "KFSensor Professional":
Monitors every port:
· KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications, allowing these to act as part of a honeypot configuration.
· KFSensor Enterprise Edition contains the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time allowing an immediate view of attacks as they happen.
· KFSensor uses 3072 bit RSA public/private key authentication and 256 bit AES encryption to provide the top of the range security for communication between sensors.
IDS signature engine:
· KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
· Its fast signature search engine has a minimal impact on system performance and can handle thousands of rules.
· It is easy to update the rulebase with new rules from different sources and to create new rules directly from an event.
· KFSensor, the Windows honeypot server system, features a number of different types of emulation, both simple and complex. These can even be extended by the use of custom scripts.
· KFSensor can emulate different services on multiple ports and on different host IP addresses. It is possible to run any emulation on any port.
· Different honeypot scenarios can be defined, containing different port and service configurations. It is easy and quick to switch between scenarios while the system is running.
· The most basic type of trap: it holds a port open, reads the data sent to it and records the event. Most useful for detecting worms.
· More sophisticated than a port listener, the Banner is able to display either a service prompt or an error message. Although limited in its capabilities, the Banner has the advantage of being very easy for a novice user to configure.
· Emulates the Windows command shell, otherwise known as a DOS box. A number of worms bind CMD.EXE to a listening TCP port.
· This is a fully working web server that correctly emulates Microsoft's IIS web server. It handles the more obscure aspects such as range requests and client side cache controls.
· The Simple Mail Transfer Protocol emulation is capable of acting as an open relay server, the perfect trap for hackers looking for a target to relay spam.
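As an added example (not KFSensor's own code), the port listener and Banner emulations described above can be illustrated with a minimal TCP trap: it holds a port open, optionally shows a service prompt, reads whatever the visitor sends, and records the whole connection as one event with start and end time, the visitor's IP and port, and the bytes in both directions. The class and field names, the SMTP-style banner text and the sample client are assumptions for this illustration.

```python
# Added example (not KFSensor code): a minimal port-listener / banner trap.
# With an empty banner it behaves as the plain port listener the page
# describes; with a banner it shows a service prompt first. Names, the
# banner text and the demo client are assumptions for this illustration.
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    """One consolidated record per connection (start/end, visitor, data)."""
    start: float
    end: float
    visitor_ip: str
    visitor_port: int
    honeypot_port: int
    received: bytes   # everything the visitor sent
    sent: bytes       # everything the trap sent (the banner, if any)


class PortListener:
    """Bind a TCP port and turn each accepted connection into a HoneypotEvent."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"", idle_timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))           # port 0 = let the OS choose one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner                   # empty banner = plain port listener
        self.idle_timeout = idle_timeout       # stop reading once the visitor goes quiet
        self.events = []
        self._lock = threading.Lock()

    def serve_one(self):
        """Accept a single connection, record it as one event, and return it."""
        conn, (ip, port) = self.sock.accept()
        start = time.time()
        sent = b""
        received = bytearray()
        try:
            conn.settimeout(self.idle_timeout)
            if self.banner:                    # banner emulation: show a prompt
                conn.sendall(self.banner)
                sent = self.banner
            while True:
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:         # idle visitor: end the event
                    break
                if not chunk:                  # visitor closed the connection
                    break
                received += chunk
        finally:
            conn.close()
        event = HoneypotEvent(start, time.time(), ip, port, self.port,
                              bytes(received), sent)
        with self._lock:
            self.events.append(event)
        return event

    def close(self):
        self.sock.close()


def run_demo():
    """Drive the trap with a constructed local client; return the recorded event."""
    banner = b"220 mail.example.invalid ESMTP ready\r\n"   # constructed banner
    trap = PortListener(banner=banner)
    worker = threading.Thread(target=trap.serve_one)
    worker.start()
    client = socket.create_connection(("127.0.0.1", trap.port))
    client.recv(1024)                             # read the prompt the trap showed
    client.sendall(b"HELO scanner.example\r\n")   # constructed visitor traffic
    client.close()
    worker.join()
    trap.close()
    return trap.events[0]


if __name__ == "__main__":
    ev = run_demo()
    print(f"{ev.visitor_ip}:{ev.visitor_port} -> port {ev.honeypot_port}, "
          f"{ev.end - ev.start:.3f}s, received {ev.received!r}, sent {ev.sent!r}")
```

The demo binds only to the loopback address; a real deployment would bind the trap to the address and port being emulated and would keep accepting connections in a loop, writing each event out as it completes.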
Windows networking / NetBIOS / SMB / CIFS:
· KFSensor can emulate all four of Microsoft's NetBIOS and SMB/CIFS services. Insecure file shares are one of the most common and potentially dangerous security vulnerabilities exploited. KFSensor decodes NBT and SMB packets and logs them in a human-readable format and even enables worms to upload malicious code to a secure area, for later analysis.
· KFSensor supports the SOCKS 4/4A/5 protocols and can be configured with eight levels of emulation behaviour. SOCKS servers are frequently used to relay spam and to launch attacks on other servers. KFSensor contains advanced deception technology that allows spammers to believe their mail is getting through whilst secretly blocking mail from being relayed.
MS SQL Server:
· Supports both TCP and UDP SQL Server ports and can capture passwords used in intrusion attempts.
· File Transfer Protocol emulation.
· Post Office Protocol emulation.
· Telnet server emulation.
· Terminal Server is a Microsoft application that allows remote users to log on to a server.
· All the network traffic that makes up a connection is concatenated into a single event, countering the problem of message fragmentation. As well as recording items such as the start and end time of an attack and the visitor's IP and port addresses, all the data transferred both to and from the honeypot is recorded.
Configurable display columns:
· The interactive event list can be configured from any combination of the thirty possible column types available.
View by port:
· KFSensor's Explorer-type interface includes a port tree structure that color codes ports depending on how recently they have been attacked. Selecting a port automatically filters the events to show only those targeted at that port.
View by visitor:
· The port view can be exchanged to a tree of visitors. This allows the events to be filtered to just show those events from a particular visitor.
· Each event is assigned a severity. The severity allows more serious attacks to be identified by color coding, and different actions can be linked to different severities. For example, an email alert may only be sent for a high severity event.
· In order to inform you when an intrusion occurs KFSensor supports a number of different mechanisms to alert you. These can be configured to only activate when a specified severity is detected.
System tray alerts:
· KFSensor provides a visual alert by displaying an alarm icon in the system tray at the bottom right of the Windows desktop.
· This flashes either yellow or red when an alert is detected.
· KFSensor can play a customizable alert sound when an event occurs.
External application alerts:
KFSensor provides the ability to invoke an external application to handle an alert event. This flexible feature can have many different uses such as:
· Creating your own custom event log file
· Launch an immediate port scan on the IP address of a visitor to the honeypot
· Send alerts to a third-party application
Export logs in multiple formats:
· Events can be exported to file in the following formats: XML, HTML, tab separated and CSV.
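The severity-linked alerting and the export formats listed above can be shown together in one added example (not KFSensor's code): each alert action carries a minimum severity, so a custom log line is written for every event while an e-mail is only built for high severity events, and the event list can then be exported as CSV, tab separated, XML or HTML. The severity names, event fields, addresses and sample events are constructed assumptions for this illustration.

```python
# Added example (not KFSensor code): severity-driven alert dispatch plus
# export of the event list in CSV, tab-separated, XML and HTML form.
# Severity names, field names, addresses and sample events are assumptions.
import csv
import html
import io
import xml.etree.ElementTree as ET
from dataclasses import asdict, dataclass
from email.message import EmailMessage

SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed severity scale


@dataclass
class Event:
    time: str
    visitor_ip: str
    port: int
    severity: str
    name: str


FIELDS = ["time", "visitor_ip", "port", "severity", "name"]

# Constructed sample events (documentation-range addresses, not real visitors)
SAMPLE_EVENTS = [
    Event("2024-01-01 10:00:00", "192.0.2.10", 80, "low", "HTTP probe"),
    Event("2024-01-01 10:05:00", "192.0.2.10", 25, "medium", "SMTP relay attempt"),
    Event("2024-01-01 10:07:30", "198.51.100.7", 445, "high", "SMB upload"),
]


class AlertDispatcher:
    """Run every alert action whose minimum severity the event reaches."""

    def __init__(self, log_stream):
        self.log_stream = log_stream
        self.emails = []          # messages are built, not sent, so they can be inspected
        # (action name, minimum severity, handler): e-mail only on high severity
        self.actions = [("custom_log", "low", self._write_log),
                        ("email", "high", self._build_email)]

    def _write_log(self, event):
        self.log_stream.write("\t".join(str(v) for v in asdict(event).values()) + "\n")

    def _build_email(self, event):
        msg = EmailMessage()
        msg["Subject"] = f"[honeypot] {event.severity} severity: {event.name}"
        msg["From"] = "honeypot@example.invalid"
        msg["To"] = "soc@example.invalid"
        msg.set_content(f"{event.visitor_ip} -> port {event.port} at {event.time}")
        self.emails.append(msg)

    def dispatch(self, event):
        """Return the names of the actions that fired for this event."""
        fired = []
        for name, minimum, handler in self.actions:
            if SEVERITY[event.severity] >= SEVERITY[minimum]:
                handler(event)
                fired.append(name)
        return fired


def export_delimited(events, delimiter=","):
    """CSV by default; pass delimiter="\\t" for the tab-separated form."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=delimiter,
                            lineterminator="\n")
    writer.writeheader()
    for ev in events:
        writer.writerow(asdict(ev))
    return buf.getvalue()


def export_xml(events):
    root = ET.Element("events")
    for ev in events:
        node = ET.SubElement(root, "event")
        for key, value in asdict(ev).items():
            ET.SubElement(node, key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def export_html(events):
    rows = ["<tr>" + "".join(f"<th>{f}</th>" for f in FIELDS) + "</tr>"]
    for ev in events:
        cells = "".join(f"<td>{html.escape(str(v))}</td>" for v in asdict(ev).values())
        rows.append("<tr>" + cells + "</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def run_demo(events=SAMPLE_EVENTS):
    """Dispatch the sample events; return (actions fired, e-mails, custom log text)."""
    log = io.StringIO()
    dispatcher = AlertDispatcher(log)
    fired = [dispatcher.dispatch(ev) for ev in events]
    return fired, dispatcher.emails, log.getvalue()


if __name__ == "__main__":
    fired, emails, log_text = run_demo()
    print(fired, [m["Subject"] for m in emails])
    print(export_delimited(SAMPLE_EVENTS, "\t"))
```

Only the high severity event produces an e-mail, while every event reaches the custom log; the visitor data in the HTML export is escaped, which matters because honeypot events contain attacker-controlled bytes.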
· KFSensor runs as a system service, allowing it to start before a user has logged on.
· KFSensor has been designed according to the least privilege principle. Unlike most other products, KFSensor does not need Admin or root privileges to function. By taking advantage of Windows' native security mechanisms, the host machine can be secured against any possible compromise of the KFSensor system.
High integrity version:
· KFSensor is available in a special high integrity version, which has the potentially riskiest honeypot features compiled out. This makes it suitable for use in the most security sensitive areas of an organisation.
· Detailed help documentation is available for all aspects of the product and there is a detailed guide on how to configure and get the best out of the product.
· Processor 1.5 GHz or greater
· 500 MB hard disk space
· 2 GB RAM
· 1 LAN card or more
· Some feature restrictions and does not contain the remote management functionality
What's New in This Release:
Windows audit monitoring:
· The best way for a honeypot to maximize the information on an attack is to give as realistic a service response as possible to an attacker. The ideal is to use the real service, however this has not been practical due to the risks of compromise involved.
· In the past KFSensor has attempted to replace every Windows service with a simulated service to allow safe detection of threats. Windows services such as IIS and RPC were notoriously vulnerable to attack, especially on machines connected directly to the public Internet.
· Microsoft have made huge improvements to the security of Windows in recent years, and a properly patched modern version of Windows is safe enough to use on an internal network without taking special measures to lock it down. Such machines are still a target for attack, though, as weak passwords on RDP and open file shares are exploited.
· KFSensor has long been able to monitor the network traffic of other services and log events in the same way as i...