Marcus J. Ranum

Building Honey Pots for Intrusion Detection
This class provides a technical introduction to the art of building honey pot systems for intrusion detection and burglar-alarming networks. Students completing this class will come away armed with the knowledge that will enable them to easily assemble their own honey pot, install it, maintain it, keep it secure, and analyze the data from it.
Topics include:
- IDSes
- Fundamentals of burglar alarms
- Fundamentals of honey pots
- Fundamentals of log-data analysis
- Spoofing servers
Overview of our honey pot’s design
- System initialization
- Services
- Spoofing server implementation walkthrough
- Multiway address/traffic manipulation
- Logging architecture: syslogs, XML logs, statistical processing
- Simple tricks for information visualization
Crunchy implementation details
- How to write spoofing rules
- How to write log filtering rules
- How to get help in analyzing attacks
- Keeping up to date
Auxiliary materials: Attendees will receive a bootable CD-ROM containing a mini UNIX kernel
and preconfigured software, and will also have source-code access to the honey pot buildingtoolkit. Attendees may also wish to review The Honeynet Project, eds., Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Addison-Wesley, 2001).
Marcus J. Ranum founded and served as CTO of NFR Security, Inc. He is a consultant and has been working in the computer/network security field for over 14 years. Marcus is credited with designing and implementing the first commercial Internet firewall product. He also designed and implemented other significant security technologies, including the TIS firewall toolkit and the TIS Gauntlet firewall. As a r esearcher for ARPA, Marcus set up and managed the Whitehouse.gov email server. Widely known as a teacher and industry visionary, he has been the recipient of both the TISC Clue award and the ISSA lifetime achievement award. Marcus lives in Woodbine, Maryland, with his wife, Katrina, and a small herd of cats.
Who should attend:
System and network managers with administrative skills and a security background. The tutorial examples will be based on UNIX/Linux. While the materials may be of interest to a Windows/NT administrator, attendees will benefit most if they have at least basic UNIX system administration skills.