Honeypots and Network Security Research by: Christopher MacLellan Project Mentor: Jim Ward EPSCoR and Honors Program Honeypot? What is it? Name originates from pots of honey used to trap unsuspecting wasps. This same concept can be applied to computers to catch unsuspecting malicious computer users. Honeypot? What is it? (cont.) Honeypot Components Fake computer system (virtual or physical) No legitimate production usage or traffic Looks like a tantalizing production system Logging and alert mechanisms in place Physical vs. Virtual Honeypots • Physical Honeypots are actual (physical) computers that are set up with additional logging and security mechanisms. • Virtual Honeypots are a software package that allows you to fake numerous computer distributions at various places over the network from one computer. Hybrid System • This is the system I recommend. It uses virtual Honeypots to direct traffic to the physical Honeypots. Honeypot Implementations Commercial Honeypots Cost Money Easy to use but not easy to modify Open Source Honeypots Free Difficult to use Poor documentation Research Objectives Configure and run an open source honeypot (honeyd). Build a live linux cd containing this already configured open source honeypot. Analyze the cost and security benefits of this implementation. Honeyd Honeypot Was able to configure and run a honeyd honeypot. Discovered issues with honeyd that optimally would need to be fixed. New scanner signature methods allows malicious users to detect the honeypot. KNOPPIX live CD Used the KNOPPIX live CD framework to build a custom live CD. Was able to get this working and deploy honeyd on computers with CD drive in under 5 minutes. Cost and Security Benefits Benefits Cost Easy and versatile to deploy Read-only makes reseting safe and easy Make a mistake? Simply reboot. Conclusions The implementation I created addressed the problems with open source Honeypots. Honeyd needs some improvements to make this system as complete and functional as it could be. Moving Honeypot technology to easy to deploy read-only mediums is the best implementation. Thank you Thanks to the Wyoming EPSCoR program for the funding to work on this project. Thanks to the UW Honors Program for all their support and guidance. Thanks to Jim Ward being my project mentor.