Abstract

A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised in order to gain more information about the attacker and the tools used. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in a research as well as a production environment. Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious because no production components are running on the system. This fact enables the system to log every byte that flows through the network to and from the honeypot, and to correlate this data with other sources to draw a picture of an attack and the attacker.

Chapter 1 Introduction

Global communication is getting more important every day. At the same time, computer crimes are increasing. Because Internet security is so important, it is necessary to have tools for detecting and preventing attacks. It is worthwhile to study these attacks, since doing so yields more information about attackers. A popular maxim for preventing attacks is to know the attackers' strategies; by knowing attack strategies, countermeasures can be improved. A perfect tool for this can be a honeypot. Basically, it is used to gather as much information as possible about attackers. Here we will look at the honeypot concept, levels of involvement, topologies, and the honeynet.

1.1 Overview

In this chapter, section 1.2 discusses the requirement for Internet security and the problems associated with the available tools for Internet security. Section 1.3, in light of these problems, recognizes the fundamental importance of honeypots and their role in Internet security. Section 1.4 gives an overview of the whole report, focusing briefly on the main points covered.
1.2 Internet Security

Internet security is usually a complex task. Computer crimes are increasing day by day, so it is very important to pay attention to these crimes and to the hackers and crackers on the net, people who have a great influence on the Internet. We must have tools for detecting these people and preventing attacks. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy, but it is important. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on production systems to prevent attacks.

1.3 Role of Honeypot in Internet Security

A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community, to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, the programs they use, the purpose of an attack and the blackhat community itself. All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just the primary purpose of a honeypot. There are a lot of other possibilities for a honeypot; diverting hackers from production systems or catching a hacker while conducting an attack are just two possible examples. Honeypots are not the perfect solution for solving or preventing computer crimes. Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, inexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
1.4 Outline of the Report

The remainder of this report is organized as follows. In chapter 2, a definition of the honeypot is given and discussed, together with the value of honeypots: what can a honeypot provide, and what can it be used for? In chapter 3, preliminaries of honeypots such as the level of involvement are discussed; these serve as a benchmark for our further study in later chapters. In chapter 4, we focus our attention on different honeypot topologies and honeynets. In this chapter we discuss the placement of a honeypot in a network as well as a special, more complex version of honeypots, the so-called honeynet. Chapter 5 turns to the honeynet in detail: what a honeynet is, its value, how it works and its different information gathering methods. Chapter 6 highlights care, feeding and risk for honeypots as well as honeynets. Finally, chapter 7 summarizes the report.

Chapter 2 Overview of Honeypot

A honeypot is any system designed for the sole purpose of being exploited. This is a broad definition that can be implemented in many ways. Some honeypot systems use software, some use actual production machines, and some even use virtual machines such as VMware. Whichever honeypot design method is chosen, the underlying goal is to create a system that appears to be vulnerable. What makes a honeypot different from other vulnerable computer systems is its extensive logging capability. These systems most often include at least four layers of logging to capture attacker activity. Every file accessed, every connection made, every keystroke an attacker makes on a honeypot is logged to a secure location.

2.1 Overview

This chapter is organized as follows. Section 2.2 briefly discusses how a honeypot is defined, what a honeypot is and what it is used for. Section 2.3 then discusses the value of honeypots: what can a honeypot provide, and what can it be used for?
Each available honeypot has different strengths; section 2.4 gives a short comparative overview of the available honeypots.

2.2 Honeypot Definition

Honeypots are an exciting new technology. They allow us to turn the tables on the bad guys; we can take the initiative. In the past several years there has been growing interest in exactly what this technology is and how it works. The purpose of this paper is to introduce you to honeypots and demonstrate their capabilities. We will begin by discussing what a honeypot is and how it works.

The buzzword "honeypot" is going around. Different vendors claim that they offer honeypot products, and people are arguing about honeypots without having a clear image of what a honeypot is. To clarify this issue, a definition of what is meant when talking about honeypots is provided. L. Spitzner defines the term honeypot as follows:

A honeypot is a resource whose value is in being attacked or compromised.

This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information. In this chapter, a slightly different definition is proposed:

A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attack and the attacker.

Honeypots do not help directly in increasing a computer network's security. On the contrary, they attract intruders and can therefore attract some interest from the blackhat community to the network where the honeypot is located.

2.2 Strengths of Honeypot

Now that we have an understanding of the two general categories of honeypots, we can focus on their value: specifically, how we can use honeypots. The two general categories in which honeypots can be used are production purposes and research.
When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to study trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways: prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.

A honeypot is a resource which is intended to get compromised. All traffic from and to a honeypot is suspicious, because no production systems are located on this resource. In general, all traffic from and to a honeypot is unauthorized activity. All data collected by a honeypot is therefore interesting data. A honeypot will in general not produce an awful lot of logs because no production systems are running on that machine, which makes analyzing this data much easier. Data collected by a honeypot is of high value and can lead to a better understanding and knowledge, which in turn can help to increase overall network security. One can also argue that a honeypot can be used for prevention, because it can deter attackers from attacking other systems by occupying them long enough and binding their resources. Against most attacks nowadays (which are based on automated scripts) a honeypot does not help in deceiving individuals, as there are no persons to deceive.

2.3 Value of Honeypot

Now that we have an understanding of the two general categories of honeypots, we can focus on their value: specifically, how we can use honeypots.
Once again, we have two general categories: honeypots can be used for production purposes or for research. Up to this point we have been talking about how honeypots can be used to protect an organization. We will now talk about a different use for honeypots: research. Honeypots are extremely powerful; not only can they be used to protect your organization, but they can be used to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can we defend against an enemy when we don't even know who that enemy is? For centuries military organizations have depended on information to better understand who their enemy is and how to defend against them. Why should information security be any different? Research honeypots address this by collecting information on threats. This information can then be used for a variety of purposes, including trend analysis, identifying new tools or methods, identifying attackers and their communities, early warning and prediction, or motivations.
One of the most well known examples of using honeypots for research is the work done by the Honeynet Project, an all-volunteer, non-profit security research organization. All of the data they collect is gathered with Honeynets distributed around the world. As threats are constantly changing, this information is proving more and more critical.

2.4 Comparison of Available Honeypots

This section provides a short overview of the available honeypot products. Table 1 shows an aggregation of the most important factors.

Table 1: Honeypot Comparison Table

Each available honeypot has different strengths. Specter is easy to install and even easier to run due to the nice graphical user interface. Unfortunately, its value is not very high, as no real operating system is provided. But this fact also helps in reducing the risk significantly.

Chapter 3 Concepts of Honeypot

Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To help us better understand honeypots and all the different types, we break them down into two general categories, low-interaction and high-interaction honeypots. These categories help us understand what type of honeypot you are dealing with, its strengths, and its weaknesses. Interaction defines the level of activity a honeypot allows an attacker. Emulated services mitigate risk by containing the attacker's activity: the attacker never has access to an operating system to attack or harm others.

3.1 Level of Involvement

One characteristic of a honeypot is its level of involvement. The level of involvement measures the degree to which an attacker can interact with the operating system.

3.1.1 Low-Involvement Honeypot

A low-involvement honeypot typically only provides certain fake services. A low-involvement honeypot reduces risk to a minimum by minimizing interaction with the attacker. On a low-involvement honeypot there is no real operating system that an attacker can operate on.
This minimizes the risk significantly because the complexity of an operating system is eliminated. On the other hand, this is also a disadvantage. It is not possible to watch an attacker interacting with the operating system, which could be really interesting. A low-involvement honeypot is like a one-way connection. We only listen, but we do not ask questions ourselves. The role of this approach is very passive.

Figure 1: Low-involvement honeypot: A low-involvement honeypot reduces risk to a minimum by minimizing interaction with the attacker.

A low-involvement honeypot can be compared to a passive IDS, as both do not alter any traffic or interact with the attacker or the traffic flow. They are used to generate logs and alerts if incoming packets match certain patterns.

3.1.2 Mid-Involvement Honeypot

A mid-involvement honeypot provides more to interact with, but still does not provide a real underlying operating system. The fake daemons are more sophisticated and have deeper knowledge about the specific services they provide. At the same time, the risk increases. The probability that the attacker can find a security hole or vulnerability is getting bigger because the complexity of the honeypot increases. A compromise of this system is still unlikely and certainly not a goal, as there are no security boundaries and logging mechanisms built for this kind of event.

Figure 2: Mid-involvement honeypot: A mid-involvement honeypot interacts with the attacker in a minimal way.

Through the higher level of interaction, more complex attacks are possible and can therefore be logged and analyzed. The attacker gets a better illusion of a real operating system. He has more possibilities to interact with and probe the system. Developing a mid-involvement honeypot is complex and time consuming. Special care has to be taken with security checks, as all developed fake daemons need to be as secure as possible.
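As an added example (not code from the report), the following Python program sketches a low-involvement honeypot of the kind described above: it listens, sends a banner, answers every command with a canned reply chosen by table lookup only, and writes every received byte, hex-encoded, to a log. The port, the SMTP-like banner text and the log path are assumptions.

```python
"""Low-involvement honeypot sketch (added example, not from the report).

It listens on a TCP port, sends a fixed banner, answers every line with a
canned reply chosen by lookup only, and records every received byte to a
log file. No real service, shell or filesystem is behind it, which is what
keeps the risk low. Port, banner text and log path are assumptions.
"""
import json
import socket
import threading
import time

# Constructed SMTP-like banner and canned answers; nothing is executed.
BANNER = b"220 mail.example.test ESMTP ready\r\n"
CANNED = {
    "EHLO": b"250-mail.example.test\r\n250 SIZE 10240000\r\n",
    "HELO": b"250 mail.example.test\r\n",
    "QUIT": b"221 Bye\r\n",
}
DEFAULT_REPLY = b"250 OK\r\n"
SESSION_BYTE_LIMIT = 4096      # cap per connection so a flood cannot fill the disk
IDLE_TIMEOUT_SECONDS = 30


def emulate(line: bytes) -> bytes:
    """Canned reply for one command line. The command word is only used as
    a dictionary key, so attacker input never reaches an interpreter."""
    verb = line.strip().split(b" ", 1)[0].upper().decode("ascii", "replace")
    return CANNED.get(verb, DEFAULT_REPLY)


def make_record(peer, data: bytes, reply: bytes) -> dict:
    """One log record per received line. The payload is stored hex-encoded
    so binary data or terminal escapes cannot corrupt the log."""
    return {
        "ts": time.time(),
        "src": f"{peer[0]}:{peer[1]}",
        "recv_hex": data.hex(),
        "recv_len": len(data),
        "reply": reply.decode("ascii", "replace").strip(),
    }


def serve_client(conn, peer, log_path):
    """Banner, then log-and-reply until QUIT, disconnect, idle timeout or
    the per-session byte budget is used up."""
    received, buf = 0, b""
    with conn, open(log_path, "a") as log:
        conn.settimeout(IDLE_TIMEOUT_SECONDS)
        conn.sendall(BANNER)
        while received < SESSION_BYTE_LIMIT:
            try:
                chunk = conn.recv(1024)
            except (socket.timeout, OSError):
                break
            if not chunk:
                break
            received += len(chunk)
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                reply = emulate(line)
                log.write(json.dumps(make_record(peer, line, reply)) + "\n")
                log.flush()
                conn.sendall(reply)
                if reply.startswith(b"221"):
                    return


def run(host="0.0.0.0", port=2525, log_path="honeypot.jsonl"):
    """Accept loop; every connection gets its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=serve_client, args=(conn, peer, log_path),
                             daemon=True).start()


if __name__ == "__main__":
    run()
```

The log is written as one JSON object per line, so it can be shipped to a collector off the honeypot; in a honeynet the same records would be captured on the gateway rather than on the honeypot itself.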
The developed versions should not suffer the same security holes as their real counterparts, because this is the main reason to substitute these with fake variants. The knowledge required for developing such a system is very high, as each protocol and service has to be understood in detail.

3.1.3 High-Involvement Honeypot

A high-involvement honeypot has a real underlying operating system. This leads to a much higher risk, as the complexity increases rapidly. At the same time, the possibilities to gather information, the possible attacks as well as the attractiveness increase a lot. One goal of a hacker is to gain root and to have access to a machine which is connected to the Internet 24/7. A high-involvement honeypot offers such an environment. As soon as a hacker has gained access, his real work, and therefore the interesting part, begins. Unfortunately the attacker has to compromise the system to get this level of freedom. He will then have root rights on the system and can do everything at any moment on the compromised system. Per se, this system is no longer secure. Even the whole machine cannot be considered secure. It does not matter whether he is in a jail, a sandbox or a VMware box, because there could be ways to get out of these software boundaries.

Figure 3: High-involvement honeypot: A high-involvement honeypot has great risk as the attacker can compromise the system and use all its resources.

A high-involvement honeypot is very time consuming. The system should be constantly under surveillance. A honeypot which is not under control is not of much help and can even become a danger or security hole itself. It is very important to limit a honeypot's access to the local intranet, as the honeypot can be used by the blackhats as if it was a real compromised system. Limiting outbound traffic is also an important point to consider, as the danger once a system is fully compromised can thereby be reduced.
By providing a full operating system to the attacker, he has the possibility to upload and install new files. This is where a high-involvement honeypot can show its strength, as all actions can be recorded and analyzed. Gathering new information about the blackhat community is one main goal of a high-involvement honeypot and justifies the higher risk.

Chapter 4 Placement of Honeypot

This chapter discusses the placement of honeypots in a network as well as a special, more complex version of honeypots, the so-called honeynet.

4.1 Honeypot Location

A honeypot does not need a certain surrounding environment, as it is a standard server with no special needs. A honeypot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches than others. A honeypot can be used on the Internet as well as on the intranet, based on the needed service. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is desired. It is especially important to set the internal trust for a honeypot as low as possible, as this system could be compromised, probably without immediate knowledge. If the main concern is the Internet, a honeypot can be placed at the following locations:

- In front of the firewall (Internet)
- DMZ
- Behind the firewall (intranet)

Each approach has its advantages as well as disadvantages. Sometimes it is even impossible to choose freely, as placing a server in front of a firewall is simply not possible or not wished.

Figure 4: Placement of a honeypot

By placing the honeypot in front of a firewall (see figure 4, honeypot (1)), the risk for the internal network does not increase. The danger of having a compromised system behind the firewall is eliminated. A honeypot will attract and generate a lot of unwanted traffic like portscans or attack patterns.
By placing a honeypot outside the firewall, such events do not get logged by the firewall and an internal IDS will not generate alerts. Otherwise, a lot of alerts would be generated on the firewall or IDS. Probably the biggest advantage is that the firewall or IDS, as well as any other resources, do not have to be adjusted, as the honeypot is outside the firewall and viewed as any other machine on the external network. Running a honeypot does therefore not increase the dangers for the internal network, nor does it introduce new risks. The disadvantage of placing a honeypot in front of the firewall is that internal attackers cannot be located or trapped that easily, especially if the firewall limits outbound traffic and therefore limits the traffic to the honeypot.

Placing a honeypot inside a DMZ (figure 4, honeypot (2)) seems a good solution as long as the other systems inside the DMZ can be secured against the honeypot. Most DMZs are not fully accessible, as only needed services are allowed to pass the firewall. In such a case, placing the honeypot in front of the firewall should be favored, as opening all corresponding ports on the firewall is too time consuming and risky.

A honeypot behind a firewall (figure 4, honeypot (3)) can introduce new security risks to the internal network, especially if the internal network is not secured against the honeypot through additional firewalls. This could be a special problem if IP addresses are used for authentication. It is important to distinguish between a setup where the firewall enables access to the honeypot and one where access from the Internet is denied. A honeypot often provides a lot of services. Probably most of them are not used as exported services to the Internet and are therefore not forwarded to the honeypot by the firewall. By placing the honeypot behind a firewall, the firewall rules must be adjusted if access from the Internet is to be permitted.
The biggest problem arises as soon as the internal honeypot is compromised by an external attacker. He gains the possibility to access the internal network through the honeypot. This traffic will not be stopped by the firewall, as it is regarded as traffic to the honeypot only, which in turn is granted. Securing an internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot. With an internal honeypot it is also possible to detect a misconfigured firewall which forwards unwanted traffic from the Internet to the internal network. The main reason for placing a honeypot behind a firewall could be to detect internal attackers. The best solution would be to run a honeypot in its own DMZ, i.e. with a preliminary firewall. The firewall could be connected directly to the Internet or the intranet, depending on the goal. This approach enables tight control as well as a flexible environment with maximal security.

4.2.2 Honeynets

A honeypot is physically a single machine, possibly running multiple virtual operating systems. Controlling outbound traffic is often not possible, as the traffic goes directly onto the network. In this case the only possibility to limit outbound traffic is to use a preliminary firewall. Such a more complex environment is often referred to as a honeynet. A typical honeynet consists of multiple honeypots and a firewall (or firewalled bridge) to limit and log network traffic. An IDS is often used to watch for potential attacks and to decode and store network traffic on the preliminary system. By placing a firewall in front of a honeypot (or multiple honeypots) the risk posed by the honeypot can be reduced. It is possible to control the network flow, the inbound as well as the outbound connections. Logging of network traffic is much easier, as this can be done at one centralized location for all honeypots.
The captured data does not have to be placed on the honeypot itself, and the risk of this data being detected by an attacker is eliminated.

Figure 5: Different honeypot topologies: Simple honeypot, honeynet and a virtual honeynet

By introducing new machines to the honeypot itself, more hardware is required. A solution with only one machine is conceivable. By using VMware, setting up multiple virtual systems on one physical machine is possible. Through this approach, it is even possible to place the firewall on the same machine as all virtual honeypots; however, the security of this solution is not as good as having different physical machines. As soon as the honeynet is a virtual environment, the system could be compromised and the attacker could be able to break out of the virtual machines. Placing a bridge with firewall capabilities in front of a honeypot is much safer, as the attacker cannot see the bridge. Even attacking the bridge is not possible, as the bridge has no IP address and therefore no attack point exists. Introducing additional hardware also raises the complexity of the environment. Understanding networking and the associated tools is important if the best security is to be provided.

Chapter 5 Honeynet

A Honeynet is nothing more than one type of honeypot. Specifically, it is a high-interaction honeypot designed primarily for research, to gather information on the enemy. Most traditional honeypots have been for deception or detecting attacks. They are usually single systems that emulate other systems, emulate known services or vulnerabilities, or create jailed environments.

5.1 What is a Honeynet?

A Honeynet is different from traditional honeypots; it is what we would categorize as a research honeypot. This does not make it a better solution than traditional honeypots, merely one with a different purpose. Instead of its value being detecting or deceiving attackers, its value is gaining information on threats.
The two biggest design differences from traditional honeypots are:

It is not a single system but a network of multiple systems and applications, which are probed and attacked by blackhats. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS webserver, and a Solaris database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to more accurately profile specific blackhat trends and signatures.

All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated, nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.

It is these two design differences that make a Honeynet primarily a tool for research. It can be used as a traditional honeypot, such as for detecting unauthorized activity; however, a Honeynet requires a great deal more work, risk and administration. It is simply not worth all the effort of building and maintaining a Honeynet just to detect attacks.

5.2 Value of Honeynet

Traditionally, information security has been purely defensive. Firewalls, intrusion detection systems, encryption: all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures.
The problem with this approach is that it is purely defensive; the enemy is on the attack. Honeynets attempt to change that. The primary purpose of a Honeynet is to gather information about threats that exist. New tools can be discovered, attack patterns can be determined, and attacker motives studied. This information can then be used to protect against threats. Honeynets are nothing more than a tool, and as such can be used for other purposes. For example, organizations can use Honeynets to test and develop their incident response capabilities. The advantage one has in analyzing these compromised systems is that you already have most of the answers. You can then treat a compromised system as a "challenge", where you test your abilities to determine what happened using various forensic techniques. You can then compare these results to the data captured from within the Honeynet. Examples of this are the numerous challenges sponsored by the Honeynet Project. Honeynets are merely a tool; they provide value in however you choose to use them. However, their primary purpose and design is based on researching threats.

5.3 How it Works

Conceptually, Honeynets are a simple mechanism. You create a network similar to a fishbowl, where you can see everything that happens inside it. Just like the fish, you can watch the hackers interact in your virtual environment. Also just like a fishbowl, you can put almost anything in there you want. This controlled network becomes your Honeynet. The captured activity teaches you the tools, tactics, and motives of the blackhat community. Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining from vast amounts of information what is production traffic and what is malicious activity.
Tools and techniques such as intrusion detection systems, host-based forensics, or system log analysis attempt to solve this by using a database of known signatures or algorithms to determine what is production traffic and what is malicious activity. However, information overload, data pollution, unknown activity, false positives and false negatives can make analyzing and determining activity extremely difficult. Like all honeypots, the Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack, or other malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised. An attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept of no production

5.4 Requirements

To successfully build your Honeynet, there are two critical requirements: Data Control and Data Capture. If there is a failure in either requirement, then there is a failure within the Honeynet. Honeynets can be built and deployed in a variety of different ways; almost no two Honeynets look the same. But they must all meet the requirements of Data Control and Data Capture.

5.4.1 Data Control

Data Control is the containment of activity. When we are dealing with blackhats there is always risk, and we must mitigate that risk. We want to ensure that once compromised, a honeypot cannot be used to harm any non-Honeynet system. However, the challenge is to control the data flow without the blackhats getting suspicious. Once a system is compromised, blackhats will often require Internet connectivity, such as for retrieving toolkits, setting up IRC connections, or sending email.
We have to give them the flexibility to execute these actions, as these are the very steps we want to learn and analyze. Also, blackhats may become highly suspicious if they cannot initiate any outbound connections. We made that very same mistake with our first Honeynet. We did not allow any outbound Internet connections. It took the blackhat only fifteen minutes to figure out something was wrong, wipe the system drive, and leave the network. So, the trick is to give the blackhat flexibility to execute whatever they need, but without allowing them to use the compromised system to attack others, such as with denial of service attacks, system scans, and exploits. In general, the more you allow a blackhat to do outbound, the more you can learn, but the greater the risk.

5.4.2 Data Capture

Data Capture is the capturing of all of the blackhat's activities. It is these activities that are then analyzed to learn the tools, tactics, and motives of the blackhat community. The challenge is to capture as much data as possible without the blackhat knowing their every action is captured. This is done with as few modifications as possible, if any, to the honeypots. Also, captured data cannot be stored locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them that the system is a Honeynet. The stored data can also be lost or destroyed. Not only do we have to capture the blackhat's every move without them knowing, but we have to store the information remotely. The key to this is capturing data in layers. You cannot depend on a single layer for information. You gather data from a variety of resources. Combined, these layers then allow you to paint the big picture.

5.4.3 Data Collection

There is a third requirement, Data Collection, but this is only for organizations that have multiple Honeynets in distributed environments. Many organizations will have only one single Honeynet, so all they need to do is both control and capture data.
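To make the Data Control and Data Capture requirements concrete, together with the placement rule from chapter 4 that a compromised honeypot must never reach the internal network, here is an added Python example (not the report's or the Honeynet Project's code) of the decision logic a preliminary firewall in front of a honeynet would apply to each new connection. The addresses, the outbound budget of five connections per sliding hour and the flow log are constructed for the example.

```python
"""Honeynet data-control and data-capture decision logic (added example,
not the report's or the Honeynet Project's code).

Models the preliminary firewall in front of a honeynet: every flow is
logged on the gateway (data capture, never on the honeypot), inbound flows
to the honeypots are allowed as probes, flows from a honeypot to the
internal network are always denied, and outbound flows to the Internet,
the compromise indicator, are allowed up to a per-hour budget so the
attacker keeps acting but cannot scan or flood others. All addresses, the
budget and the log lines are constructed for the example.
"""
import ipaddress
from collections import Counter, defaultdict

HONEYPOTS = {ipaddress.ip_address("192.0.2.10"),
             ipaddress.ip_address("192.0.2.11")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
OUTBOUND_BUDGET = 5      # assumption: outbound connections per honeypot per hour
WINDOW_SECONDS = 3600

# Constructed flow log as the gateway sees it: "<epoch> <src> <dst> <dport>",
# one new connection per line, in time order.
SAMPLE_FLOWS = """\
1700000000 198.51.100.7 192.0.2.10 22
1700000030 198.51.100.7 192.0.2.10 80
1700000100 203.0.113.5 192.0.2.11 445
1700000200 192.0.2.10 10.0.5.20 445
1700000300 192.0.2.10 198.51.100.9 6667
1700000310 192.0.2.10 198.51.100.9 80
1700000320 192.0.2.10 203.0.113.50 80
1700000330 192.0.2.10 203.0.113.51 80
1700000340 192.0.2.10 203.0.113.52 80
1700000350 192.0.2.10 203.0.113.53 80
1700000360 192.0.2.10 203.0.113.54 80
1700000370 192.0.2.10 192.0.2.11 22
1700000500 198.51.100.7 10.0.5.20 22
1700003900 192.0.2.10 203.0.113.55 80
"""


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


class HoneynetGateway:
    """Decision logic of the firewall in front of the honeynet. Every
    decision is appended to self.log, which lives on the gateway only."""

    def __init__(self, budget=OUTBOUND_BUDGET):
        self.budget = budget
        self.outbound = defaultdict(list)   # honeypot -> allowed outbound timestamps
        self.log = []

    def decide(self, ts, src, dst, dport):
        if src in HONEYPOTS and dst in HONEYPOTS:
            verdict, reason = "allow", "lateral movement inside honeynet"
        elif dst in HONEYPOTS and src not in HONEYPOTS:
            verdict, reason = "allow", "inbound probe or attack"
        elif src in HONEYPOTS and dst in INTERNAL:
            # A compromised honeypot must never reach the real intranet.
            verdict, reason = "deny", "honeypot reaching internal network"
        elif src in HONEYPOTS:
            # Outbound from a honeypot means it was compromised; grant a
            # limited number per sliding hour, drop the rest.
            window = [t for t in self.outbound[src] if ts - t < WINDOW_SECONDS]
            self.outbound[src] = window
            if len(window) < self.budget:
                window.append(ts)
                verdict, reason = "allow", "outbound: compromise indicator"
            else:
                verdict, reason = "deny", "outbound budget exhausted"
        else:
            # Neither side is a honeypot: usually a misconfigured forwarding rule.
            verdict, reason = "deny", "not honeynet traffic"
        rec = {"ts": ts, "src": str(src), "dst": str(dst), "dport": dport,
               "verdict": verdict, "reason": reason}
        self.log.append(rec)
        return rec


def process(lines, budget=OUTBOUND_BUDGET):
    """Run every flow through the gateway and return it with its log."""
    gw = HoneynetGateway(budget)
    for line in lines:
        if line.strip():
            gw.decide(*parse_flow(line))
    return gw


def summarize(gw):
    """Collapse the log into the figures an operator checks first."""
    reasons = Counter(r["reason"] for r in gw.log)
    compromised = sorted({r["src"] for r in gw.log
                          if ipaddress.ip_address(r["src"]) in HONEYPOTS
                          and ipaddress.ip_address(r["dst"]) not in HONEYPOTS})
    return {"flows": len(gw.log),
            "inbound_probes": reasons["inbound probe or attack"],
            "denied": sum(1 for r in gw.log if r["verdict"] == "deny"),
            "compromised": compromised,
            "reasons": dict(reasons)}


if __name__ == "__main__":
    gateway = process(SAMPLE_FLOWS.splitlines())
    for rec in gateway.log:
        print(f"{rec['ts']} {rec['src']:>14} -> {rec['dst']:<14}:{rec['dport']:<5} "
              f"{rec['verdict']:5} {rec['reason']}")
    print(summarize(gateway))
```

On the sample log the sixth and seventh outbound connections from 192.0.2.10 are dropped, while the one an hour later is allowed again as the first entry leaves the sliding window; the single flow between two non-honeypot addresses is the misconfigured-firewall case from chapter 4.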
However, organizations that have multiple Honeynets logically or physically distributed around the world, such as the Honeynet Research Alliance, have to collect all of the captured data and store it in a central location. This way the captured data can be combined, greatly increasing its value.

Chapter 6 CARE, FEEDING AND RISK

Honeynets are not a "fire and forget" solution. They are a complex type of honeypot that requires constant maintenance, administration and vigilance. For maximum effectiveness, you need to detect and react to incidents as soon as possible. By watching blackhat activities in real time, you can maximize your data capture and analysis capabilities. Also, to detect the unknown, you are required to constantly review suspicious activity. This requires extensive time and analysis capabilities. For example, in just 30 minutes a blackhat can do enough damage to a compromised honeypot to require 30-40 hours to fully understand what happened. Constant maintenance is also required to ensure the operability of your Honeynet. If something goes wrong (and something always does), this can cause a failure within the Honeynet: your alert processes may die, disks can fill, IDS signatures become out of date, configuration files become corrupted, system logs need to be reviewed, firewalls need to be updated and patched. These represent just some of the constant care and feeding that is required for a successful Honeynet. Your work has only begun when you implement a Honeynet.

Also, there are risks involved with building and implementing a Honeynet. We have blackhats attacking and compromising our systems. By setting up a network to be compromised, we expose ourselves, and others, to risk. You assume a responsibility to ensure that the Honeynet, once compromised, cannot be used to attack or harm other systems. However, with an environment like this, there is always the potential for something to go wrong.
We have implemented a variety of measures to mitigate this risk. However, it is quite possible for a blackhat to develop a method or tool that allows them to bypass our access control methods. Also, one needs to be constantly testing and updating the environment to ensure that the control measures are working effectively. Never underestimate the creative power of the blackhat community. The use of firewalls, routers, and other techniques helps mitigate the risk of the Honeynet being used to damage other systems. However, there is still risk.

Last, Honeynets will not solve your security problems. We highly recommend that organizations focus on best practices first, such as strong authentication, use of encrypted protocols, reviewing system logs, and secure system builds. By prioritizing proper policies and procedures, organizations can greatly reduce risk. Honeynets do not reduce risk; they most likely increase it. If your organization is interested in the detection or deception capabilities of honeypots, bear in mind that Honeynets are a honeypot designed primarily for research, to gather information on the enemy. They will not fix your unsecured server, nor fix bad processes or procedures.

Chapter 7 CONCLUSION

Honeypots are a new field in the sector of network security. Currently there is a lot of ongoing research and discussion all around the world. A honeypot is a valuable resource, especially for collecting information about the proceedings of attackers as well as their deployed tools. No other mechanism is comparable to a honeypot in efficiency if gathering information is a primary goal, especially if the tools an attacker uses are of interest. Nevertheless, honeypots cannot be considered a standard product with a fixed place in every security-aware environment, as firewalls or intrusion detection systems are today. Installing and running a honeypot is not just a matter of "buy and go".
The involved risk and the need for tight supervision as well as time-intensive analysis make them difficult to use. Honeypots are in their infancy, and new ideas and technologies will surface in the near future. At the same time as honeypots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the blackhat community.