Honeypots for network security
WHAT IS A HONEYPOT?
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
More generally a honeypot is a trap set to deflect or detect attempts at unauthorized use of information systems.
Used for monitoring, detecting and analyzing attacks
Honeypots do not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.
History of Honeypots
1990/1991 - The Cuckoo’s Egg and Evening with Berferd
1997 - Deception Toolkit
1998 - CyberCop Sting
1998 - NetFacade (and Snort)
1998 - BackOfficer Friendly
1999 - Formation of the Honeynet Project
2001 - Worms captured
HONEYNET
Two or more honeypots on a network form a honeynet.
Used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient
Honeynets (and honeypots) are usually implemented as parts of larger network intrusion-detection systems.
Their primary value lies in research, gaining information on threats
Classification
By level of interaction
High
Low
Middle
By Implementation
Virtual
Physical
By purpose
Production
Research
TYPES OF HONEYPOTS:
Honeypots come in two flavors:
On the basis of interaction
Low-interaction
High-interaction.
Level of Interaction
Low Interaction
Also known as GEN-I honeypot.
Beginner level attacks.
Simulates some aspects of the system
Easy to deploy, minimal risk
Limited Information
Honeyd:
It’s a GEN-I honeypot which emulates services and their responses for typical network functions from a single machine, making the intruder believe that there are numerous different operating systems.
High Level Interaction:
A high-interaction honeypot consists of: a resource of interest, data control, data capture and external logs.
More complex to deploy and maintain in comparison to low-interaction honeypots.
Very useful in their ability to identify vulnerable services and applications for a particular target operating system
Physical vs. Virtual Honeypots
Physical
Real machines
Own IP Addresses
Often high-interaction
Virtual
Simulated by other machines that:
Respond to the traffic sent to the honeypots
May simulate a lot of (different) virtual honeypots at the same time
Production HPs: Protect the systems
Prevention
Keeping the bad guys out
Not effective prevention mechanisms.
Deception, deterrence and decoys do NOT work against automated attacks: worms, auto-rooters, mass-rooters
Detection
Detecting the burglar when he breaks in.
Great work
Response
Can easily be pulled offline
Little to no data pollution
Research HPs: gathering information
Collect compact amounts of high value information
Discover new Tools and Tactics
Understand Motives, Behavior, and Organization
Develop Analysis and Forensic Skills
HONEYNET
Building A HoneyPot
To build a honeypot, a set of virtual machines is created.
They are then set up on a private network with the host operating system.
To facilitate data control, a stateful firewall such as iptables can be used to log connections.
The final step is data capture, for which tools such as Sebek and Term Log can be used.
Analysis of the data can be performed using tools such as Honey Inspector, PrivMsg and SleuthKit.
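
The data-control step above logs connections at the firewall. As an added example (not part of the original presentation), this Python script parses iptables LOG lines from such a gateway, counts inbound probes per source and flags a honeypot that opens more outbound connections than a limit. The HPOT-IN / HPOT-OUT log prefixes, the addresses, the sample lines and the outbound limit are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample in the kernel's iptables LOG line format. The HPOT-IN /
# HPOT-OUT log prefixes and every address are assumptions of this example.
SAMPLE_LOG = """\
Jan 10 03:12:01 gw kernel: HPOT-IN IN=eth0 OUT=br0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Jan 10 03:12:02 gw kernel: HPOT-IN IN=eth0 OUT=br0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40113 DPT=22 SYN
Jan 10 03:15:40 gw kernel: HPOT-IN IN=eth0 OUT=br0 SRC=203.0.113.9 DST=10.0.0.6 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:15:41 gw kernel: HPOT-IN IN=eth0 OUT=br0 SRC=203.0.113.9 DST=10.0.0.6 LEN=52 PROTO=TCP SPT=51000 DPT=445 SYN
Jan 10 03:20:05 gw sshd[811]: Accepted publickey for admin from 10.0.0.1
Jan 10 04:01:10 gw kernel: HPOT-OUT IN=br0 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=33001 DPT=6667 SYN
Jan 10 04:01:12 gw kernel: HPOT-OUT IN=br0 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=33002 DPT=6667 SYN
Jan 10 04:02:30 gw kernel: HPOT-OUT IN=br0 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.45 LEN=60 PROTO=TCP SPT=33003 DPT=80 SYN
"""

LINE = re.compile(r"kernel: (?:\[[^\]]*\] ?)?(HPOT-(?:IN|OUT)) (.*)")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (prefix, fields) for a honeypot firewall line, else None."""
    m = LINE.search(line)
    if m is None:
        return None
    return m.group(1), dict(FIELD.findall(m.group(2)))

def summarize(log_text, outbound_limit=2):
    """Count new connections; flag honeypots exceeding the outbound limit."""
    inbound = Counter()   # (source, protocol, dest port) -> hits
    outbound = Counter()  # honeypot address -> outbound connections
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a honeypot firewall entry
        prefix, f = parsed
        if "SRC" not in f or "PROTO" not in f:
            continue                      # truncated entry, nothing to count
        port = int(f["DPT"]) if f.get("DPT", "").isdigit() else None  # ICMP has no port
        if prefix == "HPOT-IN":
            inbound[(f["SRC"], f["PROTO"], port)] += 1
        else:
            outbound[f["SRC"]] += 1
    alerts = sorted(h for h, n in outbound.items() if n > outbound_limit)
    return inbound, outbound, alerts

if __name__ == "__main__":
    inbound, outbound, alerts = summarize(SAMPLE_LOG)
    for (src, proto, port), hits in inbound.most_common():
        print(f"inbound  {src} -> {proto}/{port}: {hits}")
    for host in alerts:
        print(f"ALERT    honeypot {host} opened {outbound[host]} outbound connections")
```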