26-02-2011, 03:29 PM
honeypots.ppt (Size: 4.52 MB / Downloads: 426)
HoneyPots
• Internet security is hard
– New attacks every day
– Our computers are static targets
• What should we do?
• The more you know about your enemy, the better you can protect yourself
• Fake target?
• A fake target that looks like a real system, set up so that we can collect information about who attacks it and how
History of Honeypots
• 1990/1991 - The Cuckoo’s Egg and An Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
Definition
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
• Has no production value: anything going to or from a honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
• Does not solve a specific problem; instead it is a highly flexible tool with many different applications in security
Classification
• By level of interaction
• High
• Low
• Middle?
• By Implementation
• Virtual
• Physical
• By purpose
• Production
• Research
Level of Interaction
• Low Interaction
• Simulates some aspects of the system
• Easy to deploy, minimal risk
• Limited Information
• Honeyd
• High Interaction
• Real operating system and real services, nothing is simulated
• Can be compromised completely, higher risk
• More Information
• Honeynet
Physical vs. Virtual Honeypots
• Two types
– Physical
• Real machines
• Own IP Addresses
• Often high-interactive
– Virtual
• Simulated by other machines that:
– Respond to the traffic sent to the honeypots
– May simulate a lot of (different) virtual honeypots at the same time
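The two ideas above, a low-interaction honeypot (fake banners, no real services, attacker's first request logged) and a virtual honeypot (one machine answering for several fake hosts), as an added example in the spirit of Honeyd. This is illustration code written for this page, not Honeyd's code or material from the slides; the virtual host addresses, banners and log fields are constructed, and in a real deployment the unused addresses would have to be aliased or routed to the honeypot machine so that traffic for them actually arrives there.

```python
"""Low-interaction virtual honeypot, in the spirit of Honeyd.

One process answers for several fake hosts. Each virtual host has a
"personality": the ports that look open and the banner each one presents.
Nothing behind a banner is real, so an attacker cannot get a shell (low
risk), but every connection and the attacker's first request are logged
(limited, but valuable, information).

Added example, not Honeyd's code. Addresses, banners and log fields are
constructed for illustration.
"""
import json
import socket
import socketserver
import sys
from datetime import datetime, timezone

# Constructed personality table: virtual host IP -> {port: banner}.
VIRTUAL_HOSTS = {
    "10.0.0.10": {
        22: b"SSH-2.0-OpenSSH_5.3\r\n",
        80: b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\nContent-Length: 0\r\n\r\n",
    },
    "10.0.0.11": {
        21: b"220 ProFTPD 1.3.1 Server ready.\r\n",
        23: b"\r\nlogin: ",
    },
}
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http"}

EVENTS = []  # in-memory log; a real honeypot would ship this off-box


def banner_for(dst_ip, dst_port):
    """Banner a virtual host shows on a port; b"" means the port is 'closed'.

    A closed port still accepts the TCP connection (so it can be logged);
    it simply says nothing and drops the peer after the first read.
    """
    return VIRTUAL_HOSTS.get(dst_ip, {}).get(dst_port, b"")


def record_probe(dst_ip, dst_port, src_ip, src_port, data, ts=None):
    """Turn one connection into a log record.

    Low interaction means no protocol is really implemented: we only keep
    the byte count and the first line the attacker sent (a login name, an
    HTTP request line, an FTP command) so an analyst sees what was tried.
    """
    emulated = dst_port in VIRTUAL_HOSTS.get(dst_ip, {})
    first_line = data.split(b"\n", 1)[0].strip()
    return {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "src": f"{src_ip}:{src_port}",
        "dst": f"{dst_ip}:{dst_port}",
        "service": SERVICE_NAMES.get(dst_port, "tcp") if emulated else "closed",
        "bytes": len(data),
        "request": first_line[:256].decode("ascii", "backslashreplace"),
    }


class HoneypotServer(socketserver.ThreadingTCPServer):
    """Listener for one (virtual host, port) pair."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr, virtual_ip, virtual_port):
        self.virtual_ip, self.virtual_port = virtual_ip, virtual_port
        super().__init__(bind_addr, ProbeHandler)


class ProbeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(10)  # scanners that connect and go quiet
        banner = banner_for(self.server.virtual_ip, self.server.virtual_port)
        data = b""
        try:
            if banner:
                self.request.sendall(banner)
            data = self.request.recv(1024)  # first request only, never a shell
        except (OSError, socket.timeout):
            pass
        src_ip, src_port = self.client_address[:2]
        event = record_probe(self.server.virtual_ip, self.server.virtual_port,
                             src_ip, src_port, data)
        EVENTS.append(event)
        print(json.dumps(event), flush=True)


if __name__ == "__main__":
    # Usage: python honeypot.py <virtual_ip> <virtual_port> [bind_ip] [bind_port]
    # e.g.   python honeypot.py 10.0.0.10 22 127.0.0.1 2222
    vip, vport = sys.argv[1], int(sys.argv[2])
    bind_ip = sys.argv[3] if len(sys.argv) > 3 else vip
    bind_port = int(sys.argv[4]) if len(sys.argv) > 4 else vport
    with HoneypotServer((bind_ip, bind_port), vip, vport) as srv:
        srv.serve_forever()
```

One listener per emulated service keeps the example simple; Honeyd itself answers for whole address ranges at the network layer, which this code does not attempt. Note what a low-interaction design gives up: an attacker who gets past the banner finds nothing to exploit, so the log shows the probe and the first request but not what the attacker would have done on a real system.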
Production Honeypots: Protect the systems
• Prevention
• Keeping the bad guys out
• Honeypots are not effective prevention mechanisms
• Deception, deterrence and decoys do NOT work against automated attacks (worms, auto-rooters, mass-rooters), which hit every address they can reach without caring whether it is a decoy
• Detection
• Detecting the burglar when he breaks in.
• Works well: no legitimate traffic should ever reach a honeypot, so almost every connection is worth an alert and there are few false positives
• Response
• A compromised honeypot can easily be pulled offline for analysis without disrupting production systems
• Little to no data pollution: no legitimate activity is mixed into the evidence
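The detection point above (a honeypot has no production value, so every connection is an alert candidate) and the prevention point (decoys do not stop automated attacks, but they do show them up) can both be made concrete with a little triage over honeypot logs. The following is an added example written for this page, not the slides' material or any honeypot project's own code. It assumes a JSON-lines log with one record per connection (fields `src`, `dst`, `service`, `request`) and uses a constructed sample log; the thresholds are illustrative.

```python
"""Triage of honeypot connection logs (the detection use of a production honeypot).

Every record is already suspicious; triage says what kind of alert it is.
Two cheap signals: how many distinct targets one source touched (a sweep
across the address space vs. a single-target probe), and whether the same
request arrived from several unrelated sources (the fingerprint of an
automated tool or worm rather than a person at a keyboard).

Added example; the log format and the sample records are constructed.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """
{"ts":"2011-02-20T10:00:01Z","src":"203.0.113.5:40011","dst":"10.0.0.10:22","service":"ssh","request":""}
{"ts":"2011-02-20T10:00:01Z","src":"203.0.113.5:40012","dst":"10.0.0.10:80","service":"http","request":"GET / HTTP/1.0"}
{"ts":"2011-02-20T10:00:02Z","src":"203.0.113.5:40013","dst":"10.0.0.11:21","service":"ftp","request":""}
{"ts":"2011-02-20T10:00:02Z","src":"203.0.113.5:40014","dst":"10.0.0.11:445","service":"closed","request":""}
{"ts":"2011-02-20T10:05:00Z","src":"198.51.100.7:51000","dst":"10.0.0.10:80","service":"http","request":"GET /phpMyAdmin/scripts/setup.php HTTP/1.0"}
{"ts":"2011-02-20T10:06:00Z","src":"198.51.100.9:51002","dst":"10.0.0.10:80","service":"http","request":"GET /phpMyAdmin/scripts/setup.php HTTP/1.0"}
{"ts":"2011-02-20T10:07:00Z","src":"198.51.100.23:51005","dst":"10.0.0.10:80","service":"http","request":"GET /phpMyAdmin/scripts/setup.php HTTP/1.0"}
{"ts":"2011-02-20T11:00:00Z","src":"192.0.2.77:33000","dst":"10.0.0.11:23","service":"telnet","request":"admin"}
"""


def load_events(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_of(addr):
    """'203.0.113.5:40011' -> '203.0.113.5' (the source port changes per connection)."""
    return addr.rsplit(":", 1)[0]


def triage(events, scan_threshold=3, automation_threshold=3):
    """Group records by source and classify each source.

    kind:      'scan' if the source touched >= scan_threshold distinct
               host:port targets, else 'single-target'.
    automated: True if any non-empty request from this source was also seen
               from >= automation_threshold distinct sources in total.
    """
    targets = defaultdict(set)
    services = defaultdict(set)
    src_payloads = defaultdict(set)
    payload_sources = defaultdict(set)
    for ev in events:
        src = host_of(ev["src"])
        targets[src].add(ev["dst"])
        services[src].add(ev["service"])
        req = ev.get("request", "")
        if req:  # a bare connect carries no payload to compare
            src_payloads[src].add(req)
            payload_sources[req].add(src)
    report = {}
    for src in targets:
        shared = sorted(p for p in src_payloads[src]
                        if len(payload_sources[p]) >= automation_threshold)
        report[src] = {
            "targets": sorted(targets[src]),
            "services": sorted(services[src]),
            "kind": "scan" if len(targets[src]) >= scan_threshold else "single-target",
            "automated": bool(shared),
            "shared_payload": shared[0] if shared else None,
        }
    return report


def alerts(report):
    """One alert line per source, noisiest (most targets) first."""
    lines = []
    for src, r in sorted(report.items(), key=lambda kv: -len(kv[1]["targets"])):
        tag = "AUTOMATED" if r["automated"] else "manual/unknown"
        line = (f"{src}: {r['kind']} across {len(r['targets'])} target(s) "
                f"[{', '.join(r['services'])}] {tag}")
        if r["shared_payload"]:
            line += f" payload={r['shared_payload']!r}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in alerts(triage(load_events(SAMPLE_LOG))):
        print(line)
```

On the sample log, 203.0.113.5 comes out as a scan (four targets, including a closed port), the three 198.51.100.x sources are flagged as automated because they sent an identical request, and 192.0.2.77 is a single manual telnet login attempt. The shared-payload signal is exactly why a decoy cannot prevent a worm but is very good at detecting one: the worm sends the same request to the honeypot as to everything else.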