21-07-2011, 12:04 PM
honeypots.pdf (Size: 200.21 KB / Downloads: 111)
With the emergence of the Internet, everyone is linked together by networks, and the security
and privacy of each local network and each user become an ever more important issue. Many
technologies provide this kind of protection, such as intrusion detection systems, firewalls and
other security measures. But all these tools often give us too much information, and we have to
dig the useful part out of a few gigabytes of data a day.
Honeypots help us in three ways: prevention, detection, and how we respond to an attack. There
are two general types of honeypots: low-interaction honeypots such as Honeyd, Specter and
KFSensor, and high-interaction honeypots such as the Honeynet. A honeypot basically sits on an
unused IP address, so any connection attempt to that address can be treated as unauthorized and
potentially malicious. This greatly reduces the amount of information logged, so the security
professional can easily detect an intrusion and respond to it faster and more effectively.
The most critical part of a dynamic honeypot is how it learns about our network: what systems
our organization is using and how those systems are being used. With this knowledge, the dynamic
honeypot can intelligently map and respond to our environment. One possible approach is to
actively probe the organization's network to determine which systems are live, what types of
systems they are and which services they run. But we would need to scan the environment constantly
to keep that picture up to date, which is why this is not a very elegant approach.
Another approach is passive fingerprinting. It is similar to active fingerprinting in that it has a
database of known signatures for specific systems, but the data is gathered passively: instead of
probing remote systems, the passive fingerprinter sniffs traffic from the network and analyzes the
packets it sees. Because it only listens rather than interacting with systems, it consumes no
network bandwidth, generates no extra traffic and cannot damage or take down a system or service on
the network. The method is also continuous: as the organization's network changes, those changes
are captured in real time, which is critical for maintaining realistic honeypots over the long
term. Passive mapping does have disadvantages. It may not work well across routed networks and is
most effective on the organization's local LAN, since the sensor can only see traffic that passes
its own segment. In some cases, more than one dynamic honeypot would have to be physically deployed,
depending on the organization's size, number of networks and configuration.
The dynamic honeypot can leverage this concept of passive fingerprinting to learn our network. It
could be deployed as an appliance or single box that is physically connected to the network. Once
connected, it spends some time watching and learning the organization's network. By passively
analyzing all of the traffic it sees, it determines how many systems are on the network, what
operating systems they run, which services they offer, and potentially even which systems are
communicating with whom and how often. All of this information is used to build a map of the
organization's network. Once the honeypot has learned the environment, it can begin deploying
honeypots. The strong point of dynamic honeypots is that the honeypots are crafted to mirror your
environment.
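To make the two passive-learning steps above concrete (matching sniffed packets against a signature database, then building an inventory of hosts, operating systems, services and who-talks-to-whom), here is an added example written for this page; it is not code from the attached paper or from any dynamic honeypot product. It parses raw IPv4/TCP headers the way a sniffer would hand them over, fingerprints each pure SYN on the classic TTL / window-size / DF-bit triple (the style of matching tools such as p0f use, with far richer signatures), and treats a SYN/ACK as proof that the sender offers a service on that port. The signature table and the packets are constructed for illustration and are not real vendor signatures; checksums are left at zero because the parser does not verify them.

```python
"""Passive TCP/IP fingerprinting and network mapping over a constructed capture.

Added example (not from the page). The SIGNATURES table is illustrative, not a
real database; the packets are built inline so the script runs offline.
"""
import struct
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10      # TCP flag bits
DF_FLAG = 0x4000           # IPv4 "don't fragment" bit in the flags/fragment field

# Illustrative signature table (assumption, not real vendor data):
# (initial TTL, TCP window in the SYN, DF set?) -> OS guess
SIGNATURES = [
    ((64, 5840, True), "Linux 2.6 (illustrative)"),
    ((128, 65535, True), "Windows XP (illustrative)"),
    ((255, 8760, False), "Solaris (illustrative)"),
]


def build_packet(src, dst, sport, dport, flags, ttl, window, df=True):
    """Construct a minimal 40-byte IPv4+TCP packet (sample data, checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, DF_FLAG if df else 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Decode the fields a passive fingerprinter needs; None for non-IPv4/TCP input."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4                     # IP options shift the TCP header
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[ihl:ihl + 20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "df": bool(frag & DF_FLAG), "sport": sport, "dport": dport,
            "flags": flags, "window": window}


def initial_ttl(observed):
    """Routers decrement TTL by one per hop; round up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return observed


def guess_os(pkt):
    """Match a pure SYN (the packet that carries the stack's defaults) against the table."""
    key = (initial_ttl(pkt["ttl"]), pkt["window"], pkt["df"])
    for sig, name in SIGNATURES:
        if sig == key:
            return name
    return "unknown"


def learn_network(raw_packets):
    """Build the inventory a dynamic honeypot would mirror: hosts, OS, services, peers.

    Only hosts that transmit are learned: a purely passive sensor never hears from a
    silent box, which is one reason coverage is limited to the segment it sits on.
    """
    hosts = defaultdict(lambda: {"os": None, "services": set(), "peers": Counter()})
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        entry = hosts[pkt["src"]]
        entry["peers"][pkt["dst"]] += 1             # who talks to whom, and how often
        if pkt["flags"] & SYN and not pkt["flags"] & ACK:
            entry["os"] = guess_os(pkt)             # client stack reveals itself in the SYN
        elif pkt["flags"] & SYN and pkt["flags"] & ACK:
            entry["services"].add(pkt["sport"])     # SYN/ACK from port N => N is listening
    return dict(hosts)


# Constructed sample capture: a Linux-like client one hop away, a Windows-like client,
# and a server answering on 80 and 445.
SAMPLE_CAPTURE = [
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, SYN, 63, 5840),
    build_packet("10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK, 64, 5840),
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, ACK, 63, 5840),
    build_packet("10.0.0.7", "10.0.0.80", 1025, 445, SYN, 127, 65535),
    build_packet("10.0.0.80", "10.0.0.7", 445, 1025, SYN | ACK, 64, 5840),
]

if __name__ == "__main__":
    for ip, info in sorted(learn_network(SAMPLE_CAPTURE).items()):
        print(ip, info["os"], sorted(info["services"]), dict(info["peers"]))
```

Note what the sensor does and does not learn from this capture: 10.0.0.80 is known to offer ports 80 and 445 but its OS stays unknown because it never sent a pure SYN, and the one-hop TTL of 63 still maps to the Linux-like signature only because of the round-up in initial_ttl. A real deployment would replace build_packet with frames from a sniffing socket or pcap and the table with a full signature database.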