Honeypots and Honeynets
Alex Dietz
Purpose
• To discover the methods used to breach a system
• To discover new rootkits
• To learn what changes are made to a compromised system and their effects
• To not be discovered by the attacker
• To discourage an attack
Production honeypot vs. Research honeypot
• Production honeypots are easy to deploy and use but capture only a limited amount of information
• Research honeypots capture far more detail but are complex and expensive to maintain
Honeypots vs. Honeynets
• A honeypot is usually a single system or virtual machine; most are low-interaction, emulating services rather than running real ones
• Honeynets are the second generation of honeypot technology: a network of real systems and services behind a control point, and therefore very high-interaction
Both must provide
• Data capture
• Data control
• Data analysis
Data capture and staying undetected
• Log information to a remote server, so an attacker who wipes the local logs cannot destroy the record
• Use software to detect changes to files
• Use a rootkit-style tool to hide all logging services
– It sends its logging traffic with its own network code instead of the host's TCP/IP stack, so a sniffer on the compromised system cannot see the traffic
Data control
• Try to prevent outgoing malicious traffic
– Use a honeywall
Traditionally a layer 2 bridging device that has no IP stack, meaning the device should be invisible to anyone interacting with the honeypots or honeynets.
img: http://honeynet.org/papers/honeynet/
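Data control on a honeywall is mostly a counting problem: the compromised honeypot is allowed a small number of new outbound connections per hour (enough to let the attacker fetch tools, not enough to scan or flood third parties), and anything beyond that is dropped and alerted on. The block below is an added example, not the slides' or the Honeynet Project's code; the honeywall itself enforced this in a bridging firewall, and the per-protocol limits, one-hour window and event list here are assumed and constructed values chosen to show the policy.

```python
# Added example (not from the original slides): the outbound connection-limit
# policy a honeywall applies for data control, modelled in Python so each
# decision can be traced. The Honeynet Project's honeywall enforced this in a
# bridging firewall; the per-protocol limits, one-hour window and the event
# list below are assumed/constructed values for the demonstration.
from collections import defaultdict, deque

# Assumed policy: maximum new outbound connections per honeypot per hour
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Sliding-window count of allowed outbound connections per (honeypot, protocol)."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self._allowed = defaultdict(deque)   # (src, proto) -> timestamps of allowed conns

    def decide(self, ts, src, proto):
        """Return "ALLOW" or "DROP" for a new outbound connection at time ts."""
        proto = proto if proto in self.limits else "other"
        q = self._allowed[(src, proto)]
        while q and ts - q[0] >= self.window:   # expire entries older than the window
            q.popleft()
        if len(q) < self.limits[proto]:
            q.append(ts)
            return "ALLOW"
        return "DROP"        # over budget: a honeywall drops here and raises an alert


def constructed_events():
    """Constructed outbound attempts as (ts_seconds, src_honeypot, dst, proto)."""
    events = [(0, "10.0.1.5", "192.0.2.53", "udp")]              # one DNS lookup
    # compromised honeypot begins scanning outward: 17 TCP connects in 17 s
    events += [(10 + i, "10.0.1.5", f"198.51.100.{i + 1}", "tcp") for i in range(17)]
    events.append((30, "10.0.1.6", "203.0.113.9", "tcp"))        # second honeypot, own budget
    events.append((10 + WINDOW_SECONDS, "10.0.1.5", "198.51.100.200", "tcp"))  # an hour on
    return events


def apply_policy(events):
    """Run the limiter over events; return (ts, src, dst, proto, decision) tuples."""
    limiter = OutboundLimiter()
    return [(ts, src, dst, proto, limiter.decide(ts, src, proto))
            for ts, src, dst, proto in events]


if __name__ == "__main__":
    for row in apply_policy(constructed_events()):
        print("%6d %-10s -> %-16s %-4s %s" % row)
```

Note what the limit does and does not do: it caps how many victims the honeypot can reach per hour, not how much data flows on a connection it has already allowed, so a single permitted session can still carry an attack. Real honeywalls therefore paired connection limiting with inline intrusion prevention on the allowed traffic.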
Data analysis
• Typically done by people viewing the logs
– In real time
– From stored logs
Img: Kent State University
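"People viewing logs" scales badly once a honeypot is reachable from the Internet, so the first analysis step is usually a script that turns the raw connection log into counts: which ports are being hit, which sources are responsible, and which sources are sweeping many ports (scanners) rather than hammering one service (brute force). The block below is an added example, not from the slides or any listed tool; the log lines are constructed for the demo and laid out like a honeyd connection log (timestamp, protocol, state flag, source, source port, destination, destination port, optional OS fingerprint), and the analysis itself is generic.

```python
# Added example (not from the original slides): a first-pass analysis of
# honeypot connection logs of the kind the "viewing logs" bullet describes.
# The log lines are constructed for the demo, laid out like a honeyd
# connection log (timestamp, protocol, state flag, source, sport, dest,
# dport, optional fingerprint); the analysis itself is generic.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2005-03-05-06:20:49.9176 tcp(6) S 203.0.113.10 38823 192.168.1.190 135 [Windows XP SP1]
2005-03-05-06:20:50.1021 tcp(6) S 203.0.113.10 38824 192.168.1.190 139 [Windows XP SP1]
2005-03-05-06:20:50.3312 tcp(6) S 203.0.113.10 38825 192.168.1.190 445 [Windows XP SP1]
2005-03-05-06:20:50.5580 tcp(6) S 203.0.113.10 38826 192.168.1.190 1433 [Windows XP SP1]
2005-03-05-06:21:02.0008 tcp(6) S 198.51.100.7 4172 192.168.1.190 22 [Linux 2.4]
2005-03-05-06:21:40.4471 tcp(6) S 198.51.100.7 4173 192.168.1.190 22 [Linux 2.4]
2005-03-05-06:22:11.7732 tcp(6) S 198.51.100.7 4180 192.168.1.190 22 [Linux 2.4]
2005-03-05-06:23:55.0190 udp(17) - 192.0.2.66 1029 192.168.1.190 1434
2005-03-05-06:24:01.6120 tcp(6) E 198.51.100.7 4173 192.168.1.190 22: 1821 3400
"""

# One record per line. "E" (end) lines describe a connection already counted
# at its "S" (start), so only S and "-" (stateless UDP/ICMP) lines are kept.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp|icmp)\(\d+\) (?P<flag>\S) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)"
)


def parse_log(text):
    """Return a list of dicts for new connections; malformed and end lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("flag") not in ("S", "-"):
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarize(records, scan_threshold=3):
    """Count hits per port and per source; flag sources touching many distinct ports."""
    by_port = Counter(r["dport"] for r in records)
    by_source = Counter(r["src"] for r in records)
    ports_per_source = defaultdict(set)
    for r in records:
        ports_per_source[r["src"]].add(r["dport"])
    scanners = sorted(s for s, ports in ports_per_source.items()
                      if len(ports) >= scan_threshold)
    return {
        "top_ports": by_port.most_common(),   # [(port, hits), ...] most hit first
        "by_source": dict(by_source),
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print("top ports:", report["top_ports"][:3])
    print("by source:", report["by_source"])
    print("likely scanners:", report["scanners"])
```

On the constructed sample the two behaviours separate cleanly: 203.0.113.10 touches four Windows ports in a second (a scan), while 198.51.100.7 returns to port 22 three times (repeated login attempts), which is the kind of distinction an analyst wants pre-computed before reading any line by hand.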
Legality and Liability
• The operator can be held accountable if the honeypot is compromised and used to launch additional attacks
– Varies state by state
• Can violate the Federal Wiretap Act
– Under most situations honeypot operators are exempt
– Ex. An attacker sets up an IRC server on the honeypot and third-party users connect without knowing the system has been compromised; recording their conversations is where the wiretap question arises
Honeypots and honeynets are flexible
• Using virtual machines, honeypots and honeynets can be set up in many different configurations
– A virtual machine is easier for an attacker to fingerprint and adds the hypervisor as a target, which lowers its security
img: google.com/support
• Client honeypots can also connect to web servers to determine whether they serve malicious content
– Most search engines do this as they crawl web pages
Summary
• Honeypots are a great detection mechanism
• Honeynets are an excellent research tool
• Can be configured to fit any need or cost
• Poorly controlled honeypots and honeynets can get you in trouble
Software
Open source
• HoneyD: www.honeyd.org
• LaBrea Tarpit: labrea.sf.net
• Sebek: project.honeynet.org/tools/sebek
Commercial
• Symantec Decoy Server: enterprisesecurity.symantec.com/products/products.cfm?ProductID=157
• Specter: www.specter.com