Honey Nets


8/3/2019 Honey Nets

Virtual Honeynet

Senior Project

By Daniel Engel

Abstract

The intent of this paper is to discuss my research for my senior project. I will cover what a honeynet is, its advantages and disadvantages, and other areas of research significant to a honeynet. Unfamiliar terms will be placed in footnotes along with other terms and ideas that need clarification. The first part of this research paper will cover the background and basic information on honeynets while the second part will go into detail about honeynets and the successes and problems I had. Although a honeypot is a single computer on a honeynet, the terms honeynet and honeypot are sometimes used interchangeably in articles. I have done my best to differentiate the two terms in this paper.

Part I

Introduction to Project

One of my main interests in the field of information technology has become network security, and for that reason I have chosen to focus my senior research on a related topic. I felt honeynets were a great topic to study because they implement network security in many different ways. In the first part of the paper honeynets will be covered to give a basic understanding of what constitutes a honeynet.

Offensive Approach to Network Security

Computer network security has always taken on a defensive approach versus an offensive approach when it comes to keeping out the bad guys. The basic idea has been to put up layers of barriers and filters on a network to keep out unwanted streams of data. The problem with a defensive approach is that the enemy always has the initiative. Imagine playing football and always being on the defense: not much ground is usually won compared to being on the offense. However, with a fairly new[1] technology concept called a honeynet, businesses may take an offensive approach to securing their networks and potentially locate and eliminate some network risks. Honeynets will be discussed in more detail later on. Traditional network security methods only provide barriers with the hope that nothing malicious[2] will get through that can cause damage. Honeynets, by contrast, are created to be an offensive approach and gather information on who the attacker is and what they are doing.

Traditional Network Security

The traditional network security methods that have been referred to are Intrusion Detection Systems (IDS), firewalls, routers, IPTables, and sometimes the network topology[3] can be a source of security. This is clearly not an exhaustive list of security methods. All these methods typically filter network traffic according to predetermined rules set for what type of network traffic can come through and what cannot. Let's use IDS as an example. IDS systems are known to log gigabytes of information about network activity that can be nearly impossible to sift through and analyze. They also monitor system activity and can actually produce an audible alert when something out of the ordinary is occurring on the network. Although this sounds like a great thing, it can actually be an irritant to network administrators and is usually not very effective. Sometimes these alarms are caused by what is called a false positive. A false positive is when an alarm indicates that an attack is in progress when there in fact is really no such attack (Whitman, 2005). These can be very frequent, so frequent in fact that there are actually books written about how to reduce IDS false alarms. The frequency of alarms can cause desensitization in those who have to respond to them, much like a car alarm going off and nobody paying attention to it because it is normal. False positives are native to many traditional security methods, not just IDS.

The intent is not to imply that these traditional methods are ineffective and useless. On the contrary, they are very much needed to provide good network security. A properly configured IDS or network topology can go a long way to aid a honeynet. Honeynets just go one step further by allowing the identity of intruders to be revealed. "Firewall and IDS and other traditional security technologies can detect, alert, and notify you of security breaches. But without the in-depth data received from honeynets, the who and why usually go unanswered without an in-depth forensics review" (Higgins, 2007).

[1] Honeynets have been around since about 1999-2000.
[2] Intent to do harm, referring to malicious software or malware.
[3] The arrangement or mapping of the elements (links, nodes, etc.) of a network. (Wikipedia)

What is a Honeynet?

A honeynet is a decoy network that has been created purposely to seem vulnerable to attacks in order to lure in attackers and gather specific information about them, like bees to honey. Consider Figure 1. The computers labeled Honeypot are the individual computers that make up the honeynet. While the actual network (computers labeled Production) is secure and protected, the honeynet is created to seem vulnerable and can sometimes appear to contain valuable data such as credit card information. These networks are created to make the attacker think they are working with valid network systems. While attackers are busy doing their malicious activity on the decoy network, the honeywall gateway is busy collecting data on their every move. How this works is discussed in Part II.

Figure 1

The following is a quote about the purpose of honeynets taken from an article written by a group that heads The Honeynet Project[4]. "The primary purpose of a honeynet is to gather information on threats. This information has different value to different organizations. For example, academic research institutions may use honeynets to gather data for research, such as worm activity. Security organizations may use honeynets to capture and analyze malware for anti-virus, IDS signatures or learn new ways to counter changing threats. Government organizations may use honeynets to learn more about who is targeting them or why." (Project, 2006) Recently, with the release of the Conficker virus, a honeynet was used to contain the worm and study what it did to be able to defend against it. These are just a few examples of the potential that honeynets have and what they can be used for.

[4] A team of 30 network security experts that analyze honeynet data and research how malicious hackers act.

Honeynet vs. Traditional Methods

Now that a honeynet has been explained, I would like to discuss what it can do for a network that traditional security methods are incapable of doing. First, I would like to reinforce the idea that the primary use of a honeynet is to gather information on an intruder. Because we want to gather useful information on an intruder, it is important they feel they are not being led into a trap. For this reason, honeynets can be deployed in such a way as to allow an intruder to interact with an actual computer. Being able to use an actual computer with a real operating system[5] (OS), and not just an emulated OS, will create a safe-feeling environment for the intruder, allowing him/her to act normally. Emulated software has the potential to tip off the intruder that they are being monitored and can greatly limit what they can do compared to a real OS.

Where is the value in making the intruder feel safe? The value is seen while they are attacking the operating system. Special software installed alongside the operating system can record their every move. For example, there are software programs called key loggers. These key loggers are capable of recording every stroke of the keyboard the intruder makes. This makes it possible to know what was being typed and the order in which items were typed, allowing analysts the opportunity to know a sequence of events.

Analyzing the results of data collected from intruders can give security analysts the opportunity to know how security systems are being breached and therefore create greater security defenses to prevent further attacks. This method gives up on the idea of sitting back and waiting for the next onslaught of attacks on the network, hoping the network is secure. It also provides invaluable information on who is attacking these systems and why. Once again, the honeynet creates the offensive approach due to the ability to advance current security techniques and gain an advantage over hackers. Also, hackers realizing they have discovered a company or organization that uses a honeynet will be less likely to attack again because they can't be sure which network systems are being monitored and which are not.

[5] Examples of an OS are Windows XP or Vista, Mac OS X, Solaris and Linux.

Honeynets Reduce False Positives

As mentioned earlier, false positives can create problems and decrease response time to possible network threats. A great challenge of most intrusion detection technologies is their frequency of producing false positives. The larger the probability that a security technology produces a false positive, the less likely the technology will be useful (Spitzner, 2004). Going back to the car alarm example, we can see what Spitzner meant by this. How often do we walk through a parking lot and hear a car alarm? Most likely it has happened to us all several times. We typically just ignore the alarm and go on without giving much thought to it. Security analysts typically run into this challenge, which ultimately creates slower reaction times to these alarms. However, by definition almost any activity with a honeynet is unauthorized, and therefore a honeynet will greatly reduce the amount of false positives. This is a great example of why honeynets take a greater offensive approach to networking than traditional methods. It shows that they have greater reliability and functionality.

Adaptability

I think the greatest thing about a honeynet is the adaptability of such a technology. No other technology is so mobile, adaptive and potentially free from cost. These advantages are good no matter if you are a large company carrying confidential information or just a small privately owned company. A honeynet can be adapted based on individual needs. They can be created to appear to broadcast a social security number entered into a database or appear to be a whole network of computers.

Another great advantage of this type of adaptability is the option of being able to create a honeynet with a single computer or laptop. The use of special software called VMware (Virtual Machine Software), or something similar, allows multiple operating systems to run on one computer, which allows the option of creating more traps to collect specific data. This type of honeynet is called a virtual honeynet and can appear to be a whole network of computers. Also, because a laptop is easily moved, it is possible to configure a customized honeynet and use it on company X's network; then, when your objective is complete with company X, the laptop can be plugged into company Y's network and begin to collect data. All it takes to switch is plugging the laptop into a new network. The ease of setup surpasses all other security options, and there is no other security feature in use today with such mobility and ease of use.

Cost

Not only does the ease of adaptability appeal to many, so does the cost. High cost does not have to be an issue when deciding to set up a honeynet. If a small company is interested in using a honeynet but doesn't have a budget for it, an older single Pentium processor[6] system would be able to handle a basic honeynet setup, meaning an older, less complex computer can be used. This is what gives honeynets the ability to be used by so many different types of industries and budgets. If you are a large company looking to create a honeynet of significant size, the cost could still be reasonable. This is because a whole network can be created on a single laptop to have multiple honeypots. Even a large honeynet can be created with a few laptops, and because there are many open-source[7] operating systems, there is no need to have to pay for multiple operating systems either.

[6] Early computer chips created from '93-'99 ranging from 60 to 300 MHz. Today's processors are in the 2-3 GHz range, about 10x faster.
[7] Code viewable to the public for editing and enhancement; free software.

Part II

Hopefully at this point there is a good understanding of what a honeynet is and what it is meant to do. The next several pages will go into more detail about the parts of a honeynet and the different software that helps the honeynet function to accomplish its one purpose: understanding the bad guys.

Types of Honeypots

There are three types of honeypots and/or honeynets, and each has its own strengths and weaknesses. There is the high interaction, the low interaction and the virtual honeypot. Each one will be explained in the following paragraphs.

Virtual Honeypot

A virtual honeynet uses virtualization software, such as VMware, to create a honeynet on a single computer. There are two types of virtual honeynets that I will briefly describe. One type is a self-contained honeynet and the other is called a hybrid honeynet. A self-contained honeynet is what I attempted to create. This type of honeynet is all software and virtual hardware contained on one system, such as a laptop. Self-contained honeynets are portable because they can be created on a single laptop and can be plugged into any network and be up and running in a small amount of time. Also, they can be very cheap, or completely free in my case, to set up and deploy. Another great advantage is the ability that VMware has to immediately suspend a guest operating system. If, for example, an attacker is managing to find their way out of the honeypot, we want to stop him without losing our collected data. Rather than losing that valuable data by shutting down the operating system quickly, the system can be suspended, which allows it to later pick up from the last process it was executing when it was suspended. This will cut the attacker off and allow the collected data to remain safe.

Some disadvantages of my self-contained honeynet are potentially big enough to persuade many not to attempt this type of honeynet. The biggest disadvantage is the system resources available on a single laptop. To be able to run multiple operating systems, services, firewalls, virtualization software and other software requires a powerful system. During my experience, I was never able to run all five operating systems and my firewall at the same time without my computer slowing to a crawl. Many times I would only run about 3-4 at a time. I would be okay running multiple UNIX systems, but I could only run a single Windows system at a time. Another disadvantage is the potential for a single point of failure; in other words, since the entire honeynet uses the same hardware and software, one failure anywhere in hardware or software could bring the entire honeynet down.

Hybrid honeynets are the same as self-contained ones with one big difference: the firewall is a separate system outside all the virtualization software. This can help them be more secure since the firewall would not be affected by problems on the honeynet.

Low-Interaction Honeypot

Low interaction honeypots do just as they sound. They provide a low interaction environment that hackers can interact with. These low interaction honeypots emulate real time services and operating systems. Typically low interaction honeypots are just software installed on a computer that can be easily configured through a GUI. One such example is Honeyd. Honeyd allows the user to select what operating systems and services to emulate by simply clicking a button, and the software does the rest. One advantage of Honeyd is that it has the capability of emulating hundreds of services and operating systems. It also allows easy configuration of IP addresses to monitor and will even emulate the IP stack level. The major drawback of low interaction honeypots, or Honeyd, is that the program just runs a script that expects specific input and gives a set output. Because the program expects something specific, if it receives a command it has not been programmed to recognize, it will send back an error message, which is a red flag to the hacker indicating something is not right and may potentially reveal they are in a honeypot environment.

High-Interaction Honeypot

This is the type of honeypot that I attempted to implement for my senior project. It was much more difficult than any research led me to believe. High interaction honeypots are very different from low interaction honeypots because they provide entirely real operating system environments that hackers can interact with. There is no software or hardware emulation. They only provide real software and services for hackers to use at their will. This is important because it provides a greater ability to study a hacker in a real environment, without limitations on commands and software, and they are free to act as they normally would. Because hackers are free to hack the system as they please, research honeynets can capture much better data to monitor intruder root kits, keystrokes, commands, passwords and communications between other systems.

The great thing about a high-interaction honeypot is that, because real services and software are used, new, unexpected and unknown attacks can be captured. This type of freedom to hackers also introduces a great risk to honeypots and the networks that contain them. If proper security is not put into place, the attacker may be able to break out of the honeypot and into the actual network.

There is a commercial version of a honeypot called Symantec Decoy Server. Although I could not find it on Symantec's web site, the limited notes I found claimed that it does not emulate any OS or services and that it only works with Solaris. It apparently uses real time software and services, but instead of having separate machines with this software, it creates four partitions called cages. These cages are actually honeypots that allow hackers to interact with them just as they would any other operating system.

Although there is not much information to be found on this commercial honeypot product, I wanted to bring attention to it. It seems this product was on the market in 2003, and then disappeared soon after that. This may indicate that at one point the idea of honeynets and honeypots as a network security feature for corporations may have begun to take off, and then quickly died out. In my personal opinion, I believe this has to do with the significant amount of overhead that can come from having a highly monitored high interaction honeynet. Plus there is the risk of hackers being able to break into the real network.

Honeywalls and Bridging

Honeywalls are used as data control elements and are the heart of the honeynet. All good honeynets will include a honeywall because they provide multiple benefits that will be discussed. A honeywall acts as a bridge, which is a network gateway with three interfaces. They are as follows:

1.) eth0 connects to the internet
2.) eth1 connects to the honeynet
3.) eth2 allows for management, monitoring and secure access to the honeynet

Forwarding of ethernet frames to these interfaces is an OSI layer 2 function called bridging. Bridge boxes are network devices with at least two interfaces used to connect two separate networks, such as LAN 1 and LAN 2; thus the term bridge is used. The bridge forwards packets from LAN 1 to LAN 2. Because bridges work off of MAC addresses, the spanning tree protocol (STP) must be used on more complex network topologies. On honeynets this protocol must be avoided at all costs because it can reveal honeynets. The following is how bridging works, why it can conceal a honeywall, and what makes it an excellent idea for implementation in a honeynet.

Steps to Bridging:

1.) Processing starts at layer 1 in the OSI model. The NIC receives a bit stream; when it is recognized as a packet, it is moved to layer 2 for processing.
2.) Layer 2. The bridge searches for the proper MAC address in the bridge's memory. If found, the packet is moved to the appropriate interface for transmission. If the MAC address is not found, then a broadcast is sent out to all interfaces except the one that originally sent the packet.
3.) Layer 1. Sees the packet, recognizes the stream of bits and converts them to electrical signals.

Bridging is transparent to IP processing (an OSI layer 3 function). This is why honeywalls are undetectable: the IP header in the packet is not processed and passes through the honeywall undetected. Every time a packet goes through an IP processing device, the Time To Live (TTL)[8] field of the IP header is reduced by one, which makes it possible to know the number of devices between the source and destination. The absence of an IP stack and of IP addresses on the interfaces involved makes an attack on the honeywall very difficult.
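A toy model of the bridging steps above, added here as an illustration and not code from the paper: a learning bridge that forwards by MAC address (learning the ingress port of each source and flooding to every other port when the destination is unknown), beside a comparison of the TTL seen after bridge hops versus router hops. The interface names eth0/eth1 follow the text; the MAC addresses and the choice to keep the management interface eth2 off the bridge are assumptions.

```python
"""Toy model of honeywall bridging: a learning bridge forwards by MAC address
and never touches the IP header, so its TTL stays unchanged (added
illustration, not code from the paper)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ttl: int  # TTL of the IP header carried inside the frame


@dataclass
class Bridge:
    """Learning bridge (OSI layer 2): one entry per learned MAC -> port."""
    ports: List[str]
    mac_table: Dict[str, str] = field(default_factory=dict)

    def forward(self, ingress: str, frame: Frame) -> List[str]:
        """Return the ports the frame is transmitted on (step 2 in the text)."""
        # Learn which port the sender lives on from the source MAC.
        self.mac_table[frame.src_mac] = ingress
        known = self.mac_table.get(frame.dst_mac)
        if known is None:
            # Unknown destination: flood to every port except the ingress one.
            return [p for p in self.ports if p != ingress]
        if known == ingress:
            return []  # destination shares the sender's segment: nothing to do
        return [known]


def bridge_hop(frame: Frame) -> Frame:
    """A bridge hop is transparent to layer 3: the IP TTL is left alone."""
    return frame


def router_hop(frame: Frame) -> Optional[Frame]:
    """A router (IP processing device) decrements TTL and drops at zero."""
    if frame.ttl <= 1:
        return None
    return Frame(frame.src_mac, frame.dst_mac, frame.ttl - 1)


def trace(frame: Frame, path: List[str]) -> Optional[int]:
    """Carry a frame over a path of 'bridge' / 'router' hops; return the TTL
    observed at the far end, or None if a router discarded the packet."""
    current: Optional[Frame] = frame
    for hop in path:
        current = bridge_hop(current) if hop == "bridge" else router_hop(current)
        if current is None:
            return None
    return current.ttl


def demo():
    # Honeywall bridge: eth0 faces the internet, eth1 the honeynet. The
    # management interface eth2 has its own IP address and is assumed here
    # to be kept off the bridge.
    hw = Bridge(ports=["eth0", "eth1"])
    attacker = "00:aa:aa:aa:aa:01"  # constructed sample MAC, internet side
    honeypot = "00:bb:bb:bb:bb:01"  # constructed sample MAC, inside honeynet
    first = hw.forward("eth0", Frame(attacker, honeypot, ttl=52))   # flood
    reply = hw.forward("eth1", Frame(honeypot, attacker, ttl=64))   # learned
    second = hw.forward("eth0", Frame(attacker, honeypot, ttl=52))  # direct
    # Same packet, two paths: through the honeywall (bridge) the TTL is
    # unchanged, so the hop count between source and destination does not
    # include the honeywall.
    via_bridge = trace(Frame(attacker, honeypot, 52), ["router", "bridge"])
    via_router = trace(Frame(attacker, honeypot, 52), ["router", "router"])
    return first, reply, second, via_bridge, via_router


if __name__ == "__main__":
    print(demo())
```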

Data Control and Capture

The two most important requirements with honeynets are data control and data capture. Most data capture and data control are configured on the honeywall or firewall. This makes configuring both data control and data capture easier. First and foremost, data control is simply how activity is contained within a honeynet so that an attacker doesn't know. Data capture is watching or logging all the attacker's information without bringing attention to it. Data control is the more important of the two because improper data control could allow a hacker to escape the honeynet and reach the host operating system. This also incorporates the idea that we need to give the hacker as much apparent freedom as possible without putting other systems at risk. Proper data control is done through filtering traffic with the firewall and closing down unnecessary services and ports, among other methods. Data capture is where the fun happens. This is how it is possible to understand the tools, tactics and motives of hackers. One major tool used for data capture on my network is the keystroke logging software called Sebek. Sebek can log information about commands entered through SSH, making it known what commands and passwords are being entered and the order in which the commands were entered.

[8] TTL specifies how long the datagram is allowed to live on the network, in terms of router hops. Each router decrements the value of the TTL field (reduces it by one) prior to transmitting it. If the TTL field drops to zero, the datagram is assumed to have taken too long a route and is discarded.

Honeywall Management

An additional interface on the honeywall for management purposes creates separation between malicious honeynet activity and management activity. An IP address is given to this interface to allow remote access, monitoring, configuring and intervention if necessary. This also provides a huge benefit because immediate retrieval of any logged data is available, even if the hacker is still on the system. This immediate retrieval of logged data is how attackers can be watched.

Honeywall Data Control

Data control, as mentioned earlier, is how activity is contained within a honeynet so that an attacker doesn't know their activities are being contained within the honeynet and, most importantly, to prevent the attacker from being able to leave the honeypot and access the host operating system. To be able to achieve these goals there are three data control methods that can be used while implementing a honeynet.

1.) Connection Rate Limiting Mode

This method uses the firewall located on the network to limit the number of outgoing connections from each honeypot. Because any honeynet activity is suspicious, large amounts of outgoing traffic can be a red flag that a system has been compromised, so limiting the outbound traffic can create security even within a honeypot. This is normally done by just limiting the number of outbound connections per hour. Also, limiting outbound connections on a honeypot will reduce the possibility of a compromised honeypot being used for DoS[9] attacks. Another effective method would be to limit outbound connections according to protocols such as TCP, UDP, ICMP and many others.

2.) Packet Drop Mode

Three items must be prefaced with a short definition to understand this section better.

1. Snort-Inline is a modified version of Snort, which is a type of IDS; it has a built-in database of known attacks.
2. An Intrusion Prevention System (IPS) is a network security device that monitors network and system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. (Wikipedia)
3. IPTables is a powerful Linux firewall tool that enables users to create a set of rules for packet selection and rejection.

The Packet Drop Mode method is based on Snort-Inline's[10] capability to detect and deal with malicious packets that are leaving the honeynet and headed toward a victim. Snort-Inline will accept and reject malicious packets based on a previously set group of rules configured through IPTables. Malicious packets that match a pattern of known attacks are dropped at the IPS (Intrusion Prevention System). Packet Drop Mode is only as effective as the quantity and quality of the rules.

3.) Packet Replace Mode

This method also uses Snort-Inline, but instead of dropping packets, it modifies them so that they are not harmful and forwards them on to their original destination. This type of data control is stealthier, and hackers will only know that, for some unknown reason, the attack failed. This may encourage the hacker to use alternative methods to attack, which could lead to an increased amount of knowledge gained and more effective research.

[9] Denial of Service involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. (Wikipedia)
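The connection rate limiting mode described under 1.) above, modelled as an added example (not the paper's or the Honeywall's code): a sliding one-hour window of accepted outbound connections per honeypot and per protocol class, so that a honeypot is cut off once it exceeds its hourly budget. The per-protocol limits, honeypot addresses and connection records are constructed values.

```python
"""Connection rate limiting for honeynet data control: a sliding one-hour
window of accepted outbound connections per honeypot and protocol (added
example, not the paper's or the Honeywall's code)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

WINDOW = 3600  # seconds: the text limits outbound connections per hour

# Assumed per-protocol budgets; anything not listed falls under "OTHER".
LIMITS: Dict[str, int] = {"TCP": 20, "UDP": 20, "ICMP": 50, "OTHER": 10}


@dataclass(frozen=True)
class Conn:
    ts: int        # seconds since epoch when the connection was attempted
    honeypot: str  # honeypot that initiated it
    proto: str     # TCP / UDP / ICMP / anything else
    dst: str


class OutboundLimiter:
    """Decides ACCEPT or DROP for each new outbound connection."""

    def __init__(self, limits: Dict[str, int] = LIMITS, window: int = WINDOW):
        self.limits = limits
        self.window = window
        # accepted-connection timestamps per (honeypot, protocol class)
        self._seen: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def decide(self, c: Conn) -> str:
        cls = c.proto if c.proto in self.limits else "OTHER"
        q = self._seen[(c.honeypot, cls)]
        # Expire accepted connections older than the window.
        while q and c.ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limits[cls]:
            return "DROP"  # hourly budget spent: keep the honeypot contained
        q.append(c.ts)     # only accepted connections consume budget
        return "ACCEPT"


def apply_policy(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Run the limiter over connections in time order."""
    limiter = OutboundLimiter()
    return [(c, limiter.decide(c)) for c in sorted(conns, key=lambda x: x.ts)]


def count_decisions(decisions: List[Tuple[Conn, str]]) -> Dict[str, int]:
    return dict(Counter(verdict for _, verdict in decisions))


def sample_connections() -> List[Conn]:
    """Constructed traffic: one honeypot opening 25 TCP connections in 25
    minutes (the kind of outbound burst the text calls a red flag), one DNS
    lookup, and one more TCP connection an hour after the burst began."""
    base = 1_000_000
    conns = [Conn(base + i * 60, "10.0.0.5", "TCP", f"203.0.113.{i % 10 + 1}")
             for i in range(25)]
    conns.append(Conn(base + 30, "10.0.0.5", "UDP", "10.0.0.1"))
    conns.append(Conn(base + WINDOW, "10.0.0.5", "TCP", "203.0.113.50"))
    return conns


if __name__ == "__main__":
    decisions = apply_policy(sample_connections())
    for conn, verdict in decisions:
        print(f"{conn.ts} {conn.honeypot} {conn.proto:4} -> {conn.dst:15} {verdict}")
    print(count_decisions(decisions))
```

With the sample traffic the first 20 TCP connections are accepted, the next 5 are dropped, and the connection an hour later is accepted again once the oldest one has aged out of the window.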

Honeywall Data Capture

Data capture is the heart of honeynets and can provide invaluable information for research and deliver the who, what, when, where, how and why of the attacker. Again, we come across three important parts of data capture. Instead of being three distinct methods, we will have three layers, all working harmoniously together to combine many pieces of information to give one overall picture of what the attacker is doing. These three layers are firewall logging (IPTables), IDS logging (Snort), and honeypot system logging (Sebek). As with data control, most data capture is implemented on the honeywall.

1.) Firewall Logging

There is the potential to use honeywalls as firewalls. Because a honeywall is your central point for collecting data and controlling it, it would only make sense. It can log all connections to and from the honeynet, with the ability to alert on every connection made to the honeywall. As stated before, every connection with a honeynet is considered malicious, so false positives are greatly reduced. The great thing about logging all the connections is the ability to go back and review what connections were made to see if any trojans or backdoors were created.

[10] A customized version of Snort. Inline refers to an embedded mechanism that intervenes on a packet's transit path through the network gateway. The logic is to detect any badness in the packet, then use IPTables to stop it. (Corvovensis, 2006)

2.) IDS

IDS systems can be very useful for honeynets when implemented on a honeywall or honeypot, and can also have some negative side effects, as mentioned earlier in Part I. The logic behind IDS is pretty simple to understand. The idea is to check all packets entering or exiting a monitored network against a database of known attacks. When a known or suspected attack is found, it alerts the administrator. Network traffic sniffing is required for proper IDS function to analyze and capture packets. The disadvantage of this is the amount of false positives[11] and false negatives[12] that are generated. This can make a proper diagnosis of the situation difficult. Although IDS tactics can be useful, they are not necessary since any traffic to and from a honeypot is considered malicious. The most popular IDS used in honeynets is Snort.

3.) Honeypot System Logging

This is where the keystroke logging software, Sebek, comes into play, because it is valuable data capture software installed on a honeypot and a server. Capturing data allows for reconstruction of an attack for further analysis and research. As mentioned before, capturing keystrokes and other types of logs is what a honeypot is all about. Keystroke logging like Sebek is effective because it captures the information at the kernel level, where it is no longer encrypted. As the old saying goes, what goes up must come down, so information that is encrypted must at some point be decrypted to be of any use (Corvovensis, 2006).

[11] A false positive is when an alarm indicates that an attack is in progress when there in fact is really no such attack (Whitman, 2005).
[12] A false negative is the opposite of a false positive. False negatives are any alert that should have happened but didn't.

  • 8/3/2019 Honey Nets

    19/22

    19

    Sebek is a keystroke logger created specifically for honeynets by the Honeynet Research Alliance. It is available for Solaris and Linux, and for Windows with more limited capabilities. Sebek is made up of two parts, the client and the server. The client is installed on each honeypot whose activity is to be recorded, and the server is installed on the honeywall. The client captures keystroke data in the kernel and covertly sends it to the Sebek server; because the client runs in the kernel, it can also hide its own packets from the honeypot's own sniffers, so an intruder looking at the honeypot's traffic does not see the records leaving. Once the data reaches the honeywall it is out of the intruder's reach and ready to be analyzed. It can be read on the Sebek server by sniffing the honeywall's interface, for example with TCPDump13. For an example see the image below. The intruder at the red computer uses an SSH connection to access Honeypot A. The Sebek client begins sending everything the intruder does, unnoticed, to the Sebek server on the Honeywall Gateway.

    Because the captured data is so valuable, it must be kept somewhere the attacker cannot reach. Logs left on a vulnerable honeypot can be erased by the attacker who now controls it, which is why they should be written straight to a separate disc or sent to the honeywall for safe storage.

    13 A common packet sniffer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
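    The two paragraphs above describe the client/server split and the reason the records are reassembled on the honeywall rather than on the honeypot. The following added example (not code from this paper or from the Honeynet Project's Sebek) shows the honeywall side of that job: parsing records as they arrive and reconstructing what the intruder typed. The record layout is a simplified stand-in for the fields Sebek reports for each intercepted read (counter, pid, uid, fd, command name, data); it is not Sebek's actual wire format, MAGIC is an arbitrary value, and the captured datagrams are constructed for the demonstration.

```python
"""Reconstructing an intruder's session from Sebek-style records on the honeywall.

Added example, not code from the paper or from the Honeynet Project's Sebek.
The record layout is a simplified stand-in for the fields the Sebek client
reports for each intercepted read (counter, pid, uid, fd, command name,
data); it is not Sebek's actual wire format, and MAGIC is an arbitrary value.
The "captured" datagrams are constructed and arrive as UDP records would:
out of order, with a retransmitted duplicate and some unrelated noise.
"""
import struct
from collections import defaultdict

# Hypothetical fixed-size header: magic, counter, pid, uid, fd, 12-byte command name, data length.
HDR = struct.Struct("!IIIII12sI")
MAGIC = 0x5EBEC001


def pack_record(counter, pid, uid, fd, com, data):
    """Honeypot side: one record as the (hypothetical) client would emit it."""
    return HDR.pack(MAGIC, counter, pid, uid, fd, com.encode().ljust(12, b"\0"), len(data)) + data


def parse_records(datagrams):
    """Honeywall side: parse raw datagrams, dropping anything that is not a well-formed record."""
    recs = []
    for blob in datagrams:
        if len(blob) < HDR.size:
            continue
        magic, counter, pid, uid, fd, com, length = HDR.unpack_from(blob)
        if magic != MAGIC or len(blob) < HDR.size + length:
            continue
        data = blob[HDR.size:HDR.size + length]
        recs.append((counter, pid, uid, fd, com.rstrip(b"\0").decode(), data))
    return recs


def reconstruct(records):
    """Group records by process and descriptor, order them by counter, drop
    retransmitted duplicates and join the bytes back into what was typed.
    Returns {(pid, uid, fd, command): text}."""
    sessions = defaultdict(dict)
    for counter, pid, uid, fd, com, data in records:
        sessions[(pid, uid, fd, com)].setdefault(counter, data)   # first copy of a counter wins
    return {key: b"".join(d for _, d in sorted(chunks.items())).decode(errors="replace")
            for key, chunks in sessions.items()}


def captured_datagrams():
    """Constructed capture.  The intruder's SSH session is encrypted on the wire,
    but bash (pid 4242) reads the keystrokes one byte at a time from fd 0, su
    (pid 4300) reads the password with echo turned off, and the root shell that
    follows (pid 5150) reads the next command; all of it is plaintext by the
    time the kernel hands it over, which is where the logger sits."""
    keys = b"id\nsu -\n"
    recs = [pack_record(i, 4242, 1000, 0, "bash", bytes([b])) for i, b in enumerate(keys)]
    recs.append(pack_record(0, 4300, 1000, 0, "su", b"hunter2\n"))
    recs.append(pack_record(0, 5150, 0, 0, "bash", b"cat /etc/shadow\n"))
    recs.append(recs[3])            # a retransmitted duplicate
    recs.append(b"not a record")    # unrelated noise received on the same port
    recs.reverse()                  # arrival order is not emission order
    return recs


if __name__ == "__main__":
    for (pid, uid, fd, com), text in sorted(reconstruct(parse_records(captured_datagrams())).items()):
        print(f"pid={pid} uid={uid} fd={fd} {com}: {text!r}")
```

    Two details carry the security point. The password typed to su never appears on the network in the clear, yet it is recorded, because the logger sits below the decryption. And the reconstruction runs on the honeywall from records that have already left the honeypot, so an intruder who wipes the honeypot's disks afterwards loses nothing that matters to the analyst.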


    Conclusion

    Honeynets have great potential for gathering information about attacks, hackers and overall network security. However, after much searching and research, I have come to a personal conclusion that a large corporation would most likely not implement and use a honeynet as a security feature. I could not find any company that has ever used a honeynet. That is probably due to the fact that companies don't normally advertise their network security plans to the world. Leaving that aside, there are many risks, such as the risk of a hacker breaking out of a honeynet and into the unprotected network. Also, there can be a lot of overhead and cost involved with honeynets if multiple systems and operating systems are involved. Non-virtual honeynets require lots of hardware, software and high-cost expertise to manage and control daily. It seems more logical and cost effective for companies to stick with their typical IDS, firewalls, traffic filtering and layers of security. Honeynets are great teaching tools for security and research, but I feel that is where their effectiveness ends, at least until the technology advances and better implementation practices are discovered.


    Bibliography

    Clark, M. (2007, November 7). Virtual Honeynets. Retrieved June 5, 2009, from SecurityFocus: http://www.securityfocus.com/

    Corvovensis, Y. (2006). Snort-Inline and IPTables. In T. H. Team, Know Your Enemy (p. 106). Addison Wesley.

    Higgins, K. (2007, April 23). Sweetening the Honeypot. Retrieved June 3, 2009, from Dark Reading: http://www.darkreading.com/

    Honeypot. (2009, June 9). Retrieved June 9, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Honeypot_(computing)

    Intrusion Detection. (2007, May 26). Retrieved June 18, 2009, from Intrusion Detection, Honeypots, and Incident Handling Resources: http://www.honeypots.net/

    Project, T. H. (2006, May 31). Honeynets. Retrieved June 1, 2009, from The Honeynet Project: http://old.honeynet.org/papers/honeynet/

    Shinder, D. (2006, May 25). Virtual Honeynet: A Scalable Element of Your IDS Strategy. Retrieved June 5, 2009, from TechRepublic: http://articles.techrepublic.com.com

    Spitzner, L. (2004). Honeypots. In T. H. Project, Know Your Enemy: Learning About Security Threats (pp. 19-20). New York: Addison Wesley.

    Whitman, M. (2005). Principles of Information Security. Canada: Thomson Course Technology.

    Wikipedia. (2009, July 13). Denial of Service. Retrieved July 17, 2009, from Wikipedia.com: http://en.wikipedia.org/wiki/Denial_of_service


    Notes