An Introduction to The Honeypots Shashwat Shriparv [email protected] InfinitySoft

Honeypot

Page 1: Honeypot

An Introduction to The Honeypots

Shashwat [email protected]

Page 2: Honeypot

Content

• Definition
• Three Architectures
• Applications
• Advantages and disadvantages
• Future Work

Page 3: Honeypot

Definition

Honeypot

A honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems.

Page 4: Honeypot

How it works

Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity.
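A detection rule built directly on this principle, as an added Python example that is not part of the slides: every connection that reaches the honeypot address range is an alert, and a source that touches several honeypot addresses is flagged as an automated sweep. The honeypot range and the connection log are constructed.

```python
"""Detection on the honeypot principle: the honeypot has no legitimate users,
so every connection that reaches it is an alert. Added example, not from the
slides; the honeypot range and the connection log below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

HONEYPOT_NETS = [ip_network("10.0.9.0/24")]  # constructed: nothing real lives here

# Constructed connection log: <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.0.2.10 10.0.1.5 tcp 443
2024-05-01T10:00:02 198.51.100.7 10.0.9.10 tcp 22
2024-05-01T10:00:02 198.51.100.7 10.0.9.11 tcp 22
2024-05-01T10:00:03 198.51.100.7 10.0.9.12 tcp 22
2024-05-01T10:00:09 192.0.2.10 10.0.1.5 tcp 443
2024-05-01T10:00:15 203.0.113.4 10.0.9.10 tcp 80
"""

def is_honeypot(addr):
    ip = ip_address(addr)
    return any(ip in net for net in HONEYPOT_NETS)

def honeypot_touches(log_text):
    """Map each source IP to the set of (honeypot_ip, port) it contacted.
    Traffic to production hosts (10.0.1.5 here) is ignored by this rule."""
    touches = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _proto, port = line.split()
        if is_honeypot(dst):
            touches[src].add((dst, int(port)))
    return dict(touches)

def classify(touches, scan_threshold=3):
    """A source that touches scan_threshold or more distinct honeypot
    addresses looks like an automated sweep; anything else is a single probe."""
    verdicts = {}
    for src, hits in touches.items():
        hosts = {dst for dst, _ in hits}
        verdicts[src] = "scanner" if len(hosts) >= scan_threshold else "probe"
    return verdicts

if __name__ == "__main__":
    touches = honeypot_touches(SAMPLE_LOG)
    for src, verdict in classify(touches).items():
        print(f"ALERT {src}: {verdict}, touched {sorted(touches[src])}")
```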

Page 5: Honeypot

Type of Honeypot

• By purpose: Production / Research

• By characteristics: Low / High Interactivity

Page 6: Honeypot

Low-Interaction vs. High-Interaction

                 Low-Interaction      High-Interaction
Installation     Easy                 More difficult
Maintenance      Easy                 Time consuming
Risk             Low                  High
Need control     No                   Yes
Data gathering   Limited              Extensive
Interaction      Emulated services    Full control

Page 7: Honeypot

Value of Honeypots

• Prevention
• Detection
• Response
• Research purpose

Page 8: Honeypot

Prevention

Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system.

Page 9: Honeypot

Detection

Detection is critical: its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, we can quickly react, stopping or mitigating the damage they do.

Page 10: Honeypot

Response

Response can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity is critical.

Page 11: Honeypot

Three Architectures

• Honeyd
• Gen I Honeynet
• Gen II Honeynet

Page 12: Honeypot

Honeyd Overview

Honeyd is a low-interaction virtual honeypot.

• Simulates arbitrary TCP/UDP services (IIS, Telnet, POP3, …)
• Supports multiple IP addresses: test up to 65536 addresses simultaneously
• Supports ICMP: virtual machines answer to ping and traceroute
• Supports subsystems

Page 13: Honeypot

Honeyd Architecture

Page 14: Honeypot

Honeyd Architecture

• Configuration database: stores the personalities of the configured network stacks.
• Central packet dispatcher: dispatches incoming packets to the correct protocol handler.
• Protocol handlers
• Personality engine
• Optional routing component
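The architecture above as an added Python model, not Honeyd's own code: a parser for the configuration database (CONFIG is a constructed sample in Honeyd's create / set / add / bind syntax) and a central dispatcher that routes a packet to the protocol handler of the template bound to its destination address. The action strings it returns are simplified stand-ins for what Honeyd's handlers and service scripts actually send.

```python
"""Model of Honeyd's configuration database and central packet dispatcher.
Added example, not Honeyd's own code; CONFIG below is a constructed sample in
Honeyd's configuration syntax (create / set / add / bind)."""
import shlex
from dataclasses import dataclass, field

CONFIG = """
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "scripts/iis.sh"
add windows tcp port 23 open
bind 10.0.9.10 windows
"""

@dataclass
class Template:
    personality: str = ""
    defaults: dict = field(default_factory=dict)  # proto -> default action
    ports: dict = field(default_factory=dict)     # (proto, port) -> action

def load_config(text):
    """Configuration database: named templates plus IP -> template bindings."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok: continue
        if tok[0] == "create":                        # create <name>
            templates[tok[1]] = Template()
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]].personality = tok[3]    # set <name> personality "<os>"
        elif tok[0] == "set" and tok[2] == "default":
            templates[tok[1]].defaults[tok[3]] = tok[5]   # set <name> default <proto> action <act>
        elif tok[0] == "add":                         # add <name> <proto> port <n> <act>
            templates[tok[1]].ports[(tok[2], int(tok[4]))] = tok[5]
        elif tok[0] == "bind":                        # bind <ip> <name>
            bindings[tok[1]] = templates[tok[2]]
    return templates, bindings

def dispatch(bindings, dst_ip, proto, port=None):
    """Central dispatcher: route the packet to the bound template's protocol handler."""
    tmpl = bindings.get(dst_ip)
    if tmpl is None:
        return "drop"             # no virtual host at this address: stay silent
    if proto == "icmp":
        return "echo-reply"       # virtual hosts answer ping and traceroute
    action = tmpl.ports.get((proto, port), tmpl.defaults.get(proto, "block"))
    if action in ("open", "block", "reset"):
        return action             # open: SYN/ACK, reset: RST, block: drop packet
    return f"script:{action}"     # hand the connection to the emulated service
```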

Page 15: Honeypot

GEN I Honeynet

• Simple methodology, limited capability
• Highly effective at detecting automated attacks
• Uses a reverse firewall for data control
• Can be fingerprinted by a skilled hacker
• Runs at OSI Layer 3

Page 16: Honeypot

Gen I Honeynet

Page 17: Honeypot

GEN II Honeynet

• More complex to deploy and maintain
• Examines outbound data and makes a determination to block, pass, or modify it
• Runs at OSI Layer 2
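The outbound data-control decision described above, as an added Python example that is not the Honeynet Project's code: each outbound flow leaving a honeypot is passed, blocked once the honeypot exceeds a per-window connection limit, or modified in place when it matches a signature. The limits, the signature table and the event list are constructed.

```python
"""Gen II honeynet data control: examine each outbound flow leaving a honeypot
and decide to pass, block, or modify it. Added example, not the Honeynet
Project's own code; the limits, signature table and events are constructed."""
from collections import defaultdict

WINDOW_SECONDS = 3600
OUTBOUND_LIMIT = {"tcp": 3, "udp": 5, "icmp": 10}  # outbound connections per honeypot per window
# Constructed signature -> replacement. Inline rewriting at layer 2 must keep
# the length unchanged so TCP sequence numbers stay consistent.
REWRITE = {b"ATTACK-PAYLOAD": b"X" * 14}
assert all(len(k) == len(v) for k, v in REWRITE.items())

class DataControl:
    def __init__(self):
        self.history = defaultdict(list)  # (honeypot_ip, proto) -> timestamps of allowed connections

    def decide(self, ts, honeypot_ip, proto, payload=b""):
        """Return (verdict, payload_to_forward) for one outbound connection."""
        key = (honeypot_ip, proto)
        recent = [t for t in self.history[key] if ts - t < WINDOW_SECONDS]
        self.history[key] = recent
        if len(recent) >= OUTBOUND_LIMIT.get(proto, 0):
            return "block", payload   # limit reached: the honeypot cannot be used as a launch point
        recent.append(ts)
        for pattern, replacement in REWRITE.items():
            if pattern in payload:
                return "modify", payload.replace(pattern, replacement)
        return "pass", payload

# Constructed outbound events: (seconds, honeypot_ip, proto, payload)
EVENTS = [
    (0, "10.0.9.10", "tcp", b"GET / HTTP/1.0"),
    (10, "10.0.9.10", "tcp", b"ATTACK-PAYLOAD stage2"),
    (20, "10.0.9.10", "tcp", b"hello"),
    (30, "10.0.9.10", "tcp", b"fourth connection this hour"),
    (40, "10.0.9.11", "tcp", b"a different honeypot"),
    (3700, "10.0.9.10", "tcp", b"window has expired"),
]

def replay(events):
    """Run the events through one DataControl instance and collect verdicts."""
    dc = DataControl()
    return [dc.decide(ts, ip, proto, p)[0] for ts, ip, proto, p in events]

if __name__ == "__main__":
    for (ts, ip, proto, _), verdict in zip(EVENTS, replay(EVENTS)):
        print(f"t={ts:5d} {ip} {proto}: {verdict}")
```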

Page 18: Honeypot

Gen II Honeynet

Page 19: Honeypot

Application

• Detecting and countering worms
• Spam prevention

Page 20: Honeypot

How effective it is!

Page 21: Honeypot

Advantages

One can learn about incident response; setting up a system that intruders can break into will provide knowledge on detecting hacker break-ins and cleaning up after them.

Knowledge of hacking techniques can protect the real system from similar attacks.

The honeypot can be used as an early warning system; setting it up will alert administrators of any hostile intent long before the real system gets compromised.

Page 22: Honeypot

Disadvantages

Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploits.

Honeypots must be maintained just like any other networking equipment and services.

A honeypot requires just as many resources as a real system.

Building a honeypot requires at least one whole system dedicated to it, and this may be an expensive resource.

Page 23: Honeypot

Future Work

Ease of use: In future, honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home without difficulty.

Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS, etc. As these technologies develop, honeypots will be used in closer integration with them.

Specific purpose: Certain features, such as honeytokens, are already under development to target honeypots at a specific purpose, e.g. catching only those attempting credit card fraud.

Page 24: Honeypot

THANK YOU

Shashwat [email protected]