Honeypots and Honeynets

Source: The Honeynet Project, http://www.honeynet.org/
Book: Know Your Enemy (2nd ed.)
Presented by: Mohammad Mehedy Masud

Outline: What are Honeypots; Why Honeypots; Advantages and Disadvantages; Types of Honeypots; Examples of Honeypots; Uses of Honeypots; Honeynets; Honeynet Architecture; How It Works; Data Control; No Data Control; Data Control: Issues; Data Capture; Risks; Types of Honeynets; Gen-II Honeynet Architecture; Virtual Honeynet; Hybrid Virtual Honeynet; Honeywall CDROM; Roo Honeywall CDROM; Installation; Further Information

What are Honeypots
• Honeypots are real or emulated vulnerable systems ready to be attacked.
• Definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.”
  ◦ The primary value of honeypots is to collect information.
  ◦ This information is used to better identify, understand and protect against threats.
  ◦ Honeypots add little direct value to protecting your network.

Why Honeypots
• A great deal of the security profession and the IT world depend on honeypots.
• Honeypots are used to:
  ◦ Build anti-virus signatures
  ◦ Build spam signatures and filters
  ◦ Identify compromised systems
  ◦ Assist law enforcement in tracking criminals
  ◦ Hunt and shut down botnets
  ◦ Collect and analyze malware

Advantages and Disadvantages
• Advantages
  ◦ Collect only small data sets (only when interacted with), which are valuable and easier to analyze.
  ◦ Reduce false positives: any activity with the honeypot is unauthorized by definition.
  ◦ Reduce false negatives: honeypots are designed to identify and capture new attacks.
  ◦ Capture encrypted activity: honeypots act as endpoints, where the activity is decrypted.
  ◦ Work with IPv6.
  ◦ Highly flexible: extremely adaptable and usable in a variety of environments.
  ◦ Require minimal resources.
• Disadvantages
  ◦ Honeypots have a limited field of view: they see only what interacts with them and can’t be used to detect attacks on other systems.
  ◦ However, there are some techniques to redirect attackers’ activities to honeypots.
  ◦ Risk: an attacker may take over the honeypot and use it to attack other systems.

Types of Honeypots
• Server: put the honeypot on the Internet and let the bad guys come to you.
• Client: the honeypot initiates and interacts with servers.
• Other: proxies.
• Low-interaction
  ◦ Emulates services, applications and OSs.
  ◦ Low risk and easy to deploy/maintain.
  ◦ But captures limited information: attackers’ activities are contained to what the emulated systems allow.
• High-interaction
  ◦ Real services, applications and OSs.
  ◦ Captures extensive information, but high risk and time-intensive to maintain.
  ◦ Can capture new, unknown or unexpected behavior.

Examples of Honeypots (ordered from low interaction to high interaction)
• BackOfficer Friendly
• KFSensor
• Honeyd
• Honeynets

Uses of Honeypots: Preventing attacks
• Automated attacks (e.g. worms): the attacker randomly scans the entire network and finds vulnerable systems.
  ◦ “Sticky honeypots” monitor unused IP space and slow down the attacker when probed.
  ◦ They use a variety of TCP tricks, such as a 0 window size.
• Human attacks: use deception/deterrence.
  ◦ Confuse the attackers, making them waste their time and resources.
  ◦ If the attacker knows your network has honeypots, he may not attack the network.

Uses of Honeypots: Detecting attacks
• Traditional IDSs generate too many logs, with a large percentage of false positives and false negatives.
• Honeypots generate little data and reduce both false positives and false negatives.
• Traditional IDSs fail to detect new kinds of attacks; honeypots can detect new attacks.
• Traditional IDSs may be ineffective in IPv6 or encrypted environments.

Uses of Honeypots: Responding to attacks
• Responding to a failure/attack requires in-depth information about the attacker.
• If a production system is hacked (e.g. a mail server) it can’t be taken offline for analysis.
• Besides, there may be too much data to analyze, which is difficult and time-consuming.
• Honeypots can easily be taken offline for analysis.
• Besides, the only information captured by the honeypot is related to the attack, so it is easy to analyze.

Uses of Honeypots: Research purposes
• How can you defend yourself against an enemy when you don’t know who your enemy is?
• Research honeypots collect information on threats.
• Researchers can then:
  ◦ Analyze trends
  ◦ Identify new tools or methods
  ◦ Identify attackers and their communities
  ◦ Ensure early warning and prediction
  ◦ Understand attackers’ motivations

Honeynets
• A high-interaction honeypot designed to capture in-depth information.
• Information has different value to different organizations.
• It’s an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.

Honeynet Architecture
(diagram slide)

How It Works
• A highly controlled network, where every packet entering or leaving is monitored, captured and analyzed.
• Should satisfy two critical requirements:
  ◦ Data Control: defines how activity is contained within the honeynet, without an attacker knowing it.
  ◦ Data Capture: logging all of the attacker’s activity without the attacker knowing it.
• Data control has priority over data capture.

Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Tradeoff: you need to give the attacker freedom in order to learn about him, but more freedom means a greater risk that the system will be compromised.
• Some controlling mechanisms:
  ◦ Restrict outbound connections (e.g. limit to 1)
  ◦ IDS (Snort-Inline)
  ◦ Bandwidth throttling

No Data Control
(diagram) Internet <-> Honeypot, with no restrictions in either direction.

Data Control
(diagram) Internet <-> Honeywall <-> Honeypot; inbound: no restrictions; outbound: connections limited, packets scrubbed.

Data Control: Issues
• Must have both automated and manual control.
• System failure should leave the system in a closed state (fail-close).
• The admin should be able to maintain the state of all inbound and outbound connections.
• Must be configurable by the admin at any time.
• Activity must be controlled so that attackers