PUNJAB UNIVERSITY , CHANDIGARH
A SEMINAR REPORT
ON
HONEY NET
A seminar report submitted in partial fulfillment of the requ...
Page 2
ACKNOWLEDGEMENT
The work on this project has been an inspiring, often exciting, sometimes challenging,
but always i...
Page 3
TABLE OF CONTENTS:-
NO. TOPIC PAGE NO
1. Abstract 5
2. Introduction 6
3. History of honeypot and honeynet 7
3.1 Typ...
Page 4
ABSTRACT
With the help of this type of project students can get all information about security
community. HoneyPots...
Page 5
INTRODUCTION
To understand Honeynets, you need to understand Honeypots, because Honeynets are one
type of Honeypots...
Page 6
This means any interaction with a honeypot is most likely unauthorized or malicious
activity. Any connection attemp...
Page 7
server” for it can simulate a network containing several different types of network
devices, including Windows NT s...
Page 8
o Virtual honeynets provided a means to deploy multiple honeynets with just one
computer.
TYPES OF HONEYPOT
Honeypo...
Page 9
CONCEPTS
Level of Honeypot:
 Low-Involvement Honeypot
 High-Involvement Honeypot
Involvement defines the level of...
Page 10
Advantages
 Its simplicity.
 These honeypots tend to be easier to deploy and maintain, with minimal risk.
 Usua...
Page 11
High- Involvement Honeypot
 Has a real underlying Operating System
 Attacker has rights on the system
 He is in...
Page 12
Advantages
 Extensive amounts of information can be captured. By giving attackers real systems to
interact with, ...
Page 13
Honeywall is also there to control the flow of data. Without Honeywall no data restrictin
is there.
Page 14
HONEYPOT DETECTION
Hardware/software specific honeypot detection:
 Detect virtual environment via specific code
...
Page 15
Fully distributed:
 No central sensor is used
 Could be fooled by double-honeypot
 Counterattack is presented i...
Page 16
Know Your Enemy:
Honeynets
 Honeynet:
 Two or more honeypots on a network form a honeynet.
 Tradationally infor...
Page 17
interact with the victim systems, but prevents the attacker from harming other
non-Honeynet computers.
 honeypots...
Page 18
 Instead, Honeyents are an architecture, an entire network of computers designed to
attacked.
 The idea is to ha...
Page 19
Honeynet Architecture:
Honeynets are nothing more than an architecture. To succesfully deploy a honeynet; the
hone...
Page 20
 There are several key requirements that a honeywall must implement; Data Control,
Data Capture, Data Analysis, D...
Page 21
standalone deployment. As such they do not need to worry about Data Collection.
However, organizations that have m...
Page 22
 Generation II & III
Change in architecture was brought about by the introduction of a single device that
handles...
Page 23
RISK
Risk means different thing to different organizations
You will have to identify what risks are important to y...
Page 24
Advantages of Honeynet:
• High Data Value
 Small Data
• Low Resource Cost
 Weak or Retired system
• Simple Conce...
Page 25
Honeynet Issues
Before investing in honeynet technology for your corporation there is a couple issues that you
mus...
Page 26
Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots
work fine in encrypted or IP...
Page 27
CONCLUSION
The purpose of this topic was to define what honeypots and honeynets are and their value
to the securit...
Page 28
BIBLIOGRAPHY
Books:
Know Your Enemy: Honeynets
“Honey pots - Definitions and Value of Honey pots”
Reto Baumann, Ch...
Upcoming SlideShare
Loading in...5
×

Honeypot seminar report

2,229

Published on

Published in: Engineering, Technology
1 Comment
1 Like
Statistics
Notes
  • pls mail dis report to aks.shet2493@gmail.com
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
2,229
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
358
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Honeypot seminar report"

  1. 1. PUNJAB UNIVERSITY , CHANDIGARH A SEMINAR REPORT ON HONEY NET A seminar report submitted in partial fulfillment of the requirement for the award of Submitted By Under the Guidance of
  2. 2. Page 2 ACKNOWLEDGEMENT The work on this project has been an inspiring, often exciting, sometimes challenging, but always interesting experience. It has been made possible by many other people, who have supported me. I take this opportunity to express gratitude to the people who have been instrumental in the successful completion of this project. My great full acknowledge the valuable subjection and contribution from, …. and I also thanks full to my college …..
  3. 3. Page 3 TABLE OF CONTENTS:- NO. TOPIC PAGE NO 1. Abstract 5 2. Introduction 6 3. History of honeypot and honeynet 7 3.1 Types of honeypot 8 3.2 Concepts 10 3.3 Placement of Honeypot 13 3.4 Honeypot detection 15 3.5 Honeypot over firewall 16 4. Honeynet 4.1 Types of honeynet 19 4.2 Honeynet architecture 20 4.3 Honeynet generations 22 4.4 Advantages of honeynet 23 4.5 Disadvantages of honeynet 24 4.6 Diff. b/w honeypot and honeynet 25 4.7 Value of honeynet 5. Advantages 26 6. Disadvantages 27 7. Conclusion 28 8. Bibliography 29
  4. 4. Page 4 ABSTRACT With the help of this type of project students can get all information about security community. HoneyPots and HoneyNets are a fast evolving and maturing technology/concept in the IT security world. They are an innovation in the strategy of fighting internet/network threats. The purpose of this project is that, the students can understands how to track Hackers. With the help of this manual we can detect or prevent attacks and also know about attack strategies. This manual focuses on the description and analysis of honeypots as well as how and where they are used.
  5. 5. Page 5 INTRODUCTION To understand Honeynets, you need to understand Honeypots, because Honeynets are one type of Honeypots. Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book The Cuckoo's Egg", and Bill Cheswick's paper " An Evening with Berferd." Since then, honeypots have continued to evolve, developing into the powerful security tools they are today. Honeypot is comes from the Honeypot mailing list, a list consisting of about 5000 different security professionals working with Honeypot technology. “A Honeypot is a security resource whose value is being probed, attacked or comprised.” A honeypot is a security resource…..  This security resource may come in different shapes and sizes. In fact, a Honeypot could just as simply be one of your old PC’s, a script or even a digital entity3 like some made-up patient records. Whose value is being probed,attacked or comprised.  If anyone “touches” our Honeypot, then we knowsomeone’s creeping around in our network system, no person or resource should be communicating with it. Incoming traffic or more dangerously, outgoing traffic would be considered unauthorized traffic. A Honeypot is a security resource whose value is in its being probed, attacked or compromised. A Honeypot could come in different sizes. It can be one of your old PC’s, a script like Honeyd or even more complicated setups like the Honeynet8. A Honeypot looks and acts like a production system but in reality is not so. Since its’ not a production system, no ones supposed to use it thus should have no valid traffic. So if we detect traffic, most likely its potentially malicious traffic. Concrete definition:“A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.” They are a resource that has no authorized activity, they do not have any production value. Theoreticlly, a honeypot should see no traffic because it has no legitimate activity.
  6. 6. Page 6 This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that give honeypots their tremendous advantages History of Honeypot and honeynet  The concept of the honeypot is not new. In fact as early as 1991, a number of publications expounded on concepts that were to be foundations of today’s honeypot development. Two publications in particular stood out:  1990/1991 The Cuckoo’s Egg and Evening with Berferd o Clifford Stoll was an astrophysicist turned systems manager at Lawrence Berkeley Lab. Due to a 75 percent accounting error was able to track down a hacker that was using their computers as a launching pad to hack hundreds of military, industrial, and academic computers in search of secrets. His book “The Cuckoo's Egg”, published in 1988, detailed his experiences through this 3 year incident where he observed the hacker and subsequently gathered information that led to the hackers arrest. o The other publication that was of particular note during this period was “An Evening with Berferd” by the well respected Internet Security expert, Bill Cheswick. In the paper, Mr. Cheswick describes how he and his colleagues set up their jail machine, also known as roach motel2 in which they chronicled a hackers movements and the bait and traps they used to lure and detect him.  1997 - Deception Toolkit o The Deception Toolkit is one of the original and landmark Honeypots. It is generally a collection of PERL scripts designed for UNIX systems that emulate a variety of known vulnerabilities. The concept put forward by the DTK is “deceptive defense” which now central in Honeypot concepts and implementations  1998 - CyberCop Sting o CyberCop Sting is a component of the CyberCop intrusion protection software family which runs on NT. Cybercop Sting has also been referred to as a “decoy
  7. 7. Page 7 server” for it can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each of these decoys had the ability to track, record, and report intrusive activity to network and security administrators. As with the DTK, each of these decoys can run simulated services. However, as with the problem with most simulated or low-interaction Honeypots, you can only only simulate limited functionality with Cybercop sting such as telnet logins or SMTP banners thus limiting its ability to deceive and to study hackers in the long term.  1998 - NetFacade (and Snort) o As with Cybercop Sting, it creates a simulated network of hosts, with simulated IP addresses, running seemingly vulnerable services but in a much larger scale. NetFacade can simulate an entire class C network up to 254 systems. It can also simulate 7 different operating systems with a variety of different services.  1998 - BackOfficer Friendly o Back Officer Friendly runs in Windows and was free thus giving more people access to Honeypot technology. Though It didn’t give much functionality it was still a very useful piece of software which demonstrated the concepts of the Honeypot to a lot of people that who were not familiar to Honeypot concepts at that time.  1999 - Formation of the Honeynet Project 9 o A group of people led by Lance Spitzner decided to form the Honeynet Project 9. The honeynet project is a non-profit group dedicated to researching the blackhat community and to share their work to others. Their primary tool for research is the honeynet, an advanced form of Honeypot.  2003- Some Honeypot Tools o In 2003, several important Honeypot tools were introduced through these organizations such as Snort-Inline12, Sebek13, and advanced virtual honeynets14. o Snort- Inline augmented Snort to block and disable attacks instead of just detecting them. o Sebek provided a means to capture hacker activities in Honeypots by logging their keystrokes.
  8. 8. Page 8 o Virtual honeynets provided a means to deploy multiple honeynets with just one computer. TYPES OF HONEYPOT Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:  Production Honeypots  Research Honeypots Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations; Production honeypots are placed inside the production network with other production servers by organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the BLACKHAT community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and to learn how to better protect against those threats. This information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
  9. 9. Page 9 CONCEPTS Level of Honeypot:  Low-Involvement Honeypot  High-Involvement Honeypot Involvement defines the level of activity a honeypot allows an attacker. Low-Involvement Honeypot  Easy to install and deploy. Usually requires simply installing and configuring software on a computer.  Minimal risk, as the emulated services control what attackers can and cannot do.  Captures limited amounts of information, mainly transactional data and some limited interaction  HONEYD is a low-interaction honeypot. Developed by Niels Provos, Honeyd is OpenSource and designed to run primarily on Unix systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even  learn what they are looking for or their identity.
  10. 10. Page 10 Advantages  Its simplicity.  These honeypots tend to be easier to deploy and maintain, with minimal risk.  Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations.  The emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others. Disadvantages  They log only limited information and are designed to capture known activity.  It’s easier for an attacker to detect a low-interaction honeypot, no matter how good the emulation is, skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
  11. 11. Page 11 High- Involvement Honeypot  Has a real underlying Operating System  Attacker has rights on the system  He is in Jail,a Sandbox  Time-consuming to build/maintain  All actions can be recorded and analyze High-interaction honeypots are different, they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated, we give attackers the real thing.  If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions.  The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect.  An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol.
  12. 12. Page 12 Advantages  Extensive amounts of information can be captured. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions.  They make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect. Disadvantages  It increases the risk of the honeypot as attackers can use these real operating system to attack non-honeypot systems. As result, additional technologies have to be implement that prevent the attacker from harming other non-honeypot systems PLACEMENT OF HONEYPOT There are various way to allocate a honeypot:- In front of the firewall(Internet) DMZ(demilitarized zone)  DMZ is to add an additional layer of security to an organization's local area network (LAN).  In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.  The term is normally referred to as a DMZ by information technology professionals. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. Behind the firewall
  13. 13. Page 13 Honeywall is also there to control the flow of data. Without Honeywall no data restrictin is there.
  14. 14. Page 14 HONEYPOT DETECTION Hardware/software specific honeypot detection:  Detect virtual environment via specific code  E.g., time response, memory address  Detect faculty honeypot program  Case by case detection Detection based on fundamental difference:  Honeypot defenders are liable for attacks sending out  Liability law will become mature  It’s a moral issue as well DETECTION OF HONEYPOT Real attackers bear no liability:  Check whether a bot can send out malicious traffic or not. Two-stage Reconnaissance to Detect Honeypot:
  15. 15. Page 15 Fully distributed:  No central sensor is used  Could be fooled by double-honeypot  Counterattack is presented in our paper Lightweighted spearhead code:  Infect + honeypot detection  Speedup UDP-based infection HONEYPOT OVER FIREWALL First, without a firewall, the firewall can not prevent attacks. Data without a firewall, the firewall can not check. Second, the firewall does not resolve the internal network from attacks and security issues. Firewalls can be designed either to prevent anti-foreign also inside, no one trusted, but most units because of inconvenience, does not require anti-in firewall Third, firewalls can not prevent configuration policy configuration error caused by improper or security threats. A firewall is a passive security policy enforcement device, like a guard, as according to policies and regulations to implement security, and not given a free hand. Fourth,the firewall can not prevent access to human or natural damage. A firewall is a security device, but the firewall itself must exist in a safe place. Fifth,the firewall can not prevent the use of standard network protocol defects in the attack. Once the firewall to allow some of the standard network protocol, a firewall can not prevent the use of the agreement of the defects of the attack. Sixth,the firewall can not prevent the use of server system vulnerabilities to attack. Hacking through the firewall to allow access to ports on the server vulnerability to attack, the firewall can not prevent. Seventh, a firewall can not prevent virus-infected file transfers. The firewall itself does not have the function of killing the virus, even if integrated third-party anti-virus software, there is no one kind of killing all the virus software. Eighth, the firewall can not prevent data-driven attacks. When some seemingly innocuous mail or copy data to the host on the internal network was performed, which may occur data-driven attacks. Ninth,the firewall can not prevent internal leaks of secrets. Inside the firewall active leak of a legitimate user, the firewall is powerless. One of the advantages of honeypot systems is that they greatly reduce the data to be analyzed. For the usual website or mail server, attack traffic is usually overwhelmed by legitimate traffic.
  16. 16. Page 16 Know Your Enemy: Honeynets  Honeynet:  Two or more honeypots on a network form a honeynet.  Tradationally information security has been primarily defensive. Firewalls, Intrusion detection system, encryption; all of these mechanism are used defensively to protect one’s resource. The strategy is to defend one’s organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is it purely defensive, the enemy has the initiative. Honeypots attempts to change that. The primary purpose of honeypot is to gather information on threats. This information has defferent value for different organization.  Eg.  Academic research institution may use honeypot to gather data for research, such as worm activity.  Security organization may use honeypot to capture and analyze malware for anti- virus.  Government organization use them to learn more about who is targetting them and why???  Honeynets are a prime example of high-interaction honeypot. Honeynets are not a product; they are not a software solution that you install on a computer. Instead, Honeyents are an architecture, an entire network of computers designed to attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted sessions to emails and files uploads, are captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to
  17. 17. Page 17 interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers.  honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discretely regulated."  Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems.  A honeyfarm is a centralized collection of honeypots and analysis tools.  Honeynets are digital network bait, and through deception, they are designed to actually attract intruders.  Honeypot one,Honeypot two,Honeypot three make honeynets.  Honeynets are a prime example of high-interaction honeypot. Honeynets are not a product, they are not a software solution that you install on a computer.
  18. 18. Page 18  Instead, Honeyents are an architecture, an entire network of computers designed to attacked.  The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications.  The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to emails and files uploads, are captured without them knowing it.  This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity.  Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies.  This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computer. Types of Honeynet:  High-interaction honeynet: A distributed network composing many honeypots.  Low-interaction honeynet: Emulate a virtual network in one physical machine. Example: honeyd
  19. 19. Page 19 Honeynet Architecture: Honeynets are nothing more than an architecture. To succesfully deploy a honeynet; the honeynet architecture should be correctly deployed. The key to the honeynet architecture is what we call a “honeywall”. This is a gateway device that seperates your honeypots from the rest of the world. Any traffic going to or from the honeypots must go through the honeywall. This gateway is traditionally a layer 2 bridging device, meaning the device should be invisible to anyone interacting with the honeypots. Below we see a diagram of this architecture. The Honeywall has 3 interfaces. The first 2 interfaces (eth0 and eth1) are what seperate our honeypots from everything else, these are bridged interfaces that have no IP stack. The 3rd interface (eth2, which is optional) has an IP stack allowing for remote administration.
  20. 20. Page 20  There are several key requirements that a honeywall must implement; Data Control, Data Capture, Data Analysis, Data Collection. Data Control defines how activity is contained with the honeynet without an attacker knowing it. Its purpose is to minimize risk. Data Capture is capturing all of the attacker's activity without the attacker knowing it. Data Analysis is the ability to analyze this data. Data Collection is the ability to collect data from multiple honeynets to a single source. Of all these requirements, Data Control is the more important. Data Control always takes priority as its role is to mitigate risk. We describe each in more detail below.  Data Control is the containment of activity, it is what mitigates risk. By risk, we mean there is always the potential of an attacker or malicious code using a honeynet to attack or harm non-honeynet systems, or abusing the honeynet in some un-expected way. We want to make every effort possible to ensure that once an attacker is within our honeynet or a system is compromised, they cannot accidentally or purposefully harm other non- honeynet systems. The challenge is implementing data control while minimizing the attacker's or malcious's code chance of detecting it. This is more challenging then it seems. First, we have to allow the attackers some degree of freedom to act. The more activity we allow the attackers to perform, the more we can potentially learn about them. However, the more freedom you allow an attacker, the more risk there is they will circumvent Data Control and harm other non-honeynet systems. The balance of how much freedom to give the attacker vs. how much you restrict their activity is a decision every organization has to make themselves.  Data Capture is the monitoring and logging of all of the threat's activities within the honeynet. It is this captured data that is then analyzed to learn the tools, tactics, and motives of attackers. The challenge is to capture as much data as possible without the threat detecting the process. As with Data Control, one of the primary lessons learned for Data Capture has been the use of layers. It is critical to use multiple mechanisms for capturing activity. Not only does the combination of layers help piece together all of the attacker's actions, but it prevents having a single point of failure. The more layers of information that are captured, at both the network and host level, the more that can be learned. To minimize the ability of attackers to detect our capture mechanisms, there are two ways: First, make as few modifications to the honeypots as possible. The more modifications you make, the greater the chance of detection. Second it is best that captured data not be stored locally on the honeypots themselves. Not only could this data be detected by attackers, but it could also be modified or deleted. As such, captured data must be logged and stored on a seperate, secured system.  Data Analysis is the third requirement. Remember, the entire purpose of a honeynet is information. A honeynet is worthless if you have no ability to convert the data it collect to information, you must have some ability to analyze the data. Different organizations have different needs, and as such will have different data analysis requirements.  Data Collection applies only to organizations that have multiple honeynets in distributed environments. Most organizations will have only one single honeynet, what we call a
  21. 21. Page 21 standalone deployment. As such they do not need to worry about Data Collection. However, organizations that have multiple honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. This way the captured data can be combined, exponentially increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed honeynets.  Implementing all of these requirements is extremely difficult, complex, and time consuming. In the past it took a great deal of time and effort to deploy such an architecture. However, today the Honeynet Project has developed a rapid and simple way for an organization to deploy such functionality, its call the Honeywall CDROM.  The purpose of this bootable CDROM is to make it simple to rapidly build and deploy a honeywall, the critical component to honeynet architecture. You simply install the Honeywall CDROM into a computer with multiple NICs, and it automates the build process of a honeywall, implementing all of the requirements we just discussed above. TYPES OF HONEYNETS  GenI first generation. Were effective at catching automated activities such as worms, script kiddies, auto-rooters and mass-rooters. GenI is no longer recommended for deployment.  GenII second generation. Simpler to deploy, harder to detect, and safer to maintain. They utilize more advanced data control and data capture mechanisms  Virtual Honeynets are designed to make deployment much easier to manage and far more cost effective.  Distributed Honeynets are multiple Honeynets deployed across large networks or across the Internet. They exponentially increase the information collected. HONEYNET GENERATIONS: Generation I Gen I Honeynet was developed in 1999 by the Honeynet Project. The architecture was simple with a firewall aided by an IDS as the gateway and Honeypots placed behind it.This architecture required 2 interfaces on the Honeywall gateway, one facing the external network and one facing the Honeypot’s internal network. This architecture was flawed as the gateway acting as a Layer 3 device could be detected by attackers. The main advantage is you can remotely manage the Honeynet gateway from outside by allowing a connection from a select IP address on the Internet Combining IDS and firewall on a single machine reduces the hardware requirements to just two machines. Although a bit riskier
  22. 22. Page 22  Generation II & III Change in architecture was brought about by the introduction of a single device that handles the data control and data capture mechanisms of the Honeynet called the IDS Gateway or the Honeywall. This is implemented as a transparent bridge. Gen II Honeynets were first introduced in 2001 and Gen III Honeynets were released at the end of 2004. Gen II Honeynets were made in order to address the deficiencies in Gen I Honeynets. Gen II and Gen III Honeynets have the same architecture, with the only difference being improvements in deployment and management in Gen III Honeynets along with the addition of a Sebek server built in the gateway – this is known as the Honeywall. This architecture incorporates 3 interfaces on the Honeywall. Two interfaces acted as a bridge between the external network and the internal Honeypot network; whilst the third interface was used for management and configuration tasks.
  23. 23. Page 23 RISK Risk means different thing to different organizations You will have to identify what risks are important to you There are four general areas of risk; harm, detection, disabling, and violation o Harm is when a Honeynet is used to attack or harm other nonhoneynet systems o Detection. Once the true identity of a Honeynet has been identified by the blackhats, its value is greatly reduced. o Risk of disabling Honeynet functionality by an attack against either data control or data capture routines o Violation is the catchall of remaining risk. Example is an attacker using a Honeypot to upload then distribute contraband or illegal material In all four cases, there are two steps to help mitigate these risks, human monitoring and customization o Human means having a trained professional monitoring and analyzing your Honeynet in real time o Customization is critical. A simple default installation that has no purpose or system activity is a give away of a Honeypot
  24. 24. Page 24 Advantages of Honeynet: • High Data Value  Small Data • Low Resource Cost  Weak or Retired system • Simple Concept, Flexible Implementation • Return on Investment  Proof of Effectiveness • Catch new attacks Disadvantages of honeynet: • In reference to risk, there are four general areas we will cover;  Harm: when a honey net is used to attack or or harm other, non-honey net systems. Eg. An attacker may break into a honeynet, and then launch an outbound attack never seen before, successfully harming or compromising its intended victim.  Detection: Once the true identity of a honey net has been identified, its value is dramatically reduced. Attacker can ignore or bypass the honeynet, eliminating its capability for capturing information.  Disabling: Attackers may want to not only detect a honey net's identity, but disable its Data Control or Data Capture capabilities, potentially without the honeynet administrator knowing that functionality has been disabled (feed the honeypot with bogus activity, making administrator think that data capture is still functioning and recording activity when it is not.)  Violation: Attackers may attempt criminal activity from your compromised honey net without actually attacking anyone outside your honey net Eg. Attackers using a honeypot to upload then distribute illegal material. Remember, this individual broke into your system on their own initiative. If detected, this illegal activity would be attributed to you by way of it being on your system. You may then have to prove that it was in fact not you who was responsible for this activity
  25. 25. Page 25 Honeynet Issues Before investing in honeynet technology for your corporation there is a couple issues that you must consider and work out first. One topic that needs to be addressed is the cost of a honeynet. What kind of budget goes into deploying and maintaining? The first issue is the equipment needed for a honeynet. Because of the simplicity of a honeynet, the systems to set one up are inexpensive. The total cost for all the systems would depend on how many different honeypot you wish to have in your complete honeynet. Then there is the network utilities and Internet connection. This could be a one or more employee depending on the knowledge and experience of the employee, and the length of time. Some of the topics that need to be discussed are management, operations, and cleanup. Value of Honeynet:  Defends Organization and React.  Provide an Organization Info. on their own Risk.  Test your abilities.  Determine System Compromised within Production Network.  Risks and Vulnerabilities discovered.  Specially for research. ADVANTAGES Honeypots are a tremendously simply concept, which gives them some very powerful strengths. Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity, any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collectin only small data sets, but information of high value, as it is only the bad guys. This means its much easier (and cheaper) to analyze the data a honeypot collects and derive value from it. New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before. Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
  26. 26. Page 26 Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it. Information: Honeypots can collect in-depth information that few, if any other technologies can match. Simplicty: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations. Protection: Honeypot can help protect an organization is in reponse. Attack prevention: One way that honeypots can help defend against such attacks is slowing their scanning down, potentially even stopping them. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a Windows size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated your in pc. DISADVANTAGES Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies. Limited View:oneypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also. Risk:All security technologies have risk. Firewalls have risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different, they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk various for different honeypots. Depending on the type of honeypot, it can have no more risk then an IDS sensor, while some honeypots have a great deal of risk.
  27. 27. Page 27 CONCLUSION The purpose of this topic was to define what honeypots and honeynets are and their value to the security community. We identified two different types of honeypots, low- interaction and high-interaction honeypots. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions is both for production or research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them.
  28. 28. Page 28 BIBLIOGRAPHY Books: Know Your Enemy: Honeynets “Honey pots - Definitions and Value of Honey pots” Reto Baumann, Christian Plattner “White Paper Honeypots” 2002 Websites: www.honynet.org www.tracking-hackers.com www.honeypots.net www.honeyd.org

×