Honeypots

First draft of a presentation I gave to students almost a year back.

1. Honeypots
   Jayant Kumar Gandhi - www.jkg.in
   Himanshu Bhatnagar, Sachin Gajjar, Sameek Banerjee, Shashwat Agrawal
   http://www.jkg.in/eel702/presentation.ppt
2. Agenda
   - Motivation
   - Definition
   - Advantages/Disadvantages
   - Types
3. Motivation
   - Key to effective intrusion detection is information
     - Learn more about past attacks
     - Detect currently occurring attacks
     - Identify new types of attacks
     - Do all this in real time
4. Definition
   - “Any security resource whose value lies in being probed, attacked, or compromised” – L. Spitzner, Honeypots: Tracking Hackers, ISBN 0-321-10895-7
5. How honeypots work
   - A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
6. Advantages
   - Reduce false positives and false negatives
   - Data value
   - Resources
   - Simplicity
7. Disadvantages
   - Narrow field of view
   - Fingerprinting
   - Risk
8. Types
   - Production (law enforcement)
   - Research (counter-intelligence)
9. Production honeypots
   - Prevention
   - Detection
   - Response
10. Research honeypots
   - Early warning and prediction
   - Discover new tools and tactics
   - Understanding motives, behavior and organization
   - Develop analysis and forensic skills
11. Level of interaction
   - Level of interaction determines the amount of functionality a honeypot provides
     - Low interaction
       - Less learning, complexity and risk
     - High interaction
       - High learning, complexity and risk
12. Risk
   - Attacker can compromise your honeypot to harm, attack or infiltrate other systems and organizations
13. Low interaction
   - Provide emulated services
   - No operating system to access
   - Information limited to transactional information and attackers' activities with the emulated services
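The two ideas in slides 5 and 13 (a honeypot expects no traffic, and a low-interaction honeypot only emulates a service far enough to record the transaction) fit in a few dozen lines. The following is an added example, not code from the presentation or from any honeypot project: it listens on ports it pretends are SSH and HTTP, sends a fixed banner, captures the first bytes the client sends, writes one JSON line per contact, and then classifies every logged source as an alert, since nothing legitimate should be there. The ports, banners and the sample log lines are constructed for illustration.

```python
"""Minimal low-interaction honeypot with a log analyser (added example)."""
import json
import socket
import threading
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical emulated services: port -> banner sent on connect.
# Non-privileged ports are used so the example runs without root.
EMULATED_SERVICES = {
    2222: b"SSH-2.0-OpenSSH_7.4\r\n",           # pretends to be sshd
    8080: b"HTTP/1.0 400 Bad Request\r\n\r\n",  # pretends to be a web server
}


def make_event(src_ip, src_port, dst_port, first_bytes, ts=None):
    """Build one log record: everything the honeypot knows about a contact."""
    return {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        # Keep only a short, printable prefix of what the client sent.
        "first_bytes": first_bytes.decode("latin-1", "replace")[:64],
    }


def handle_client(conn, addr, dst_port, sink):
    """Serve one connection: banner out, a few bytes in, log, close."""
    with conn:
        conn.settimeout(5)
        try:
            conn.sendall(EMULATED_SERVICES[dst_port])
            data = conn.recv(256)
        except OSError:          # timeout or reset: still worth logging
            data = b""
        sink.write(json.dumps(make_event(addr[0], addr[1], dst_port, data)) + "\n")
        sink.flush()


def serve(dst_port, sink, bind_addr="127.0.0.1"):
    """Listen on one emulated port; each connection gets its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, dst_port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_client,
                         args=(conn, addr, dst_port, sink), daemon=True).start()


def analyze(log_lines, scan_threshold=2):
    """Turn JSON log lines into alerts.

    Every source that touched the honeypot is reported (there is no
    legitimate reason to be here); a source that touched at least
    `scan_threshold` distinct emulated ports is labelled a probable scan.
    """
    ports_by_src = defaultdict(set)
    payload_by_src = defaultdict(list)
    for line in log_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ports_by_src[ev["src_ip"]].add(ev["dst_port"])
        if ev["first_bytes"]:
            payload_by_src[ev["src_ip"]].append(ev["first_bytes"])
    alerts = []
    for src, ports in sorted(ports_by_src.items()):
        kind = "scan" if len(ports) >= scan_threshold else "contact"
        alerts.append({"src_ip": src, "kind": kind, "ports": sorted(ports),
                       "payloads": payload_by_src[src]})
    return alerts


# Constructed sample log, in the format the listener above writes.
SAMPLE_LOG = """
{"ts": "2024-01-01T00:00:01+00:00", "src_ip": "203.0.113.5", "src_port": 40001, "dst_port": 2222, "first_bytes": ""}
{"ts": "2024-01-01T00:00:02+00:00", "src_ip": "203.0.113.5", "src_port": 40002, "dst_port": 8080, "first_bytes": "GET / HTTP/1.0\\r\\n"}
{"ts": "2024-01-01T00:00:09+00:00", "src_ip": "198.51.100.7", "src_port": 51000, "dst_port": 2222, "first_bytes": "SSH-2.0-libssh\\r\\n"}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    # To really listen on one emulated port (kept off so the example runs offline):
    # import sys; serve(2222, sys.stdout)
```

The listener never executes anything the client sends and never offers a shell, which is what keeps this at the low-interaction end of slide 11: little to learn beyond who connected and what they tried first, but equally little risk.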
14. High interaction
   - Provides actual operating systems
   - Learn extensive amount of information
   - Extensive risk
15. Honeyd
   - Low-interaction honeypot
   - Runs on a single computer
     - Simulates a group of virtual machines
     - Simulates the physical network between them
   - Simulates only the network stack of each machine
   - Intended primarily to fool fingerprinting tools
16. Honeyd
   - Fingerprinting
     - Attackers often try to learn more about a system before attacking it
     - Can determine a machine’s operating system by “testing” its network behavior
       - How the initial TCP sequence number is created
       - Response packets for open and closed ports
       - Configuration of packet headers
     - Common fingerprinting tools: Nmap, Xprobe
17. Honeynets
   - High-interaction honeypots
   - Network of real machines (honeypots)
   - Honeywall – a gateway between honeypots and rest of the world
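Slide 12 names the risk of high-interaction honeypots (a compromised honeypot used against others) and slide 17 names the control, the Honeywall gateway. The following added example, which is not the presentation's code and not the Honeynet Project's Honeywall code, shows the core of that data-control decision: inbound traffic always passes, outbound traffic from a honeypot is held to a per-protocol connection budget per sliding time window, and traffic to protected networks is dropped outright. The network ranges, limits and flow records are constructed for illustration.

```python
"""Honeywall-style outbound data control for a honeynet (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy: honeypots live in 10.0.0.0/24; the two PROTECTED
# ranges stand in for the organisation's own production networks.
HONEYNET = ip_network("10.0.0.0/24")
PROTECTED = [ip_network("10.1.0.0/16"), ip_network("192.0.2.0/24")]
WINDOW = timedelta(hours=1)
# Outbound connections allowed per honeypot per window (constructed numbers).
MAX_OUTBOUND = {"tcp": 3, "udp": 5, "icmp": 10}


def decide(flow, state):
    """Return ('allow'|'drop', reason) for one flow.

    `flow` is a dict with ts (ISO 8601), src, dst and proto.
    `state` maps (honeypot, proto) -> timestamps of recent outbound
    connections and is updated in place.  Only flows *from* the honeynet
    are rate-limited: inbound flows are the point of a honeynet.
    """
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if src not in HONEYNET:
        return "allow", "inbound"
    if any(dst in net for net in PROTECTED):
        return "drop", "protected destination"
    if dst in HONEYNET:
        return "allow", "honeypot to honeypot"
    proto = flow["proto"]
    ts = datetime.fromisoformat(flow["ts"])
    bucket = state[(flow["src"], proto)]
    # Sliding window: forget connections older than WINDOW.
    bucket[:] = [t for t in bucket if ts - t < WINDOW]
    if len(bucket) >= MAX_OUTBOUND[proto]:
        return "drop", f"{proto} outbound limit {MAX_OUTBOUND[proto]} per window reached"
    bucket.append(ts)
    return "allow", "within outbound budget"


def run_policy(flows):
    """Apply the policy to a sequence of flows in order; returns the decisions."""
    state = defaultdict(list)
    return [decide(f, state) for f in flows]


# Constructed flow records: an attacker reaches a honeypot, then the
# honeypot starts connecting out.
SAMPLE_FLOWS = [
    {"ts": "2024-01-01T10:00:00", "src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp"},   # inbound
    {"ts": "2024-01-01T10:05:00", "src": "10.0.0.5", "dst": "198.51.100.1", "proto": "tcp"},  # 1st outbound
    {"ts": "2024-01-01T10:06:00", "src": "10.0.0.5", "dst": "198.51.100.2", "proto": "tcp"},  # 2nd
    {"ts": "2024-01-01T10:07:00", "src": "10.0.0.5", "dst": "198.51.100.3", "proto": "tcp"},  # 3rd, last allowed
    {"ts": "2024-01-01T10:08:00", "src": "10.0.0.5", "dst": "198.51.100.4", "proto": "tcp"},  # 4th: over budget
    {"ts": "2024-01-01T10:09:00", "src": "10.0.0.5", "dst": "10.1.2.3", "proto": "tcp"},      # protected network
    {"ts": "2024-01-01T11:10:00", "src": "10.0.0.5", "dst": "198.51.100.5", "proto": "tcp"},  # window has slid
]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, run_policy(SAMPLE_FLOWS)):
        print(f"{flow['src']:>13} -> {flow['dst']:<13} {verdict:5} ({reason})")
```

The budget is deliberately small and per protocol: it lets an intruder do enough outbound work (fetch a tool, contact a controller) for the research value of slide 10 while capping how much damage a hijacked honeypot can do before the gateway stops it. A real Honeywall also inspects the permitted traffic in-line, which this example leaves out.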
18. Legal issues
   - Privacy
   - Entrapment
   - Liability
19. Legal Mumbo Jumbo
   - Design template is Copyright © 2006 Jayant Kumar Gandhi (www.jkg.in)
   - Clip art is Copyright © 2006 Microsoft Corporation
   - All trademarks and registered trademarks are acknowledged and are property of their respective owners
20. Bibliography
   - Robert Graham, Network intrusion detection systems, 2000. http://www.robertgraham.com/pubs/network-intrusion-detection.html
   - David Klug, Honeypots and intrusion detection. http://www.sans.org./infosecFAQ/intrusion/honeypots.htm
   - Reto Baumann and Christian Plattner, White paper: Honeypots. http://www.rbaumann.net, http://www.christianplattner.net
   - Lance Spitzner, Honeypots: Tracking hackers. ISBN 0-321-10895-7
   - Lance Spitzner, Intrusion detection, 2000. http://www.enteract.com/lspitz/ids.html
   - Lance Spitzner, Know your enemy: I, II and III, 2000. http://www.project.honeynet.org/papers
21. Questions?
22. http://www.jkg.in/contact-me/
   Uploaded on SlideShare.net for the public.
