    Honeypots: Presentation Transcript

    • An Introduction to Honeypots J. Scott Christianson
    • J. Scott Christianson
      • Experience/Education
        • Worked for a consortium of schools for eight years
        • Own and operate Kaleidoscope Consulting
        • Firewall Installation
        • Network Design
        • M.A., Educational Technology, The George Washington University.
      • Certifications
        • CISSP
        • SANS GIAC
        • MCSE
        • Cisco CNA 1.0, 2.0
        • CVE
        • NACSE Senior Network Specialist
        • Sonicwall SCSA
        • Network +, etc.
    • Today’s Session
      • What is a Honeypot?
      • Types of Honeypots
      • Honeypot Deployment
      • Demonstration
      • Legal Issues
      • Resources
    • Honeypot Defined
      • “A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.”
      • --Lance Spitzner
      “Intrusion Deception Systems”
    • Honeypot Uses
      • Research
        • Discover new attacks
        • Understand the blackhat community and their attacks
        • Build some better defenses against security threats
      • Production
        • Distraction
        • Detect internal threats: “Policy/Law Enforcement”
        • Security Assessment (Constantly monitors the average security provided by the network)
    • Honeypot Characteristics
      • Since Honeypots are not normally used by the organization, they will only be accessed by “intruders”
      • Honeypots collect very little data, and what they do collect is normally of high value.
      • Honeypots all share one huge drawback: they are worthless if no one attacks them.
      • Honeypots can introduce risk to your environment.
    • Types of Honeypots
      • Honeypots are classified by the degree to which an attacker can interact with the operating system
        • The more an attacker can interact with a honeypot, the more information we can potentially gain from it; however, the more risk it most likely carries.
      • Types
        • Low-Involvement Honeypot
        • Mid-Involvement Honeypot
        • High-Involvement Honeypot
    • Honeypot Deployment
      • A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc).
      • A honeypot can be an unpatched server. For example, an IIS server with the default install.
        • Use firewall to protect the outside world
        • Hogwash (Snort based IP scrubber) http://hogwash.sourceforge.net/
      • Low/Mid Interaction Honeypot
      • Runs on Microsoft OSs
      • Specter can emulate one of 13 different operating systems.
      • As of Version 6.02, the IP stack is not emulated so IP fingerprinting tools are not fooled.
      • Custom fake password files and custom HTTP content.
      • Pricing: full version $899, Lite $599
      • www.specter.com
    • Virtual Honeypots
      • VMware ($299 from vmware.com)
      • Host Operating System is Hardened
      • Guest Operating Systems are the Honeypots (unpatched OSs)
    • Honeynets
      • http://project.honeynet.org
      • An extension of a Honeypot
      • Network topology provides many advantages over a standard honeypot
        • Covert logging
        • More points of attack for a blackhatter
        • Looks realistic from the outside
    • Issues Raised: Privacy
      • Electronic Communication Privacy Act (18 USC 2701-11)
      • Federal Wiretap Statute (Title III, 18 USC 2510-22)
      • The Pen/Trap Statute (18 USC § 3121-27)
    • Issues Raised: Entrapment
      • Used only by defendant to avoid conviction
      • Cannot be held criminally liable for ‘entrapment’
      • Applies only to law enforcement
      • Even then, most legal authorities consider Honeynets non-entrapment
    • Issues Raised: Liability
      • You may be liable if your Honeynet system is used to attack or damage other non-Honeynet systems.
        • Decided at state level, not federal
        • Civil issue, not criminal
    • Resources
      • http://www.spitzner.net/
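
The low-involvement end of the scale from "Types of Honeypots", as an added example that is not part of the original slides: a listener that offers only a fake banner and records every connection, since a resource nobody legitimately uses is only ever touched by unexpected traffic. The banner text, the function names and the loopback `probe` client are assumptions made for illustration.

```python
import socket
import threading
import time

# Constructed banner for illustration; it does not belong to any real host.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"

def handle(conn, addr, events, max_bytes=1024, timeout=3.0):
    """Record one connection. Nothing the peer sends is parsed or executed."""
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(FAKE_BANNER)
        data = conn.recv(max_bytes)      # keep only the first bytes received
    except OSError:
        pass                             # scanners often connect and drop
    finally:
        conn.close()
    event = {"ts": time.time(), "src_ip": addr[0], "src_port": addr[1],
             "bytes": len(data), "data": data.decode("latin-1")}
    events.append(event)                 # every event is high value: no normal users
    return event

def serve(host="127.0.0.1", port=0, max_conns=1):
    """Start the listener in a thread; returns (bound_port, events, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))               # port 0 lets the OS pick a free port
    srv.listen(5)
    bound_port = srv.getsockname()[1]
    events = []

    def loop():
        with srv:
            for _ in range(max_conns):
                conn, addr = srv.accept()
                handle(conn, addr, events)

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return bound_port, events, thread

def probe(port, payload=b"EHLO scanner\r\n"):
    """Constructed loopback client standing in for an unsolicited connection."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as c:
        banner = c.recv(128)
        c.sendall(payload)
    return banner
```

Because the peer can do nothing beyond reading the banner and sending bytes that are only stored, this sits at the low-risk, low-information end of the trade-off the slides describe.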