HONEYPOTS
Monitor your Network

By: Ravindra Singh Rathore
Honeypots (Ravindra Singh Rathore)

  1. HONEYPOTS: Monitor your Network. By: Ravindra Singh Rathore
  2. THE PROBLEM
     • Internet security is hard
       – New attacks every day
       – Our websites are static targets
     • What should we do?
     • The more you know about your enemy, the better you can protect yourself
     • Fake target?
  3. WHAT IS A HONEYPOT
     A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
  4. WHAT IS A HONEYPOT
     • A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems
     • Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering
  5. WHAT IS A HONEYPOT
     • Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
     • Used for monitoring, detecting and analyzing attacks
  6. What Honeypots Do
  7. Why do we use honeypots?
     • It is a different kind of security from a firewall.
     • A firewall only works on system security.
     • This security works on the network layer.
  8. Classification: By level of interaction
     • High
     • Low
  9. Classification: By implementation
     • Physical
     • Virtual
  10. Classification: By purpose
     • Production
     • Research
  11. Level of Interaction
     Low Interaction
     • Simulates some aspects of the system
     • Easy to deploy, minimal risk
     • Limited information
     • Honeyd
     High Interaction
     • Simulates all aspects of the system: real systems
     • Can be compromised completely, higher risk
     • More information
     • Honeynet
  12. Low Interaction vs. High Interaction

     |                | Low-Interaction   | High-Interaction |
     |----------------|-------------------|------------------|
     | Installation   | Easy              | More difficult   |
     | Maintenance    | Easy              | Time consuming   |
     | Risk           | Low               | High             |
     | Need Control   | No                | Yes              |
     | Data gathering | Limited           | Extensive        |
     | Interaction    | Emulated services | Full control     |

  13. Physical vs. Virtual Honeypots
     – Physical
       • Real machines
       • Own IP addresses
       • Often high-interaction
     – Virtual
       • Simulated by other machines that:
         – Respond to the traffic sent to the honeypots
         – May simulate a lot of (different) virtual honeypots at the same time
  14. Production HPs: Protect the systems
     • Prevention
       – Keeping the bad guys out
     • Detection
       – Detecting the burglar when he breaks in.
       – Great work
     • Response
       – Can easily be pulled offline
       – Little to no data pollution
  15. Research HPs: gathering information
     • Collect compact amounts of high value information
     • Discover new Tools and Tactics
     • Understand Motives, Behavior, and Organization
     • Develop Analysis and Forensic Skills
     • HONEYNET
  16. Building your HoneyPots
     • Specifying Goals
     • Selecting the implementation strategies
     • Types, Number, Locations and Deployment
     • Implementing Data Capture
     • Logging and managing data
     • Mitigating Risk
     • Mitigating Fingerprint
  17. Information Capturing Mechanisms
     • Host Based
     • Network Based
     • Router/Gateway Based
  18. Information Analysis Mechanisms
     • Firewall Logs
     • IDS Analysis
     • System Logs
     • Forensics of the Compromised Machine
     • Advanced Forensics of the Compromised Machine
  19. How do HONEYPOTS work?
  20. Location of Honeypots
     • In front of the firewall
     • Demilitarized Zone
     • Behind the firewall (Intranet)
  21. Placement of Honeypot
  22. Honeyd: A virtual honeypot application, which allows us to create thousands of IP addresses with virtual machines and corresponding network services.
  23. Honeypot Advantages
     • High Data Value
       - Small Data
     • Low Resource Cost
       - Weak or Retired system
     • Simple Concept, Flexible Implementation
     • Return on Investment
       - Proof of Effectiveness
     • Catch new attacks
  24. Disadvantages
     • Narrow Field of View
     • Fingerprinting
     • Risks?
       - If being detected?
       - If being compromised?
       - If being mis-configured?
  25. Mitigating Risks?
     • Being Detected?
       - Anyway, honeypots can be detected
       - Modifying is a good solution, but not perfect
       - Fingerprinting?
     • Being Exploited?
  26. Legal Issues
     Privacy
       - No single statute concerning privacy
       - Electronic Communications Privacy Act
     Entrapment
       - Used only by a defendant to avoid conviction
       - Applies only to law enforcement?
     Liability
       - If a Honeynet system is used to attack or damage other non-honeynet systems?
  27. Conclusion
     • Honeypots are not a solution; they are a flexible tool with different applications to security.
     • Primary value in detection and information gathering.
     • Just the beginning for honeypots.
  28. Q&A
  29. Thank you…
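
The rule from slide 5 (anything going to or from a honeypot is a probe, attack or compromise) applied to the firewall logs named on slide 18, as an added example that is not part of the original deck. The honeypot address range, the iptables-style log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: honeypots sit in a dedicated range that holds no production hosts.
HONEYPOT_NET = ip_network("192.0.2.64/28")

# Constructed iptables-style log lines (documentation address ranges only).
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.66 PROTO=TCP SPT=40112 DPT=22
Mar  3 10:01:13 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.66 PROTO=TCP SPT=40113 DPT=23
Mar  3 10:01:15 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.67 PROTO=TCP SPT=40120 DPT=445
Mar  3 10:02:40 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=443
Mar  3 10:07:02 gw kernel: IN=eth1 SRC=192.0.2.66 DST=203.0.113.50 PROTO=TCP SPT=33001 DPT=6667
"""

FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

def classify(line):
    """Return (kind, peer, honeypot, port) for honeypot traffic, else None."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "DST"} <= f.keys():
        return None  # not a packet log line
    src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
    port = int(f.get("DPT", 0))
    if src in HONEYPOT_NET and dst not in HONEYPOT_NET:
        # A honeypot never starts connections itself: likely compromised.
        return ("outbound", str(dst), str(src), port)
    if dst in HONEYPOT_NET and src not in HONEYPOT_NET:
        return ("inbound", str(src), str(dst), port)
    return None  # production traffic, out of scope here

def analyze(log_text):
    """Group probes by source and list honeypot-initiated flows."""
    probes = defaultdict(lambda: {"honeypots": set(), "ports": set()})
    outbound = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, peer, pot, port = hit
        if kind == "inbound":
            probes[peer]["honeypots"].add(pot)
            probes[peer]["ports"].add(port)
        else:
            outbound.append((pot, peer, port))
    return dict(probes), outbound

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Outbound flows deserve the highest priority: they indicate a compromised honeypot and are the liability case raised on slide 26.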
