0
Honeypot &Honeynet     Sina ManaviManavi.Sina@gmail.com
Content• What is Honeypot• What is Honeynet• Advantages and Disadvantages of  Honeypot/net
Definition of Honeypot:• A Honeypot is an information system resource  whose value lies in unauthorized or illicit use  of...
Honeypots value:• Prevention prevent automated attacks:(Warms and auto-rooters)• Detection identify a failure or breakdown...
How Honeypot works:       Prevent    DetectResponse                                    No connection    Attackers         ...
Architecture
Honeypot can be placed: In front of the firewall (Internet) DMZ (DeMilitarized Zone) Behind the firewall (intranet)
Honeypot Classification:By Implementation     • Virtual     • PhysicalBy purpose     • Production     • ResearchBy level o...
Implementation of Honeypot Physical    • Real machines    • Own IP Addresses    • Often high-interactive Virtual    • Simu...
Physical Honeypot vs. Virtual Honeypot• PH (Real machines, NICs, typically high-interaction)   – High maintenance cost.   ...
Propose of Honeypot:Research     Complex to deploy and maintain.     Captures extensive information.     Run by a volun...
Interaction Level: • Low Interaction • High InteractionNote: Interaction measures the amount of activity an attackercan ha...
Low Interaction vs. High Interaction                 Low-Interaction     High-Interaction Installation          Easy      ...
Example of Honeypots:•   Symantec Decoy Server (ManTrap)           High Interaction•   Honeynets•   Nepenthes•   Honeyd   ...
Honeynet History:• Informally began in April 1999• The Honeynet Project officially formed in  June 2000• Became a non-prof...
What is a Honeynet?• Actual network of computers• High-interaction honeypot• Its an architecture, not a product• Provides ...
How the Honeynet works?• Monitoring, capturing, and analyzing all the  packets entering or leaving through networks.• All ...
Honeynet Evolution•   1997, DTK (Deception Toolkit)•   1999, a single sacricial computer,•   2000, Generation I Honeynet,•...
Architecture Requirements:• Data Control• Data Capture
Data Control of the Honeynet                                    No Restrictions                                           ...
Honeynet Generations:• Gen I:  –   Simple Methodology, Limited Capability  –   Highly effective at detecting automated att...
Advantages and Disadvantages of Honeynet/potsAdvantages :   Honeypots are focused (small data sets)   Honeypots help to re...
Q&A
Thank you 1/12/2011
Upcoming SlideShare
Loading in...5
×

Honeypot honeynet

4,920

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,920
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
452
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Honeypot honeynet"

  1. 1. Honeypot &Honeynet Sina ManaviManavi.Sina@gmail.com
  2. 2. Content• What is Honeypot• What is Honeynet• Advantages and Disadvantages of Honeypot/net
  3. 3. Definition of Honeypot:• A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. - Lance Spitzner
  4. 4. Honeypots value:• Prevention prevent automated attacks:(Warms and auto-rooters)• Detection identify a failure or breakdown in prevention• Response
  5. 5. How Honeypot works: Prevent DetectResponse No connection Attackers Attack Data HoneyPot A Gateway
  6. 6. Architecture
  7. 7. Honeypot can be placed: In front of the firewall (Internet) DMZ (DeMilitarized Zone) Behind the firewall (intranet)
  8. 8. Honeypot Classification:By Implementation • Virtual • PhysicalBy purpose • Production • ResearchBy level of interaction • High • Low • Middle?
  9. 9. Implementation of Honeypot Physical • Real machines • Own IP Addresses • Often high-interactive Virtual • Simulated by other machines that: – Respond to the traffic sent to the honeypots – May simulate a lot of (different) virtual honeypots at the same time
  10. 10. Physical Honeypot vs. Virtual Honeypot• PH (Real machines, NICs, typically high-interaction) – High maintenance cost. – Impractical for large address spaces.• VH (Simulated by other machines) – Multiple virtual services and VMs on one machine. – Typically it only simulate network level interactions, but still able to capture intrusion attempts.
  11. 11. Propose of Honeypot:Research  Complex to deploy and maintain.  Captures extensive information.  Run by a volunteer(non-profit).  Used to research the threats organization face.Production  Easy to use  Capture only limited information  Used by companies or corporations  Mitigates risks in organization
  12. 12. Interaction Level: • Low Interaction • High InteractionNote: Interaction measures the amount of activity an attackercan have with a honeypot.
  13. 13. Low Interaction vs. High Interaction Low-Interaction High-Interaction Installation Easy More difficult Maintenance Easy Time consuming Risk Low High Need Control No YesData gathering Limited Extensive Interaction Emulated services Full control
  14. 14. Example of Honeypots:• Symantec Decoy Server (ManTrap) High Interaction• Honeynets• Nepenthes• Honeyd – (Vitrual honeypot)• KFSensor• BackOfficer Friendly Low Interaction
  15. 15. Honeynet History:• Informally began in April 1999• The Honeynet Project officially formed in June 2000• Became a non-profit corporation in September 2001.• Is made up of thirty Volunteer security professionals
  16. 16. What is a Honeynet?• Actual network of computers• High-interaction honeypot• Its an architecture, not a product• Provides real systems, applications, and services for attackers to interact with.• Any traffic entering or leaving is suspect”.
  17. 17. How the Honeynet works?• Monitoring, capturing, and analyzing all the packets entering or leaving through networks.• All the traffic is entering or leaving through the Honeynet is naturally suspect.
  18. 18. Honeynet Evolution• 1997, DTK (Deception Toolkit)• 1999, a single sacricial computer,• 2000, Generation I Honeynet,• 2003, Generation II Honeynet,• 2003, Honeyd software• 2004, Distributed Honeynets, Malware Collector...• 2009, Dionaea (multi stage payloads, SIP,...) Kojoney, Kippo
  19. 19. Architecture Requirements:• Data Control• Data Capture
  20. 20. Data Control of the Honeynet No Restrictions Honeypot Internet No Restrictions Honeypot No Restrictions Honeypot Internet Honeywall Connections Limited Packet Scrubbed Honeypot
  21. 21. Honeynet Generations:• Gen I: – Simple Methodology, Limited Capability – Highly effective at detecting automated attacks – Use Reverse Firewall for Data Control – Can be fingerprinted by a skilled hacker – Runs at OSI Layer 3• Gen II: – More Complex to Deploy and Maintain – Examine Outbound Data and make determination to block, pass, or modify data – Runs at OSI Layer 2
  22. 22. Advantages and Disadvantages of Honeynet/potsAdvantages : Honeypots are focused (small data sets) Honeypots help to reduce false positive Honeypots help to catch unknown attacks (false negative) Honeypots can capture encrypted activity (cf. Sebek) Honeypots work with IPv6 Honeypots are very flexible (advantage/disadvantage?) Honeypots require minimal resourcesDisadvantages : Honeypots field of view limited (focused) Risk,
  23. 23. Q&A
  24. 24. Thank you 1/12/2011
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×