4. Evolution of Honey Pots
• Firewalls (early 90's): a must have, deployed before anything else.
• Intrusion Detection Systems (IDS) (mid to late 90's): we can't guard everything, so let's watch the network for suspicious traffic.
• Honeypots (early 2000s): not only do we want to know when the black hats are attacking, but also answer the question, why? Let's learn rather than just react.
5. Concept of Honeypots
• A security resource whose value lies in being probed, attacked or compromised.
• Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.
• Used for monitoring, detecting and analyzing attacks.
• "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Source: Tracking Hackers paper)
6. Why Do We Use Honey Pots?
• An additional layer of security.
• It is a different kind of security from a firewall: a firewall works only on system security, whereas this security works at the network layer.
7. Honeypots
• A server that is configured to detect an intruder by mirroring a real production system.
• It appears as an ordinary server doing work, but all the data and transactions are phony.
• Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system.
• Set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
8. Types of Honeypots
• Generally speaking, there are two different types of honeypots: production honeypots and research honeypots.
• Production honeypots are used primarily by companies or corporations to improve their overall state of security.
• Research honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.
9. Working of Honey Pots (using Snort)
Snort Description
• Open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods.
• The most widely deployed intrusion detection and prevention technology; it has become the de facto standard technology worldwide in the industry.
• Of these tools, only Snort runs on Windows systems.
10. Working of Snort (IDS)
• The Snort monitor is invisible on the network: its interface runs in promiscuous mode.
• Two Snort sessions run side by side:
  Session 1: signature analysis (monitoring)
  Session 2: packet capture (data capture)
13. Level of Interaction
• The level of interaction determines the amount of functionality a honeypot provides.
• The greater the interaction, the more you can learn.
• The greater the interaction, the more complexity and risk.
• There is a chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.
14. Low Interaction
• Provide emulated services.
• No operating system for the attacker to access.
• Information is limited to transactional information and the attacker's activities with the emulated services.
• Some low-interaction tools are Honeyd and Specter.
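As an added example (not part of the original slides), the script below is a minimal low-interaction honeypot in Python: it emulates only an SMTP greeting and a handful of responses, gives the client nothing but a fake protocol to talk to, and records one transactional JSON line per session. The banner hostname, the listen address and the 203.0.113.x test address used later are constructed placeholders.

```python
import json
import socketserver
from datetime import datetime, timezone

# Constructed fake banner: the hostname is a placeholder, not a real system.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
# Assumed demo address; a real deployment listens on the decoy interface.
LISTEN = ("127.0.0.1", 2525)


def handle_line(line: bytes) -> tuple[bytes, bool]:
    """Emulate just enough SMTP to keep a probe talking.
    Returns (response, session_finished). Nothing is relayed or stored: the
    service only mimics the protocol, so there is no OS for an attacker to reach."""
    cmd = line.strip().upper()
    if cmd.startswith((b"HELO", b"EHLO")):
        return b"250 mail.example.invalid\r\n", False
    if cmd.startswith(b"QUIT"):
        return b"221 Bye\r\n", True
    # Every other command (VRFY, RCPT, arbitrary junk) gets a generic refusal.
    return b"502 Command not implemented\r\n", False


def make_record(peer: tuple[str, int], lines: list[bytes]) -> dict:
    """Transactional record of one session: who connected and what they sent."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "commands": [ln.decode("ascii", errors="replace").strip() for ln in lines],
    }


class EmulatedSMTP(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        seen: list[bytes] = []
        self.wfile.write(BANNER)
        while True:
            line = self.rfile.readline()
            if not line:
                break
            seen.append(line)
            response, finished = handle_line(line)
            self.wfile.write(response)
            if finished:
                break
        # One JSON line per session, suitable for shipping to a SIEM.
        print(json.dumps(make_record(self.client_address, seen)))


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, EmulatedSMTP) as server:
        server.serve_forever()
```

Because the honeypot has no production role, every line it logs is by definition suspicious traffic and can be alerted on directly.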
15. High Interaction
• Provide actual operating systems.
• Learn extensive amounts of information.
• Extensive risk.
• Some high-interaction tools are honeynets.
• Honeynets are a kind of honeypot project that is still in the development and testing stage.
17. Advantages
• Fidelity: information of high value
• Encryption or IPv6
• New tools and tactics
• Simple concept
• Not resource intensive
• Return on investment
18. Disadvantages
• Labor/skill intensive
• Risk
• Limited field of view
• Does not protect vulnerable systems
19. Today's Honeypots
• Military, government organizations and security companies are applying the technologies.
• Primarily to identify threats and learn more about them.
• Commercial application is increasing every day.
20. Future of Honey Pots
• Honeypots are now where firewalls were eight years ago.
• Beginning of the "hype curve".
• Enhanced policy enforcement capabilities.
• Advanced development in open source solutions.
• Integrated firewall/IDS/honeypot appliances.