Honeypot &Honeynet


     Sina Manavi
Manavi.Sina@gmail.com
Content
• What is Honeypot

• What is Honeynet

• Advantages and Disadvantages of
  Honeypot/net
Definition of Honeypot:
• A Honeypot is an information system resource
  whose value lies in unauthorized or illicit use
  of that resource.

  - Lance Spitzner
Honeypots value:
• Prevention
 prevent automated attacks:(Warms and auto-rooters)

• Detection
 identify a failure or breakdown in prevention

• Response
How Honeypot works:
       Prevent
    Detect
Response                                    No connection    Attackers




                 Attack Data


                               HoneyPot A




                                                   Gateway
Architecture
Honeypot can be placed:
 In front of the firewall (Internet)

 DMZ (DeMilitarized Zone)

 Behind the firewall (intranet)
Honeypot Classification:
By Implementation
     • Virtual
     • Physical
By purpose
     • Production
     • Research
By level of interaction
     • High
     • Low
     • Middle?
Implementation of Honeypot
 Physical
    • Real machines
    • Own IP Addresses
    • Often high-interactive
 Virtual
    • Simulated by other machines that:
        – Respond to the traffic sent to the honeypots
        – May simulate a lot of (different) virtual honeypots at the same
          time
Physical Honeypot vs. Virtual Honeypot

• PH (Real machines, NICs, typically high-interaction)
   – High maintenance cost.
   – Impractical for large address spaces.


• VH (Simulated by other machines)
   – Multiple virtual services and VMs on one machine.
   – Typically it only simulate network level interactions, but
     still able to capture intrusion attempts.
Propose of Honeypot:
Research
     Complex to deploy and maintain.
     Captures extensive information.
     Run by a volunteer(non-profit).
     Used to research the threats organization face.
Production
     Easy to use
     Capture only limited information
     Used by companies or corporations
     Mitigates risks in organization
Interaction Level:
 • Low Interaction



 • High Interaction



Note: Interaction measures the amount of activity an attacker
can have with a honeypot.
Low Interaction vs. High Interaction
                 Low-Interaction     High-Interaction

 Installation          Easy           More difficult

 Maintenance           Easy          Time consuming


     Risk              Low                High


 Need Control           No                 Yes


Data gathering        Limited           Extensive


 Interaction     Emulated services     Full control
Example of Honeypots:
•   Symantec Decoy Server (ManTrap)           High Interaction

•   Honeynets
•   Nepenthes
•   Honeyd
    – (Vitrual honeypot)

• KFSensor
• BackOfficer Friendly      Low Interaction
Honeynet History:
• Informally began in April 1999
• The Honeynet Project officially formed in
  June 2000
• Became a non-profit corporation in
  September 2001.
• Is made up of thirty Volunteer security
  professionals
What is a Honeynet?
• Actual network of computers
• High-interaction honeypot
• Its an architecture, not a product
• Provides real systems, applications, and
  services for attackers to interact with.
• Any traffic entering or leaving is suspect”.
How the Honeynet works?
• Monitoring, capturing, and analyzing all the
  packets entering or leaving through networks.
• All the traffic is entering or leaving through
  the Honeynet is naturally suspect.
Honeynet Evolution
•   1997, DTK (Deception Toolkit)
•   1999, a single sacricial computer,
•   2000, Generation I Honeynet,
•   2003, Generation II Honeynet,
•   2003, Honeyd software
•   2004, Distributed Honeynets, Malware Collector...
•   2009, Dionaea (multi stage payloads, SIP,...)
    Kojoney, Kippo
Architecture Requirements:
• Data Control

• Data Capture
Data Control of the Honeynet
                                    No Restrictions
                                                                  Honeypot
                Internet

                                    No Restrictions



                                                                  Honeypot




                                 No Restrictions



                                                                             Honeypot
     Internet


                                  Honeywall

                     Connections Limited        Packet Scrubbed              Honeypot
Honeynet Generations:
• Gen I:
  –   Simple Methodology, Limited Capability
  –   Highly effective at detecting automated attacks
  –   Use Reverse Firewall for Data Control
  –   Can be fingerprinted by a skilled hacker
  –   Runs at OSI Layer 3

• Gen II:
  – More Complex to Deploy and Maintain
  – Examine Outbound Data and make determination to block, pass,
  or modify data
  – Runs at OSI Layer 2
Advantages and Disadvantages of Honeynet/pots

Advantages :
   Honeypots are focused (small data sets)
   Honeypots help to reduce false positive
   Honeypots help to catch unknown attacks (false negative)
   Honeypots can capture encrypted activity (cf. Sebek)
   Honeypots work with IPv6
   Honeypots are very flexible (advantage/disadvantage?)
   Honeypots require minimal resources
Disadvantages :
   Honeypots field of view limited (focused)
   Risk,
Q&A
Thank you
 1/12/2011

Honeypot honeynet

  • 1.
    Honeypot &Honeynet Sina Manavi Manavi.Sina@gmail.com
  • 2.
    Content • What isHoneypot • What is Honeynet • Advantages and Disadvantages of Honeypot/net
  • 3.
    Definition of Honeypot: •A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. - Lance Spitzner
  • 4.
    Honeypots value: • Prevention prevent automated attacks:(Warms and auto-rooters) • Detection identify a failure or breakdown in prevention • Response
  • 5.
    How Honeypot works: Prevent Detect Response No connection Attackers Attack Data HoneyPot A Gateway
  • 6.
  • 7.
    Honeypot can beplaced:  In front of the firewall (Internet)  DMZ (DeMilitarized Zone)  Behind the firewall (intranet)
  • 8.
    Honeypot Classification: By Implementation • Virtual • Physical By purpose • Production • Research By level of interaction • High • Low • Middle?
  • 9.
    Implementation of Honeypot Physical • Real machines • Own IP Addresses • Often high-interactive Virtual • Simulated by other machines that: – Respond to the traffic sent to the honeypots – May simulate a lot of (different) virtual honeypots at the same time
  • 10.
    Physical Honeypot vs.Virtual Honeypot • PH (Real machines, NICs, typically high-interaction) – High maintenance cost. – Impractical for large address spaces. • VH (Simulated by other machines) – Multiple virtual services and VMs on one machine. – Typically it only simulate network level interactions, but still able to capture intrusion attempts.
  • 11.
    Propose of Honeypot: Research  Complex to deploy and maintain.  Captures extensive information.  Run by a volunteer(non-profit).  Used to research the threats organization face. Production  Easy to use  Capture only limited information  Used by companies or corporations  Mitigates risks in organization
  • 12.
    Interaction Level: •Low Interaction • High Interaction Note: Interaction measures the amount of activity an attacker can have with a honeypot.
  • 13.
    Low Interaction vs.High Interaction Low-Interaction High-Interaction Installation Easy More difficult Maintenance Easy Time consuming Risk Low High Need Control No Yes Data gathering Limited Extensive Interaction Emulated services Full control
  • 14.
    Example of Honeypots: • Symantec Decoy Server (ManTrap) High Interaction • Honeynets • Nepenthes • Honeyd – (Vitrual honeypot) • KFSensor • BackOfficer Friendly Low Interaction
  • 15.
    Honeynet History: • Informallybegan in April 1999 • The Honeynet Project officially formed in June 2000 • Became a non-profit corporation in September 2001. • Is made up of thirty Volunteer security professionals
  • 16.
    What is aHoneynet? • Actual network of computers • High-interaction honeypot • Its an architecture, not a product • Provides real systems, applications, and services for attackers to interact with. • Any traffic entering or leaving is suspect”.
  • 17.
    How the Honeynetworks? • Monitoring, capturing, and analyzing all the packets entering or leaving through networks. • All the traffic is entering or leaving through the Honeynet is naturally suspect.
  • 18.
    Honeynet Evolution • 1997, DTK (Deception Toolkit) • 1999, a single sacricial computer, • 2000, Generation I Honeynet, • 2003, Generation II Honeynet, • 2003, Honeyd software • 2004, Distributed Honeynets, Malware Collector... • 2009, Dionaea (multi stage payloads, SIP,...) Kojoney, Kippo
  • 19.
    Architecture Requirements: • DataControl • Data Capture
  • 20.
    Data Control ofthe Honeynet No Restrictions Honeypot Internet No Restrictions Honeypot No Restrictions Honeypot Internet Honeywall Connections Limited Packet Scrubbed Honeypot
  • 21.
    Honeynet Generations: • GenI: – Simple Methodology, Limited Capability – Highly effective at detecting automated attacks – Use Reverse Firewall for Data Control – Can be fingerprinted by a skilled hacker – Runs at OSI Layer 3 • Gen II: – More Complex to Deploy and Maintain – Examine Outbound Data and make determination to block, pass, or modify data – Runs at OSI Layer 2
  • 22.
    Advantages and Disadvantagesof Honeynet/pots Advantages : Honeypots are focused (small data sets) Honeypots help to reduce false positive Honeypots help to catch unknown attacks (false negative) Honeypots can capture encrypted activity (cf. Sebek) Honeypots work with IPv6 Honeypots are very flexible (advantage/disadvantage?) Honeypots require minimal resources Disadvantages : Honeypots field of view limited (focused) Risk,
  • 23.
  • 24.