This document discusses honeypots, which are decoy systems used to gather information about cyber attacks. Honeypots have no production value and anything accessing them is likely an unauthorized probe or attack. They are used to monitor networks for security threats without disrupting normal operations. Honeypots can be classified based on their level of interaction, implementation (physical or virtual), and purpose (production systems or research). They provide valuable security benefits like detecting intruders and gathering threat intelligence, but also have disadvantages like risks of being compromised.

1. HONEYPOTS
Monitor your Network
By:
Ravindra Singh Rathore

3. THE PROBLEM
• The Internet security is hard
– New attacks every day
– Our Websites are static targets
• What should we do?
• The more you know about your enemy, the better you can
protect yourself
• Fake target?

4. WHAT IS A HONEYPOT
A honeypot is an information system
resource whose value lies in
unauthorized or illicit use of that
resource.

5. WHAT IS A HONEYPOT
• A honeypot is a trap set to detect, deflect, or
in some manner counteract attempts at
unauthorized use of information systems
• They are the highly flexible security tool
with different applications for security. They
don't fix a single problem. Instead they have
multiple uses, such as prevention, detection, or
information gathering

6. WHAT IS A HONEYPOT
• Has no production value; anything going
to/from a honeypot is likely a probe, attack or
compromise
• Used for monitoring, detecting and analyzing
attacks

7. What Honeypots Do

8. Why we use Honeypots??
Its Different security from Firewall.
Firewall only works on System Security.
This security works on network layer.

9. Classification
By level of interaction
 High
 Low

10. Classification
By Implementation
 Physical
 Virtual

11. Classification
By Purpose
 Production
 Research

12. Level of Interaction
Low Interaction
 Simulates some aspects of the system
 Easy to deploy, minimal risk
 Limited Information
 Honeyd
High Interaction
 Simulates all aspects of the system: real systems
 Can be compromised completely, higher risk
 More Information
 Honeynet

13. Low Interaction vs. High Interaction
Low-Interaction
High-Interaction
Installation
Easy
More difficult
Maintenance
Easy
Time consuming
Risk
Low
High
Need Control
No
Yes
Data gathering
Limited
Extensive
Interaction
Emulated services
Full control

14. Physical V.S. Virtual Honeypots
– Physical
• Real machines
• Own IP Addresses
• Often high-interactive
– Virtual
• Simulated by other machines that:
– Respond to the traffic sent to the honeypots
– May simulate a lot of (different) virtual honeypots at the
same time

15. Production HPs: Protect the systems
 Prevention
 Keeping the bad guys out
 Detection
 Detecting the burglar when he breaks in.
 Great work
 Response
 Can easily be pulled offline
 Little to no data pollution

16. Research HPs: gathering information





Collect compact amounts of high value information
Discover new Tools and Tactics
Understand Motives, Behavior, and Organization
Develop Analysis and Forensic Skills
HONEYNET

17. Building your HoneyPots
 Specifying Goals
 Selecting the implementation strategies





Types, Number, Locations and Deployment
Implementing Data Capture
Logging and managing data
Mitigating Risk
Mitigating Fingerprint

18. Information Capturing Mechanisms
 Host Based
 Network Based
 Router/Gateway Based

19. Information Analysis Mechanisms





Firewall Logs
IDS Analysis
System Logs
Forensics of the Compromised Machine
Advanced Forensics of the Compromised Machine

20. How do HONEYPOTS work?

21. Location of Honeypots
In front of the
firewall
Demilitarized
Zone
Behind the
firewall (Intranet)

22. Placement of Honeypot

23. Honeyd: A virtual honeypot application, which allows us to create
thousands of IP addresses with virtual machines and
corresponding network services.

24. Honeypot Advantages
 High Data Value
- Small Data
 Low Resource Cost
- Weak or Retired system
 Simple Concept, Flexible Implementation
 Return on Investment
- Proof of Effectiveness
 Catch new attacks

25. Disadvantages
 Narrow Field of View
 Fingerprinting
 Risks?
- If being detected?
- If being compromised?
- If being mis-configured?

26. Mitigating Risks?
 Being Detected?
- Anyway honeypots can be detected
- Modifying is a good solution, but not perfect
- Fingerprinting?
 Being Exploited?

27. Legal Issues
Privacy
- No single statue concerning privacy
- Electronic Communication Privacy Act
Entrapment
- Used only to defendant to avoid conviction
- Applies only to law enforcement?
Liability
- If a Honeynet system is used to attack or damage other nonhoneynet system?

28. Conclusion
 Honeypots are not a solution, they are a
flexible tool with different applications to
security.
 Primary value in detection and information
gathering.
 Just the beginning for honeypots.

29. Q&A

30. Thank you…