2. Computer Network Security 2
Agenda
What are honeypots
What honeypots are not
Advantages and disadvantages
Comparison of products
Honeyd
Honeynets
Honeypots
“The secret to good defence is good offence”
Unlike firewalls or Intrusion Detection Systems,
honeypots do not solve a specific problem.
Instead, they are a highly flexible tool that comes in many
shapes and sizes. They can do everything from detecting
encrypted attacks in IPv6 networks to capturing the latest
in on-line credit card fraud.
It is this flexibility that gives honeypots their true power.
“A security resource whose value lies in being probed,
attacked or compromised”
(Larry Spitzner)
They are a resource that has no authorized activity and no
production value.
Honeypots:
Theoretically, a honeypot should see no traffic
because it has no legitimate activity. This means
any interaction with a honeypot is most likely
unauthorized or malicious activity.
Any connection attempts to a honeypot are most
likely a probe, attack, or compromise.
A tool for:
Detecting attackers
Observing and monitoring attack methods
Potentially trapping a prospective attacker
Providing early warning of attacker
Can capture known as well as unknown attacks.
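A toy low-interaction honeypot that makes this slide concrete (added example, not part of the original lecture or any named product): it listens on a few TCP ports, answers with a fake banner, records one compact alert per connection and closes. Because the host has no legitimate users, no classification is needed; the connection itself is the event. The banner strings, the 64-byte capture limit and the record layout are constructed assumptions.

```python
"""Toy low-interaction honeypot: every TCP connection is an alert."""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed fake banners for the emulated ports (assumption: a real
# deployment would mirror whatever services its real neighbours run).
BANNERS = {
    21: b"220 ProFTPD 1.3.3 Server ready.\r\n",
    22: b"SSH-2.0-OpenSSH_5.3\r\n",
    23: b"login: ",
    25: b"220 mail.example.test ESMTP\r\n",
}
DEFAULT_BANNER = b""   # unknown port: accept, record, say nothing


def banner_for(port):
    """Return the bytes the emulated service sends on connect."""
    return BANNERS.get(port, DEFAULT_BANNER)


def make_alert(peer_ip, peer_port, local_port, first_bytes, when=None):
    """Build one compact alert record. Only the first 64 bytes the client
    sent are kept, so the per-event footprint stays small and the log
    remains a small, high-value data set rather than a packet capture."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": local_port,
        "service": "emulated" if local_port in BANNERS else "listen-only",
        "first_bytes": first_bytes[:64].decode("latin-1"),
    }


def handle(conn, peer, local_port, sink):
    """Serve one connection: send the banner, grab whatever the client
    sends first, hand the alert to `sink`, close. No real service runs."""
    try:
        conn.settimeout(5)
        conn.sendall(banner_for(local_port))
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        sink(make_alert(peer[0], peer[1], local_port, data))
    finally:
        conn.close()


def listen_on(port, sink, bind_ip="0.0.0.0"):
    """Start a background listener for one emulated port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(16)

    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, port, sink),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Ports below 1024 need root; prints one JSON line per connection.
    for p in BANNERS:
        listen_on(p, lambda alert: print(json.dumps(alert)))
    threading.Event().wait()   # run until killed
```

Run it on an otherwise idle address and every line it prints is worth reading; that is the "small data sets of high value" property the later slides describe.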
Honeypots: what they are not
A security fix
A barrier to attacks
A substitute for securing your host and
network
Advantages
Small data sets of high value:
Honeypots collect small amounts of information.
Instead of logging one GB of data a day, they can log
only one MB of data a day. Instead of generating
10,000 alerts a day, they can generate only 10 alerts a
day.
As such, honeypots reduce 'noise' by collecting only
small data sets, but information of high value.
Minimal resources:
Honeypots require minimal resources because they only
capture bad activity.
This means an old Pentium computer with 128MB of
RAM can easily handle an entire class B network
Advantages
Encryption or IPv6:
Unlike most security technologies (such as IDS
systems) honeypots work fine in encrypted or IPv6
environments.
It does not matter what the bad guys throw at a
Honeypot, the Honeypot will detect and capture it.
Simplicity:
Finally, honeypots are conceptually very simple.
There are no fancy algorithms to develop, state tables
to maintain, or signatures to update.
Disadvantages
Value if not attacked:
None
Limited view:
Honeypots can only track and capture activity
that directly interacts with them.
Honeypots will not capture attacks against
other systems
Fingerprinting:
An incorrectly implemented honeypot can reveal itself
to an attacker, and with it the other honeypots around it.
Honeyd
Open source
Runs on Unix
Low interaction
Emulated services to deceive attacker and
capture activity
Highly customizable (open source)
Detects activity on any TCP port
Can monitor millions of non-existent IP
addresses
Honeyd
Can simultaneously assume IP addresses of
thousands of victims and actively interact with
attackers (has been tested with 60,000)
Can emulate many different OSs at the same time
(Specter can emulate 13 different OSs, but only
one at a time)
Emulates not only OS but also the proper TCP/IP
stack unlike BOF and Specter
Honeyd Disadvantages
Only TCP services, not UDP
ICMP: echo request and reply only
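The three Honeyd slides above describe templates (a personality per emulated OS, a script per emulated TCP port) bound to many unused addresses at once. The following added example, written for this page and not taken from the Honeyd project, renders such a configuration in Honeyd's `create` / `set` / `add` / `bind` syntax for two templates across two /24 ranges, and refuses non-TCP services to match the limitation stated on the disadvantages slide. The template names, scripts, address ranges and personality strings are constructed; personality strings must match entries in the `nmap.prints` file shipped with your Honeyd, so check them before use.

```python
"""Render a Honeyd configuration for many virtual hosts from one description."""
import ipaddress

# Constructed example description (assumption: scripts/*.sh exist and the
# personality strings are present in the local nmap.prints).
TEMPLATES = {
    "win2k": {
        "personality": "Microsoft Windows 2000 SP4",
        "default_tcp": "reset",
        "tcp": {80: "sh scripts/web.sh", 139: "open", 445: "open"},
    },
    "linux": {
        "personality": "Linux 2.4.20",
        "default_tcp": "reset",
        "tcp": {22: "sh scripts/ssh.sh", 25: "sh scripts/smtp.sh"},
    },
}
BINDINGS = {"win2k": "10.0.1.0/24", "linux": "10.0.2.0/24"}

# Built-in actions Honeyd accepts without quotes; anything else is a command.
BUILTIN_ACTIONS = {"open", "block", "reset", "tarpit"}


def validate(name, spec):
    """Reject descriptions this generator cannot express: per the slide,
    only TCP services are emulated, so a 'udp' section is an error."""
    if "udp" in spec:
        raise ValueError(f"template {name}: only TCP services are supported")
    if spec["default_tcp"] not in BUILTIN_ACTIONS:
        raise ValueError(f"template {name}: bad default action")
    for port in spec["tcp"]:
        if not 0 < port < 65536:
            raise ValueError(f"template {name}: bad port {port}")


def render_template(name, spec):
    """One template: personality, default action, then each emulated port."""
    validate(name, spec)
    lines = [
        f"create {name}",
        f'set {name} personality "{spec["personality"]}"',
        f"set {name} default tcp action {spec['default_tcp']}",
    ]
    for port, action in sorted(spec["tcp"].items()):
        if action in BUILTIN_ACTIONS:
            lines.append(f"add {name} tcp port {port} {action}")
        else:
            lines.append(f'add {name} tcp port {port} "{action}"')
    return lines


def render_bindings(name, cidr):
    """One bind line per usable host address, so a /24 yields 254 victims."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [f"bind {ip} {name}" for ip in net.hosts()]


def render_config(templates=TEMPLATES, bindings=BINDINGS):
    """Full honeyd.conf text: all templates first, then all bindings."""
    out = []
    for name, spec in templates.items():
        out.extend(render_template(name, spec))
        out.append("")
    for name, cidr in bindings.items():
        out.extend(render_bindings(name, cidr))
    return "\n".join(out) + "\n"


def count_bindings(config_text):
    """How many virtual hosts the rendered config claims."""
    return sum(1 for line in config_text.splitlines() if line.startswith("bind "))


if __name__ == "__main__":
    print(render_config(), end="")
```

Writing the output to a file and starting Honeyd with it (`honeyd -f honeyd.conf`) is the normal workflow; the generator exists only so that hundreds of `bind` lines and several templates can be produced consistently.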
Honeynets
Honeynets are a prime example of a high-interaction
honeypot
Honeynets are an architecture, an entire network of
Honeypots.
Due to the size of a production network and the
amount of traffic, extensive logging cannot be
deployed
We can use honeynets instead
A network of actual systems running real operating
systems
Not a single product but composed of multiple
technologies and tools
Honeynets
Data control:
managing or tracking traffic to and from a honeynet. You
don’t want complaints about malicious activity from your
honeynet.
But we don’t want attackers to know that they are in a
controlled environment either
Techniques for data control:
• Connection control: limit the outbound connections
• Bandwidth control: set a limit on the bandwidth
Data capture:
logging of entire attacker activity
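The two data-control techniques on this slide, connection control and bandwidth control, as an added example that is not part of the original lecture: a gateway decision function that never limits traffic entering the honeynet (attackers must get in) but caps how many outbound connections each honeypot may open per time window and how many bytes per second the honeynet as a whole may send out. The honeynet prefix, the limits and the sample flow records are constructed; a real Gen I or Gen II gateway would enforce the same policy in its firewall or bridge rules.

```python
"""Honeynet data control: outbound connection limit plus bandwidth cap."""
import ipaddress
from collections import deque


class ConnectionControl:
    """Allow at most `limit` new outbound connections per honeypot per
    `window` seconds. Enough for an attacker to fetch tools and look
    normal, too few to make the honeynet a useful attack platform."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.history = {}   # honeypot ip -> deque of connection timestamps

    def allow(self, src_ip, now):
        q = self.history.setdefault(src_ip, deque())
        while q and now - q[0] >= self.window:   # expire old entries
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class BandwidthControl:
    """Token bucket shared by the whole honeynet: `rate` bytes per second
    sustained, at most `burst` bytes at once."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = 0.0

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def gateway_decision(pkt, conn_ctl, bw_ctl, honeynet):
    """Decide for one flow record: dict with src, dst, syn, bytes, ts.
    Inbound traffic is always allowed; only honeynet-originated traffic
    is subject to data control."""
    if ipaddress.ip_address(pkt["src"]) not in honeynet:
        return "ALLOW"
    if pkt["syn"] and not conn_ctl.allow(pkt["src"], pkt["ts"]):
        return "DROP:connection-limit"
    if not bw_ctl.allow(pkt["bytes"], pkt["ts"]):
        return "DROP:bandwidth"
    return "ALLOW"


# Constructed sample flows: an attacker comes in, then a compromised
# honeypot tries to fan out and to push a large upload.
HONEYNET = ipaddress.ip_network("10.0.0.0/24")
SAMPLE_FLOWS = [
    {"src": "203.0.113.9", "dst": "10.0.0.5", "syn": True, "bytes": 60, "ts": 0},
    {"src": "10.0.0.5", "dst": "198.51.100.1", "syn": True, "bytes": 60, "ts": 1},
    {"src": "10.0.0.5", "dst": "198.51.100.2", "syn": True, "bytes": 60, "ts": 2},
    {"src": "10.0.0.5", "dst": "198.51.100.3", "syn": True, "bytes": 60, "ts": 3},
    {"src": "10.0.0.5", "dst": "198.51.100.4", "syn": True, "bytes": 60, "ts": 4},
    {"src": "10.0.0.5", "dst": "198.51.100.1", "syn": False, "bytes": 8000, "ts": 5},
    {"src": "10.0.0.6", "dst": "198.51.100.9", "syn": True, "bytes": 60, "ts": 6},
    {"src": "10.0.0.5", "dst": "198.51.100.5", "syn": True, "bytes": 60, "ts": 3605},
]


def run(flows=SAMPLE_FLOWS, limit=3, window=3600, rate=1000, burst=5000):
    """Apply the policy to a flow list and return one decision per flow."""
    conn_ctl = ConnectionControl(limit, window)
    bw_ctl = BandwidthControl(rate, burst)
    return [gateway_decision(f, conn_ctl, bw_ctl, HONEYNET) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run()):
        print(f"{flow['ts']:>5}s {flow['src']:>13} -> {flow['dst']:<13} {verdict}")
```

Dropped outbound attempts are themselves valuable data capture: they show what the attacker tried to do next, which is exactly the information a honeynet exists to collect.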
Honeynets
Data collection:
collecting data from multiple honeynets to a central
location
Honeynet architectures:
Gen I
Gen II
Gen I Honeynets
Simple architecture
Simple data capture and data control
techniques sometimes make it detectable by
attackers
Places a layer 3 firewall in front of the
honeynet for data control and capture.
Logs are available from multiple levels:
Firewall logs
IDS logs
System logs
Gen II Honeynets
Gateway is a layer 2 device, which makes it
harder to detect
Firewall works in bridge mode
Also has IPS capability
Sebek client/server tool: a kernel module that
logs to a remote syslog server over UDP and
hides its activity from the attacker
Also has data collection capability
Also provides alerts when an attack occurs