Honey Pots

Published on July 2016

HoneyPots

Submitted By: Bala M.Tech 1st yr. Renu

Problem
• Internet security is hard
– New attacks every day
– Our computers are static targets

• What should we do?
• The more you know about your enemy, the better you can protect yourself
• Fake target?

Solutions? Air Attack

[Figure: air-attack analogy with a Real target and a Fake target; caption text: "A Detected…."]

Honeypots?
• Fake Target Resources
• Collect Information

Definition
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
• Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
• Honeypots do not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.

Classification
• By level of interaction
    • High
    • Low

• By implementation
    • Virtual
    • Physical

• By purpose
    • Production
    • Research

Level of Interaction
• Low Interaction
    • Simulates some aspects of the system
    • Easy to deploy, minimal risk
    • Limited Information
    • Honeyd

• High Interaction
    • Simulates all aspects of the OS: real systems
    • Can be compromised completely, higher risk
    • More Information
    • Honeynet

Level of Interaction

[Figure: interaction scale from Low to High; labels: Fake Daemon, Operating system, Disk, Other local resource]
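
The low-interaction idea above (a fake daemon that simulates only one aspect of a service and records who touches it), as an added example that is not part of the original slides and is not Honeyd's code. The banner text, port 2121 and log file name are constructed for illustration.

```python
import json
import socket
import time

BANNER = b"220 FTP server ready\r\n"  # constructed banner; no real service behind it
MAX_BYTES = 1024                       # cap on how much is read from a peer
TIMEOUT = 5.0                          # seconds to wait for the peer's first bytes


def handle_session(conn, peer):
    """Send the fake banner, capture the peer's first bytes, return one event."""
    conn.settimeout(TIMEOUT)
    data = b""
    try:
        conn.sendall(BANNER)
        data = conn.recv(MAX_BYTES)
    except OSError:  # timeout, reset or closed peer: the contact is still logged
        pass
    finally:
        conn.close()
    return {
        "ts": time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        # Input is only recorded, never interpreted or executed.
        "data": data.decode("latin-1"),
    }


def serve(host="0.0.0.0", port=2121, logfile="honeypot.jsonl"):
    """Accept connections forever, appending one JSON line per contact."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            event = handle_session(conn, peer)
            with open(logfile, "a") as fh:
                fh.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    serve()
```

Because the listener has no production value, every line written to the log is a contact worth reviewing; the "limited information" trade-off shows in that only the source address and the first bytes are captured.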

Physical vs. Virtual Honeypots
• Two types
– Physical
    • Real machines
    • Own IP addresses
    • Often high-interaction

– Virtual
    • Simulated by other machines that:
        – Respond to the traffic sent to the honeypots
        – May simulate a lot of (different) virtual honeypots at the same time

Production HPs: Protect the systems
• Prevention
    • Keeping the bad guys out
    • Honeypots are not effective prevention mechanisms
    • Deception, deterrence and decoys do NOT work against automated attacks: worms, auto-rooters, mass-rooters

• Detection
    • Detecting the burglar when he breaks in
    • Honeypots work great for detection

• Response
    • Can easily be pulled offline
    • Little to no data pollution

How do HPs work?

[Figure: attackers reach HoneyPot A through a gateway; labels: Prevent, Detect, Response, Monitor, Attack Data, No connection]

Research HPs: gathering information
• Collect compact amounts of high value information
• Discover new Tools and Tactics
• Understand Motives, Behavior, and Organization
• Develop Analysis and Forensic Skills

Advantages of Honey Pots
• Small data sets of high value
• Capture the new tools and tactics
• Minimal resources
• Encryption or IPv6
• Simplicity

Disadvantages
• Limited view
• Risk

Architecture and Working of Honeyd

Architecture and Working of Honeynet

• Data Controls
• Data Capture
• Data Analysis
• Data Collection

Advantages
• High Data Value
• Low Resource Cost
• Simple Concept, Flexible Implementation
• Catch new attacks

Disadvantages
• Violation
• Disabling
• Detection
• Risky

