Honeypots are an exciting new technology. They allow us to turn the tables on the bad guys. A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised in order to gain more information about the attacker and the tools used. Our discussion in this paper is to show the possibilities of honeypots and their use in research as well as in productive environments. Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, since all observed traffic is suspicious: no productive components are running on the system.
INTRODUCTION
Global communication is getting more important every day. At the same time, computer crime is increasing. Countermeasures are developed to detect or prevent attacks; most of these measures are based on known facts and known attack patterns. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering as much information as possible is one main goal of a honeypot.
A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community, catching them in action in order to press charges against them. The focus lies on the silent collection of as much information as possible about their attack patterns, the programs they use, the purpose of the attack and the blackhat community itself.
Honeypots are not the perfect solution for solving or preventing computer crimes. Honeypots are hard to maintain and they need good knowledge about operating systems and network security. In the right hands a honeypot is an effective tool for information gathering. In the wrong, inexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
HONEYPOT BASICS
A honeypot is a resource whose value lies in being attacked and compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited.
Honeypots do not fix anything. They provide us with additional, valuable information.
A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about the attack and the attacker.
Value of honeypots:
There are two categories of honeypots:
- Production honeypots
- Research honeypots
A production honeypot is used to help mitigate risk in an organization, while the second category is meant to gather as much information as possible. Research honeypots do not add any security value to an organization, but they can help to understand the blackhat community and their attacks, as well as to build better defenses against security threats. A properly constructed honeypot is put on a network which closely monitors the traffic to and from the honeypot. This data can be used for a variety of purposes:
- Forensics: analyzing new attacks and exploits
- Trend analysis: looking for changes over time in the types of attacks, techniques, etc.
- Identification: tracking the bad guys back to their home machines to figure out who they are
- Sociology: learning about the bad guys as a group by snooping on email, IRC traffic, etc. which happens to traverse the honeypot
In general, all traffic from and to a honeypot is unauthorized activity. All the data that is collected by a honeypot is therefore interesting data. Data collected by the honeypot is of high value and can lead to better understanding and knowledge, which in turn can help to increase overall network security.
One can also argue that a honeypot can be used for prevention, because it can deter attackers from attacking other systems by occupying them long enough and binding their resources.
CONCEPTUAL DETAILS
Low-involvement honeypot: A low-involvement honeypot typically only provides certain fake services. In a basic form, these services could be implemented by having a listener on a specific port.
In such a way, all incoming traffic can easily be recognized and stored. With such a simple solution it is not possible to catch the communication of complex protocols. On a low-involvement honeypot there is no real operating system that the attacker can operate on.
This minimizes the risk significantly, because the complexity of an operating system is eliminated. On the other hand, this is also a disadvantage. It is not possible to watch an attacker interacting with an operating system, which could be really interesting. A low-involvement honeypot is like a one-way connection. We only listen; we do not ask any questions.
Mid-involvement honeypot: A mid-involvement honeypot provides more to interact with, but still does not provide a real underlying operating system. The fake daemons are more sophisticated and have deeper knowledge about the specific services they provide. At the same time, the risk increases. The probability that an attacker can find a security hole or vulnerability gets bigger, because the complexity of the honeypot is increasing.
Through the higher level of interaction, more complex attacks are possible and can therefore be logged and analyzed. The attacker gets a better illusion of a real operating system. He has more possibilities to interact with and probe the system. Developing a mid-involvement honeypot is complex and time consuming. Special care has to be taken with security checks, as all developed fake daemons need to be as secure as possible.
High-involvement honeypot: A high-involvement honeypot has a real underlying operating system. This leads to a much higher risk, as the complexity increases rapidly. At the same time, the possibilities to gather information, the possible attacks as well as the attractiveness increase a lot. As soon as a hacker has gained access, his real work and therefore the interesting part begins.
A high-involvement honeypot is very time consuming. The system should be constantly under surveillance. A honeypot which is not under control is not of much help and can even become a danger or security hole itself. It is very important to limit a honeypot's access to the local intranet, as the honeypot can be used by blackhats as if it were a real compromised system. Limiting outbound traffic is also an important point to consider, as the danger once a system is fully compromised can thereby be reduced.
By providing a full operating system to the attacker, he has the possibility to upload and install new files. This is where the high-involvement honeypot can show its strength, as all of his actions can be recorded and analyzed.
HONEYPOT LOCATION
A honeypot does not need a certain surrounding environment, as it is a standard server with no special needs. A honeypot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches than others.
A honeypot can be used on the Internet as well as on the intranet, based on the needed service. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is wished. If the main concern is the Internet, a honeypot can be placed at the following locations:
1. In front of the firewall (Internet)
2. DMZ
3. Behind the firewall (Intranet)
In front of the firewall: By placing the honeypot in front of the firewall, the risk for the internal network does not increase. A honeypot will attract and generate a lot of unwanted traffic like port scans or attack patterns. By placing a honeypot outside the firewall, such events do not get logged by the firewall and an internal IDS system will not generate alerts. Otherwise a lot of alerts would be generated on the firewall or IDS.
Probably the biggest advantage is that the firewall or IDS is not affected. Running a honeypot does therefore not increase the dangers for the internal network, nor does it introduce new risks.
DMZ: Placing a honeypot inside the DMZ seems a good solution as long as the other systems inside the DMZ can be secured against the honeypot.
Most DMZs are not fully accessible, as only needed services are allowed to pass the firewall. In such a case, placing the honeypot in front of the firewall should be favored, as opening all corresponding ports on the firewall is too time consuming and risky.
Behind the firewall: A honeypot behind a firewall can introduce new security risks to the internal network, especially if the internal network is not secured against the honeypot through additional firewalls. This could be a special problem if IP addresses are used for authentication.
By placing the honeypot behind a firewall, it is unavoidable to adjust the firewall rules if access from the Internet should be permitted. The biggest problem arises as soon as the internal honeypot is compromised by an external attacker. He gains the possibility to access the internal network through the honeypot.
This traffic will not be stopped by the firewall, as it is regarded as traffic to the honeypot only, which in turn is granted. Securing an internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot. The main reason for placing a honeypot behind a firewall could be to detect internal attackers.
The best solution would be to run a honeypot in its own DMZ, therefore with a preliminary firewall. The firewall could be connected directly to the Internet or intranet, depending on the goal. This approach enables tight control as well as a flexible environment with maximal security.
HOST BASED INFORMATION GATHERING
This section will discuss possibilities for gaining information about what is going on on a honeypot by installing information gathering mechanisms on the honeypot itself.
BASIC POSSIBILITIES
Information gathering facilities can basically be grouped into two categories: facilities that generate streams of information, and facilities that offer the possibility to peek into the system and get information about a certain state of the honeypot.
Microsoft Windows: One could think the large amount of observed attacks on systems running the MS Windows operating system makes them ideal for the honeypot, but unfortunately the structure of this operating system makes data gathering rather difficult.
Until today the source code of Microsoft's operating system is not freely available, which means that changes to the operating system are very hard to achieve.
UNIX derivatives: UNIX-derived operating systems offer interesting opportunities for deploying data gathering mechanisms, since all of their components are available as source code.
Network based information gathering: Host based information gathering is always located at the host itself and is therefore vulnerable to detection, and once detected it can also be disabled. Network based information gathering does not have to be located on the honeypot itself. It can also be implemented in an invisible way, as network traffic only gets analyzed but not manipulated. Network based information gathering is safer, as it is harder to detect and quite impossible to disable.
ATTRACTIVENESS
Being the owner of a honeypot can be an interesting experience, but what if the members of the blackhat community do not find their way to the honeypot or, even more dramatically, are not interested in the honeypot at all?
One approach to lure attackers is the offering of interesting services on the honeypot. Of course the question arises what an interesting service is or what it should look like.
ADVANTAGES
- Small data sets: Honeypots only collect attack or unauthorized activity, dramatically reducing the amount of data they collect. Organizations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.
- False positives: Honeypots dramatically reduce false alerts, as they only capture unauthorized activity.
- False negatives: Honeypots can easily identify and capture new attacks never seen before.
- Minimal resources
CONCLUSION
A honeypot is not a solution to network security, but a good tool that supplements other security technologies to form an alternative active defense system for network security. Working with IDS and firewalls, a honeypot provides a new way to attack prevention, detection and reaction. A honeypot is just a tool. How you use that tool is up to you. There are a variety of honeypot options, each having different value to organizations.