
THE HONEYPOT

CONTENTS
Introduction
What is a honeypot?
Advantages
Disadvantages
Types
Architecture
Deployment procedures
Legal issues
Summary
References

INTRODUCTION
The best defense is a good offense. The idea behind a honeypot is to create a virtual, or in some scenarios a real, system and make it visible to attackers so that they probe and compromise it. The system keeps track of all activity against it, and the logged information is later analyzed so that the production services and network can be secured against the new threats that were observed.

What is a Honeypot?

Lance Spitzner: "A honeypot is a security resource whose value lies in being probed, attacked, or compromised."

Honeypot Overview
Honeypots are not a single tool but a highly flexible technology.
Honeypots come in a variety of shapes and sizes.
Honeypots have a variety of values.

Values of honeypot
The main value of a honeypot lies in being attacked, so that the administrator can study the attacks and the kinds of attacks being used. Honeypots apply to three areas of security: prevention, detection and reaction.

Advantages
Small data sets of high value
Any traffic reaching a honeypot is suspicious by definition, so the logs are small and easy to analyze.
Very flexible
Does not rely on a fixed signature database, so it allows the detection of new and unknown methods and tools.

Minimal resources
A honeypot typically does not suffer from resource exhaustion, since it only handles the traffic aimed at it.

Simple
Honeypots are simple to install and maintain

Disadvantages

Limited view
A honeypot can only observe interactions with itself. It is not a sniffer and cannot log actions against other production systems on the network.

Risk
Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. Risk is variable, depending on how one builds and deploys the honeypot.

Classifications of Honeypots
Honeypots are classified by the purpose of their deployment (production vs. research) and by their level of interaction with the intruder (low vs. high).
Production honeypots
Research honeypots

Production Honeypots
Mitigate risk in an organization and add value to its security measures. Their job is to detect and deal with attackers. Easy to use, but capture only limited information. Used by commercial organizations to help protect their networks.

Research Honeypots
Give us a platform to study threats. Their job is to gather information about attackers. Complex to deploy and maintain, but capture extensive information.
Used by organizations such as universities, governments, the military and security research organizations.

Classification based on their interaction with the intruder:
Low-interaction
High-interaction


Note: Interaction measures the amount of activity an attacker can have with a honeypot.

Low-Interaction Honeypots
Give the outsider only a small, emulated set of activities to perform on the system.

Limited access to and interaction with the underlying operating system. Easier to deploy and maintain.
Less risky, since attackers have little to interact with on the real OS. Can be easily detected by experienced attackers.

High-Interaction Honeypots
The main objective is a full study of the attackers. They involve real operating systems and applications. They are complex to implement, and an extensive amount of information is captured.

But what good is it?


Collect data
Allows researching attackers methods and tools and developing counter-tools.

Prevention
Sticky honeypots slow down an attacker's scanning by responding slowly. If the use of honeypots is publicly known, it may deter attackers from attacking the network for fear of being caught.

Detection and Response


If a honeypot detects suspicious activity it can send an e-mail or SMS to a network administrator. A honeypot is a non-essential system, so taking it offline to analyze the damage done by an attack is far less harmful and disruptive to the functionality of the network than taking a production system offline.

Our Solution: the path to implementation

Honeypot Architecture
The program is divided into two main applications.
GUI: allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics.
Honeypot_Core: creates and maintains the servers, collects the data from the users and updates the databases.

How do HPs work?
[Diagram: attackers send attack data through a gateway to Honeypot A; the honeypot prevents, detects, responds and monitors; it has no connection to the production systems.]

Honeypot Architecture
[Block diagram: the GUI talks to the Honeypot Core over a WinSock medium; the core runs an HTTP server and a Telnet server and writes to three databases: a malicious string DB, an HTTP transactions DB and a Telnet login DB.]

Honeypot Architecture
Communication between the GUI and the core is done over Winsock. Why Winsock?
We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers: using Winsock allows running the GUI on one machine while controlling the others over the network.
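The core described in the architecture above (fake HTTP and Telnet servers, a malicious string DB, an HTTP transactions DB and a Telnet login DB, plus the alerting from the "Detection and Response" slide and the slow responses of a sticky honeypot) can be sketched as a small low-interaction honeypot. The following is an added example written for this page, not the project's own code: the port numbers, the banner, the signature strings and the SQLite schema are all assumptions chosen for illustration, and the server is deliberately emulated rather than a real OS, so an attacker gets nothing to pivot from.

```python
"""Minimal low-interaction honeypot core: fake HTTP and Telnet services that
record every interaction, flag known malicious strings and raise an alert.
Added example for this page; ports, banner and signatures are assumptions."""
import asyncio
import sqlite3
from datetime import datetime, timezone

# Constructed "malicious string DB": a few classic attack fragments, not a real feed.
MALICIOUS_STRINGS = ("../", "/etc/passwd", "cmd.exe", "' OR 1=1", "<script", "%00")


def now() -> str:
    return datetime.now(timezone.utc).isoformat()


def find_malicious(data: str) -> list:
    """Return every known-bad substring present in data (case-insensitive)."""
    low = data.lower()
    return [s for s in MALICIOUS_STRINGS if s.lower() in low]


class HoneypotCore:
    """Holds the transaction and login databases and the alert hook."""

    def __init__(self, alert=print):
        self.db = sqlite3.connect(":memory:")  # assumption: in-memory DB for the demo
        self.db.execute("CREATE TABLE http_transactions (ts TEXT, peer TEXT, request TEXT, flags TEXT)")
        self.db.execute("CREATE TABLE telnet_logins (ts TEXT, peer TEXT, username TEXT, password TEXT)")
        self.alert = alert  # e-mail/SMS hook; here just a callable

    def record_http(self, peer: str, request: str) -> list:
        flags = find_malicious(request)
        self.db.execute("INSERT INTO http_transactions VALUES (?,?,?,?)",
                        (now(), peer, request, ",".join(flags)))
        if flags:
            self.alert(f"HTTP from {peer} matched {flags}")
        return flags

    def record_telnet(self, peer: str, username: str, password: str) -> None:
        self.db.execute("INSERT INTO telnet_logins VALUES (?,?,?,?)",
                        (now(), peer, username, password))
        # Nobody legitimately logs in to a honeypot, so every attempt is alert-worthy.
        self.alert(f"Telnet login attempt from {peer}: {username!r}/{password!r}")

    def http_response(self, peer: str, raw: bytes) -> bytes:
        """Log the request, always answer with a bland static page."""
        self.record_http(peer, raw.decode("latin-1", "replace"))
        body = b"<html><body>It works!</body></html>"
        head = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Length: %d\r\n\r\n" % len(body)
        return head + body

    def stats(self) -> dict:
        q = lambda sql: self.db.execute(sql).fetchone()[0]
        return {"http_total": q("SELECT COUNT(*) FROM http_transactions"),
                "http_flagged": q("SELECT COUNT(*) FROM http_transactions WHERE flags <> ''"),
                "telnet_logins": q("SELECT COUNT(*) FROM telnet_logins")}


class TelnetSession:
    """Two-state login emulation: collect a username, then a password, always reject."""
    BANNER = b"\r\nUbuntu 8.04 LTS\r\n\r\nlogin: "  # constructed banner

    def __init__(self, core: HoneypotCore, peer: str):
        self.core, self.peer, self.user = core, peer, None

    def feed(self, line: str) -> bytes:
        if self.user is None:
            self.user = line
            return b"Password: "
        self.core.record_telnet(self.peer, self.user, line)
        self.user = None
        return b"\r\nLogin incorrect\r\n\r\nlogin: "


async def serve(core: HoneypotCore, http_port=8080, telnet_port=2323, delay=0.0):
    """Run both fake services; delay > 0 turns this into a sticky honeypot."""
    async def http(reader, writer):
        peer = writer.get_extra_info("peername")[0]
        raw = await reader.read(4096)
        await asyncio.sleep(delay)  # slow the scanner down
        writer.write(core.http_response(peer, raw))
        await writer.drain()
        writer.close()

    async def telnet(reader, writer):
        peer = writer.get_extra_info("peername")[0]
        session = TelnetSession(core, peer)
        writer.write(TelnetSession.BANNER)
        while line := await reader.readline():
            await asyncio.sleep(delay)
            writer.write(session.feed(line.decode("latin-1", "replace").strip()))
            await writer.drain()
        writer.close()

    s1 = await asyncio.start_server(http, "0.0.0.0", http_port)
    s2 = await asyncio.start_server(telnet, "0.0.0.0", telnet_port)
    async with s1, s2:
        await asyncio.gather(s1.serve_forever(), s2.serve_forever())


if __name__ == "__main__":
    asyncio.run(serve(HoneypotCore(), delay=2.0))  # 2 s per response: sticky mode
```

Point a browser at `/../../etc/passwd` on port 8080 or run `telnet localhost 2323` and type any credentials: each interaction lands in the database and fires the alert hook, and `stats()` is what the GUI would query for its statistics view. The services are pure emulation, which is the low-interaction trade-off from the slides: little risk, easy to maintain, but easily fingerprinted by an experienced attacker.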

Deployment procedures
Deploying a physical honeypot can be very time intensive and expensive, as different operating systems may require specialized hardware. Additionally, every honeypot requires its own physical system and numerous configuration settings. Below are some generalized steps used to deploy a basic honeypot.

Select Hardware for the Host


Find a machine that you are willing to sacrifice to being exploited, hacked and potentially purged of all data. This can be any computer capable of running the software for data capture and control.

Operating system installation


Either make the necessary modifications to the current operating system or perform a clean installation of a base operating system onto the machine.

Network architecture
Design a network architecture that captures and logs intruder traffic for analysis while preventing unauthorized access to other machines on your LAN. Place and connect your network devices so that there are clearly defined areas of your network where intruder traffic is expected and areas where intruder traffic is not allowed.

Legal issues
There are three main issues that are commonly discussed:
Liability
Privacy
Entrapment

Summary
Honeypots are good resources for tracing attackers. The value of a honeypot is in being hacked. Honeypots have their own pros and cons, and the technology is still developing.

REFERENCES
http://project.honeynet.org/papers/honeynet/
http://www.securityfocus.com
http://www.honeypots.com
http://www.spitzner.net
Greg M. and Jake Branson, "Understanding Network Threats through Honeypot Deployment".

THANKS!
