INTRODUCTION
A honeypot is a resource whose value lies in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything; they provide us with additional, valuable information.
A honeypot is a resource which pretends to be a real target. The main goals are the distraction of an attacker and the gain of information about an attack and the attacker. Honeypots do not help directly in increasing a computer network's security. On the contrary, they attract intruders and can therefore draw interest from the blackhat (hacker) community to the network where the honeypot is located. An Intrusion Detection System (IDS) plays an important part in nearly every honeypot, and especially in honeynets, as it is an essential component in gathering information.
There are two categories of honeypots:
1. Production Honeypots
2. Research Honeypots
LEVEL OF INTERACTION
Honeypots can also be classified by level of interaction. The level of interaction measures the degree to which an attacker can interact with the operating system. Three groups of interaction are distinguished:
A. Low-interaction
Only parts of (vulnerable) applications or operating systems are emulated by software (e.g. honeyd); there is no real interaction.
i)
functionality
solutions.
than
high-interaction
Disadvantages
i) As attackers have greater interaction, you must deploy this interaction in a secure manner.
ii) An attacker might be able to access the underlying operating system (dangerous!).
iii) Logging, monitoring and analyzing can be very complex.
C. High-interaction
i) High-interaction honeypots are the extreme of honeypot technologies.
ii) They provide an attacker with a real operating system where nothing is emulated or restricted.
iii) Ideally you are rewarded with a vast amount of information about attackers: their motivation, actions, tools, behaviour, level of knowledge, origin, identity etc.
iv) The attacker is controlled at the network level, or the honeypot itself is instrumented (e.g. Sebek, the Honeynet Project's data capture tool).
v) You will face real-life data and attacks, so the activities captured are most valuable.
vi) Learn as much as possible about the attacker, the attack itself and especially the methodology as well as the tools used.
vii) High-interaction honeypots can help you to prevent future attacks and gain a certain understanding of possible threats.
Disadvantages
Building, configuring, deploying and maintaining a high-interaction honeypot is very time consuming, as it involves a variety of different technologies (e.g. IDS, firewall etc.) that have to be customized.
FIREWALL
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
i)
iv) Proxy server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
TYPES OF FIREWALL
There are three basic types of firewalls, depending on:
HONEYNET
Honeypots run on a single machine. To make honeypots look more like production systems, honeynets are set up. The common elements of a honeynet are:
a) A firewall computer, which logs all incoming/outgoing connections and provides Network Address Translation (NAT) service and some Denial of Service (DoS) protection.
[Figure: honeynet layout with the Internet, the Honeywall and the Honeypots; labels in the figure: "No Restrictions", "Connections Limited", "Packet Scrubbed".]
IPTABLES
Iptables is used to set up the firewall and configure the gateway. While configuring the firewall, care should be taken to write rules that ensure the following:
i) Set up IP forwarding between the three network interfaces of the gateway.
ii) Avoid spoofing from the internal network: only packets whose source IP is one of the internal network's addresses should be allowed to go outside.
iii) Restrict any traffic coming from the honeypot to the gateway.
iv) Allow minimal but necessary traffic from the Internet to reach the gateway.
v) Restrict the possibility of DoS attacks from the honeypots.
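A gateway ruleset that implements the five points above, as an added example (not the paper's own configuration); the interface names, the 192.0.2.0/24 honeypot segment, the management-only SSH rule and the 10/hour outbound cap are assumptions:

```shell
#!/bin/sh
# Honeynet gateway ruleset implementing the five goals above (added example, not the paper's).
# Assumed layout: eth0 = Internet, eth1 = honeypot segment, eth2 = management interface.
# 192.0.2.0/24 and the 10/hour outbound cap are constructed sample values.
# Set IPT=echo SYSCTL=echo to render the commands instead of applying them (no root needed).
IPT="${IPT:-iptables}"; SYSCTL="${SYSCTL:-sysctl}"
EXT_IF="${EXT_IF:-eth0}"; HP_IF="${HP_IF:-eth1}"; MGMT_IF="${MGMT_IF:-eth2}"
HP_NET="${HP_NET:-192.0.2.0/24}"; OUT_LIMIT="${OUT_LIMIT:-10/hour}"

honeywall_rules() {
    # Goal 1: forward between the three interfaces; everything else is default-deny.
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Goal 2: anti-spoofing - a packet from the honeypot interface must carry a honeypot-net source.
    $IPT -A FORWARD -i "$HP_IF" ! -s "$HP_NET" -j DROP
    # Goal 3: the honeypot segment never talks to the gateway itself.
    $IPT -A INPUT -i "$HP_IF" -j DROP
    # Goal 4: minimal gateway access - SSH from the management interface only, nothing from the Internet.
    $IPT -A INPUT -i "$MGMT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Log every new connection crossing the gateway, then let attacks reach the honeypots.
    $IPT -A FORWARD -m conntrack --ctstate NEW -j LOG --log-prefix "HONEYNET-NEW "
    $IPT -A FORWARD -i "$EXT_IF" -o "$HP_IF" -d "$HP_NET" -j ACCEPT
    # Goal 5: DoS containment - cap new outbound connections; excess is logged, then dropped by policy.
    $IPT -A FORWARD -i "$HP_IF" -o "$EXT_IF" -m conntrack --ctstate NEW \
        -m limit --limit "$OUT_LIMIT" --limit-burst 10 -j ACCEPT
    $IPT -A FORWARD -i "$HP_IF" -o "$EXT_IF" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "HONEYNET-OUT-LIMIT "
    $IPT -t nat -A POSTROUTING -s "$HP_NET" -o "$EXT_IF" -j MASQUERADE   # NAT for the honeypot net
}

# Offline check of the rendered ruleset: both containment drops exist and the
# anti-spoofing drop is installed before any FORWARD accept. Returns 0 on success.
check_rules() {
    rendered=$(honeywall_rules) || return 1
    echo "$rendered" | grep -qF -- "-A FORWARD -i $HP_IF ! -s $HP_NET -j DROP" || return 1
    echo "$rendered" | grep -qF -- "-A INPUT -i $HP_IF -j DROP" || return 1
    drop_line=$(echo "$rendered" | grep -nF -- "! -s $HP_NET -j DROP" | cut -d: -f1)
    accept_line=$(echo "$rendered" | grep -nF -- "-o $HP_IF -d $HP_NET -j ACCEPT" | cut -d: -f1)
    [ "$drop_line" -lt "$accept_line" ]
}
```

Run with `IPT=echo SYSCTL=echo` first and review the rendered rules; apply for real only on the gateway, where the default-deny policies take effect immediately.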
Alerting Tools
The gateway and honeypot run cron jobs (scheduled jobs) that email all the logs from the honeypot on an hourly basis.