
SCHOOL OF COMPUTER SCIENCES, UNIVERSITI SAINS MALAYSIA

CST233 INFORMATION SECURITY & ASSURANCE
Assignment 3 / Assignment 1: White Paper on the Honey Pot

Prepared for
Dr. Aman Jantan, Lecturer, School of Computer Sciences

Prepared by
Mohd Faizal Bin Zakaria, 106452

Semester 2, 2011/2012

Abstract

This paper describes the use of honeypots in detail. Honeypots are an exciting new technology with huge potential for the security community. The ideas were first introduced by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick in his paper "An Evening with Berferd." Since then, honeypots have continued to evolve, developing into the powerful security tools they are today. This paper also explains exactly what honeypots are, their advantages and disadvantages, their value to security, and how they work.

Introduction

The first step to understanding honeypots is defining what a honeypot is. This can be harder than it sounds. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. Honey Pot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system. Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside a firewall for control purposes. In a sense, they are variants of standard Intrusion Detection Systems (IDS), but with more of a focus on information gathering and deception.

How It Works

Conceptually, almost all honeypots work the same way. They are a resource that has no authorized activity and no production value. In theory, a honeypot should see no traffic at all, because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity: any connection attempt to a honeypot is most likely a probe, an attack, or a compromise. While this concept sounds very simple, it is this very simplicity that gives honeypots their tremendous advantages and disadvantages. An example of a Honey Pot system installed in a traditional Internet security design:

A Honey Pot system is set up to be easier prey for intruders than true production systems, but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered, and additional attempts at file, security and system access on the Honey Pot can be monitored and saved. To set up a honey pot, it is recommended that you:

- Install the operating system without patches installed, using typical defaults and options.
- Make sure that there is no data on the system that cannot safely be destroyed.
- Add the application that is designed to record the activities of the invader.

Maintaining a honey pot is said to require a large amount of attention and may offer as its highest value nothing more than a learning experience.

Types of Honey Pot

Honeypots can be classified based on their deployment and based on their level of involvement. Based on deployment, honeypots may be classified as:

- Production honeypots
- Research honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization.

Research honeypots are run to gather information about the motives and tactics of the black hat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on design criteria, honeypots can be classified as:

- Pure honeypots
- High-interaction honeypots
- Low-interaction honeypots

Pure honeypots are full-fledged production systems. The activities of the attacker are monitored using a casual tap that has been installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure honeypot is useful, the stealthiest defence is ensured by a more controlled mechanism.

High-interaction honeypots imitate the activities of real systems that host a variety of services and, therefore, an attacker may be allowed a lot of services to waste his time. According to recent research in high-interaction honeypot technology, by employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. In general, high-interaction honeypots provide more security by being difficult to detect, but they are highly expensive to maintain. If virtual machines are not available, one honeypot must be maintained for each physical computer, which can be exorbitantly expensive. An example is the Honeynet.

Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual systems can easily be hosted on one physical system; the virtual systems have a short response time, and less code is required, reducing the complexity of securing the virtual systems.
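As an added example (not code from the paper or from any honeypot project), a minimal low-interaction decoy in Python that follows the concept described above: it presents a fake service banner, treats every connection as an alert because a honeypot has no legitimate traffic, and keeps only one small, high-value record per contact. The SMTP banner, the port 2525 and the record field names are assumptions made for this example.

```python
# Added example, not from the original paper: a minimal low-interaction
# decoy that presents a fake SMTP banner, records every connection as an
# alert (a honeypot has no legitimate traffic) and never acts on input.
import json
import socket
import socketserver
import time

BANNER = b"220 mail.example.invalid ESMTP ready\r\n"  # constructed banner
MAX_CAPTURE = 512  # bytes of attacker input retained per connection


def make_event(peer, data, service="smtp-decoy", ts=None):
    """Build one small, high-value log record from a connection."""
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": service,
        # a bare connect is a probe; any bytes sent mean real interaction
        "kind": "probe" if not data else "interaction",
        "bytes": len(data),
        "preview": data[:MAX_CAPTURE].decode("utf-8", "replace").strip(),
        "severity": "alert",  # every honeypot contact is worth a look
    }


class DecoyHandler(socketserver.BaseRequestHandler):
    events = []  # in-memory store; in practice forward to syslog or a SIEM

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(MAX_CAPTURE)
        except (socket.timeout, ConnectionError):
            data = b""  # connect-only probe or an abrupt disconnect
        evt = make_event(self.client_address, data)
        DecoyHandler.events.append(evt)
        print(json.dumps(evt))  # nothing is relayed or executed


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), DecoyHandler) as srv:
        print("decoy listening on 127.0.0.1:2525; Ctrl-C to stop")
        srv.serve_forever()
```

Because the listener has no legitimate users, its log stays tiny: one JSON line per contact, each of which deserves a look, in contrast to the noise of a full IDS feed.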

Goals of Honey Pot

Generally, there are five popular reasons or goals behind setting up a Honey Pot:

1. Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder's activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
2. Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.
3. The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT based system, it should appear to the potential intruder that the system has not been modified, or they may disconnect before much information is collected.
4. You need to be careful about what traffic you allow the intruder to send back out to the Internet, because you don't want to become a launch point for attacks against other entities on the Internet.
5. You will want to make your Honey Pot an interesting site by placing "dummy" information on it or making it appear as though the intruder has found an "intranet" server, etc. Expect to spend some time making your Honey Pot appear legitimate, so that intruders will spend enough time investigating and perusing the system that you are able to gather as much forensic information as possible.

Advantages

Honeypots are a tremendously simple concept, which gives them some very powerful strengths:

- Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it comes only from the bad guys. This means it is much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
- New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
- Minimal resources: Honeypots require minimal resources, because they only capture bad activity. This means an old Pentium computer with 128 MB of RAM can easily handle an entire class B network sitting off an OC-12 link.
- Encryption or IPv6: Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.
- Information: Honeypots can collect in-depth information that few, if any, other technologies can match.

Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

Disadvantages

Like any technology, honeypots also have their weaknesses. It is because of this that they do not replace any current technology, but work with existing technologies.

- Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems unless the attacker or threat interacts with the honeypots as well.
- Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, and IDS sensors have the risk of failing to detect attacks. Honeypots are no different; they have risk as well. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk varies for different honeypots. Depending on the type of honeypot, it can have no more risk than an IDS sensor, while some honeypots have a great deal of risk.

Conclusion

The purpose of this paper was to define what honeypots are. We identified two different types of honeypots, low-interaction and high-interaction honeypots. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions lies in both production and research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them.

References

1. Loras R. Even, "Honey Pot Systems Explained", July 12, 2000, http://www.sans.org/
2. "Honey Pot", http://searchsecurity.techtarget.com/resources/Security-Resources
3. Lance Spitzner, "Honeypots: Definitions and Value of Honeypots", last modified 29 May 2003, http://www.tracking-hackers.com
