Clifford Stoll described an early honeypot-like system in 1990: he monitored an intruder's activity and traced the attacker back to his origin by observing what the intruder tried to access. In 1999 Lance Spitzner introduced techniques for building efficient Honeypots, which led to the Honeynet Project; he also defined the concepts and architectures of Honeypots and established the terms and notions used for them today.
2.3 Types of Honeypots
There are different types of Honeypots, which are distinguished by their goals.
2.3.1 The idea of Honeypots
A Honeypot behaves like bait: it is placed in the network to attract and catch malicious network activity by an intruder. Different types of Honeypots address different kinds of attacker threats.
When a Honeypot is used together with an Intrusion Detection System its recording capabilities are extended; in this role it serves as a production Honeypot and merely extends the IDS.
figure 2-1 - deployment scenario of a single Honeypot
The diagram shows the common setup for deploying a Honeypot within a production network. The Honeypot is the orange box in the figure. It is not registered in any name server or in any other production system such as a domain controller, so none of them know about its existence. In a properly configured network no production system ever sends packets to the Honeypot, so every packet that does arrive is suspect. A misconfigured system that sends packets to the Honeypot raises false alerts and reduces the value of the Honeypot.
2.3.2 Production Honeypots
Production Honeypots are used for detecting attackers. They work as an extension to an IDS and provide additional detection capability. When a Honeypot is attacked, this is an early warning that the production systems are at risk and that countermeasures should be taken. Knowing how the Honeypot was attacked makes it easier to find and close the corresponding security holes.
Honeypots make it easier to handle threats on the network, because they provide complete details of the attacks that took place, for example over the course of a month. This also provides a justification for investing in security.
Without such evidence a person may assume that no attacks occur and stop investing in security. Malicious activity by employees can also be detected with a Honeypot: a faked document is placed in a network folder, and an employee with bad intentions will try to copy it, whereas an employee without bad intentions has no reason to touch it.
2.3.3 Research Honeypots
In a different scenario, a research Honeypot is used to find out the plans and techniques of the blackhat community. It acts like a watch post from which the operator observes how an attacker works while compromising a system. The attacker's secrets are revealed because the intruder is permitted to stay.
The Honeypot operator thereby gains information about the blackhats' tools and tactics, and about how an attack unfolds once a system is compromised. The administrator learns which tools were used to compromise the system, but a Honeypot by itself does not necessarily show how they were used.
2.3.4 Honeynets
A Honeynet expands the concept of a single Honeypot to a network of Honeypots.
In a production network usually only one Honeypot is deployed. With a Honeynet it is possible to deploy several. Each Honeypot within the Honeynet is still a single machine and a stand-alone system.
Two components are required to deploy a Honeynet: the Honeypots and the Honeywall. If an attacker is allowed to compromise a Honeypot that runs a real system, he could use it to access other systems or to launch a denial-of-service attack. To limit this risk a firewall on the Honeywall restricts access to the production network and limits the number of outbound connections. An intrusion detection system on the Honeywall keeps track of the packets going to and from the Honeypots.
The Honeynet Project defines two architectures: Gen-I (first generation) and Gen-II (second generation). Gen-I has a drawback: it is not capable of hiding its own existence, so it can be detected and defeated by advanced blackhats. The Honeypot operating system carries no sensors of its own, and since the traffic records are kept on the compromised host rather than stored separately, an intruder can delete them. Access from the outside passes through a common layer-3 firewall, which is visible to the attacker.
Gen-II nets solve the problems of Gen-I and are harder to detect. Host-side recording is possible: keystrokes are captured on the Honeypot itself, so the attacker's actions remain visible even when he uses an encrypted connection. Access is granted through a layer-2 firewall, i.e. a bridge. As the bridge has no IP address, it is hard to detect.
Figure 2-2 shows a Honeynet setup with four Honeypots. The Honeywall operates in bridge mode, performing the same function as a switch. It connects the Honeynet logically to the production network and allows the Honeynet to use the same address range.
figure 2-2 - Honeynet setup
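The data-control rules of a Gen-II Honeywall described above (inbound traffic is let through and recorded, outbound connections from a compromised Honeypot are capped so it cannot be turned against third parties) can be modelled as a small policy engine. The following is an added example written for this page, not the Honeynet Project's Honeywall code; the honeynet address range, the limit values and the one-hour window are assumptions chosen for illustration.

```python
"""Gen-II Honeywall data-control policy (added example, not Honeynet Project code).

Two rules are enforced on the bridge:
  * inbound connections to the honeynet are always allowed and logged;
  * outbound connections initiated by a honeypot are allowed only up to a
    per-honeypot, per-protocol limit inside a sliding time window, so a
    compromised honeypot cannot be used to scan or DoS other systems.
"""
from collections import defaultdict, deque
import ipaddress

HONEYNET = ipaddress.ip_network("192.0.2.0/29")  # assumption: honeypot range (RFC 5737 test net)
WINDOW = 3600                                     # assumption: one-hour sliding window, seconds
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}       # assumption: outbound connections per window


class Honeywall:
    def __init__(self, limits=LIMITS, window=WINDOW, honeynet=HONEYNET):
        self.limits = limits
        self.window = window
        self.honeynet = honeynet
        self.outbound = defaultdict(deque)  # (honeypot_ip, proto) -> timestamps of allowed outbound
        self.events = []                    # every decision is recorded for later analysis

    def _event(self, ts, src, dst, proto, direction, verdict):
        self.events.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                            "direction": direction, "verdict": verdict})

    def decide(self, ts, src, dst, proto):
        """Return "ALLOW" or "DROP" for a new connection seen on the bridge."""
        src_in = ipaddress.ip_address(src) in self.honeynet
        dst_in = ipaddress.ip_address(dst) in self.honeynet

        if dst_in and not src_in:
            # Inbound: let the attacker in; the IDS/logging sees everything.
            self._event(ts, src, dst, proto, "inbound", "ALLOW")
            return "ALLOW"

        if src_in and not dst_in:
            # Outbound from a honeypot: count against the sliding window.
            window = self.outbound[(src, proto)]
            while window and ts - window[0] >= self.window:
                window.popleft()                   # forget connections older than the window
            if len(window) >= self.limits.get(proto, 0):
                verdict = "DROP"                   # limit reached: contain the honeypot
            else:
                window.append(ts)
                verdict = "ALLOW"
            self._event(ts, src, dst, proto, "outbound", verdict)
            return verdict

        # Honeypot-to-honeypot or traffic that merely transits the bridge: pass through.
        self._event(ts, src, dst, proto, "internal" if src_in else "transit", "ALLOW")
        return "ALLOW"

    def dropped(self):
        """Outbound attempts that were blocked; each one is a sign of a compromised honeypot."""
        return [e for e in self.events if e["verdict"] == "DROP"]


if __name__ == "__main__":
    hw = Honeywall(limits={"tcp": 3, "udp": 20, "icmp": 50})
    hw.decide(0, "203.0.113.9", "192.0.2.2", "tcp")          # attacker connects in: ALLOW
    for i in range(4):                                       # compromised honeypot tries 4 outbound
        print(hw.decide(10 + i, "192.0.2.2", "198.51.100.%d" % i, "tcp"))
    print("blocked:", hw.dropped())
```

A connection that is dropped by the outbound limit is itself a strong alert: a Honeypot has no reason to open connections on its own, so the first blocked attempt usually marks the moment it was compromised.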
2.4 Level of interaction
So far Honeypots have been described by their field of application. To describe them in greater detail it is necessary to consider their level of interaction with the attacker.
2.4.1 Low-interaction Honeypots
A low-interaction Honeypot emulates network services only to the point that an intruder can log in but cannot perform any actions. In some cases only a banner is sent back to the origin and nothing more. Low-interaction Honeypots are used for detection only and serve as production Honeypots.
Like an IDS, a low-interaction Honeypot logs and detects attacks. In addition it is capable of responding to login attempts, whereas an IDS stays passive.
The attacker only gains access to the emulated service; the underlying operating system is not touched in any way. This makes it a very secure solution that poses little risk to the environment in which it is installed.
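The following added example (written for this page, not taken from the thesis or from any existing Honeypot product) shows what "log in but perform no actions" means in practice: a telnet-style login emulation that accepts any credentials, records them, and then presents a fake shell in which every command is logged and answered with "command not found". Nothing is ever executed, so the host operating system is not exposed. The banner text, port and command limit are assumptions; a plain client such as nc is assumed, since telnet option negotiation is not handled.

```python
"""Low-interaction login honeypot (added example, not from the original page)."""
import socketserver
import threading
import time

BANNER = b"Welcome to honey-srv01 (Ubuntu 14.04 LTS)\r\n\r\nlogin: "  # assumption: fake banner
MAX_COMMANDS = 5   # assumption: close the session after this many commands
LOG = []           # in-memory event log; a real deployment would forward to syslog


class FakeLoginSession:
    """State machine for one attacker connection: user -> pass -> shell."""

    def __init__(self, peer):
        self.peer = peer
        self.state = "user"
        self.username = None
        self.commands = 0
        self.open = True

    def _log(self, event, **fields):
        record = {"ts": time.time(), "peer": self.peer, "event": event}
        record.update(fields)
        LOG.append(record)

    def feed(self, line: bytes) -> bytes:
        """Consume one line from the attacker and return the bytes to send back."""
        text = line.rstrip(b"\r\n").decode("utf-8", errors="replace")
        if self.state == "user":
            self.username = text
            self.state = "pass"
            return b"Password: "
        if self.state == "pass":
            # Every password is "correct": we want the attacker to reveal credentials.
            self._log("login", username=self.username, password=text)
            self.state = "shell"
            return b"\r\n$ "
        # "shell" state: record the command, pretend it does not exist, never run it.
        self.commands += 1
        self._log("command", username=self.username, command=text)
        reply = "-sh: %s: command not found\r\n" % text.split(" ", 1)[0]
        if self.commands >= MAX_COMMANDS:
            self.open = False
            return (reply + "Connection closed.\r\n").encode("utf-8", errors="replace")
        return (reply + "$ ").encode("utf-8", errors="replace")


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = FakeLoginSession("%s:%d" % self.client_address)
        self.wfile.write(BANNER)
        while session.open:
            line = self.rfile.readline()
            if not line:  # attacker disconnected
                break
            self.wfile.write(session.feed(line))


def start_honeypot(host="127.0.0.1", port=2323):
    """Start the honeypot in a background thread and return the server object."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), HoneypotHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_honeypot()
    print("honeypot listening on %s:%d; try: nc 127.0.0.1 2323" % srv.server_address)
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Because the service is only emulated, any connection at all is worth an alert, and the recorded username/password pairs and commands are the complete picture of what the intruder attempted.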
2.4.2 Medium-interaction Honeypots
Medium-interaction Honeypots are additionally capable of emulating full services or specific vulnerabilities, e.g. the behaviour of a Microsoft IIS web server. Their primary purpose is detection, and they are used as production Honeypots.
Like low-interaction Honeypots, medium-interaction Honeypots are installed as an application on the host operating system, and only the emulated services are exposed to the public. But the emulated services of a medium-interaction Honeypot are more powerful, so the chance of failure is higher, which makes their use more risky.
2.4.3 High-interaction Honeypots
These are the most elaborate Honeypots. They either emulate a full operating system or use a real installation of an operating system with additional
2.5 Types of attacks
There are many types of attacks on a network, but two of them are of primary importance here.
2.5.1 Random attacks
Random attacks are performed on the Internet using automated tools, mostly by unskilled users, so-called script kiddies. They try to open backdoors that are already installed. The process resembles a person walking down a street and pulling the handle of every car: by the end of the day he will have found at least one car that is unlocked.
Devices on the net are found easily by scanning entire IP address ranges; such scans precede the attacks.
2.5.2 Direct attacks
A direct attack occurs when a blackhat wants to break into a system of his choice, such as an e-commerce web server holding credit card numbers. Only one system is touched, often using unknown vulnerabilities. A good example is the theft of 40 million credit card details at MasterCard International. On June 17, 2005 the credit card company released news [MasterCard 05] that CardSystems Solutions, a third-party processor of payment data, had encountered a security breach which potentially exposed more than 40 million cards of all brands to fraud. "It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data," said MasterCard spokeswoman Jessica Antle (cited from [CNNMoney 05]).
Improving network security with Honeypots Page 10
Direct attacks are performed by skilled hackers and require experienced knowledge. In contrast to the tools used for random attacks, the tools used by experienced blackhats are not common; often the attacker uses a tool that has not been published in the blackhat community. This increases the threat of such attacks. It is much easier to prepare against well-known attacks, e.g. by teaching an IDS the signature of an XMAS scan performed with Nmap [Fyodor 05].
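The XMAS scan mentioned above is a good illustration of what a "signature" is: Nmap's -sX probe sets the FIN, PSH and URG flags together, a combination no legitimate TCP stack sends, so an IDS can match it on the flag byte alone (the NULL scan, -sN, with no flags at all, and the FIN scan, -sF, are detected the same way). The following is an added example written for this page, not code from the thesis or from Nmap/Snort: it parses a raw IPv4+TCP packet with struct and classifies the flag combination. The packets are constructed inline with zero checksums so the example runs offline; addresses are from the RFC 5737 documentation ranges.

```python
"""Flag-signature detection for Nmap-style TCP scans (added example, not from the original page)."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that never occur in normal traffic and therefore make good IDS signatures.
SIGNATURES = {
    "XMAS": FIN | PSH | URG,   # nmap -sX
    "NULL": 0,                 # nmap -sN
    "FIN": FIN,                # nmap -sF
}


def build_packet(src, dst, dport, flags, sport=40000):
    """Construct a minimal IPv4+TCP packet (checksums left at zero; test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    # data offset 5 (20-byte header) in the top 4 bits, flags in the low bits
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr


def parse_tcp_flags(packet):
    """Return (src_ip, dst_ip, dst_port, flags) for an IPv4 packet carrying TCP, else None."""
    if len(packet) < 20 or packet[9] != 6:          # protocol field must be TCP (6)
        return None
    ihl = (packet[0] & 0x0F) * 4                    # IP header length in bytes
    if len(packet) < ihl + 14:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return src, dst, dport, off_flags & 0x3F        # keep the six classic flags URG..FIN


def classify(flags):
    """Name the probe type, or None for anything that looks like ordinary traffic."""
    for name, signature in SIGNATURES.items():
        if flags == signature:
            return name
    return "SYN" if flags == SYN else None


def scan_alerts(packets):
    """Run the signatures over a packet list and return one alert per matching probe."""
    alerts = []
    for pkt in packets:
        parsed = parse_tcp_flags(pkt)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        sig = classify(flags)
        if sig in SIGNATURES:
            alerts.append({"signature": sig, "src": src, "dst": dst, "dport": dport})
    return alerts


if __name__ == "__main__":
    # constructed sample: one XMAS probe, one ordinary SYN, one NULL probe
    sample = [
        build_packet("203.0.113.7", "192.0.2.10", 22, FIN | PSH | URG),
        build_packet("198.51.100.4", "192.0.2.10", 80, SYN),
        build_packet("203.0.113.7", "192.0.2.10", 443, 0),
    ]
    for alert in scan_alerts(sample):
        print(alert)
```

Signature matching like this only catches the probes whose shape is already known; an attacker using an unpublished tool, as in the direct attacks described above, produces traffic for which no such rule exists, which is exactly the gap a Honeypot helps to close.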
2.6 Security categories
To assess the value of Honeypots, security is broken down into the three categories defined by Bruce Schneier in Secrets and Lies [Schneier 00]: prevention, detection and response.
2.6.1 Prevention
Prevention means keeping the bad guys out. Normally this is achieved by firewalls and well-patched systems. The value a Honeypot adds to this category is small. If a random attack is performed, a Honeypot can detect the attack but not prevent it, because the targets are not predictable.
One case where Honeypots help with prevention is when an attacker is directly hacking into a server. In this situation the attacker wastes his time on an insufficient target, the Honeypot, instead of attacking the real server, which helps to prevent an attack on a production system. This only works, however, if the attacker hits the Honeypot before the real server and not the other way round.
Also if an institution publishes the information that they use a Honeypot it might deter attackers from hacking. But this is more in the fields of psychology and quite too abstract to add proper value to security.
2.6.2 Detection
Detecting intrusions in a network is similar to an alarm system protecting a building: someone breaks into a house and an alarm goes off. In the realm of computers this is accomplished by Intrusion Detection Systems (see 5.3.2 for an example) or by programs that watch system logs and trigger when unauthorized activity appears.
The problems with these systems are false alarms and undetected attacks. A system might alert on suspicious or malicious activity even though the data was valid production traffic. Because of the high traffic volume on most networks it is extremely difficult to process every packet, so the chance of false alarms increases with the amount of data processed. High traffic also leads to undetected attacks: when the system cannot process all data it has to drop certain packets, which leaves them unscanned. An attacker can benefit from such high loads on the network.
2.6.3 Response
After an attack has been detected we need information to prevent further threats of the same type. Likewise, when an institution has established a security policy and an employee has violated it, the administration needs proper evidence.
Honeypots provide exact evidence of malicious activity. As they are not part of the production systems, any packet sent to them is suspicious and is recorded for analysis. Unlike a production server, a Honeypot carries no regular traffic such as that to and from a web server. This reduces the amount of recorded data dramatically and makes evaluation much easier.
With that specific information it is fairly easy to start effective countermeasures.
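The reasoning above ("any packet sent to a Honeypot is suspicious, and the recorded data is small enough to evaluate"), together with the false alerts from misconfigured systems mentioned in 2.3.1 and the sweeping scans of random attacks in 2.5.1, can be turned into a simple evaluation step over flow records from a Honeynet. The following is an added example written for this page, not code from the thesis: it keeps only flows addressed to the Honeynet, sets aside sources that are known misconfigurations (which should be fixed, not silently ignored), and then classifies each remaining source as a sweep (many Honeypots touched, typical of a random attack) or as targeted (one Honeypot, many ports or sessions). The flow records, address ranges, allowlist and threshold are all constructed assumptions.

```python
"""Evaluating Honeynet traffic records (added example, not from the original page)."""
import ipaddress
from collections import defaultdict

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # assumption: addresses used by the Honeypots
ALLOWLIST = {"10.0.0.5"}     # assumption: internal backup server with a stale job for the range
SWEEP_MIN_HOSTS = 3          # assumption: distinct Honeypots touched before calling it a sweep

# constructed flow records: (timestamp, src, dst, dst_port, proto)
FLOWS = [
    (1, "10.0.0.5", "192.0.2.10", 445, "tcp"),       # misconfigured backup job -> false alert
    (2, "198.51.100.4", "192.0.2.1", 22, "tcp"),     # one source walking the address range
    (3, "198.51.100.4", "192.0.2.2", 22, "tcp"),
    (4, "198.51.100.4", "192.0.2.3", 22, "tcp"),
    (5, "198.51.100.4", "192.0.2.4", 22, "tcp"),
    (6, "203.0.113.7", "192.0.2.10", 80, "tcp"),     # one source digging into one Honeypot
    (7, "203.0.113.7", "192.0.2.10", 443, "tcp"),
    (8, "203.0.113.7", "192.0.2.10", 8080, "tcp"),
    (9, "10.0.0.20", "10.0.0.30", 80, "tcp"),        # ordinary production traffic, never recorded
]


def honeynet_flows(flows, honeynet=HONEYNET, allowlist=ALLOWLIST):
    """Split flows into (suspicious, suppressed): Honeynet-bound flows, minus known misconfigurations."""
    suspicious, suppressed = [], []
    for flow in flows:
        ts, src, dst, port, proto = flow
        if ipaddress.ip_address(dst) not in honeynet:
            continue                     # a Honeypot never appears in production traffic
        (suppressed if src in allowlist else suspicious).append(flow)
    return suspicious, suppressed


def classify_sources(flows, sweep_min_hosts=SWEEP_MIN_HOSTS):
    """Group suspicious flows by source and label each as a sweep or a targeted attack."""
    hosts, ports, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for ts, src, dst, port, proto in flows:
        hosts[src].add(dst)
        ports[src].add(port)
        count[src] += 1
    report = {}
    for src in hosts:
        kind = "sweep" if len(hosts[src]) >= sweep_min_hosts else "targeted"
        report[src] = {"kind": kind, "hosts": len(hosts[src]),
                       "ports": sorted(ports[src]), "flows": count[src]}
    return report


if __name__ == "__main__":
    hits, noise = honeynet_flows(FLOWS)
    print("suppressed (fix these misconfigurations):", noise)
    for src, info in classify_sources(hits).items():
        print(src, info)
```

The suppressed list is deliberately returned rather than dropped: every entry is a system that knows about the Honeypot when it should not, and leaving it in place is what drives the value of the Honeypot down.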