Lecture 7
- 1. Honeypots
- 2. Computer Network Security 2 Agenda What are honeypots What honeypots are not Advantages and disadvantages Comparison of products Honeyd Honeynets
- 3. Computer Network Security 3 Honeypots “The secret to good defence is good offence” Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. Its is this flexibility that gives honeypots their true power. “A security resource whose value lies in being probed, attacked or compromised” (Larry Spitzner) They are a resource that has no authorized activity, they do not have any production value.
- 4. Computer Network Security 4 Honeypots: Theoreticlly, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. A tool for: Detecting attackers Observing and monitoring attack methods Potentially trapping a prospective attacker Providing early warning of attacker Can capture known as well as unknown attacks.
- 5. Computer Network Security 5 Honeypots: what they are not A security fix A barrier to attacks A substitute for securing your host and network
- 6. Computer Network Security 6 Advantages Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. As such, honeypots reduce 'noise' by collectin only small data sets, but information of high value Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network
- 7. Computer Network Security 7 Advantages Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a Honeypot, the Honeypot will detect and capture it. Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.
- 8. Computer Network Security 8 Disadvantages Value if not attacked: None Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems Fingerprinting: an incorrectly implemented honeypot can identify itself and others
- 9. Computer Network Security 9 Comparison of 6 honeypots
- 10. Computer Network Security 10 Honeyd Open source Runs on Unix Low interaction Emulated services to deceive attacker and capture activity Highly customizable (open source) Detects activity on any TCP port Can monitor millions of non-existent IP addresses
- 11. Computer Network Security 11 Honeyd Can simultaneously assume IP addresses of thousands of victims and actively interact with attackers (has been tested with 60,000) Can emulate many different OSs at the same time (Specter can emulate 13 different OSs, but only one at a time) Emulates not only OS but also the proper TCP/IP stack unlike BOF and Specter
- 12. Computer Network Security 12 Honeyd Disadvantages Only TCP services, not UDP ICMP, echo request and response only
- 13. Honeynets
- 14. Computer Network Security 14 Honeynets Honeynets are a prime example of high-interaction honeypot Honeynets are an architecture, an entire network of Honeypots. Due to the size of a production network and the amount of traffic, extensive logging can not be deployed We can use honeynets instead A network of actual systems running real operating systems Not a single product but composed of multiple technologies and tools
- 15. Computer Network Security 15 Honeynets Data control: managing or tracking traffic to and from a honeynet. You don’t want complaints about malicious activity from your honeynet. But we don’t want attackers to know that they are in a controlled environment either Techniques for data control: • Connection control: limit the outbound connections • Bandwidth control: set a limit on the bandwidth Data capture: logging of entire attacker activity
- 16. Computer Network Security 16 Honeynets Data collection: collecting data from multiple honeynets to a central location Honeynet architectures: Gen I Gen II
- 17. Computer Network Security 17 Gen I Honeynets Simple architecture Simple data capture and data control techniques make it detectable by attackers sometimes Places a layer 3 firewall in front of the honeynet for data control and capture. Logs are available from multiple levels: Firewall logs IDS logs System logs
- 18. Computer Network Security 18 Gen II Honeynets Gateway is layer 2 device which makes it harder to detect Firewall works in bridge mode Also has IPS capability Sebek client/server tool which is a kernel module for logging to a remote syslog server using UDP and hides its activity from the attacker Also have data collection capability Also provide alerts when an attack occurs