what is honeypot

Apr 06, 2018

Sina Manavi
Transcript
  • 8/3/2019 what is honeypot

    1/24

    Honeypot &Honeynet

    Sina Manavi

    [email protected]


    2/24

    Content

    What is Honeypot

    What is Honeynet

    Advantages and Disadvantages of

    Honeypot/net


    3/24

    Definition of Honeypot:

    A Honeypot is an information system resource

    whose value lies in unauthorized or illicit use

    of that resource.

    - Lance Spitzner


    4/24

    Honeypots value:

    Prevention: prevent automated attacks (worms and auto-rooters)

    Detection: identify a failure or breakdown in prevention

    Response


    5/24

    How Honeypot works:

    [Diagram: attackers reach Honeypot A through a gateway; the honeypot has no legitimate connections, so the attack data it collects feeds prevention, detection and response]


    6/24

    Architecture


    7/24

    Honeypot can be placed:

    In front of the firewall (Internet)

    DMZ (DeMilitarized Zone)

    Behind the firewall (intranet)


    8/24

    Honeypot Classification:

    By implementation: Physical, Virtual

    By purpose: Production, Research

    By level of interaction: Low, High (Middle?)


    9/24

    Implementation of Honeypot

    Physical: real machines with their own IP addresses, often high-interaction

    Virtual: simulated by other machines that respond to the traffic sent to the honeypots and may simulate a lot of (different) virtual honeypots at the same time


    10/24

    Physical Honeypot vs. Virtual Honeypot

    PH (real machines, NICs, typically high-interaction): high maintenance cost; impractical for large address spaces.

    VH (simulated by other machines): multiple virtual services and VMs on one machine. Typically only simulates network-level interactions, but is still able to capture intrusion attempts.


    11/24

    Purpose of Honeypot:

    Research: complex to deploy and maintain; captures extensive information; run by volunteers (non-profit); used to research the threats organizations face.

    Production: easy to use; captures only limited information; used by companies or corporations; mitigates risks in the organization.


    12/24

    Interaction Level:

    Low Interaction

    High Interaction

    Note: Interaction measures the amount of activity an attacker

    can have with a honeypot.


    13/24

    Low Interaction vs. High Interaction

                      Low-Interaction      High-Interaction
    Installation      Easy                 More difficult
    Maintenance       Easy                 Time consuming
    Risk              Low                  High
    Need control      No                   Yes
    Data gathering    Limited              Extensive
    Interaction       Emulated services    Full control
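    The "emulated services" row above is the whole design of a low-interaction honeypot: answer with a plausible banner, record what the client sends, and never run anything the attacker supplies. The script below is an added example (not from the slides or from any product named in them) of such an emulated service in Python. The banner text, the capture limit, the event fields and the use of a loopback port are assumptions made so it runs offline; the "attacker" is the probe() helper in the same file.

```python
"""Minimal low-interaction TCP honeypot (added example, not from the slides).

It emulates one service banner, keeps the first bytes each client sends, and
returns a structured event per session. Nothing the client sends is executed
or echoed back, which is what keeps the risk low and the data limited.
"""
import json
import socket
import socketserver
import threading
import time

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed banner; choose one that blends in with the real estate
MAX_CAPTURE = 512                          # bytes kept per session (assumed limit)
SESSION_TIMEOUT = 2.0                      # seconds to wait for client data before closing

EVENTS: list = []                          # in-memory event log; a real deployment would ship these out


def summarise_session(peer: tuple, data: bytes, ts: float) -> dict:
    """Build one structured event from an emulated session."""
    first_line = data.split(b"\n", 1)[0].strip()
    return {
        "ts": ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        # a client that speaks SSH identifies itself; keep that as a cheap fingerprint
        "client_banner": first_line.decode("ascii", "replace") if first_line.startswith(b"SSH-") else None,
        "first_bytes_hex": data[:64].hex(),
    }


class EmulatedSSH(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(SESSION_TIMEOUT)
        self.request.sendall(FAKE_BANNER)
        buf = b""
        try:
            while len(buf) < MAX_CAPTURE:
                chunk = self.request.recv(MAX_CAPTURE - len(buf))
                if not chunk:          # client closed
                    break
                buf += chunk
        except (socket.timeout, ConnectionError):
            pass                        # silent clients and resets are still worth logging
        EVENTS.append(summarise_session(self.client_address, buf, time.time()))


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_honeypot(host: str = "127.0.0.1", port: int = 0):
    """Start the honeypot in a background thread; return (server, bound_port)."""
    srv = Honeypot((host, port), EmulatedSSH)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Play the attacker: connect, read the banner, send a payload, disconnect."""
    with socket.create_connection((host, port), timeout=SESSION_TIMEOUT) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def wait_for_events(n: int, timeout: float = 5.0) -> list:
    """Block until at least n sessions have been logged (or timeout); return a copy."""
    deadline = time.monotonic() + timeout
    while len(EVENTS) < n and time.monotonic() < deadline:
        time.sleep(0.05)
    return list(EVENTS)


if __name__ == "__main__":
    srv, port = start_honeypot()
    print("banner seen by attacker:", probe(port, b"SSH-2.0-libssh_0.8.1\r\n"))
    events = wait_for_events(1)
    srv.shutdown()
    print(json.dumps(events, indent=2))
```

    Because the handler never interprets the payload, an attacker gets no further than the banner exchange: that is the "limited data gathering, low risk" trade-off from the table, and why a real scanner or worm can still be fingerprinted from what it sends first.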


    14/24

    Example of Honeypots:

    High Interaction: Symantec Decoy Server (ManTrap), Honeynets

    Low Interaction: Nepenthes, Honeyd (virtual honeypot), KFSensor, BackOfficer Friendly


    15/24

    Honeynet History:

    Informally began in April 1999

    The Honeynet Project officially formed in June 2000

    Became a non-profit corporation in September 2001

    Made up of thirty volunteer security professionals


    16/24

    What is a Honeynet?

    Actual network of computers

    High-interaction honeypot

    It's an architecture, not a product

    Provides real systems, applications, and services for attackers to interact with.

    Any traffic entering or leaving is suspect.


    17/24

    How the Honeynet works?

    Monitoring, capturing, and analyzing all the packets entering or leaving the network.

    All traffic entering or leaving the Honeynet is naturally suspect.
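    The rule on this slide turns packet analysis into a very short decision: anything touching the honeynet is reported, and the only question is how loudly. The script below is an added example (not from the slides or from the Honeynet Project's own tools) that applies the rule to flow records in Python. The honeynet address range, the CSV column layout and the severity labels are assumptions, and the log lines are constructed for the example; it goes slightly beyond the slide by separating inbound probes, outbound connections (a honeypot already talking out, so a likely compromise) and honeypot-to-honeypot flows.

```python
"""Honeynet flow triage (added example, not from the slides)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

HONEYNET = ipaddress.ip_network("10.10.20.0/24")  # assumed honeynet address range

# constructed flow records: ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_LOG = """\
1309392000,203.0.113.7,51234,10.10.20.5,22,tcp,1420
1309392001,203.0.113.7,51235,10.10.20.6,22,tcp,1380
1309392002,198.51.100.9,40000,10.10.20.5,445,tcp,620
1309392030,10.10.20.5,33001,192.0.2.50,6667,tcp,9000
1309392031,10.10.20.5,33002,10.10.20.6,445,tcp,300
1309392040,10.1.1.4,55000,10.1.1.9,443,tcp,3000
"""

# assumed severities: a honeypot that initiates traffic is the strongest signal
SEVERITY = {"inbound": "low", "lateral": "medium", "outbound": "high"}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    nbytes: int


def parse_line(line: str) -> Flow:
    ts, src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(int(ts), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto, int(nbytes))


def classify(flow: Flow) -> str | None:
    """Direction relative to the honeynet, or None if the flow never touches it."""
    src_in, dst_in = flow.src in HONEYNET, flow.dst in HONEYNET
    if src_in and dst_in:
        return "lateral"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return None


def triage(log_text: str) -> dict:
    """Count flows per direction, tally probes per source and raise medium/high alerts."""
    counts: Counter = Counter()
    probes_by_source: Counter = Counter()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        kind = classify(flow)
        if kind is None:
            continue                      # production traffic: out of scope for the honeynet
        counts[kind] += 1
        if kind == "inbound":
            probes_by_source[str(flow.src)] += 1
        if SEVERITY[kind] != "low":
            alerts.append({
                "severity": SEVERITY[kind],
                "kind": kind,
                "src": str(flow.src),
                "dst": f"{flow.dst}:{flow.dport}/{flow.proto}",
                "bytes": flow.nbytes,
            })
    return {"counts": dict(counts), "probes_by_source": dict(probes_by_source), "alerts": alerts}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

    On the constructed log the two SSH probes from 203.0.113.7 are counted but not alerted, while the single outbound flow from 10.10.20.5 to port 6667 is the one high-severity event: with no legitimate users on the honeynet there is no benign explanation for it.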


    18/24

    Honeynet Evolution

    1997, DTK (Deception Toolkit)

    1999, a single sacrificial computer

    2000, Generation I Honeynet,

    2003, Generation II Honeynet,

    2003, Honeyd software

    2004, Distributed Honeynets, Malware Collector...

    2009, Dionaea (multi-stage payloads, SIP, ...), Kojoney, Kippo


    19/24

    Architecture Requirements:

    Data Control

    Data Capture


    20/24

    Data Control of the Honeynet

    [Diagram: without a Honeywall, traffic between the Internet and the honeypots is unrestricted in both directions; with a Honeywall in the path, inbound traffic is still unrestricted while outbound connections are limited and packets are scrubbed]


    21/24

    Honeynet Generations:

    Gen I: simple methodology, limited capability

    Highly effective at detecting automated attacks

    Uses a reverse firewall for data control

    Can be fingerprinted by a skilled hacker

    Runs at OSI Layer 3

    Gen II: more complex to deploy and maintain

    Examines outbound data and makes a determination to block, pass, or modify it

    Runs at OSI Layer 2
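    The block / pass / modify decision on this slide is the heart of Gen II data control, and it is easier to reason about as code than as a diagram. Below is an added example in Python (not from the slides or from the Honeynet Project's Honeywall) that models the two controls the deck names: a per-honeypot, per-protocol budget of outbound connections in a sliding window, and in-line scrubbing that rewrites a known attack string with harmless bytes of the same length so the attacker's connection still appears to work. The limits, the window, the scrub rule (modelled on the classic "/bin/sh" to "/ben/sh" replace) and the event sequence are assumptions constructed for the example.

```python
"""Gen II-style data control for outbound honeynet traffic (added example)."""
from collections import defaultdict, deque

# assumed policy: outbound connections allowed per honeypot, per protocol, per window
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW_SECONDS = 3600

# assumed scrub rules; replacements keep the length so only checksums need recomputing
SCRUB_RULES = {b"/bin/sh": b"/ben/sh"}

# constructed outbound attempts from one compromised honeypot: (src, proto, t, payload)
SAMPLE_EVENTS = [
    ("10.10.20.5", "tcp", 0, b"GET / HTTP/1.0\r\n"),
    ("10.10.20.5", "tcp", 5, b"cmd=/bin/sh -c id"),
    ("10.10.20.5", "tcp", 9, b""),
    ("10.10.20.5", "tcp", 12, b""),
    ("10.10.20.5", "tcp", 3605, b""),
]


class DataControl:
    def __init__(self, limits=None, window=WINDOW_SECONDS):
        self.limits = dict(DEFAULT_LIMITS if limits is None else limits)
        self.window = window
        self._history = defaultdict(deque)   # (src, proto) -> timestamps of passed connections

    def _prune(self, key, now):
        q = self._history[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def connection(self, src: str, proto: str, now: float) -> str:
        """'pass' if the honeypot still has budget for this protocol, else 'block'.

        Protocols with no configured budget are blocked outright; the attacker
        keeps enough connectivity to fetch tools but cannot scan or flood.
        """
        key = (src, proto.lower())
        self._prune(key, now)
        if len(self._history[key]) >= self.limits.get(key[1], 0):
            return "block"
        self._history[key].append(now)
        return "pass"

    @staticmethod
    def scrub(payload: bytes):
        """('modify', rewritten) when a rule hits, otherwise ('pass', payload)."""
        out = payload
        for bad, good in SCRUB_RULES.items():
            out = out.replace(bad, good)
        return ("modify", out) if out != payload else ("pass", payload)

    def handle(self, src: str, proto: str, now: float, payload: bytes = b""):
        """Full verdict for one outbound attempt: (verdict, payload_to_forward)."""
        if self.connection(src, proto, now) == "block":
            return "block", b""
        return self.scrub(payload)


def replay(dc: DataControl, events) -> list:
    """Run a sequence of attempts through the control and return the verdicts."""
    return [dc.handle(*ev)[0] for ev in events]


if __name__ == "__main__":
    dc = DataControl(limits={"tcp": 3})
    for ev, verdict in zip(SAMPLE_EVENTS, replay(dc, SAMPLE_EVENTS)):
        print(f"t={ev[2]:>5} {ev[1]} from {ev[0]}: {verdict}")
```

    With a budget of three TCP connections the constructed sequence gives pass, modify, pass, block, pass: the attacker's second request is rewritten rather than dropped, the fourth is refused, and the window sliding past the first attempts restores the budget. The blocked attempt is deliberately not counted, so a flood cannot push the honeypot into a permanent lockout.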


    22/24

    Advantages and Disadvantages of Honeynets/Honeypots

    Advantages:

    Honeypots are focused (small data sets)

    Honeypots help to reduce false positives

    Honeypots help to catch unknown attacks (false negatives)

    Honeypots can capture encrypted activity (cf. Sebek)

    Honeypots work with IPv6

    Honeypots are very flexible (advantage/disadvantage?)

    Honeypots require minimal resources

    Disadvantages:

    Honeypots' field of view is limited (focused)

    Risk: a compromised honeypot can be used to attack other systems, which is why data control is needed


    23/24

    Q&A


    24/24

    Thank you

    1/12/2011