Honeypots


Transcript of Honeypots

Page 1: Honeypots

Presentation on “HONEYPOT”

Submitted by: Gaurav Gupta

DTU/2K13/CO/049

Page 2: Honeypots

DEFINITION

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

- Lance Spitzner

Page 3: Honeypots

Basic Honeypot design

Page 4: Honeypots

Value of Honeypots

Primary value of honeypots is to collect information.

This information is then used to better identify, understand and protect against threats.

Honeypots add little direct value to protecting your network.

Page 5: Honeypots

How does it help us?

Helps to learn the system’s weaknesses

Hackers can be caught and stopped

Design better and more secure networks

Page 6: Honeypots

Example..

Page 7: Honeypots

Honeypot Vs IDS

Page 8: Honeypots

No Data Control

Page 9: Honeypots

Data control

Page 10: Honeypots

Low interaction honeypots

Emulates certain services, applications

Identify hostile IP

Protect internet side of network

Low risk and easy to deploy/maintain, but capture limited information.

Page 11: Honeypots

High interaction honeypots

Real services, applications, and OS’s

Capture extensive information but high risk and time intensive to maintain

Internal network protection

Page 12: Honeypots

Low interaction Vs High interaction

Page 13: Honeypots

Example of Honeypots:

Symantec Decoy Server (Mantrap)

Honeynets

Nepenthes

Honeyd (virtual honeypot)

KFSensor

BackOfficer Friendly

High Interaction

Low Interaction

Page 14: Honeypots

Honeyd

Honeyd is a low-interaction virtual honeypot

◦ Runs multiple virtual hosts on a computer network

◦ A network administrator running Honeyd can monitor his/her logs to see if there is any traffic going to the virtual hosts set up by Honeyd

◦ Supports multiple IP addresses

◦ Supports subsystems
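
The log-monitoring idea from this slide, as an added example that is not part of the original presentation and does not use Honeyd's own log format: since no legitimate user has a reason to contact the virtual hosts, every record destined for them is worth flagging. The address range, record layout and threshold are assumptions, and the sample records are constructed.

```python
# Added example: flag every source that touches the decoy address space.
import ipaddress
from collections import defaultdict

# Assumption: the virtual hosts live in this otherwise unused range.
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/28")

# Constructed sample records: "timestamp proto src_ip src_port dst_ip dst_port".
SAMPLE_LOG = """\
2024-05-01T10:00:01 tcp 198.51.100.7 40112 192.0.2.3 22
2024-05-01T10:00:02 tcp 198.51.100.7 40113 192.0.2.4 22
2024-05-01T10:00:03 tcp 198.51.100.7 40114 192.0.2.5 22
2024-05-01T10:02:10 tcp 203.0.113.9 51000 192.0.2.3 80
2024-05-01T10:02:11 tcp 203.0.113.9 51001 192.0.2.3 443
2024-05-01T10:02:12 tcp 203.0.113.9 51002 192.0.2.3 3389
2024-05-01T10:03:00 tcp 198.51.100.20 44000 10.0.0.15 443
this line is malformed
"""

def honeypot_hits(log_text, net=HONEYPOT_NET):
    """Group records whose destination is a decoy address by source IP."""
    hits = defaultdict(lambda: {"count": 0, "hosts": set(), "ports": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records instead of failing
        _, _, src, _, dst, dport = fields
        try:
            if ipaddress.ip_address(dst) not in net:
                continue  # production traffic is out of scope here
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        entry = hits[src]
        entry["count"] += 1
        entry["hosts"].add(dst)
        entry["ports"].add(port)
    return dict(hits)

def classify(entry, threshold=3):
    """Label the pattern; the threshold is an illustrative assumption."""
    if len(entry["hosts"]) >= threshold:
        return "host sweep"
    if len(entry["ports"]) >= threshold:
        return "port scan"
    return "probe"

if __name__ == "__main__":
    for src, entry in sorted(honeypot_hits(SAMPLE_LOG).items()):
        print(src, entry["count"], classify(entry))
```

The record for `10.0.0.15` is ignored because it is not a decoy address, which is what keeps the resulting data set small.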

Page 15: Honeypots

Honeyd Architecture

Page 16: Honeypots

Gen I Honeynet

◦ Simple Methodology, Limited Capability

◦ Highly effective at detecting automated attacks

◦ Use Reverse Firewall for Data Control

◦ Can be fingerprinted by a skilled hacker

◦ Runs at OSI Layer 3

Page 17: Honeypots

Gen I Honeynet

Page 18: Honeypots

Gen II Honeynet

◦ More complex to deploy and maintain

◦ Examines outbound data and decides whether to block, pass, or modify it

◦ Runs at OSI Layer 2

Page 19: Honeypots

Gen II Honeynet

Page 20: Honeypots

Advantages and Disadvantages of Honeypots

Advantages:

Honeypots are focused (small data sets)

Honeypots help to reduce false positives

Honeypots help to catch unknown attacks (false negatives)

Honeypots can capture encrypted activity (cf. Sebek)

Honeypots work with IPv6

Honeypots are very flexible (advantage/disadvantage?)

Honeypots require minimal resources

Disadvantages:

Honeypots’ field of view is limited (focused)

Honeypots can be detected by an attacker

Page 21: Honeypots

Future work

I. Ease of use: In the future, honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home without difficulty.

II. Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS, etc. As these technologies develop, honeypots will be used in closer integration with them.

III. Specific purpose: Certain features such as honeytokens are already under development to target honeypots at a specific purpose only, e.g. catching only those attempting credit card fraud.

Page 22: Honeypots

Thanks for listening