A popular myth about preventing attacks is to know their attacking strategies. By knowing attack strategies counter measures can be improved. A perfect tool for this can be a Honeypot. Basicaly it is used to gather as much information as possible about attackers. Here we will have look at Honeypot concept, their level of involvement, topologies, and the Honeynet.
1.2 Internet security
Usually, The Internet security is a complex task .the computer crimes are increasing day by day .It is very important to have attention to these crimes and the net Hackers- Crackers. These are the peoples having great influence on the Internet. We must have tools to detecting these people and preventing attacks
As in the military, it is important to know, who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community to catch
them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just a primary purpose
of a honeypot. There are a lot of other possibilities for a honeypot - divert hackers from productive systems or catch a hacker while conducting an attack are just two
possible examples.
Honeypots are not the perfect solution for solving or preventing computer crimes. Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, unexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
Overview of Honeypot
What makes a honeypot different from other vulnerable computer systems is its extensive logging capability. The systems most often include at least four layers of logging to capture attacker activity. Every file accessed, every connection made, every keystroke an attacker makes on a honeypot is logged to a secure location.
2.1 Overview
This chapter is organized as follows. In section 2.2 how the Honeypot is organized, defined ?,and the uses of Honeypot,what is Honeypot ? is discussed in brief. Later in section 2.3 the value of Honeypot is discussed, so what can Honeypot provide,what can it be used for ? Each available honeypot has different strengths. The comparison of Honeypot is there in section 2.4 here short overview of the available Honeypots.
2.2 Honeypot Definition
Honeypots are an exciting new technology. They allow us to turn the tables on the bad guys, we can take the initiative. In the past several years there has been growing interest in exactly what this technology is and how it works. The purpose of this paper is to introduce you to honeypots and demonstrate their capabilities. We will begin by discussing what a honeypot is and how it works
The buzz word ”Honeypot” is spooking around. Different vendors claim that they offer honeypot products, people are arguing about honeypots without having a clear image of what a honeypot is. To clarify this issue, a definition of what is meant when talking about honeypots is provided.
Now that we have understanding of two general categories of honeypots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories, honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways; prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.
A honeypot is a resource, which is intended to get compromised. Every traffic from and to a honeypot is suspicious because no productive systems are located on this resource. In general, every traffic from and to a Honeypot is unauthorized activity. All data collected by a honeypot is therefore interesting data. A honeypot will in general not produce an awful lot of logs because no productive systems are running on that machine which makes analyzing this data much easier. Data collected by a honeypot is of high value and can lead to a better
Understanding and knowledge, which in turn can help to increase overall network security. One can also argue hat a honeypot can be used for prevention because it can deter attackers from attacking other systems by occupying them long enough and bind their resources. Against most attacks nowadays (which are based on automated scripts) a honeypot does not help deceiving individuals, as there are no persons to deceive.
2.3 Value Of Honeypot
Now that we have understanding of two general categories of honepyots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories, honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways; prevention, detection, and response.
Up to this point we have been talking about how honeypots can be used to protect an organization. We will now talk about a different use for honeypots, research. Honeypots are extremely powerful, not only can they be used to protect your organization, but they can be used to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can we defend against an enemy when we don't even know who that enemy is? For centuries military organizations have depended on information to better understand who their enemy is and how to defend against them. Why should information security be any different? Research honeypots address this by collecting information on threats. This information can then be used for a variety of purposes, including trend analysis, identifying new tools or methods, identifying attackers and their communities, early warning and prediction, or motivations. One of the most well known examples of using honeypots for research is the work done by the Honeynet Project, an all volunteer, non-profit security research organization. All of the data they collect is with Honeynet distributed around the world. As threats are constantly changing, this information is proving more and more critical.
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To help us better understand honeypots and all the different types, we break them down into two general categories, low-interaction and high-interaction honeypots. These categories helps us understand what type of honeypot you are dealing with, its strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an attacker. the emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others.
3.1 Level of Involvement
One characteristic of a honeypot is its level of involvement. The level of involvement does measure the degree an attacker can interact with the operating system.
3.1.1 Low-Involvement Honeypot
A low-involvement honeypot typically only provides certain fake services.
A low-involvement honeypot does reduce risk to a minimum through minimizing interaction with the attacker.
On a low-involvement honeypot there is no real operating system that an attacker can operate on. This will minimize the risk significantly because the complexity of an operating system is eliminated. On the other hand, this is also a disadvantage. It is not possible to watch an attacker interacting with the operating system, which could be really interesting. A low-involvement Honeypot is like a one-way connection. We only listen, but we do not ask questions ourselves. The role of this approach is very passive.
A mid-involvement honeypot provides more to interact with, but still does not provide a real underlaying operating system. The fake daemons are more sophisticated and have deeper knowledge about the specific services they provide. At the same moment, the risk increases.The probability that the attacker can find a security hole or a vulnerability is getting bigger because the complexity of the honeypot increases. A compromise of this system is still unlikely and certainly no goal as there are no security boundaries and logging mechanisms which are built for this kind of events
Developing a mid-involvement honeypot is complex and time consuming. Special care has to be taken for security checks as all developed fake daemons need to be as secure as possible. The developed versions should not suffer the same security holes as their real counterparts because this is the main reason to substitute these with fake variants. The knowledge for developing such a system is very high as each protocol and service has to be understood in detail.
3.1.3 High-Involvement Honeypot
A high-involvement honeypot has a real underlaying operating system. This leads to a much higher risk as the complexity increases rapidly. At the same time, the possibilities to gather information, the possible attacks as well as the attractiveness increase a lot. One goal of a hacker is to gain root and to have access to a machine, which is connected to the Internet 24/7. A high involvement honeypot does offer such an environment. As soon as a hacker has gained access, his real work and therefore the interesting part begins.
Unfortunately the attacker has to compromise the system to get this level of freedom. He will then have root rights on the system and can do everything at any moment on the compromised system. As per se, this system is no longer secure. Even the whole machine can not be considered as secure. This does not matter if he is in a jail, a sandbox or a VMWare6 box because there could be ways to get out of these software boundaries.
traffic is also an important point to consider, as the danger once a system is fully compromised can be reduced.
By providing a full operating system to the attacker, he has the possibilities to upload and install new files.This is where a high-involvement honeypot can show its strength, as all actions can be recorded and analyzed. Gathering new information about the blackhat community is one main goal of a high-involvement honeypot and legitimates the higher risk.
Placement of Honeypot
A honeypot does not need a certain surrounding environment, as it is a standard server with no special needs. A honeypot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches as others.
A honeypot can be used on the Internet as well as the intranet, based on the needed service. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is wished. It is especially important to set the internal thrust for a honeypot as low as possible as this system could be compromised, probably without immediate knowledge. If the main concern is the Internet, a honeypot can be placed at two locations:
² In front of the firewall (Internet)
² DMZ7
² Behind the firewall (intranet)
Each approach has its advantages as well as disadvantages. Sometimes it is even impossible to choose freely as placing a server in front of a firewall is simply not possible or not wished.
A honeypot will attract and generate a lot of unwished traffic like portscans or attack patterns. By placing a honeypot outside the firewall, such events do not get logged by the firewall and an internal IDS system will not generate alerts. Otherwise, a lot of alerts would be generated on the firewall or IDS.
Probably the biggest advantage is that the firewall or IDS, as well as any other resources, have not to be adjusted as the honeypot is outside the firewall and viewed as any other machine on the external network. Running a honeypot does therefore not increase the dangers for the internal network nor does it introduce new risks.
The disadvantage of placing a honeypot in front of the firewall is that internal attackers can not be located or trapped that easy, especially if the firewall limits outbound traffic and therefore limits the traffic to the honeypot. Placing a honeypot inside a DMZ (figure 4 honeypot(2)) seems a good solution as long as the other systems inside the DMZ can be secured against the honeypot.Most DMZs are not fully accessible as only needed services are allowed to pass the firewall. In such a case, placing the honeypot in front of the firewall should be favored as opening all corresponding ports on the firewall is too time consuming and risky.
A honeypot behind a firewall (figure 4 honeypot(3))can introduce new security risks to the internal network,especially if the internal network is not secured against the honeypot through additional firewalls. This could be a special problem if the IPs are used for authentication.It is important to distinguish between a setup where the firewall enables access to the honeypot or where access from the Internet is denied. A honeypot does often provide a lot of services. Probably most of them are not used as exported services to the Internet and are therefore not forwarded to the honeypot by the firewall. By placing the honeypot behind a firewall, it is inevitable to adjust the firewall rules if access from the Internet should be permitted. The biggest problem arises as soon as the internal honeypot is compromised by an external attacker. He gains the possibility to access the internal network through the honeypot. This traffic will be unstopped by the firewall as it is regarded as traffic to the honeypot only, which in turn is granted. Securing an internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot. With an internal honeypot it is also possible to detect a misconfigured firewall, which forwards unwanted traffic from the Internet to the internal network. The main reason for placing a honeypot behind a firewall could be to detect internal attackers.
The best solution would be to run a honeypot in its own DMZ, therefore with a preliminary firewall. The firewall could be connected directly to the internet or intranet, depending on the goal. This attempt enables tight control as well as a flexible environment with maximal security.
4.2.2 Honeynets
A honeypot is physically a single machine, probably running multiple virtual operating systems. Controlling outbound traffic is often not possible, as the traffic goes directly onto the network. In this case the only possibility to limit outbound traffic is to use a preliminary firewall.Such a more complex environment is often referenced as honeynet. A typical honeynet consists of multiple honeypots and a firewall (or firewalled-bridge) to limit and log network traffic. An IDS is often used to watch for potential attacks and decode and store network traffic on the preliminary system.
By introducing new machines to the honeypot itself, more hardware is required. A solution with only one machine is thinkable. By using VMWare, setting up multiple virtual systems on one physical machine is possible.Through this attempt, it is even possible to place the firewall on the same machine as all virtual honeypots however the security of this solution isn’t as good as having
different physical machines. As soon as the honeynet is a virtual environment, the system could be compromised and the attacker could be able to break out of the virtual machines. Placing a bridge with firewall capabilities in front of a honeypot is much safer as the attacker can not see the bridge. Even attacking the bridge is not possible as the bridge has no IP address and therefore no attack point exists.
Introducing additional hardware also raises the complexity of the environment. Understanding networking and associated tools is important as long as the best security has to be provided
A Honeynet is nothing more then one type of honeypot. Specifically, it is a high interaction honeypot designed primarily for research, to gather information on the enemy. Most traditional honeypots have been for deception or detecting attacks. They are usually single systems that emulate other systems, emulate known services or vulnerabilities, or create jailed environments.
5.1 What is Honeynet
A Honeynet is different from traditional honeypots, it is what we would categorize as a research honeypot. This does not make it a better solution then traditional honeypots, merely it has a different purpose. Instead of its value being detecting or deceiving attackers, its value is gaining information on threats. The two biggest design differences from a traditional honeypots are:
It is not a single system but a network of multiple systems and applications, which are probed and attacked by blackhats. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS webserver, and a Solaris Database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to more accurately profile specific blackhat trends and signatures.
All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.
It is these two design differences that make a Honeynet primarily a tool for research. It can be used as a traditional honeypot, such as detecting unauthorized activity, however a Honeynet requires a great deal more work, risk and administration. Its simply not worth all the effort of building and maintaining a Honeynet just to detect attacks.
5.2 Value of Honeynet
Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is it purely defensive, the enemy is on the attack. Honeynets attempt to change that. The primary purpose of a Honeynet is to gather information about threats that exist. New tools can be discovered, attack patterns can be determined, and attacker motives studied. This information that can be used to protect against threats.
5.3 How it Works
Conceptually, Honeynets are a simple mechanism. You create a network similar to a fishbowl, where you can see everything that happens inside it. Just like the fish, you can watch the hackers interact in your virtual environment. Also just like a fishbowl, you can put almost anything in there you want. This controlled network becomes your Honeynet. The captured activity teaches you the tools, tactics, and motives of the blackhat community. Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining from vast amounts of information what is production traffic and what is malicious activity. Tools and techniques such as Intrusion Detection Systems, host based forensics, or system log analysis attempt to solve this by using a database of known signatures or algorithms to determine what is production traffic and what is malicious activity. However, information overload, data pollution, unknown activity, false positives and false negatives can make analyzing and determining activity extremely difficult.
Conclusion
A honeypot is a valuable resource, especially to collect information about proceedings of attackers as well as their deployed tools. No other mechanism is comparable in the effeciency of a honeypot if gathering information is a primary goal, especially if the tools an attacker uses are of interest. But nevertheless, honeypots can not be considered as a standard product with a fixed place in every security aware environment as firewalls or intrusion detection systems are today. Installing and running a honeypot is not just a matter of ”buy and go”. The involved risk and need for tight supervision as well as time intensive analysis makes them difficult to use. Honeypots are in their’s infancy and new ideas and technologies will surface in the next time. At the same time as honeypots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the blackhat community.
No comments:
Post a Comment