NETWORK SECURITY USING HONEYPOTS AND CRYPTOGRAPHY

Abstract

For every consumer and business that is on the Internet, viruses, worms and crackers are a few of the security threats. There are the obvious tools that aid information security professionals against these problems, such as anti-virus software, firewalls and intrusion detection systems, but these systems can only react to or prevent attacks; they cannot give us information about the attacker, the tools used or even the methods employed. Given all of these security questions, honeypots are a novel approach to network security and security research alike.

A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised in order to gain more information about the attacker and the tools used. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in a research as well as a productive environment.

Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious because no productive components are running on the system. This fact enables the system to log every byte that flows through the network to and from the honeypot, and to correlate this data with other sources to draw a picture of an attack and the attacker.

This paper will first give an introduction to honeypots: the types and uses. We will then look at the nuts and bolts of honeypots and how to put them together. With a more advanced idea of how honeypots work, we will then look at the possible legal ramifications for those who deploy them. Finally we shall conclude by looking at what the future holds for honeypots and honeynets.

1. INTRODUCTION

Global communication is getting more important every day. At the same time, computer crimes are increasing.

Countermeasures are developed to detect or prevent attacks; most of these measures are based on known facts and known attack patterns. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy, but it is important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot.

Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.

WHAT IS A HONEYPOT?

A honeypot is primarily an instrument for information gathering and learning. A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource. More generally, a honeypot is a trap set to deflect or detect attempts at unauthorized use of information systems. Essentially, honeypots are resources that allow anyone or anything to access them and, more importantly, honeypots do not have any real production value. More often than not, a honeypot is simply an unprotected, unpatched, unused workstation on a network being closely watched by administrators.

Its primary purpose is not to be an ambush for the blackhat community, to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, the programs used, the purpose of the attack and the blackhat community itself. All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just the primary purpose of a honeypot. There are many other possibilities for a honeypot: diverting hackers from productive systems or catching a hacker while conducting an attack are just two possible examples.

WHAT IS A HONEYNET?

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets (and honeypots) are usually implemented as parts of larger network intrusion-detection systems. A honeynet is a network of production systems. Honeynets represent the extreme of research honeypots. Their primary value lies in research, gaining information on threats that exist in the Internet community today.

The two main reasons why honeypots are deployed are:
1. To learn how intruders probe and attempt to gain access to your systems, and to gain insight into attack methodologies to better protect real production systems.
2. To gather forensic information required to aid in the apprehension or prosecution of intruders.

TYPES OF HONEYPOTS:

Honeypots come in two flavors:
- Low-interaction
- High-interaction

Interaction measures the amount of activity that an intruder may have with the honeypot. In addition, honeypots can be used to combat spam. Spammers are constantly searching for sites with vulnerable open relays to forward spam to other networks. Honeypots can be set up as open proxies or relays to allow spammers to use these sites. This in turn allows for identification of spammers.

We will break honeypots into two broad categories, as defined by Snort. The two types of honeypots are:
- Production honeypots
- Research honeypots

The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Think of them as 'law enforcement': their job is to detect and deal with bad guys. Traditionally, commercial organizations use production honeypots to help protect their networks. The second category, research, is honeypots designed to gain information on the blackhat community. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and how to better protect against those threats.

HONEYPOT ARCHITECTURE:

1. Structure of a LOW-INTERACTION HONEYPOT (GEN-I):

A typical low-interaction honeypot is also known as a GEN-I honeypot. This is a simple system which is very effective against automated attacks or beginner-level attacks.

Honeyd is one such GEN-I honeypot which emulates services and their responses for typical network functions from a single machine, while at the same time making the intruder believe that there are numerous different operating systems. It also allows the simulation of virtual network topologies using a routing mechanism that mimics various network parameters such as delay, latency and ICMP error messages.

The primary architecture consists of a routing mechanism, a personality engine, a packet dispatcher and the service simulators. The most important of these is the personality engine, which gives services a different 'avatar' for every operating system that they emulate.

DRAWBACKS:
1. This architecture provides a restricted framework within which emulation is carried out. Due to the limited number of services and functionality that it emulates, it is very easy to fingerprint.
2. A flawed implementation (a behavior not shown by a real service) can also end up alerting the attacker.
3. It has constrained applications in research, since every service which is to be studied will have to be re-built for the honeypot.

2. Structure of a HIGH-INTERACTION HONEYPOT (GEN-II):

A typical high-interaction honeypot consists of the following elements: resource of interest, data control, data capture and external logs ("Know Your Enemy: Learning with VMware", Honeynet Project); these are also known as GEN-II honeypots and started development in 2002. They provide better data capture and control mechanisms. This makes them more complex to deploy and maintain in comparison to low-interaction honeypots.

High-interaction honeypots are very useful in their ability to identify vulnerable services and applications for a particular target operating system. Since the honeypots have full-fledged operating systems, attackers attempt various attacks, providing administrators with very detailed information on attackers and their methodologies. This is essential for researchers to identify new and unknown attacks by studying the patterns generated by these honeypots.

DRAWBACKS:
However, GEN-II honeypots do have their drawbacks as well.
1. To simulate an entire network, with routers and gateways, would require an extensive computing infrastructure, since each virtual element would have to be installed in its entirety. In addition this setup is comprehensive: the attacker can know that the network he is on is not the real one. This is one primary drawback of GEN-II.
2. The number of honeypots in the network is limited.
3. The risk associated with GEN-II honeypots is higher because they can easily be used as launch pads for attacks.

COMPARISON:

| Feature | Gen-I | Gen-II |
|---|---|---|
| Number of virtual systems/services that can be deployed | Large | Small |
| Data control | Limited | Extensive |
| Level of interaction | Low | High |
| Ability to discover new attacks | Low | High |
| Risk | Low | High |

BUILDING A HONEYPOT:

To build a honeypot, a set of virtual machines is created. They are then set up on a private network with the host operating system. To facilitate data control, a stateful firewall such as iptables can be used to log connections. This firewall would typically be configured in Layer 2 bridging mode, rendering it transparent to the attacker.

The final step is data capture, for which tools such as Sebek and Term Log can be used. Once data has been captured, analysis of the data can be performed using tools such as Honey Inspector, PrivMsg and SleuthKit.

Honeypot technology under development will eventually allow for a large-scale honeypot deployment that redirects suspected attack traffic to the honeypot. In the figure, an external attacker:
1. Penetrates the DMZ and scans the network IP addresses.
2. The redirection appliance
3. monitors all unused addresses, and uses Layer 2 VPN technology to enable the firewall
4. to redirect the intruder to the honeypot,
5. which may have honeypot computers mirroring all types of real network devices.
6. Scanning the network for vulnerable systems is redirected
7. by the honeypot appliance when he probes unused IP addresses.

RESEARCH USING HONEYPOTS:

Honeypots are also used for research purposes to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is lack of information or intelligence on cyber threats. How can your organization defend itself against an enemy when you do not know who the enemy is? Research honeypots address this problem by collecting information on threats. Organizations can then use this information for a variety of purposes, including analyzing trends, identifying new methods or tools, identifying the attackers and their communities, ensuring early warning and prediction, or understanding attackers' motivation.

ADVANTAGES OF HONEYPOTS:
1. They collect small amounts of information that have great value. This captured information provides an in-depth look at attacks that very few other technologies offer.
2. Honeypots are designed to capture any activity and can work in encrypted networks.
3. They can lure intruders very easily.
4. Honeypots are relatively simple to create and maintain.

DISADVANTAGES OF HONEYPOTS:
1. Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploitation.
2. There is also a level of risk to consider, since a honeypot may be compromised and used as a platform to attack another network. However, this risk can be mitigated by controlling the level of interaction that attackers have with the honeypot.
3. It is an expensive resource for some corporations, since building honeypots requires that you have at least a whole system dedicated to it, and this may be expensive.

LEGAL ISSUES PERTAINING TO HONEYPOTS:

Most of the research found in this area concluded that there are three major legal spectrums concerning honeypots:
- Entrapment
- Liability
- Privacy

1. ENTRAPMENT:
Entrapment is when somebody induces the criminal to do something he was not otherwise supposed to do. Honeypots should generally be used as defensive detection tools, not as an offensive approach to luring intruders.

2. PRIVACY:
The second major concern is what information is being tracked: operational data and transactional data. Operational data includes things like addresses of users, header information etc., while transactional data includes keystrokes, pages visited, information downloaded, chat records, e-mails etc. Operational data is safe to track without threat of a security concern because IDS systems, routers and firewalls already track it. The major concern is transactional data. The more content a honeypot tracks, the more privacy concerns are generated.

3. LIABILITY:
Is the owner of the honeypot liable for any damage done by that honeypot? They will be safe as long as honeypots are used for directly securing the network.

SOME COMMERCIAL HONEYPOTS AND HELPFUL SOFTWARE:

1. CYBERCOP STING BY NETWORK ASSOCIATES:
This product is designed to run on Windows NT and is able to emulate several different systems including LINUX, SOLARIS, CISCO IOS and NT. It is made to appeal to hackers by looking as if it has several well-known vulnerabilities.

2. BACK OFFICER FRIENDLY BY NFR:
This product is designed to emulate a Back Orifice server. BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and crew at NFR. It is an excellent example of a low-interaction honeypot. It is a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as http, ftp, telnet, mail, or Back Orifice.

3. TRIPWIRE BY TRIPWIRE:
This product is for use on NT and UNIX machines and is designed to compare binaries and inform the server operator which have been altered. This helps to protect machines from would-be hackers and is an excellent way to determine if a system has been compromised.

4. SPECTER:
Specter is a commercial product and a low-interaction production honeypot. It is similar to BOF, but it can emulate a far greater range of services and a wide variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process and supporting a variety of alerting and logging mechanisms. One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker.

5. MANTRAP:
Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system. Security administrators can modify these jails just as they normally would with any operating system, including installing applications of their choice, such as an Oracle database or Apache web server, thus making the honeypot far more flexible. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Currently, Mantrap only exists on the Solaris operating system.

RELATED WORK:

Much work has been performed using the concept of honeypots, i.e., an illicit resource to which any and all traffic or access is deemed to be suspect.

1. TARPITS:
One of the easiest ways to identify vulnerable systems is by using a tool called a scanner or a spider. This brute-forces attacks on a whole range of IP addresses, attempting to find vulnerable hosts. This is where a tarpit comes in handy. A tarpit blocks a scanner by responding to its first TCP setup message but ignoring the rest. This simple approach causes the scanner to allocate buffers, start timers and retry, since it believes it has found a valid host. This process repeats until the scanner exhausts its memory and CPU resources and crashes or slows down to an almost unproductive speed.

2. HONEY TOKENS:
A honey token is a data entity whose value lies in the inherent use of the data. Honey tokens are entities such as false medical records, incorrect credit card numbers and invalid social security numbers. The very act of accessing these numbers, even by legitimate entities, is suspect. This concept is especially useful in preventing larger classes of attacks.

FUTURE WORK:

Honeypots are a new field in the sector of network security. Currently there is a lot of ongoing research and discussion all around the world. Several companies have already launched commercial products. A comparison of available products showed that there are some usable low- to high-involvement honeypots on the market. In the sector of research honeypots, self-made solutions have to be developed, as only these solutions can provide the amount of freedom and flexibility which is needed to cover a wide range of possible attacks and attackers. Each research honeypot normally has its own goals or a different emphasis on the subject. Developing a self-made solution needs a good technical understanding as well as a time-intensive development phase.

There is an inherent scope for the research community to be misled by script kiddies, while sophisticated attackers plan more devastating attacks on computer systems across the globe. Although fingerprinting a honeypot is easier said than done, most attackers worth their salt would stay away from any computer system that they deem to be monitoring their activities. Thus in reality, for honeypots to be truly effective, they need to reside very close to a legitimate resource, probably even on the same network.

This would definitely serve as a precursor to any attacks on the production system, making honeypots a true window to the future.

CONCLUSION:

Honeypots are positioned to become a key tool to defend the corporate enterprise from hacker attacks; it's a way to spy on your enemy; it might even be a form of camouflage. Hackers could be fooled into thinking they've accessed a corporate network, when actually they're just banging around in a honeypot, while the real network remains safe and sound. Honeypots have gained a significant place in the overall intrusion protection strategy of the enterprise. Security experts do not recommend that these systems replace existing intrusion detection security technologies; they see honeypots as complementary technology to network- and host-based intrusion protection.

The advantages that honeypots bring to intrusion protection strategies are hard to ignore. In time, as security managers understand the benefits, honeypots will become an essential ingredient in an enterprise-level security operation.

We do believe that although honeypots have legal issues now, they do provide beneficial information regarding the security of a network. It is important that new legal policies be formulated to foster and support research in this area. This will help to solve the current challenges and make it possible to use honeypots for the benefit of the broader Internet community.