Presented by Stanley Chand & Damien Prescod


• Introduction
• Hackers
• Goals of Honeypot
• Common topologies for Honeypots
• Different types of Honeypots
  - Based on deployment
  - Based on Involvement
• Honeynets Architecture
• Honeyd Architecture
• Entrapments in Honeypots
• Anti Honeypots
• Conclusion

• Honeypots are often understood to refer to the English children’s character Winnie-the-Pooh.
• In computer terminology, a Honeypot is a trap set to detect attempts at unauthorized use of information systems and to aid in counteracting them.
• Generally it consists of computer data or network sites that appear to be part of a network but are actually isolated, (un)protected, and monitored, and that seem to contain information that would be of value to attackers.

• Honeypots are often computers, but they can also take other forms, such as data records or even unused IP address space.
• They must be handled carefully, or they can become a risk to the internal networks. If they are not properly walled off, attackers can use them to break into the system.
• These computers run special software designed to appear to an intruder as being worth looking into. In reality these programs are dummies, specifically constructed to foster interest in attackers.

• A hacker can be defined as: a person using computer skills to manipulate private IS without authority and with malicious intent.
• Kevin Mitnick is a famous hacker who is the yardstick in the CP black hat arena.
• Why do they do it? Thrill (Kevin), ego (MS, Yahoo, eBay), but in most cases malicious intent $$$. Ukrainian credit card extortion case.
• Sentences if caught can vary from 5-10 years; some special cases have cost individuals their freedom indefinitely.

• The goal of the honeypot is to trap or trace the actions of hackers with a pseudo-operational network.
• Key to the setup is constructing an FTP, DNS or web server outside of the DMZ* safe area.
• The collected info can be used as legal evidence or for academic research in anti-hacker software or procedures.
• Protect production networks while enticing hacker events.
• Configure the firewall so that all public inbound IPs are allowed whilst outgoing traffic is prevented.

Configuration Keys!!
• Never leave access to secure data/production data networks.
• Use moderate passwords, neither too strong nor too easy!! Otherwise you may give away the objective to smarter hackers.
• Use no production IDs or passwords in the honeypots.
• Be sure to implement real-time monitoring on the honeypot.
• Have an alerting mechanism configured. You want to know!!
• In any business architecture where internet usage is available, never underestimate the usefulness of a honeypot in conjunction with your VPN.
• $$$ don’t let profit marginalize security.
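The firewall rule and the alerting key point above, worked through as an added example (not part of the original slides): a small stateful policy check that lets every inbound connection reach the honeypot, lets replies back out, and drops and alerts on anything the honeypot initiates. The addresses, the `Flow` record and the alert wording are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing (not from the slides): one honeypot in the DMZ and a
# production network on a separate internal range.
HONEYPOT = ipaddress.ip_address("192.0.2.10")
PRODUCTION = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

def evaluate(flows):
    """Return (verdicts, alerts) for first packets of flows, in arrival order."""
    established = set()  # (peer, peer_port, honeypot_port) opened from outside
    verdicts, alerts = [], []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if dst == HONEYPOT:
            # Every public inbound connection is let in and remembered.
            established.add((src, f.sport, f.dport))
            verdicts.append("ALLOW")
        elif src == HONEYPOT and (dst, f.dport, f.sport) in established:
            # Reply on a session the visitor opened: needed to stay believable.
            verdicts.append("ALLOW")
        elif src == HONEYPOT:
            # The honeypot itself is dialling out: block it and tell someone.
            verdicts.append("DROP")
            level = "CRITICAL" if dst in PRODUCTION else "HIGH"
            alerts.append(f"{level}: honeypot initiated {f.dst}:{f.dport}")
        else:
            verdicts.append("IGNORE")  # traffic that does not involve the honeypot
    return verdicts, alerts

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Flow("203.0.113.5", 40000, "192.0.2.10", 21),     # inbound FTP connection
    Flow("192.0.2.10", 21, "203.0.113.5", 40000),     # reply on that session
    Flow("192.0.2.10", 51000, "198.51.100.7", 6667),  # new outbound to Internet
    Flow("192.0.2.10", 51001, "10.1.2.3", 445),       # new outbound to production
]

if __name__ == "__main__":
    verdicts, alerts = evaluate(SAMPLE)
    for verdict, flow in zip(verdicts, SAMPLE):
        print(verdict, flow)
    print(*alerts, sep="\n")
```

An outbound connection the honeypot opens on its own is the strongest sign that it has been taken over, which is why that branch both drops and alerts.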

Demilitarized Zone!!
• The honeypot should be set up in this area, for security from the internal network, but also to “entice” the hacker.
• Must have the configuration of a working network.

Configurations such as the one below are a good visual aid for prospective network managers configuring their honeypot for efficient results.

• There are mainly two types of Honeypots:
  - Production Honeypots
  - Research Honeypots
• Production Honeypots: These are easy to use, capture only limited information and are used primarily by companies. These Honeypots are easier to deploy and give less information about the attackers than Research Honeypots do.
• Research Honeypots: They are mainly used by non-profit research organizations or educational institutions to gather information about the motives and tactics of the Blackhat community targeting different networks.

• There are again two types of Honeypots (Involvement):
  - High Interaction Honeypots
  - Low Interaction Honeypots
• High Interaction Honeypots: Honeypots installed on complex architectures with complex functions are based on high interaction systems. Honeynets and decoy servers are good examples of High Interaction Honeypots.
• Low Interaction Honeypots: They are useful when the maintainers are not able to guarantee that the process will be excluded from the rest of the network activities during the attack. Honeyd and Specter are good examples of Low Interaction Honeypots.

• Honeynets are complex architectures made up of various types of Honeypots.
• A Honeynet is a network of Honeypots simulating a production environment.
• Data Control: Mechanism for containing attacker activities within the Honeynet, without attackers realizing it.
• Data Capture: Logging of attackers’ activities without the attackers’ knowledge.

• Honeyd is an open source computer program that can create virtual hosts (Honeypots) on a computer network.
• Honeyd allows the user an infinite number of computer network configurations.
• It acts as a distraction to potential hackers.

• Depending on the objective of the honeypot system, research or production.
• Any use of the data acquired must be legal.
• The setup of the website topology/browser must comply with legal requirements.
• It can “entice” but not “entrap” potential subjects.
• Malicious intent must not be coerced!!

Not the movie, but the action of misleading!
• The information on the web must not trick subjects into thinking that there is something to be had publicly.
• Not only will this evidence not hold up in court as plaintiff material, it can backfire and lead to a countersuit against the respective Honeypot owners.

Send-Safe Honeypot Hunter.
Why???
• HPs hurt spammers.
• HPs are detectable: TCP sequence analysis, ARP request analysis.
What does the Anti-HP do???
• It tests the open proxy connections and labels them as Good, Bad or Traps.
• Hackers can open a false mail server at port 25 (proxy test), connect to this port, and attempt to proxy back to their own false mail server.
• The HP may suggest a connection, but if the hacker does not get any valid connection he can correctly assume it may be an HP.
More anti-HPs to come!!!

• Current HPs aren't the solution: they are detectable.
• Must evolve with the hacker environment.
• Can be poisoned or attacked by hackers.
• If compromised, addresses can be made public.
• Some Honeyds have fixed response messages that, if not changed by network administrators, can prove counterproductive.

• Narrow field of view: They can only see activities directed towards them.
• Fingerprinting: This is when an attacker can identify the true identity of Honeypots.
• Risk: Once Honeypots are attacked, they can be used to attack or harm other systems.

• From misunderstanding to acceptance.
• Improving ease of use.
• Easier administration.
• Pre-packaged solution.
