
List:       focus-ids
Subject:    RE: Effectiveness of a Honey pot
From:       Jeff Smith <JSmith () Dentrix ! com>
Date:       2001-08-29 0:01:09

  Sorry but I was a bit confused by your post.  First you said that your
honeypot does not respond to services (It does not respond to any service
sent to it.  This includes pings, snmp, and what ever else.  The only way is
ssh from a designated machine that is inside our firewall.) but then you go
on to say (I have the ability to decide which services, I want to be
available on the server.) These seem like contradictory statements to me.  I
am not trying to attack you but to learn from you.
  I see honeypots as a learning device.  I can assume certain things when I
use a honeypot.  1) All traffic to the honeypot is malicious.  I can assume
this because I did not advertise that the machine even exists. 2) All traffic
initiated by this machine is a result of a misconfiguration on my part or a
compromise.  I can then use this limited information to find potential
attackers.  If host X has scanned my honeypot then I can be pretty safe to
say the attacker has or will scan my production machine and drop the route.
If the honeypot starts doing irregular traffic I know it has been compromised
and can use the logs to find out why and fix it on my production machines.
I can also use the honeypot to learn attack techniques and subculture to a
degree.
  I use honeypots for certain things.  I have a "windows" (Actually a hacked
up Linux box) that looks like a machine that has payroll information.
Fairly simple to break into, but it still requires a bit of skill.  This way
I can see who on the inside is snooping around.  I can also to a degree see
the skill level, malicious intent, and morality (I have had employees tell
me there is an insecure machine on the network and offered to help repair
it) of the employee.
  My biggest complaint with honeypots is that by installing a honeypot I
have one more machine running programs.  This machine is also attached to a
hostile environment.  Even though it is very unlikely, the honeypot software
may have exploits (buffer problems, DOS, etc).
  Like I said earlier I did not want this to be an attack on anyone.  I want
to understand the "why's" of honeypots/IDS/Analyzers.  Wasn't the reason
Mitnick was caught because of a honeypot set up by Tsutomu Shimomura?
Also, wasn't it after Mr. Mitnick entered the honeypot that he launched a
successful attack against Tsutomu Shimomura's legit network?

Jeff Smith
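The two assumptions above (anything reaching the honeypot other than the designated admin host is a probe; anything the honeypot initiates is a misconfiguration or a compromise) are simple enough to turn into log triage. The following is an added example, not code from anyone in this thread; the honeypot addresses, the admin host and the netfilter-style firewall log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the thread): two honeypot addresses in the
# DMZ, the one inside host allowed to reach them over SSH, and a few
# iptables-style firewall log lines.
HONEYPOTS = {"10.0.5.20", "10.0.5.21"}
ADMIN_HOSTS = {"10.0.5.1"}
SAMPLE_LOG = """\
Aug 28 23:10:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.5.20 PROTO=TCP SPT=4433 DPT=22
Aug 28 23:10:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.5.21 PROTO=TCP SPT=4434 DPT=80
Aug 28 23:10:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.5.30 PROTO=TCP SPT=5000 DPT=80
Aug 28 23:11:30 fw kernel: IN=eth1 OUT= SRC=10.0.5.1 DST=10.0.5.20 PROTO=TCP SPT=51022 DPT=22
Aug 28 23:12:07 fw kernel: IN=eth0 OUT= SRC=10.0.5.20 DST=192.0.2.77 PROTO=TCP SPT=33000 DPT=6667
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Turn the KEY=value pairs of a netfilter log line into a dict."""
    return dict(FIELD_RE.findall(line))


def triage(log_text, honeypots=HONEYPOTS, admin_hosts=ADMIN_HOSTS):
    """Apply the post's two assumptions to every log line.
    1) A connection to a honeypot from anything but the admin host is a probe.
    2) A connection the honeypot itself starts means misconfiguration or compromise.
    Traffic that never touches a honeypot is ignored here; the IDS handles it."""
    probes = defaultdict(set)        # probing source -> {(honeypot, dport)}
    compromised = defaultdict(list)  # honeypot -> outbound connections it started
    for line in log_text.splitlines():
        fields = parse_line(line)
        src, dst = fields.get("SRC"), fields.get("DST")
        if not src or not dst:
            continue
        if dst in honeypots and src not in admin_hosts:
            probes[src].add((dst, fields.get("DPT", "")))
        elif src in honeypots and dst not in admin_hosts:
            compromised[src].append((dst, fields.get("DPT", "")))
    return {"probes": dict(probes), "compromised": dict(compromised)}


def route_drop_candidates(result):
    """Sources that scanned a honeypot: the post's policy is to drop their route
    before they get to the production machines."""
    return sorted(result["probes"])
```

Running `triage(SAMPLE_LOG)` flags 203.0.113.9 as a probing source (it touched both honeypots) and 10.0.5.20 as compromised because of its outbound connection to port 6667; the admin SSH session and the connection to the non-honeypot 10.0.5.30 are ignored.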

-----Original Message-----
From: Steven Chansky [mailto:Steven.Chansky@tasc.dot.gov]
Sent: Monday, August 27, 2001 7:06 AM
To: Lance Spitzner; matheny
Cc: focus-ids@securityfocus.com
Subject: RE: Effectiveness of a Honey pot


I agree with Lance's point of view.  I am the administrator of a commercial
honey pot product.  Being an administrator I have dealt with various issues
over the course of the last 1 1/2 years.

First, my honey pot cannot be hacked or cracked.  It does not respond to any
service sent to it.  This includes pings, snmp, and what ever else.  The
only way is ssh from a designated machine that is inside our firewall.  

Second, no one, even a hacker, can distinguish the honey pot machines from
the real machines in our dmz.  In fact the users on site do not even know
that my honey pots exist.  From the web, they look like any other machines.
I have 4 different virtual operating systems on my honey pot.  This
includes, x86 Redhat Linux 5.0 and 5.1, Solaris 2.5.1 and 2.6, Windows NT
4.0, and SunOS 4.1.4.
In addition, I have the ability to decide which services I want to be
available on the server.  I have checked these services by using nmap and
they do show what I want.

Thirdly, we have a honey pot spread out in our dmz subnet and we have a honey
pot on the inside subnet to catch any one internal who wants to snoop
around.

Fourth, the honey pot is a tool that is used in addition to our ids's.
Since my honeypot's virtual ip addresses are spread throughout our 254
addresses in our dmz, it is very easy to detect when some one is trying to
either hack, crack, or probe our dmz.  The honey pot just sits there
capturing all data.  It is very useful for verifying attacks.  I use the
captured information to correlate events with my ids's and with the firewall
logs.  In addition, we have this honey pot set up to send an email anytime
there is activity to my email and it pages me also.

But the real bottom line is that a honey pot is extremely useful.  Only
people that do not have a honey pot would say that it is not useful.

Steve Chansky
Network Security Engineer
U.S. Department of Transportation
DOT/TASC
Washington, D.C.



-----Original Message-----
From: Lance Spitzner [mailto:lance@honeynet.org]
Sent: Sunday, August 26, 2001 11:54 PM
To: matheny
Cc: focus-ids@securityfocus.com
Subject: Re: Effectiveness of a Honeypot


On Sun, 26 Aug 2001, matheny wrote:

> Has anyone done an analysis on the effectiveness of a honeypot? I checked
> out the honeynet project, but they didn't have anything like what I was
> looking for. The reason I bring it up is, it seems that a honeypot would be
> almost completely useless. My thinking behind this is a.) script kiddies
> generally go after machines that are exploitable, and don't necessarily care
> about an interesting target so this probably won't divert them from
> attacking and b.) your experienced hackers will probably realize this is a
> honeypot (maybe, maybe not, but this has been my experience). So neither of
> these people are being diverted by the honeypot. Anyone have any positive or
> negative experiences with honeypots in the real world?

Matheny,

Excellent questions.  Here are some personal thoughts of mine that might help.
I feel the biggest misconception about honeypots is that people often disagree
on if they work or not, without even first deciding what it is they want to
achieve.  I believe honeypots are not a solution, they are a tool.  Before you
discuss the effectiveness of honeypots, you need to decide what you intend to
achieve with that tool.  For example, here is a simple breakdown of how
honeypots can be used; it's up to you to decide what is the best honeypot and
its effectiveness.

Using the Bruce Schneier breakdown of security (prevention, detection,
and reaction), I feel honeypots can and cannot add value to security as
follows.

PREVENTION:
-----------
Personally, I feel that honeypots contribute little to prevention.  You are
much better off disabling services, patching systems, and checking passwords.
Yes, the bad guy may be diverted to attack your honeypots, but he is probably
also attacking your production systems at the same time (for example,
Worms).  In my opinion, not worth the investment.

DETECTION:
----------
I feel this is where honeypots can excel in a production environment.  IDS
sensors can become overwhelmed with False Positives, and miss the False
Negatives.  Honeypots (if used properly) can reduce both False Positives and
False Negatives, improving your detection capabilities.  However, they can
also introduce more risk.

REACTION:
---------
Honeypots can add value to reaction.  Often when a system has been compromised,
it is so polluted with system and user activity it can be difficult determining
what happened.  If a honeypot is compromised, it is far easier to analyze and
determine what happened and when.  The lessons learned can then be applied to
your production environment. For example, Ryan Russell of securityfocus.com
used a honeypot to capture and analyze the Code Red v2 Worm; incidents.org has
also used the same approach.  Once again, the honeypot may introduce more
risk or require more resources than the return.


RESEARCH:
---------
There is one other field that I see honeypots adding value, and that is
research.  Honeypots can be used to learn the tools, tactics, and motives
of the bad guys.  Blackhats can be a difficult community to learn about
and understand.  Honeypots can be used to gain that intelligence.  This is
the goal of the Honeynet Project, which I feel has demonstrated the research
potential of honeypots.  However, research honeypots require an enormous amount
of time and resources.  Most organizations are far better off investing their
time and effort in securing their existing organization.


THE MORAL:
----------
So, the moral of the story is, before you ask if honeypots are effective,
ask what it is you are trying to achieve :)

lance

PS, I'm hoping to finish a paper on these concepts soon, in my copious
free time :)
