Seeing the forum title, it got me thinking... and well, what are honeypots? And, are they any better than firewalls?
A computer set up to lure an attacker toward it rather than the key systems on a network. I'm sure someone will expand on it but that's what a honeypot is basically.
msmittens in this thread: http://www.antionline.com/showthread...hreadid=240611
Quote:
Well if you really want I can send you my powerpoint on Honeypots. I just taught that a couple of weeks ago.
Basically, honeypots or honeynets are computers or networks set up to attract activity to them. The reasoning for attracting the activity varies: sometimes it's to encourage attackers to stay away from the "goodies", sometimes it's for an EWS, sometimes it's for research. The reasoning why usually will determine the complexity of the honeypot.
Low interaction honeypots like Back Officer Friendly are more for the detect and EWS concept. They give little to no interaction with the attacker. They also have the lowest risk.
Medium interaction honeypots have some interaction but tend to be limited. Often, they incorporate "jailed" environments where attackers can only do so many things. They have some risk. Sometimes they are used to detect attacks before they happen.
The last one has the highest risk and is the cheapest but most difficult to set up. High interaction is usually when you set up a full system live on the internet. You also get the greatest research value out of it.
The Honey Net Project is a good place to learn. Additionally, Lance Spitzner's Honeypots is a good and straightforward read about the art of Honeypots.
Obviously, one issue that has yet to be resolved is that of "entrapment". I do not think as of yet that Honeypots have been tested in a court of law.
Hope that helps.
Hint: Google
So they're not "better than firewalls" because they don't serve the same purpose as a firewall.
Quote:
A host or network with known vulnerabilities deliberately exposed to a public network. Honeypots are useful in studying attackers' behavior and also in drawing attention away from other potential targets.
http://www.nwfusion.com/techinsider/...security2.html
Check out the Honeynet Project. They have some good info on their site as well as a live Linux CD that serves as a honeypot.
-edit-
Wow, I'm a slow poster :)
If you could post that powerpoint up, I'd quite fancy a read of it?
Cheers
Andy
"entrapment is where a police officer or other law enforcement officer induces a person to commit a crime that the person wouldn’t have committed otherwise for the purpose of bringing a criminal prosecution against that person"
- http://www.legal-definitions.com/entrapment.htm
(Not the best legal site, but good plain English answers.)
Clearly this wouldn't be an issue with honeypots unless the cop was telling the attacker to break into the system. Merely having an insecure system does not qualify as inducing the attack.
cheers,
catch
Ya. I did once make the mistake of the entrapment issue. It's not as much of an issue really unless you're working with the police or for the police. Then it'd probably get into grey areas. I also wonder what the SuperDMCA laws would think of a honeypot if it was tested in court.
That said, Lance Spitzner, the King of Honeypot Knowledge IMO, did identify 3 areas of concern for honeypots.
Entrapment: can be an issue for some but for many not.
Liability: this is an obvious one since there is always a risk, particularly if you use a high-interactive, home-built honeypot, that it could be completely owned and then used for attacks elsewhere. The company potentially becomes liable for actions that it was used for.
Privacy: Now this is one that I think will take a court case to settle. Spitzner says "either in the files placed on compromised systems by intruders and the interception of communication (usually IRC) relayed through Honeynets." It's an interesting twist (although with the Patriot Act, this may make this all rather moot since there is a lack of privacy specifically for the US but other countries may be different).
edit
I've added my Honeypot Presentation. Keep in mind this is a general presentation, not a HOW TO. How tos are why Google exists! :D (plus this is taught in a class where students do the research on the HOW TO).
That privacy thing got me thinking.........
What happens if I put banners all over the place?
"This is a monitored system. Any and all actions will be logged".
This won't stop an attacker but I think it'll hold up in court against any "privacy" issues.
But then again IANAL.
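To make the low-interaction / EWS idea from msmittens' post concrete, and to show where a login banner like the one above would sit, here is a minimal low-interaction honeypot listener. This is an added example written for this thread, not code from the Honeynet Project or any poster; the port, banner wording and log format are assumptions.

```python
import json
import socket
import time

# Constructed example: a low-interaction honeypot. It offers no real service,
# only prints a monitoring banner, records the first thing the client sends
# and hangs up. Nothing legitimate should ever connect, so every record is an
# early-warning event rather than something to sift for false positives.
BANNER = b"This is a monitored system. Any and all actions will be logged.\r\n"

def handle_client(conn, addr, read_timeout=5.0, max_bytes=256):
    """Serve one connection and return a log record for it."""
    conn.settimeout(read_timeout)
    payload = b""
    try:
        conn.sendall(BANNER)
        payload = conn.recv(max_bytes)      # capture only the opening bytes
    except (socket.timeout, OSError):
        pass                                # silent scanners still get logged
    finally:
        conn.close()
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": addr[0],
        "src_port": addr[1],
        "bytes": len(payload),
        "first_line": payload.split(b"\r\n", 1)[0].decode("latin-1", "replace"),
    }

def simulate(client_bytes, addr, read_timeout=1.0):
    """Offline check: drive handle_client over a socketpair instead of the net."""
    srv_side, cli_side = socket.socketpair()
    cli_side.sendall(client_bytes)
    event = handle_client(srv_side, addr, read_timeout=read_timeout)
    banner_seen = cli_side.recv(1024)
    cli_side.close()
    return event, banner_seen

def serve(bind="0.0.0.0", port=2323, log_path="honeypot.jsonl"):
    """Accept loop writing one JSON line per connection; run it in a throwaway VM."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(8)
        while True:
            conn, addr = srv.accept()
            with open(log_path, "a") as fh:
                fh.write(json.dumps(handle_client(conn, addr)) + "\n")

if __name__ == "__main__":
    serve()
```

Because the listener never executes anything the client sends, it sits at the "little to no interaction, lowest risk" end of the scale; the liability concerns raised later in the thread apply to the high-interaction case, not to this.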
Theoretically yes. But AFAIK, honeypots have never been tested in courts. I suspect that most use it for research or EWS rather than for evidence in court proceedings and such.
Quote:
This won't stop an attacker but I think it'll hold up in court against any "privacy" issues.
Have login banners been tested in court? In theory they have since if I'm not mistaken it's a US Government requirement that all login banners spew out the classic "it is punishable by law to obtain unauthorized access to this system" etc.