Hi,
Just in the middle of writing up my final year project on Honeypots.
But, I'm struggling with explaining the difference between an IDS and a Honeypot.... can someone help me out?
Preferably, something I can reference.
Thanks
Hi Rude,
I cannot give you references right now, I would need to check another couple of my boxes.
At a high level overview:
1. An IDS is just what it says: Intrusion Detection System. You are looking for unusual and (presumably) unauthorised attempts to ingress and possibly egress (with valuable data) your systems.
2. A "honeypot" is a term derived from old fashioned methods of disposing of unwanted flying insects. Wasps, flies and such (Hornets and bees are excluded, but might be inadvertently caught if you design and execute inadequately)
You set up a system that looks like a "real" vulnerable system, and monitor the attack volumes, vectors and so on.
You may use similar analytical tools, but the IDS is designed to protect and monitor a live production environment, whereas the honeypot is intended to draw them in. :)
Thanks for the reply Nihil,
So, I could say that the machine I have set up (XP with KF Sensor) is an Intrusion Detection System by the fact that it logs all activity, and the Honeypot aspect of it is the "vulnerable" system which is luring them in?
Assuming I'm right, I just gotta find a clever way of wording it and find some decent references distinguishing between the two - all the ones I've read so far don't really distinguish between them as well as I'd hoped.
Kind Regards
Well, I have a question: How do they setup a honeypot?
I assume that it must be on the same network on which the original production system is running. This must make the intruders think that they are attacking the main system or network. Now when this is done, there must be some sort of protection installed (maybe using a firewall) which must block those attacks which come to the original system/network.
What sort of set up would prevent this type of attacks?
Hi Rude,
You are basically correct. This is a simple definition of an IDS:
http://en.wikipedia.org/wiki/Intrusion-detection_system
Basically it is a tool for monitoring and reporting systems activity for things that are unauthorised, unusual and so forth. In a way, systems logs can be used for this purpose but they generally contain rather too much detail.
A decent IDS tool will parse the basic "activity log" type data and selectively report items that might be indicative of an intrusion.
Remember that intrusions can occur over the intranet in larger organisations... they are not purely internet phenomena. An organisation faces the same regulatory compliance requirements in respect of unauthorised employees as it does in respect of outsiders.
A "honeypot" is a decoy system set up with deliberate weaknesses and a high profile to attract attacks for the purpose of analysis. It does not mandate an IDS, as the activity logs could be used.
An IDS is a defense, a honeypot is not.
An IDS will never get you charged with "entrapment", a honeypot might.
And NO, you do not set up a honeypot on a production system/network... that would be foolish in the extreme. ;)
EDIT: These links might be of interest:
http://www.activeworx.org/Default.aspx?tabid=61
http://www.ukhoneynet.org/tools/honeysnap/
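As an added illustration of the distinction Nihil draws above (this is example code written for this thread, not code from the thread, from KF Sensor or from the tools linked): a toy IDS rule that filters a constructed activity log for one pattern worth reporting, beside a honeypot-style record that keeps every contact because a decoy has no legitimate traffic. The log lines, addresses and the threshold are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample "activity log" lines for the demonstration; they are not
# from the thread. The first two hosts are normal users, the last is probing logins.
SAMPLE_LOG = """\
2009-03-01 10:00:01 sshd accepted password for alice from 10.0.0.5
2009-03-01 10:00:07 httpd GET /index.html 200 from 10.0.0.9
2009-03-01 10:01:12 sshd failed password for root from 192.0.2.44
2009-03-01 10:01:13 sshd failed password for root from 192.0.2.44
2009-03-01 10:01:14 sshd failed password for admin from 192.0.2.44
2009-03-01 10:01:15 sshd failed password for root from 192.0.2.44
2009-03-01 10:02:30 httpd GET /about.html 200 from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<svc>\S+) (?P<msg>.*) from (?P<src>[\d.]+)$"
)


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def ids_alerts(text, threshold=3):
    """IDS view: a production host carries legitimate traffic, so the tool
    must filter. The only rule here is 'threshold or more failed logins from
    one source'. Alerts come after the fact, from events already logged."""
    failures = Counter(
        e["src"] for e in parse_log(text) if "failed password" in e["msg"]
    )
    return sorted((src, n) for src, n in failures.items() if n >= threshold)


def honeypot_record(text):
    """Honeypot view: a decoy has no legitimate users, so every contact is
    worth keeping. No signature or threshold, just all activity per source."""
    return dict(Counter(e["src"] for e in parse_log(text)))


if __name__ == "__main__":
    print("IDS alerts:", ids_alerts(SAMPLE_LOG))
    print("Honeypot record:", honeypot_record(SAMPLE_LOG))
```

The IDS function reports only the one source that tripped the rule, while the honeypot record keeps the quiet hosts too, which is why on a real decoy even a single connection is analysis material.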
Quote:
An IDS is a defense, a honeypot is not.
This is inaccurate. A passive device such as an IDS is an alerting tool, not a defense mechanism. It alerts you *after* an event has happened, it does not defend against the actual event.
Honeypots are research tools, IDS devices are alerting tools.
--TH13
Thanks Nihil and thehorse13,
I think I got it sorted now, with appropriate references.:)
Now coming up to the long bit of having to get my results documented.:(
Good point, particularly as Rude is writing an academic paper, so precise definitions are important.
To provide real time protection the system would have to be preventative. So I guess it would be an IPS rather than an IDS?
It is a sign of the times I think, security products are becoming hybridised? like not so long ago you would talk about "Norton AV", "McAfee AV" and so on. Today they are all trying to market "security suites" with all sorts of stuff included.
Rude, please use --TH13's definition, it is the technically correct one... I am afraid I am getting corrupted by my environment and starting to talk like an "oik" :D
Well can someone tell the answer to my question? (some posts above)?
Quote:
Originally Posted by jockey0109
Well, from what I have read, a company can set it up where they like, but it is usually within a DMZ on their network, as a hacker would find that before their secured network... that's when they want to distract a hacker from their real systems and resources.
However, if they wanted a true analysis of their actual network, then they could place it within the normal LAN.
As you have probably already gathered, I'm no expert, so probably totally wrong, lol.
Kind Regards