Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: IDS & Honeypot - Differences?

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    5

    IDS & Honeypot - Differences?

    Hi,

    Just in the middle of writing up my final year project on Honeypots.

    But, I'm struggling with explaining the difference between an IDS and a Honeypot.... can someone help me out?

    Preferably, something I can reference.

    Thanks

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Rude,

    I cannot give you references right now, I would need to check another couple of my boxes.

    At a high level overview:

    1. An IDS is just what it says: Intrusion Detection System. You are looking for unusual and (presumably) unauthorised attempts to ingress and possibly egress (with valuable data) your systems.

    2. A "honeypot" is a term derived from old fashioned methods of disposing of unwanted flying insects. Wasps, flies and such (Hornets and bees are excluded, but might be inadvertently caught if you design and execute inadequately)

    You set up a system that looks like a "real" vulnerable system, and monitor the attack volumes, vectors and so on.

    You may use similar analytical tools, but the IDS is designed to protect and monitor a live production environment, whereas the honeypot is intended to draw them in.

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    5
    Thanks for the reply Nihil,

    So, I could say that the machine I have setup (XP with KF Sensor), is an Intrusion Detection System by the fact that it logs all activity, and they Honeypot aspect of it is the "vulnerable" system which is luring them in?

    Assuming I'm right, I just gotta find a clever way of wording it and find some decent references distinguishing between the two - all the ones I've read so far don't really distinguish between them as well as I'd hoped.

    Kind Regards

  4. #4
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Well, I have a question: How do they setup a honeypot?

    I assume that it must be on the same network on which the original production system is running. This must make the intruders think that they are attacking the main system or network. Now when this is done, there must be some sort of protection installed (may be using firewall) which must block those attacks which come to the orginal system/network.

    What sort of set up would prevent this type of attacks?
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Rude,

    You are basically correct. This is a simple definition of an IDS:

    http://en.wikipedia.org/wiki/Intrusion-detection_system

    Basically it is a tool for monitoring and reporting systems activity for things that are unauthorised, unusual and so forth. In a way, systems logs can be used for this purpose but they generally contain rather too much detail.

    A decent IDS tool will parse the basic "activity log" type data and selectively report items that might be indicative of an intrusion.

    Remember that intrusions can occur over the intranet in larger organisations................they are not purely internet phenomena. An organisation faces the same regulatory compliance requirements in respect of unauthorised employees as it does in respect of outsiders.

    A "honeypot" is a decoy system set up with deliberate weaknesses and a high profile to attract attacks for the purpose of analysis. It does not mandate an IDS, as the activity logs could be used.

    An IDS is a defense, a honeypot is not.

    An IDS will never get you charged with "entrapment", a honeypot might.

    And NO, you do not set up a honeypot on a production system/network......... that would be foolish in the extreme.

    EDIT: These links might be of interest:
    http://www.activeworx.org/Default.aspx?tabid=61
    http://www.ukhoneynet.org/tools/honeysnap/
    Last edited by nihil; April 15th, 2007 at 12:56 PM.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    An IDS is a defense, a honeypot is not.
    This is inaccurate. A passive device such as an IDS is an alerting tool, not a defense mechanism. It alerts you *after* an event has happened, it does not defend against the actual event.

    Honeypots are research tools, IDS devices are alerting tools.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    5
    Thanks Nihil and thehorse13,

    I think I got it sorted now, with appropriate references.

    Now coming up to the long bit of having to get my results documented.

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Good point, particularly as Rude is writing an academic paper, so precise definitions are important.

    To provide real time protection the system would have to be preventative. So I guess it would be an IPS rather than an IDS?

    It is a sign of the times I think, security products are becoming hybridised? like not so long ago you would talk about "Norton AV", "McAfee AV" and so on. Today they are all trying to market "security suites" with all sorts of stuff included.

    Rude, please use --TH13's definition, it is the technically correct one............ I am afraid I am getting corrupted by my environment and starting to talk like an "oik"

  9. #9
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Well can someone tell the answer to my question? (some posts above)?
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    5
    Quote Originally Posted by jockey0109
    Well, I have a question: How do they setup a honeypot?

    I assume that it must be on the same network on which the original production system is running. This must make the intruders think that they are attacking the main system or network. Now when this is done, there must be some sort of protection installed (may be using firewall) which must block those attacks which come to the orginal system/network.

    What sort of set up would prevent this type of attacks?
    Well, from what I have read, a company can set it up where they like, but it is usually within a DMZ on their network, as a hacker would find that before their secured network... that's when they want to distract a hacker from their real systems and resources.

    However, if they wanted a true analysis of their actual network, then they could place it within the normal LAN.

    As you have probably already gathered, I'm no expert, so probably totally wrong, lol.

    Kind Regards

Similar Threads

  1. Custom Web Based Honeypots with GHH
    By Soda_Popinsky in forum The Security Tutorials Forum
    Replies: 1
    Last Post: November 12th, 2008, 10:42 PM
  2. SMTP Relay Honeypot Tutorial
    By Soda_Popinsky in forum The Security Tutorials Forum
    Replies: 18
    Last Post: December 6th, 2005, 10:18 AM
  3. A General Honeypot Tutorial
    By alphabetarian in forum The Security Tutorials Forum
    Replies: 8
    Last Post: December 5th, 2005, 04:44 AM
  4. Advanced Web Based Honeypot Techniques
    By Soda_Popinsky in forum The Security Tutorials Forum
    Replies: 7
    Last Post: August 2nd, 2005, 04:39 PM
  5. Watching Hacker Attack Using Honeypot
    By sweet_angel in forum Firewall & Honeypot Discussions
    Replies: 9
    Last Post: January 23rd, 2003, 10:30 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •