An Introduction to Honeypots
J. Scott Christianson
Experience/Education
– Worked for a consortium of schools for eight years
– Own and operate Kaleidoscope Consulting
– Firewall installation
– Network design
– M.A., Educational Technology, The George Washington University
Certifications
– CISSP
– SANS GIAC
– MCSE
– Cisco CNA 1.0, 2.0
– CVE
– NACSE Senior Network Specialist
– Sonicwall SCSA
– Network+, etc.
Today's Session
– What is a Honeypot?
– Types of Honeypots
– Honeypot Deployment
– Demonstration
– Legal Issues
– Resources
Honeypot Defined
“A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information.”
--Lance Spitzner
“Intrusion Deception Systems”
Honeypot Uses
Research
– Discover new attacks
– Understand the blackhat community and their attacks
– Build better defenses against security threats
Production
– Distraction (draw attackers away from production systems)
– Detect internal threats: "Policy/Law Enforcement"
– Security assessment (a probed or compromised honeypot shows what the surrounding network defenses actually let through)
Honeypot Characteristics
Since honeypots are not normally used by the organization, they will only be accessed by "intruders": any connection to a honeypot is suspicious by definition, so there is almost no false-positive noise to sift through.
Honeypots collect very little data, and what they do collect is normally of high value.
Honeypots all share one huge drawback: they are worthless if no one attacks them.
Honeypots can introduce risk to your environment; a compromised honeypot is a foothold inside your network and can be turned against other systems.
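The first two characteristics above, as an added example that is not from the presentation: because a honeypot has no production role, picking its traffic out of a firewall log is a trivial filter, and what survives the filter is a short, high-value list of hosts to investigate. The log format, the honeypot addresses and the internal range are all constructed for this example.

```python
"""Added example (not from the presentation): triage of firewall log lines
for traffic aimed at honeypot addresses. The log lines, the honeypot
addresses and the "internal" range are constructed for the example."""
import re
from collections import defaultdict

# Assumed: addresses of the honeypots on the monitored network (constructed).
HONEYPOTS = {"10.0.0.50", "10.0.0.51"}

# Constructed log lines in an iptables-style format (not real captures).
# 10.0.0.7 is a production host; .50 and .51 are the honeypots.
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 SRC=10.0.0.23 DST=10.0.0.7 PROTO=TCP SPT=51234 DPT=443
Jan 10 03:12:05 fw kernel: IN=eth0 SRC=10.0.0.23 DST=10.0.0.50 PROTO=TCP SPT=51240 DPT=22
Jan 10 03:12:05 fw kernel: IN=eth0 SRC=10.0.0.23 DST=10.0.0.50 PROTO=TCP SPT=51241 DPT=23
Jan 10 03:12:06 fw kernel: IN=eth0 SRC=10.0.0.23 DST=10.0.0.50 PROTO=TCP SPT=51242 DPT=80
Jan 10 03:12:06 fw kernel: IN=eth0 SRC=10.0.0.23 DST=10.0.0.51 PROTO=TCP SPT=51243 DPT=22
Jan 10 03:13:40 fw kernel: IN=eth0 SRC=192.0.2.77 DST=10.0.0.7 PROTO=TCP SPT=40001 DPT=25
Jan 10 03:14:02 fw kernel: IN=eth0 SRC=192.0.2.77 DST=10.0.0.51 PROTO=TCP SPT=40002 DPT=445
Jan 10 03:15:00 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.7 PROTO=UDP SPT=5353 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def honeypot_hits(log_text, honeypots=HONEYPOTS):
    """Keep only the records whose destination is a honeypot, in log order.
    Nothing legitimate should ever appear here, so no further filtering
    (ports, rates, signatures) is needed to make the list worth reading."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["dst"] in honeypots:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per source address: which honeypots it touched and which ports it
    probed. Several honeypots or ports in a short window means a scan."""
    summary = defaultdict(lambda: {"targets": set(), "ports": set(), "count": 0})
    for rec in hits:
        s = summary[rec["src"]]
        s["targets"].add(rec["dst"])
        s["ports"].add(int(rec["dpt"]))
        s["count"] += 1
    return dict(summary)


def is_internal(addr):
    """Assumed internal range for this constructed network (10.0.0.0/8)."""
    return addr.startswith("10.")


def alerts(log_text):
    """One alert line per source that touched a honeypot. An internal source
    is a policy matter (the "detect internal threats" use on the slide)."""
    out = []
    for src, s in sorted(summarize(honeypot_hits(log_text)).items()):
        kind = "internal host" if is_internal(src) else "external host"
        out.append(f"ALERT {kind} {src} touched {len(s['targets'])} honeypot(s), "
                   f"{s['count']} connection(s), ports {sorted(s['ports'])}")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Run against the eight constructed lines, the filter discards the three production connections and reports two sources: the internal host 10.0.0.23 sweeping ports 22, 23 and 80 across both honeypots, and the external host 192.0.2.77 probing 445.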
Types of Honeypots
Honeypots are classified by the degree to which an attacker can interact with the operating system.
– The more an attacker can interact with a honeypot, the more information we can potentially gain from it; however, the more risk it most likely carries.
Types
– Low-Involvement Honeypot (emulates a few services; there is no real operating system to compromise)
– Mid-Involvement Honeypot
– High-Involvement Honeypot (a real operating system the attacker can fully compromise)
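The low-involvement type, as an added example (not code from the presentation or from any product it names): a tiny honeypot that emulates only a telnet login prompt. It runs no shell and grants no login; it sends a banner, collects the login and password the attacker types, records them, and refuses every attempt. The session logic is a state machine separate from the socket, so it can be exercised offline; serve() wraps it in a TCP listener. The banner, the port and the JSON log format are assumptions for the example.

```python
"""Added example (not from the presentation, not Specter): a minimal
low-involvement honeypot emulating a telnet login prompt. Banner, port
and log format are constructed for the example."""
import json
import socketserver
import time

BANNER = b"\r\ncorpfs1 login: "  # assumed fake banner (constructed)
MAX_ATTEMPTS = 3                  # real telnetd drops you after a few tries


class FakeTelnetSession:
    """State machine for one connection. feed() takes received bytes and
    returns the bytes to send back; events records every credential pair
    tried. Nothing here executes attacker input, which is what keeps the
    risk of a low-involvement honeypot low."""

    def __init__(self, peer, clock=time.time):
        self.peer = peer          # attacker's address, for the log
        self.clock = clock        # injectable for testing
        self.state = "login"
        self.buf = b""
        self.user = None
        self.events = []
        self.attempts = 0

    def greeting(self):
        return BANNER

    def feed(self, data):
        """Buffer partial lines; act on each complete line."""
        self.buf += data
        out = b""
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            out += self._handle(line.rstrip(b"\r").decode("latin-1"))
        return out

    def _handle(self, line):
        if self.state == "login":
            self.user = line
            self.state = "password"
            return b"Password: "
        # password state: record the pair, always refuse
        self.attempts += 1
        self.events.append({
            "ts": self.clock(), "peer": self.peer,
            "user": self.user, "password": line,
        })
        self.state = "login"
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "closed"
            return b"\r\nLogin incorrect\r\nConnection closed.\r\n"
        return b"\r\nLogin incorrect\r\n\r\nlogin: "

    def done(self):
        return self.state == "closed"

    def log_lines(self):
        """One JSON record per attempt; ship these off the honeypot host."""
        return [json.dumps(e, sort_keys=True) for e in self.events]


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        session = FakeTelnetSession(self.client_address[0])
        self.request.sendall(session.greeting())
        while not session.done():
            data = self.request.recv(1024)
            if not data:
                break
            self.request.sendall(session.feed(data))
        for line in session.log_lines():
            print(line)  # stand-in for remote logging


def serve(host="0.0.0.0", port=2323):
    """Listen on an unprivileged port (assumed 2323); redirect TCP/23 to it
    with the firewall so the process never needs root."""
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The trade-off the slide describes is visible in the code: the emulation is cheap and safe, but an attacker who types anything other than a login gets a canned answer, so what you learn is limited to who connected and which credentials they tried.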
Honeypot Deployment
A honeypot can be a specialized program running on a hardened machine (BOF, Specter, Mantrap, etc.).
A honeypot can be an unpatched server, for example an IIS server with the default install.
– Use a firewall to protect the outside world from the honeypot: limit what it can connect out to, so a compromised honeypot cannot be used to attack other systems
– Hogwash (Snort-based IP scrubber)
http://hogwash.sourceforge.net/
Specter
Low/Mid interaction honeypot
– Runs on Microsoft OSs
– Specter can emulate one of 13 different operating systems
– As of version 6.02 the IP stack is not emulated, so IP fingerprinting tools are not fooled
– Custom fake password files and custom HTTP content
– Pricing: full version $899, Lite $599
– www.specter.com
Virtual Honeypots
– VMware ($299 from vmware.com)
– Host operating system is hardened
– Guest operating systems are the honeypots (unpatched OSs)
[Diagram: Internet -> hardened Host Operating System -> Guest OS / Guest OS / Guest OS (the honeypots)]
Honeynets
http://project.honeynet.org
An extension of a honeypot: a whole network of honeypots. The network topology provides many advantages over a standalone honeypot:
– Covert logging
– More points of attack for a blackhat
– Looks realistic from the outside
Issues Raised: Privacy
Electronic Communication Privacy Act (18 USC 2701-11)
Federal Wiretap Statute (Title III, 18 USC 2510-22)
The Pen/Trap Statute (18 USC § 3121-27)
Issues Raised: Entrapment
Entrapment is a defense used only by a defendant to avoid conviction
– You cannot be held criminally liable for "entrapment"
– Applies only to law enforcement
– Even then, most legal authorities consider honeynets non-entrapment
Issues Raised: Liability
You may be liable if your honeynet system is used to attack or damage other non-honeynet systems.
– Decided at state level, not federal
– Civil issue, not criminal
Resources
http://www.spitzner.net/