Honeypots: Enhancing Network Security

Honeypots are computer systems that are intended to be attacked. They allow researchers to gather information about attackers' tools and methods. There are three levels of honeypots - low involvement only providing fake services, mid involvement with more sophisticated fake programs, and high involvement using a real operating system. High involvement honeypots provide the most useful information but also the highest risk. Honeypots can be placed in different network locations like in front of the firewall, in the DMZ, or behind the firewall on the internal network, with different tradeoffs in visibility and security.

Uploaded by Prathyusha Kolla

HONEYPOTS FOR NETWORK SECURITY

Abstract

Honeypots are an exciting new technology. They allow us to turn the tables on the bad guys.
In the past several years there has been growing interest in exactly what this technology is
and how it works. A honeypot is used in the area of computer and Internet security. It is a
resource which is intended to be attacked and compromised in order to gain more information
about the attacker and the tools used. One goal of this paper is to show the possibilities of
honeypots and their use in research as well as in productive environments. Compared to an
intrusion detection system, honeypots have the big advantage that they do not generate false
alerts, as all observed traffic is suspicious because no productive components are running on
the system.
1. Introduction

Global communication is getting more important every day. At the same time, computer
crime is increasing. Countermeasures are developed to detect or prevent attacks; most of these
measures are based on known facts and known attack patterns. As in the military, it is important
to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he
is aiming for. Gathering this kind of information is not easy but important. By knowing attack
strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering as
much information as possible is one main goal of a honeypot.

A honeypot is primarily an instrument for information gathering and learning.
Its primary purpose is not to be an ambush for the black hat community, to catch them in action
and to press charges against them. The focus lies on the silent collection of as much information
as possible about their attack patterns, the programs they use, the purpose of the attack and the
black hat community itself. All this information is used to learn more about the black hat
community's proceedings and motives as well as their technical knowledge and abilities. This is
just the primary purpose of a honeypot. There are a lot of other possibilities for a honeypot:
diverting hackers from productive systems or catching a hacker while conducting an attack are
just two possible examples.

Honeypots are not the perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain and they need good knowledge about operating
systems and network security. In the right hands a honeypot is an effective tool for
information gathering. In the wrong, inexperienced hands, a honeypot can become another
infiltrated machine and an instrument for the black hat community.

2. Honey pot basics

A honeypot is a resource whose value lies in being attacked and compromised. This
means that a honeypot is expected to get probed, attacked and potentially exploited.
Honeypots do not fix anything. They provide us with additional, valuable information.

A honeypot is a resource which pretends to be a real target. A honeypot is expected to be
attacked or compromised. The main goals are the distraction of an attacker and the gain of
information about the attack and the attacker.

Value of honeypots:

There are two categories of honeypots.

- Production honeypots
- Research honeypots

A production honeypot is used to help mitigate risk in an organization, while the
second category is meant to gather as much information as possible. Research honeypots do not
add any direct security value to an organization, but they can help to understand the blackhat
community and their attacks as well as to build better defenses against security threats.
A properly constructed honeypot is put on a network which closely monitors the traffic to
and from the honeypot. This data can be used for a variety of purposes.

- Forensics: analyzing new attacks and exploits
- Trend analysis: look for changes over time in the types of attacks, techniques, etc.
- Identification: track the bad guys back to their home machines to figure out who
they are.
- Sociology: learn about the bad guys as a group by snooping on email, IRC traffic, etc.
which happens to traverse the honeypot.

In general, all traffic from and to a honeypot is unauthorized activity. All the data
that is collected by a honeypot is therefore interesting data. Data collected by the honeypot is
of high value, and can lead to better understanding and knowledge which in turn can help to
increase overall network security. One can also argue that a honeypot can be used for
prevention, because it can deter attackers from attacking other systems by occupying them
long enough and binding their resources.

3. Concepts

3.1. Low-involvement honeypot

A low-involvement honeypot typically only provides certain fake services. In a basic form,
these services could be implemented by having a listener on a specific port.
In such a way, all incoming traffic can easily be recognized and stored. With such a simple
solution it is not possible to capture the communication of complex protocols. On a low-
involvement honeypot there is no real operating system that the attacker can operate on. This
minimizes the risk significantly because the complexity of an operating system is eliminated.
On the other hand, this is also a disadvantage: it is not possible to watch an attacker interacting
with an operating system, which could be really interesting. A low-involvement honeypot is like
a one-way connection. We only listen, we do not ask any questions.

3.2. Mid-involvement honeypot

A mid-involvement honeypot provides more to interact with but still does not
provide a real underlying operating system. The fake daemons are more sophisticated and
have deeper knowledge about the specific services they provide. At the same time, the
risk increases. The probability that an attacker can find a security hole or vulnerability grows
because the complexity of the honeypot is increasing.

Through the higher level of interaction, more complex attacks are possible and
can therefore be logged and analysed. The attacker gets a better illusion of a real operating
system. He has more possibilities to interact with and probe the system. Developing a mid-
involvement honeypot is complex and time consuming. Special care has to be taken with
security checks, as all developed fake daemons need to be as secure as possible.
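The difference between the two levels described in 3.1 and 3.2 can be shown in a few dozen lines. The listener below is an added example written for this page, not code from the paper. With the low-involvement responder it binds a port and only records what arrives, never answering (the one-way connection of 3.1). With the hypothetical FTP-like responder it becomes a mid-involvement fake daemon: it keeps a little state, replies the way a real server would, records login attempts and never grants access. The banner text, the responder functions, the capture cap and the probe helper are all assumptions made for the example.

```python
"""Low- and mid-involvement TCP honeypot listener (added example, not from the paper)."""
import socket
import threading
import time
from dataclasses import dataclass, field

MAX_CAPTURE = 4096  # cap per-connection capture so a flood cannot exhaust memory (assumption)


@dataclass
class Event:
    ts: float
    src_ip: str
    src_port: int
    received: bytes                        # raw bytes the peer sent, for later analysis
    notes: list = field(default_factory=list)  # observations made by the fake daemon


def low_involvement_responder(line, state, notes):
    """Low involvement: never answer, only record (the paper's one-way connection)."""
    return None


def fake_ftp_responder(line, state, notes):
    """Mid involvement: hypothetical FTP-like dialogue that logs credentials and never logs in."""
    verb, _, arg = line.decode("latin-1").strip().partition(" ")
    if verb.upper() == "USER":
        state["user"] = arg
        return b"331 Password required\r\n"
    if verb.upper() == "PASS":
        notes.append(f"login attempt user={state.get('user', '?')!r} pass={arg!r}")
        return b"530 Login incorrect\r\n"
    return b"500 Unknown command\r\n"


class Honeypot:
    """Binds a port, records every connection and feeds each received line to a responder."""

    def __init__(self, responder, banner=b"", host="127.0.0.1", port=0, timeout=2.0):
        self.responder, self.banner, self.timeout = responder, banner, timeout
        self.events, self._lock, self._stop = [], threading.Lock(), threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)     # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]

    def _handle(self, conn, addr):
        captured, buf, state, notes = b"", b"", {}, []
        with conn:
            conn.settimeout(self.timeout)
            try:
                if self.banner:
                    conn.sendall(self.banner)
                while len(captured) < MAX_CAPTURE:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    captured += chunk
                    buf += chunk
                    while b"\n" in buf:  # hand complete lines to the fake service
                        line, buf = buf.split(b"\n", 1)
                        reply = self.responder(line, state, notes)
                        if reply:
                            conn.sendall(reply)
            except OSError:  # timeout or peer reset: keep whatever was captured
                pass
        with self._lock:
            self.events.append(Event(time.time(), addr[0], addr[1], captured, notes))

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()
        self._sock.close()

    def start(self):
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()

    def wait_for_events(self, n, timeout=5.0):
        """Block until n events are recorded; False on timeout."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            if len(self.events) >= n:
                return True
            time.sleep(0.05)
        return False


def probe(port, lines, interactive=False):
    """Constructed local client that exercises the honeypot; returns the replies it saw."""
    replies = []
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.settimeout(2.0)
        if interactive:
            replies.append(c.recv(1024))   # the banner
        for line in lines:
            c.sendall(line)
            if interactive:
                replies.append(c.recv(1024))
    return replies
```

Run `Honeypot(fake_ftp_responder, banner=b"220 ftp ready\r\n")`, call `start()`, connect with `probe(...)` and inspect `events`. The capture cap and the per-connection timeout are the kind of security check 3.2 asks for: the fake daemon must not itself become the hole an attacker finds.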
3.3. High-involvement honeypot

A high-involvement honeypot has a real underlying operating system. This leads to a much
higher risk, as the complexity increases rapidly. At the same time, the possibilities to gather
information, the possible attacks as well as the attractiveness increase a lot. As soon as a
hacker has gained access, his real work and therefore the interesting part begins.

A high-involvement honeypot is very time consuming. The system should be constantly
under surveillance. A honeypot which is not under control is not of much help and can even
become a danger or security hole itself. It is very important to limit a honeypot's access to the
local intranet, as the honeypot can be used by blackhats as if it was a real compromised system.
Limiting outbound traffic is also an important point to consider, as the danger once a system is
fully compromised can thereby be reduced.

By providing a full operating system to the attacker, he has the possibility to upload
and install new files. This is where the high-involvement honeypot can show its strength, as
all his actions can be recorded and analyzed.
4. Honeypot location

A honeypot does not need a particular surrounding environment, as it is a standard server with
no special needs. A honeypot can be placed anywhere a server could be placed. But certainly,
some places are better for certain approaches than others.

A honeypot can be used on the Internet as well as on the intranet, depending on the
needed service. Placing a honeypot on the intranet can be useful if the detection of bad
guys inside a private network is wished. If the main concern is the Internet, a honeypot can be
placed at one of the following locations:

1. In front of the firewall (Internet)
2. DMZ
3. Behind the firewall (Intranet)

By placing the honeypot in front of the firewall, the risk for the internal network does not
increase. A honeypot will attract and generate a lot of unwanted traffic like port scans or attack
patterns. By placing a honeypot outside the firewall, such events do not get logged by the
firewall and an internal IDS will not generate alerts. Otherwise a lot of alerts would be
generated on the firewall or IDS.

Probably the biggest advantage is that the firewall or IDS, as well as any other
resources, do not have to be adjusted, as the honeypot is outside the firewall and viewed as any
other machine on the external network. Running a honeypot does therefore not increase the
dangers for the internal network, nor does it introduce new risks.

The disadvantage of placing a honeypot in front of the firewall is that internal
attackers cannot be located or trapped that easily. Placing a honeypot inside the DMZ seems a
good solution as long as the other systems inside the DMZ can be secured against the
honeypot. Usually DMZs are not fully accessible, as only needed services are allowed to pass
the firewall. In such a case, placing the honeypot in front of the firewall should be favored, as
opening all corresponding ports on the firewall is too time consuming and risky.

A honeypot behind a firewall can introduce new security risks to the internal
network, especially if the internal network is not secured against the honeypot through
additional firewalls. This could be a special problem if IP addresses are used for
authentication. By placing the honeypot behind a firewall, it is inevitable to adjust the firewall
rules if access from the Internet should be permitted. The biggest problem arises as soon as
the internal honeypot is compromised by an external attacker. He gains the possibility to
access the internal network through the honeypot. This traffic will not be stopped by the
firewall, as it is regarded as traffic to the honeypot only, which in turn is granted. Securing an
internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot. The
main reason for placing a honeypot behind a firewall could be to detect internal attackers.

The best solution would be to run a honeypot in its own DMZ, that is, with a
preliminary firewall. The firewall could be connected directly to the Internet or intranet,
depending on the goal. This approach enables tight control as well as a flexible environment
with maximal security.
5. Host based information gathering

This section discusses possibilities that offer a gain of information about what is going on
on a honeypot by installing information gathering mechanisms on the honeypot itself.

Basic possibilities: Information gathering facilities can basically be grouped into two
categories: facilities that generate streams of information, and facilities that offer the
possibility to peek into the system and get information about a certain state of the
honeypot.

Microsoft Windows

One could think the large amount of observed attacks on systems running the Microsoft
Windows operating system makes them ideal for a honeypot, but unfortunately the structure
of this operating system makes the data gathering rather difficult. Until today the source code
of Microsoft's operating system is not freely available, which means that changes to the
operating system are very hard to achieve.

UNIX derivatives

Unix-derived operating systems offer interesting opportunities for deploying data
gathering mechanisms, since all of their components are available as source code.

Network based information gathering: Host based information gathering is always
located at the host itself and is therefore vulnerable to detection, and once detected it can also
be disabled. Network based information gathering does not have to be located on the
honeypot itself. It can also be implemented in an invisible way, as network traffic only gets
analyzed but not manipulated. Network based information gathering is safer, as it is harder to
detect and quite impossible to disable.
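Section 2 states that all traffic to or from a honeypot is unauthorized by definition, and this section points out that network based gathering can sit off the host, for example on the firewall in front of it. The script below is an added example, not code from the paper, that applies that principle to firewall logs: it keeps only lines touching a constructed honeypot address, counts inbound hits per source, flags sources sweeping many ports (the trend analysis use from section 2), and surfaces any outbound packet from the honeypot, which is the first sign of the unnoticed takeover listed under section 6 and the reason 3.3 insists on limiting outbound traffic. The log lines, addresses and the scan threshold are constructed for the example; the KEY=VALUE extraction tolerates extra fields.

```python
"""Honeypot log triage: every packet to or from the honeypot is a signal (added example)."""
import re
from collections import defaultdict

HONEYPOT_IP = "192.0.2.50"  # constructed: documentation-range address standing in for the honeypot

# Constructed, simplified iptables-style log lines (not a real capture). Six lines are a port
# sweep from 198.51.100.7, two are web hits from 203.0.113.9, one is unrelated production
# traffic to 192.0.2.10, and the last shows the honeypot itself opening an outbound connection.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40001 DPT=21
Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40002 DPT=22
Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40003 DPT=23
Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40004 DPT=25
Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40005 DPT=80
Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP SPT=40006 DPT=443
Mar 10 12:03:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.50 PROTO=TCP SPT=51000 DPT=80
Mar 10 12:03:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.50 PROTO=TCP SPT=51001 DPT=80
Mar 10 12:05:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443
Mar 10 12:09:42 gw kernel: IN= OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=TCP SPT=33333 DPT=6667
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Extract KEY=VALUE fields from a kernel firewall log line; None for any other line."""
    if "kernel:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["ts"] = line[:15]  # syslog timestamp prefix
    return fields


def honeypot_events(text, honeypot_ip=HONEYPOT_IP):
    """Keep only packets touching the honeypot; everything else is production noise."""
    events = []
    for line in text.splitlines():
        f = parse_line(line)
        if f and honeypot_ip in (f["SRC"], f["DST"]):
            f["direction"] = "outbound" if f["SRC"] == honeypot_ip else "inbound"
            events.append(f)
    return events


def summarize(events, scan_threshold=5):
    """Count inbound hits per source, flag port sweeps, and surface outbound packets.
    A honeypot never initiates traffic, so any outbound packet means it may be taken over."""
    hits, ports, outbound = defaultdict(int), defaultdict(set), []
    for e in events:
        if e["direction"] == "outbound":
            outbound.append(e)
            continue
        hits[e["SRC"]] += 1
        ports[e["SRC"]].add(int(e["DPT"]))
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return {"inbound_by_source": dict(hits), "scanners": scanners, "outbound": outbound}


if __name__ == "__main__":
    report = summarize(honeypot_events(SAMPLE_LOG))
    for src, n in report["inbound_by_source"].items():
        print(f"{src}: {n} inbound packet(s)")
    print("port sweeps from:", report["scanners"])
    for e in report["outbound"]:
        print(f"ALERT: outbound from honeypot at {e['ts']} to {e['DST']}:{e['DPT']}")
```

Note how small the result is compared with the ten input lines: one unrelated production line is dropped up front, so nothing in the report needs a false-positive review, which is exactly the "small data sets" advantage claimed later in the paper. The outbound alert is the item to act on first: it is the check that keeps a compromised honeypot from doing damage to third parties.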

6. Dangers

Running a honeypot or honeynet is not something that should be underestimated; there are
some dangers one must be aware of, which basically are:

1. Unnoticed takeover of the honeypot by an attacker
2. Lost control over the honeypot installation
3. Damage done to third parties

7. Attractiveness

Being the owner of a honeypot can be an interesting experience, but what if the
members of the blackhat community do not find their way to the honeypot or, even more
dramatically, are not interested in the honeypot at all? One approach to lure attackers is
offering interesting services on the honeypot. Of course the question arises what an
interesting service is or what it should look like.
8. Advantages

- Small data sets: Honeypots only collect attack or unauthorized activity, dramatically
reducing the amount of data they collect. Organizations that may log thousands of
alerts a day may only log a hundred alerts with honeypots. This makes the data
honeypots collect much easier to manage and analyze.
- Reduced false positives: Honeypots dramatically reduce false alerts, as they only
capture unauthorized activity.
- Catching false negatives: Honeypots can easily identify and capture new attacks
never seen before.
- Minimal resources: Honeypots require minimal resources, even on the largest of
networks. This makes them an extremely cost effective solution.
- Encryption: Honeypots can capture encrypted attacks.

9. Disadvantages

- Single data point: Honeypots all share one huge drawback; they are worthless if no
one attacks them. Yes, they can accomplish wonderful things, but if the attacker does not
send any packets to the honeypot, the honeypot will be blissfully unaware of any
unauthorized activity.
- Risk: Honeypots can introduce risk to your environment. As discussed in the section on
concepts, different honeypots have different levels of risk. Some introduce very little risk,
while others give the attacker entire platforms from which to launch new attacks. Risk is
variable, depending on how one builds and deploys the honeypot.
10. Conclusion

A honeypot is just a tool. How you use that tool is up to you. There are a variety of honeypot
options, each having different value to organizations. We have categorized two types of
honeypots, production and research.

Production honeypots help reduce risk in an organization. Research honeypots are different in
that they are not used to protect a specific organization. Instead they are used as a research
tool to study and identify the threats in the Internet community. Regardless of what type of
honeypot you use, keep in mind the 'level of interaction'. This means that the more your
honeypot can do and the more you can learn from it, the more risk that potentially exists. You
will have to determine what is the best relationship of risk to capabilities for your
organization. Honeypots will not solve an organization's security problems. Only best
practices can do that. However, honeypots may be a tool to help contribute to those best
practices.
