Honeypot

  • Honeypot

    I have an admin that took it upon himself to install a honeypot trojan on our network. He claims he did it to catch viruses coming into our network, but I see it as opening holes in our network if someone smart in that field sees this.

    Can this be good for us in any way?

    I was told by a co-worker that this attracts hackers, is this true?

    Any info on this would be much appreciated.

    P.S. Sorry if I placed this in the wrong category, but I didn't really see any that was related to this.

  • #2
    Re: Honeypot

    IMHO nowadays honeypots don't have a lot of use.
    It's actually to fool a possible intruder, like a decoy. It does nothing against viruses.
    However, if you have your security in place you don't really need it.

    I think that you are better off with an IDS/IPS environment.
    I haven't seen a single customer (and we have a lot of them) who is running a honeypot.

    Read more about it at:
    http://en.wikipedia.org/wiki/Honeypot_(computing)
    http://www.honeypots.net/
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Honeypot

      Thank you Dumber, I've come to trust your advice and expertise.

      Thanks again.



      • #4
        Re: Honeypot

        Although many IDS/IPS systems provide a lot of coverage in terms of security, there is no harm in deploying a "honeypot" as well.
        Based on the principle of "Defense in depth" I can't see any harm in deploying such a system as long as it is deployed with other IDS/IPS systems.
        The adverse effect would be attracting a certain type of attacker, the "script kiddies" that do, let's say, a port scan on a range of addresses.
        But it could be effective in certain scenarios, when the attack is targeted.

        P.S. Daniel, where did you find that picture?
        Last edited by L4ndy; 19th February 2009, 11:39. Reason: Just noticed now the Tinfoil hat post..
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Honeypot

          It won't harm but also it's rather useless.
          You need to set up an active monitoring system and block the possible intruder.


          • #6
            Re: Honeypot

            Originally posted by Dumber
            It won't harm but also it's rather useless.
            You need to set up an active monitoring system and block the possible intruder.

            I'd have to disagree on this one, I'm afraid, mate.
            Based on the view that security is often seen as a three-layered process (Prevention, Detection and Response), I'd really consider Detection as the most important one.
            With that in mind, and the fact that most new attacking methods can relatively easily bypass an IDS system, creating another means of detection (in the form of honeypots) might generate valuable information on the attacker, which can be used for the other two processes (Prevention and Response).

            In that sense they can be a valuable tool.


            • #7
              Re: Honeypot

              Still I disagree, and we probably will be.
              You are putting a machine at risk on purpose, which attracts script kiddies. A hacker will see quickly enough that it's a honeypot.
              Only by deeply analyzing the data might you find a way to stop them.

              Well, first of all, protect your network against internal users. A user is more capable of breaking the system than a script kiddie.
              Internal attacks are still causing the majority of problems. A honeypot won't help you with this.
              So simple: teach your users.

              Second, protect your clients by using a decent AV (and/or firewall, like Vista and Windows 7 do) like McAfee, Trend, Forefront or whatever (skip Symantec).
              Third, simply put a decent firewall on the edge like ISA, TMG (you have to wait a bit more) or whatever you like.


              However, it's my opinion; I found them not necessary (better maybe than useless?).
              I'm not saying you may not use them, but I won't. Also it costs too much time for log analyzing.


              • #8
                Re: Honeypot

                I would argue that implementing a honeypot is not a valid form of detection. It's like leaving the bank vault open to tempt a burglar to circumvent your other security measures. Why not just leave the bank vault closed to begin with? Why advertise yourself to hackers or taunt them into hacking your network? It's like saying "Hey all hackers, here's my honeypot, see what you can do with it. When you're tired of that why not try the rest of my network as well".



                • #9
                  Re: Honeypot

                  Well, that's about exactly what I'm trying to say; however, yes, it can be used as a form of detection.
                  A slightly more experienced hacker can easily detect that he is targeting a honeypot....


                  • #10
                    Re: Honeypot

                    That is what I read, joeqwerty; it's like tempting someone to get in and, as Dumber said, an experienced hacker can manipulate that as well.

                    I guess you can be smart and very knowledgeable at what you do, but if you're not disciplined it will be your downfall.



                    • #11
                      Re: Honeypot

                      I would also agree with Dumber etc. In my view, it would be akin to leaving your door wide open when you're out and hiding a CCTV camera in your hallway so that you can see who it was who stole your TV, rather than just locking your door.
                      Gareth Howells

                      BSc (Hons), MBCS, MCP, MCDST, ICCE

                      Any advice is given in good faith and without warranty.

                      Please give reputation points if somebody has helped you.

                      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



                      • #12
                        Re: Honeypot

                        There is something similar to a honeypot that is sometimes used, or can be. Should only an IDS be used, there is the possibility of that intruder being transferred to a 'padded cell', which isolates the intrusion there. This padded cell can be monitored and may give ideas of how an intruder is trying to circumvent the system, so you can patch your live one. After all, if they have been transferred to the padded cell, they have already successfully entered. The padded cell can be set up to look like an actual live environment. This will also minimise risk to a system whilst you analyse the IDS logs and patch the flaw.



                        • #13
                          Re: Honeypot

                          Originally posted by gforceindustries
                          In my view, it would be akin to leaving your door wide open when you're out and hiding a CCTV camera in your hallway so that you can see who it was who stole your TV, rather than just locking your door.

                          Honeypots are isolated from the production network (should be, anyway) so this analogy doesn't stand. What would be more appropriate, though, is to compare it with the same scenario but in the detached garage instead of the hallway.
                          Although the garage does have vulnerabilities (highly visible and easily accessible from the road, small broken window, etc.), it shouldn't act as an advertisement but as a possible "Way In" for the inexperienced attacker. This way he could leave loads of info without even attempting to have a go at the house.
                          Some sorts of attackers might just give up at this stage and move on, thanks to the honeypot.
                          Can I just say that no security measures can fully protect a system from a determined and motivated attacker. However, by having a "security in depth" approach, one can minimise or deter some attacks.
                          There seem to be clearly two approaches to security in here and none of them is wrong or right, but what I would say, though, is that honeypots can be quite useful in certain scenarios.


                          • #14
                            Re: Honeypot

                            L4ndy, I agree with you here. Using your analogy, intruders are enticed to access the garage as the doors or windows have been left open, and the intruder decides whether to enter. Therefore, they can be monitored, and this gives more credibility for using evidence against them.

                            And of course, security in depth is achieved. Should they then try to enter the real system, another protection barrier(s) will be there. This also acts to slow them down and take their attention away from attempting to circumvent the real system controls in place.

                            Should the honeypot be used as 'entrapment', and somebody actively encourages an intruder to enter, it is deemed an illegal activity of the department or IT staff trying to do this.

                            Honey Pots are still covered in the CISSP program.

                            With reference to this post, I am not sure where the Honey Pot was placed and the way it was used.



                            • #15
                              Re: Honeypot

                              Having a honeypot machine/network, out of your network, could be useful to identify new threats and rules to add to an IDS, but in reality, nobody's going to set one up and have the time to check it out and develop rules faster than the IDS vendors who do it for a living I suppose.

                              I don't see it hurting much, as long as it really is totally separated of course.
                              VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
