Firewall Wizards mailing list archives

Re: Intrusion Detection Systems, - Honeypots?


From: Lance Spitzner <lance () honeynet org>
Date: Wed, 26 Dec 2001 21:56:25 -0600 (CST)

On Tue, 25 Dec 2001, R. DuFresne wrote:

heh heh, can't pass this up. Since we are talking about defence in depth,
how about the use of honeypot technologies to add to detection?  Honeypots
have the advantage of reducing false positives while capturing false
negatives.

Perhaps in those specialised settings whence the company has the folks
skilled to set up and care and feed for such a system, assuming this does not
attract additional alerts they have to respond to with short staff.  But,
considering that few companies have the skilled folks to set up and care
and feed an IDS system, let alone skilled admins to securely roll out
systems for the DMZ or the corporate backbone user services they are
supposed to support, it seems like this might well be beyond those
companies' abilities.

Ron, this is a common misconception about honeypot technologies.  In
fact, I feel honeypots are much simpler than IDS systems.  There is no signature
database to maintain, no signatures to be tweaked, and false positives are
dramatically reduced.  Many honeypot solutions are fire and forget.  Take
a look at BackOfficer Friendly or SPECTER, I challenge you to find IDS
solutions easier to install or deploy than these.  Honeypots are not
going to solve all of our problems, however I feel they truly add value
to security because they work on a very simple concept.  If you are
interested, I go into greater detail in a whitepaper demonstrating
these issues:

  Honeypots
  http://www.enteract.com/~lspitz/honeypots.html

lance
