Firewall Wizards mailing list archives

Re: Intrusion Detection Systems, - Honeypots?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 27 Dec 2001 20:53:23 -0500 (EST)

On Wed, 26 Dec 2001, Lance Spitzner wrote:

On Tue, 25 Dec 2001, R. DuFresne wrote:

heh heh, can't pass this up. Since we are talking about defence in depth,
how about the use of honeypot technologies to add to detection?  Honeypots
have the advantage of reducing false positives while capturing false
negatives.

Perhaps in those specialised settings whence the company has the folks
skilled to set up and care and feed for such a system, assuming this does not
attract additional alerts they have to respond to with short staff.  But,
considering that few companies have the skilled folks to set up and care
and feed an IDS system, let alone skilled admins to securely roll out
systems for the DMZ or the corporate backbone user services they are
supposed to support, it seems like this might well be beyond those
companies' abilities.

Ron, this is a common misconception about honeypot technologies.  In
fact, I feel honeypots are much simpler than IDS systems.  There is no signature
database to maintain, no signatures to be tweaked, and false positives are
dramatically reduced.  Many honeypot solutions are fire and forget.  Take
a look at BackOfficer Friendly or SPECTER, I challenge you to find IDS
solutions easier to install or deploy than these.  Honeypots are not
going to solve all of our problems, however I feel they truly add value
to security because they work on a very simple concept.  If you are
interested, I go into greater detail in a whitepaper demonstrating
these issues:

  Honeypots
  http://www.enteract.com/~lspitz/honeypots.html


Yet, in this article you state:

   I personally feel honeypots add little value to prevention, honeypots
   will not help keep the bad guys out. What will keep the bad guys out
   is best practices, such as disabling unneeded or insecure services,
   patching what you do need, and using strong authentication mechanisms.
   It is the best practices and procedures such as these that will keep
   the bad guys out. A honeypot, a system to be compromised, will not
   help keep the bad guys out. In fact, if incorrectly implemented, a
   honeypot may make it easier for an attacker to get in.

   Some individuals have discussed the value of deception as a method to
   deter attackers. The concept is to have attackers spend time and
   resource attacking honeypots, as opposed to attacking production
   systems. The attacker is deceived into attacking the honeypot,
   protecting production resources from attack. While this may prevent
   attacks on production systems, I feel most organizations are much
   better off spending their limited time and resources on securing their
   systems, as opposed to deception. Deception may contribute to
   prevention, but you will most likely get greater prevention putting
   the same time and effort into security best practices.

   Also, deception fails against two of the most common attacks today:
   automated toolkits and worms. Today, more and more attacks are
   automated. These automated tools will probe, attack, and exploit
   anything they can find vulnerable. Yes, these tools will attack a
   honeypot, but they will also just as quickly attack every other system
   in your organization. If you have a coffee pot with an IP stack, it
   will be attacked. Deception will not prevent these attacks, as there
   is no consciously acting individual to deceive. As such, I feel that
   honeypots add little value to prevention. Organizations are better off
   focusing their resources on security best practices.

Granted you go on to mention that in the detection realm they function to
lower the false positive level and thus false alarms.  But, of the two
examples of honeypots, BackOfficer is pretty specialized, SPECTER is
listed specifically as an IDS. If a specific system or set of systems is
not set up as honeypot servers in total, from the OS up, as in chroot'ed
jails, this implies one has a lot of specialised honeypot code, for each
specific attack vector as in the first listed, BackOfficer, to set up and
log from; this might well work to counter the simplicity of installation
and deployment, does it not?


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  sysinfo.com
                  http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
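The "very simple concept" Lance refers to, shown as an added example that is not code from this thread or from BackOfficer Friendly or SPECTER: a decoy TCP service has no legitimate users, so every connection to it is reported as-is, with no signature database to maintain and no rule needed for an attack nobody has written a signature for yet. The port, banner and helper `probe` are assumptions chosen so the listener runs on loopback.

```python
"""Minimal low-interaction honeypot listener (added example, not the thread's code).
A decoy has no legitimate users, so every contact is an alert, no signatures needed."""
import socket
import threading


class DecoyListener:
    """Accept TCP connections on a decoy port and record each one as an alert."""
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))       # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner               # fake banner keeps the probe talking
        self.alerts = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()                   # after join(), self.alerts is complete
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(self.banner)
                conn.settimeout(0.5)
                try:
                    first = conn.recv(256)  # the visitor's first request
                except (socket.timeout, OSError):
                    first = b""
            # No signature database: any contact with a decoy is worth reporting.
            self.alerts.append({"src": peer[0], "src_port": peer[1], "data": first})


def probe(port, payload):
    """Constructed test traffic: a scanner touching the decoy on loopback."""
    with socket.create_connection(("127.0.0.1", port), timeout=1) as s:
        s.recv(64)
        s.sendall(payload)
```

Anything that reaches `alerts` is, by construction, not production traffic, which is where the reduced false positives come from; what it does not do is keep anything out, which is the prevention point the quoted paper makes.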

