Firewall Wizards mailing list archives
Re: Intrusion Detection Systems, - Honeypots?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 27 Dec 2001 20:53:23 -0500 (EST)
On Wed, 26 Dec 2001, Lance Spitzner wrote:
On Tue, 25 Dec 2001, R. DuFresne wrote:heh heh, can't pass this up. Since we are talking about defence in depth, how about the use of honeypot technologies to add to detection? Honeypots have the advantage of reducing false positives while capturing false negatives.Perhaps in those specialised settings whence the company has the folks skilled to setup and care and feed for such a system, asumng this does not attrack additional alerts they have to respond to with short staff. But, considering that few companies have the skilled folks to setup and care and feed an IDS system, let alone skilled admins to securly rollout systems for the DMZ or the corporate backbone user services they are supposed to support, it seems like this might well be beyond those companies abilities.Ron, this is a common misconception about honeypot technologies. In fact, I feel honeypots are much simpler then IDS systems. There is no signature database to maintain, no signatures to be tweaked, and false positivies are dramatically reduced. Many honeypot solutions are fire and forget. Take a look at BackOfficer Friendly or SPECTER, I challenge you to find IDS solutions easier to install or deploy then these. Honeynpots are not going to solve all of our problems, however I feel they truly add value to security because of they work on a very simple concept. If you are interested, in go into greater detail in a whitepaper demonstrating these issues: Honeypots http://www.enteract.com/~lspitz/honeypots.html
Yet, in this article you state: I personally feel honeypots add little value to prevention, honeypots will not help keep the bad guys out. What will keep the bad guys out is best practices, such as disabling unneeded or insecure services, patching what you do need, and using strong authentication mechanisms. It is the best practices and procedures such as these that will keep the bad guys out. A honeypot, a system to be compromised, will not help keep the bad guys out. In fact, if incorrectly implemented, a honeypot may make it easier for an attacker to get in. Some individuals have discussed the value of deception as a method to deter attackers. The concept is to have attackers spend time and resource attacking honeypots, as opposed to attacking production systems. The attacker is deceived into attacking the honeypot, protecting production resources from attack. While this may prevent attacks on production systems, I feel most organizations are much better off spending their limited time and resources on securing their systems, as opposed to deception. Deception may contribute to prevention, but you will most likely get greater prevention putting the same time and effort into security best practices. Also, deception fails against two of the most common attacks today; automated toolkits and worms. Today, more and more attacks are automated. These automated tools will probe, attack, and exploit anything they can find vulnerable. Yes, these tools will attack a honeypot, but they will also just as quickly attack every other system in your organization. If you have a coffee pot with an IP stack, it will be attacked. Deception will not prevent these attacks, as there is no consciously acting individual to deceive. As such, I feel that honeypots add little value to prevention. Organizations are better off focusing their resources on security best practices. Granted you go on to mention that in the detection realm they function to lower the false positive level and thus false alarms. But, of the two examples of honeypots, BackOfficer is pretty specialized, SPECTER is listed specifically as an IDS. If a specific system or set of systems are not setup as honeypot servers in total, from the OS up, as in chroot'ed jails, this implies one has alot of specialised honeypot code, for each specific attack vector as in the first listed, BackOfficer, to setup and log from, this might well work to counter the simplicity of installation and deployment, does it not? Thanks, Ron DuFresne -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Intrusion Detection Systems, Best of breed?, (continued)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Lance Spitzner (Dec 27)
- RE: Intrusion Detection Systems, Best of breed? franks (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? Robin S. Socha (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 27)
- Re: Intrusion Detection Systems, - Honeypots? R. DuFresne (Dec 28)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 28)
- Message not available
- Re: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 24)
- RE: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 25)
- Re: Intrusion Detection Systems, Best of breed? Talisker (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? John Adams (Dec 26)