RE: Moving forward with definition of honeypots

["David Watson" <David.Watson () ioko com>]

Fabien,

I agree. How a honeypot is defined should remain constant but the
context of how it can be used will change.

Borrowing your apple analogy, a honeypot might be "an information system
specifically deployed to covertly capture, record and optionally control
all forms of external interaction".

A honeypot can be used to research network attack techniques, protect
production systems, track unauthorised WLAN access or simply study
background Internet noise. The uses will probably change over time, but
what it is remains constant. 

Anyway, just my 2p worth to an interesting discussion.

Thanks,

David

David Watson           Voice: +44 1904 438000
Technical Architect    Fax:   +44 1904 435450
Ioko365       Email: david.watson () ioko com
 

> -----Original Message-----
> From: Fabien Pouget [mailto:Fabien.Pouget () eurecom fr]
> Sent: 21 May 2003 09:38
> To: 'Lance Spitzner'; honeypots () securityfocus com
> Cc: 'Marc Dacier'
> Subject: RE: Moving forward with defintion of honeypots
>
>
>
>
> Hi Lance,
>
>
> The two options answer the question: what is the use of a honeypot?
> But they do not answer the following: What is a honeypot?
>
> So I consider that both are not really definitions.
>
> Let's take an apple. It can be used as marmalade, stewed fruit,
> inspiration source (Newton), etc. But that is not an apple definition.
> An apple is "a round fruit with a firm white inside and a green, red
or
> yellow skin".
>
> A honeypot definition must define the intrinsic characteristics of a
> honeypot.
> Honeypot usages may change over time, but its definition must remain
the
> same.
>
> Hope that helps,
>
> Cheers,
>
> Fabien
>
>
>
>
>
>
> -----Original Message-----
> From: Lance Spitzner [mailto:lance () honeynet org]
> Sent: mardi 20 mai 2003 05:23
> To: honeypots () securityfocus com
> Subject: Moving forward with defintion of honeypots
>
>
> In the past week we have received over thirty postings
> about the definition of honeypots, each posting suggesting
> a different defintion.  I think we are all beginning to
> realize just how tough it is to define this technology. Honeypots are
an
> extremely powerful tool that can accomplish many different things.
Some
> trends I've noticed.
>
> First, many people are including the term 'decoy' in the
> definition.  While honeypots can 'decoy', I don't think
> that should be in the definition.  The term decoy implies
> "to lure or entrap".  Often honeypots don't lure.  You just
> put them out there and the bad guys find them on their own
> intiative, nothing special is done to insare the attacker.
> The Honeynet Project has being doing this for years now.
>
> Second, many people are including in the definition how honeypots are
> used to learn or research.  Once again, while honeypots can do this,
> they can do so much more. They
> can be used for preventing attacks (such as LaBrea Tarpit)
> or be used purely for detection similar to an IDS
> system (such as Honeyd).  We have to be very careful
> in our defintion to ensure we do not imply why we would
> want to use a honeypot.
>
> Honeypots do not solve a specific problem, they are a
> highly flexible tool with many different applications to security.
This
> is one of the things that makes honeypots unique.
>
> Based on all the feedback we have been getting, I've
> narrowed this down into two options.
>
> Thoughts?
>
>
> OPTION A
> --------
>   "A honeypot is an information system resource who's
>    value lies in being probed, attacked, or compromised"
>
>
> OPTION B
> --------
>   "A honeypot is an information system resource who's
>    value lies in monitoring unauthorized or illicit use of
>    that resource"
>
>
> --
> Lance Spitzner
> http://www.tracking-hackers.com