Honeypots mailing list archives
Re: Usefulness of low-interaction honeypots.
From: Kostas K <acezerocool () yahoo com>
Date: 7 Sep 2003 20:22:52 -0000
In-Reply-To: <BEEOJPBFHHPOAIGIPIADGEEPCFAA.john () cadamier com>

Time is money, I will never forget these words, but you build a honeypot from the moment you need it. You would never deploy an IDS if it was of no use. I agree that it takes more hours, perhaps, than any other security measure, but as I mentioned a small company would never deploy a honeypot, at least a HIH, because it is of no use to them, maybe.

Regarding the planning of a honeypot, you place it in a strategic place, or you filter the traffic with a router/firewall, or you use an O/S that will act as a bridge. At least there are not many places to put a single honeypot. Then you have to consider things such as the placement of the IDS and log server, but it is always a decision you have to make based on how secure your network can be and how successful your honeypot can be.

Furthermore, HIH are not there to provide protection; it's a decoy. In addition, a LIH will not protect your network in the way you want. Although it may scare away intruders, a clever one will try passive O/S fingerprinting. In case he/she finds that the service or O/S he/she is trying to attack is fake, then he/she may attempt to attack other systems.

Let's say that a small company has only an HTTP server behind a firewall and decides to deploy a honeypot. This is a good solution because bad requests can be sent to the honeypot and the good ones to the HTTP server. But again, with fragmentation or any other means the attacker may succeed. How can you block them? A honeypot, either low or high, can't. Then you need an NIDS or HBIDS that will co-operate with the firewall and is capable of adding new rules. A LIH will not have this kind of luxury because it is supposed to be "dummy", and even a HIH. But the most common thing here between LIH and HIH is that if the intruder realises that data are sent from the honeypot to other machines on the network, you've got a 90% chance of being exposed!
Network security does not offer tangible benefits; I would say mostly that it offers benefits that are intangible. Apart from honeypots, say you've got a firewall. This firewall took you 5 hours to configure, install etc., plus monitoring is needed. Till now nobody has attacked in a way that could jeopardize or reveal secrets of your company; this has happened for 2 main reasons:
- the attackers made a small reconnaissance and found out that the firewall is infeasible, almost.
- or they attacked the firewall but they managed nothing!
So, although in the second case you were attacked, the firewall protected you. I agree with you on the last paragraph.

Regards,
Kostas
From a pure expense perspective, setting up a honeypot is not a minor expense - the time spent configuring the machine is what costs and what employers look at. Time is not free. Machines often are, thanks to upgrades. But consider that it takes MANY hours to set up a fully patched Windows system - unless you're setting up the newest version of something (which is rare) it takes at least 3 hours to set up a Windows box and patch it - and that's assuming you have a fast machine and an idle T1 to download Windows updates with. Same goes with Red Hat and Debian distros too. Older PCs are slower too. Preparing it to be a honeypot afterwards takes planning and baseline profiling as well, and then you've got to set up some kind of monitoring. That's the time investment and that's the expense.

Agreed that there is little protection provided by a high interaction honeypot, but they do provide intel on what people are trying or doing. The problem is that the benefits of this type of protection have less tangible results than a low interaction device protecting the outside. Also, a properly implemented low interaction honeypot will not block everyone that talks to it - just those who connect to it under certain circumstances. If someone scans me, my LIH will respond to service scans with a syn-ack - it's when I get a syn-ack back that I consider them possibly hostile. Of course, baiting them on a little further is always good too - letting them see an Apache or WinNT IIS page is good, providing them an FTP or telnet login is better - but if they try a directory traversal or start doing anything more complex than getting the home page or logging in, then I'll block them.

Your post subject was about the usefulness of LIH, and a compare/contrast of what they do - I guess in this case it's somewhat clear - LIH is more suited to proactive network defense while HIH are more suited to research and learning techniques used in the wild. Honeynets are useful to amplify the results, good or bad.
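The escalation policy described in the quoted reply (answer scans but only log them, treat a completed connection as possibly hostile, tolerate the home page and a login prompt as bait, block on a directory traversal or anything more complex) written out as a small simulation. This is an added example, not code from either poster; the log line format, the event names, the ladder levels, the block threshold and the sample log entries are all assumptions constructed for this illustration.

```python
"""
Toy model of a low-interaction honeypot (LIH) escalation policy.
Everything here (log format, event names, thresholds) is assumed for
illustration; it is not any real honeypot's configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Escalation ladder: higher level = deeper interaction with the decoy.
LEVELS = {"syn": 1, "connect": 2, "homepage": 3, "login": 3,
          "traversal": 5, "complex": 5}
BLOCK_AT = 5  # assumption: a source is blocked once it reaches this level


@dataclass
class SourceState:
    level: int = 0
    events: List[str] = field(default_factory=list)
    blocked: bool = False


def classify_request(payload: str) -> str:
    """Map a request line to a ladder event (assumed, deliberately simple rules)."""
    p = payload.strip()
    if "../" in p or "..\\" in p or "%2e%2e" in p.lower():
        return "traversal"          # directory traversal attempt: block
    if p.upper().startswith(("GET / ", "GET /INDEX.HTML ")):
        return "homepage"           # bait: let them see the front page
    if p.upper().startswith(("USER ", "PASS ", "POST /LOGIN")):
        return "login"              # bait: let them try a login
    return "complex"                # anything else is "more complex": block


def parse_line(line: str):
    """Constructed log format: '<ts> <src_ip> <kind> [<payload>]', kind in {syn, connect, data}."""
    parts = line.split(" ", 3)
    src, kind = parts[1], parts[2]
    if kind == "data":
        return src, classify_request(parts[3] if len(parts) > 3 else "")
    return src, kind


class LowInteractionPolicy:
    def __init__(self) -> None:
        self.sources: Dict[str, SourceState] = {}

    def observe(self, line: str) -> Optional[str]:
        """Feed one log line; return 'block' on the event that crosses the threshold."""
        src, event = parse_line(line)
        st = self.sources.setdefault(src, SourceState())
        st.events.append(event)
        st.level = max(st.level, LEVELS.get(event, 0))
        if st.level >= BLOCK_AT and not st.blocked:
            st.blocked = True       # a firewall rule would be pushed here
            return "block"
        return None

    def blocked(self) -> List[str]:
        return sorted(ip for ip, st in self.sources.items() if st.blocked)

    def suspicious(self) -> List[str]:
        """Completed a handshake or used the bait, but not (yet) blocked."""
        return sorted(ip for ip, st in self.sources.items()
                      if 2 <= st.level < BLOCK_AT)

    def scan_only(self) -> List[str]:
        """Only sent SYNs: answered with SYN-ACK and logged, nothing more."""
        return sorted(ip for ip, st in self.sources.items() if st.level == 1)


# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "2003-09-07T20:01:00 198.51.100.7 syn",
    "2003-09-07T20:01:01 198.51.100.7 syn",
    "2003-09-07T20:02:00 203.0.113.9 syn",
    "2003-09-07T20:02:01 203.0.113.9 connect",
    "2003-09-07T20:02:02 203.0.113.9 data GET / HTTP/1.0",
    "2003-09-07T20:03:00 192.0.2.44 connect",
    "2003-09-07T20:03:01 192.0.2.44 data GET /cgi-bin/../../etc/passwd HTTP/1.0",
    "2003-09-07T20:03:02 192.0.2.44 data GET /index.html HTTP/1.0",
]


def run_sample() -> Dict[str, List[str]]:
    """Replay the sample log and summarise what the policy decided."""
    policy = LowInteractionPolicy()
    decisions = [policy.observe(line) for line in SAMPLE_LOG]
    return {
        "blocked": policy.blocked(),
        "suspicious": policy.suspicious(),
        "scan_only": policy.scan_only(),
        "block_events": [str(decisions.count("block"))],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The point of the ladder is the one the reply makes: a scanner that never completes a handshake is answered and recorded but not blocked, a source that fetches the front page or tries a login is kept on the hook, and only the step beyond that (traversal or an unexpected request) triggers the block. The second request from a blocked source is still logged, which keeps the evidence trail intact after the firewall rule goes in.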