Honeypots mailing list archives

Re: Usefulness of low-interaction honeypots.


From: Kostas K <acezerocool () yahoo com>
Date: 8 Sep 2003 11:57:36 -0000

In-Reply-To: <Pine.LNX.4.44.0309072022340.18729-100000 () marge spitzner net>

I could not agree more, but with sniffing or if you like with passive 
O/S fingerprinting it is even possible to identify what's behind the scenes.
If I am correct the only way to deal with that problem from our internal 
network is an IDS or surveillance of the network from the administrator.
I know that a LIH will do the job when it's probed or even attacked, but 
what happens when this is not happening and the attacker with a small 
reconnaissance finds out the real identity of that machine? I have not 
worked with Honeyd or KFSensor, if these two do the work then it's ok 
with me.

Regards

Kostas


 In addition LIH will not protect your network in the way you want. 

Absolutely.  However, I think you are barking up the wrong tree.
I think low interaction honeypots make a wonderful detection
technology for your internal networks.  Deployments (such as
Honeyd or KFSensor) can make honeypots very easy to deploy, and
very effective for detection.  Deploy it on your internal network,
and if anyone interacts with the honeypots, you know you have someone
(or something) on your internal networks that is most likely naughty.
Very simple, and very effective.  Yes, the bad guys can probe the
hell out of this simple solution and potentially determine it's a
honeypot.  However, by then the honeypot has already done its 
job, your burglar alarm has detected and warned you about the bad 
guys.

Keep in mind, honeypots are nothing more than a tool. That tool
has many different applications to many different individuals
and organizations.  Traditionally, people have focused on using
honeypots on external networks, or for decoy/deception.  Honeypots
can do sooooo much more.

lance
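
The "burglar alarm" use of an internal low-interaction honeypot discussed in this thread, as an added example that is not part of either message or of Honeyd/KFSensor: any source that touches a decoy address is alerted on at first contact, while a host that only observes or talks to production systems (the case raised in the reply) produces no decoy record at all. The address plan, the four-field flow record format and the function name `decoy_alerts` are assumptions made for illustration.

```python
import ipaddress

# Assumed address plan (hypothetical): internal range and two decoy IPs
# that no legitimate host has any reason to contact.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
DECOYS = {ipaddress.ip_address("10.20.9.10"), ipaddress.ip_address("10.20.9.11")}

# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2003-09-08T09:00:01 10.20.1.15 10.20.2.5 445
2003-09-08T09:02:10 10.20.3.44 10.20.9.10 22
2003-09-08T09:02:11 10.20.3.44 10.20.9.10 80
2003-09-08T09:02:12 10.20.3.44 10.20.9.10 135
2003-09-08T09:05:00 10.20.7.7 10.20.2.5 80
2003-09-08T09:06:30 10.20.5.20 10.20.9.11 445
truncated record
"""

def decoy_alerts(flow_text):
    """Return one alert per source that contacted a decoy, keyed by source IP.

    The alert is created on the FIRST touch; later probes from the same
    source (for example while it fingerprints the decoy) only add detail.
    """
    alerts = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: skip rather than guess
        ts, src, dst, dport = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if dst_ip not in DECOYS:
            continue  # production traffic never raises a decoy alert
        alert = alerts.setdefault(src, {
            "first_seen": ts,
            "touches": 0,
            "ports": set(),
            "internal": src_ip in INTERNAL_NET,
        })
        alert["touches"] += 1
        alert["ports"].add(port)
    return alerts

if __name__ == "__main__":
    for src, a in decoy_alerts(SAMPLE_FLOWS).items():
        print(src, a["first_seen"], a["touches"], sorted(a["ports"]), a["internal"])
```

In the sample, 10.20.7.7 never contacts a decoy and so never appears in the output, which is the coverage gap that an IDS or other network monitoring has to fill.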


