Honeypots mailing list archives

RE: Usefulness of low-interaction honeypots.


From: "John C. Silvia" <john () cadamier com>
Date: Mon, 8 Sep 2003 09:44:13 -0700

In addition LIH will not protect your network in the way you want.

Both you and Lance seem to agree to this statement, but it's not true.

I use and deploy LIH honeypots that do supplement the firewall and do
protect the outside of the network.  The ForeScout ActiveScout product does
exactly what I want in a LIH product - it sets up in 30 minutes (OS and
software), it sets its traps automatically, it identifies intruders by
completing connections with them, it watches for baited data coming back on
other ports, feeds false webpages to attackers, and it creates new false
services on the fly (as new types of scans appear), automatically discovers
existing working network services (so as not to step on them) and it
integrates with Check Point.  There's not much else I'd want in a LIH
outside my network - is there??

In terms of "tangible results" I'll take some heat there.  Good security
always shows no results other than not being hacked.  I do consider this a
mistaken reference to "auditable results" because that's what you get with
the LIH I'm using.

As for use internally, I will admit that I've not thought of a LIH
internally as a "tinkering detector" before.  Just got to make sure it
doesn't interfere with normal network operations or interpose itself in the
Active Directory domains and such, but I can see its value - it may not
detect if someone rooted/trojaned a particular host, but it'll find them
when they start scanning around.  I can see this finding the "leaky PC"
quite nicely.

As for what it all comes down to, tools is it.  Having the right ones and
knowing how to use them best is what this entire thread is about.

-----Original Message-----
From: Kostas K [mailto:acezerocool () yahoo com]
Sent: Monday, September 08, 2003 4:58 AM
To: honeypots () securityfocus com
Subject: Re: Usefulness of low-interaction honeypots.


In-Reply-To: <Pine.LNX.4.44.0309072022340.18729-100000 () marge spitzner net>

I could not agree more, but with sniffing or if you like with passive
O/S fingerprinting it is even possible to identify what's behind the scenes.
If I am correct the only way to deal with that problem from our internal
network is an IDS or surveillance of the network from the administrator.
I know that a LIH will do the job when it's probed or even attacked, but
what happens when this is not happening and the attacker with a small
reconnaissance finds out the real identity of that machine? I have not
worked with Honeyd or KFSensor; if these two do the work then it's ok
with me.

Regards

Kostas


 In addition LIH will not protect your network in the way you want.

Absolutely.  However, I think you are barking up the wrong tree.
I think low interaction honeypots make a wonderful detection
technology for your internal networks.  Deployments (such as
Honeyd or KFSensor) can make honeypots very easy to deploy, and
very effective for detection.  Deploy it on your internal network,
and if anyone interacts with the honeypots, you know you have someone
(or something) on your internal networks that is most likely naughty.
Very simple, and very effective.  Yes, the bad guys can probe the
hell out of this simple solution and potentially determine it's a
honeypot.  However, by then the honeypot has already done its
job, your burglar alarm has detected and warned you about the bad
guys.

Keep in mind, honeypots are nothing more than a tool. That tool
has many different applications to many different individuals
and organizations.  Traditionally, people have focused on using
honeypots on external networks, or for decoy/deception.  Honeypots
can do sooooo much more.

lance
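One way to build the internal "burglar alarm" Lance describes, as an added example that is not code from this thread nor from Honeyd or KFSensor: a minimal low-interaction listener in Python that completes TCP connections on a few baited ports, answers with a fake banner, and escalates a source that touches several bait ports to a "scan" alert. The port numbers, banners and threshold are constructed assumptions for the example; on a real network pick ports nothing legitimate uses, and note that the first touch already alerts, which is why later fingerprinting of the honeypot (Kostas's concern) does not undo the detection.

```python
import asyncio
import functools
import logging
from collections import defaultdict

# Constructed bait ports and banners for this example.  Nothing legitimate on
# the internal network should ever talk to them, so any contact is suspect.
BAIT_PORTS = {2121: b"220 ftp ready\r\n", 2323: b"login: ", 3307: b"", 8445: b""}
SCAN_THRESHOLD = 3  # distinct bait ports touched by one source => "scan"

class HoneypotMonitor:
    """Remembers which source touched which bait port and classifies contacts."""
    def __init__(self, scan_threshold=SCAN_THRESHOLD):
        self.ports_by_src = defaultdict(set)
        self.scan_threshold = scan_threshold
        self.alerts = []  # (src_ip, port, level) in arrival order

    def record(self, src_ip, port):
        """Return 'contact' or 'scan' for this touch.  The very first touch
        already alerts, so later fingerprinting of the honeypot changes nothing."""
        self.ports_by_src[src_ip].add(port)
        level = "scan" if len(self.ports_by_src[src_ip]) >= self.scan_threshold else "contact"
        self.alerts.append((src_ip, port, level))
        return level

    def scanners(self):
        """Sources that touched enough distinct bait ports to count as scanning."""
        return sorted(s for s, p in self.ports_by_src.items() if len(p) >= self.scan_threshold)

async def handle_client(monitor, reader, writer):
    """Complete the TCP connection, log the peer, send the bait banner, close."""
    src_ip = writer.get_extra_info("peername")[0]
    port = writer.get_extra_info("sockname")[1]
    level = monitor.record(src_ip, port)
    logging.warning("%s: %s touched bait port %d", level.upper(), src_ip, port)
    writer.write(BAIT_PORTS.get(port, b""))
    await writer.drain()
    writer.close()

async def serve(monitor, host="0.0.0.0"):
    """Listen on every bait port until cancelled."""
    cb = functools.partial(handle_client, monitor)
    servers = [await asyncio.start_server(cb, host, p) for p in BAIT_PORTS]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    asyncio.run(serve(HoneypotMonitor()))
```

Run it on an internal host and forward the WARNING lines to whatever alerting you already have; a single "CONTACT" from an internal address is worth a look, a "SCAN" is the "leaky PC" case from the reply above.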


