Honeypots mailing list archives
Re: Honeypots: Uses and Features
From: Geoffrey Shorter <geoffreyshorter () hotmail com>
Date: 3 Jun 2003 13:43:12 -0000
In-Reply-To: <Pine.LNX.4.44.0306021703490.20272-100000 () marge spitzner net> Responding to Lance's call for what's important in honeypots, I hope the below is not too long... Most important: 1. Detection is by far most important for us. We are mostly concerned about attacks from inside our own organization, which numbers about 3,500 users on our LAN and 45,000 users over our WAN. This includes, in particular, IT Departments in remote physical locations that we have no contact with. We have Event Log monitors and (we think) reasonable security in place. But if someone with my abilities in a remote IT department gets disgruntled, that is what concerns me most. (We would like to install a firewall between our LAN and the WAN, but we are not allowed to do so yet.) We want to detect unauthorized scans, probing, etc. We are setting up honeypots that we know correspond to the names of important servers around our organization. i.e., all our locations use the same major pieces of software. So, if we have a server named ARD_SQL that is a critical server for our the ARD application in our Accounts Receivable Department, it is likely that remote locations have the same or similarly named servers in their areas. This means we can guess what some of our most likely targets are. We're in the process of renaming these servers, and putting honeypots on our network named ARD_SQL and the like. In a way, this is almost like entrapment, but, then again, we're not the government... ;) Within our local environment, the end-users do not necessarily know the name of the server they're connecting to. In many cases, the application knows how to connect, and the user doesn't. So, we can change the names of the servers, pointing the client-side application to the new server name, without even alerting the end-users that the name has changed. As long as our IT Department can keep this a secret, then we also essentially set up a trap for local disgruntled end-users who guess obvious server names. We are also preparing to set up honeypot Terminal Server emulators. We have 10 TS's in place now, numbered sequentially: BigServer01, BigServer02, etc. In the next few months, we plan to roll out 40 more TSs. We plan to put one honeypot sequentially in place for each 10 TSs. BigServer04, for example, is targeted to be replaced with a honeypot, broadcasting on the TS port, looking to trap people who might want to password-grind. A lot of end-users and IT personnel know the names of these TSs, so we feel 1 honeypot per 10 TSs is not overkill, since TSs tend to stick out with big red flags on em. Second-most important feature of honeypots for us: 2. Proof of danger. Many people in our organization believe we are safe because of the firewall, anti-virus, etc. In particular, we are wanting to prove that internal threats exist. We have already seen a local machine attempting to log on to what was a sensitive financial server (before being turned into a honeypot by the same name!). And we have seen multiple clients attempting to access servers they are not authorized to access, based on the name (ARD_SQL, for example). So far, all the unauthorized access attempts have come from within our own LAN. We're still waiting for attempts across the WAN. Once we get some attempts from the WAN, then we'll make another run at the "people in charge" for allowing a firewall between our LAN and the WAN. Third most important feature: 3. Ease of use. We must have something that takes little time to administer on a daily basis. Limited number of administrators, large number of security issues to cover. We're in a production environment, so research honeypots are way beyond our abilities to manage at work, altho I will probably end up deploying one at home in my spare time ... :) This is really interesting stuff. Great book by the way, thanks! Geof
From: Lance Spitzner <lance () honeynet org> To: honeypots () securityfocus com Subject: Honeypots: Uses and Features One of the things that defining honeypots demonstrated for us was that honeypots come in MANY shapes and sizes, they can accomplish many different goals. This got me wondering, what are individuals and organizations using honeypots for, what features or capabilities do you consider the most important? If you have a moment, post what capabilities you feel are the most important, and why. My intent here is not only can we share ideas, but this discussion can potentially help the development of honeypots in general. Thoughts? -- Lance Spitzner http://www.tracking-hackers.com
Current thread:
- Honeypots: Uses and Features Lance Spitzner (Jun 02)
- Re: Honeypots: Uses and Features adam (Jun 02)
- RE: Honeypots: Uses and Features Andy Cuff [talisker] (Jun 03)
- Re: Honeypots: Uses and Features Lee Brotherston (Jun 03)
- Re: Honeypots: Uses and Features Cedric Foll (Jun 03)
- Re: Honeypots: Uses and Features Lee Brotherston (Jun 03)
- <Possible follow-ups>
- Re: Honeypots: Uses and Features Geoffrey Shorter (Jun 03)
- RE: Honeypots: Uses and Features Gonzalez, Albert (Jun 03)
- Re: Honeypots: Uses and Features Larissa Fricker (Jun 03)
- RE: Honeypots: Uses and Features Gonzalez, Albert (Jun 03)
- FW: Honeypots: Uses and Features Luc Somers (Jun 03)