Honeypots mailing list archives

Re: Attack/Benign Packet Determination


From: Floydman <floydman () iquebec com>
Date: Fri, 29 Aug 2003 17:05:51 -0400

Steven, as you'll read from my earlier response to the message you sent me, you seem to fail to see the difference between a honeypot and an IDS. I'll make it shorter here, but a honeypot/net is just a set of regular machines, set up on a network of their own. They are not a security device by themselves.

From the attacker's point of view, honeynets and production networks are just similar targets; they have (normally) no way to determine one from the other. There is no device that "determines" which traffic is meant for the honeypot and the prod network; the attack is made either against the honeypot or the prod network.

If a "legitimate user" has a connection to a honeypot from a production network, then this is definitely a no-no, and the honeypot loses all value because it has been tainted by the "legitimate user"'s actions.

An IDS is just a security device that can be applied on networks, prod or honeynets alike. NIDS are mostly based on signatures and rules, which will always allow for some window of opportunity for evasion techniques. This is why the security game can be seen as a race between blackhats and whitehats.

Honeypots/nets can be deployed in a production network (the "Big Brother" watching would be limited to the honeynets environment), but most of their value in this setup is as decoys for the attacker and an alarm for the response team, but for this to work the attacker has to attack the honeypot first.

Hope this helps.

Floydman

At 04:19 PM 29/08/2003, Steven DeFord wrote:

I'm new at this, so you'll have to excuse me, but in the handful of white
papers I've read, and from reading traffic on this list, I've not seen any
clear way that honeypot routers determine what traffic is bad (destined
for the honeypot) and which isn't. People on the list seem to assume that
"All traffic on the honeynet is inherently an attack," but how does one
know which traffic is bad and which isn't? At least, how do you tell any
better than an IDS?  For example, in a recent post, someone mentioned the
fact that a blackhat who's compromised a honeynet host can't get any
production information out of sniffing the network, but what if some
user's authentication session were misdirected to the honeynet?  Then the
blackhat could (essentially) password-sniff legitimate users' logon
information, and could then infect production machines more easily. The
only benefit of a honeynet, it seems, is improved logging, not due to more
accurate packet detection, but simply more loggers. Could not, in theory,
one set up a honeynet in the production environment?  (Other than the
previously-mentioned problem of privacy laws and the like.)


Steven DeFord
steve () singingtree com
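The point of the exchange above is that a honeynet needs no packet-level "bad or good" decision: any flow that reaches it is unsolicited, and any flow between it and production is contamination. The following triage script is an added illustration, not code from the thread or from either poster; the address ranges, the flow-record format and the sample flows are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed address plan (constructed for this example, not from the thread).
HONEYNET = ipaddress.ip_network("10.9.0.0/24")     # honeypot hosts, no production users
PRODUCTION = ipaddress.ip_network("10.1.0.0/16")   # real users and servers

def classify(src: str, dst: str) -> str:
    """Label one flow purely by address membership; no signatures involved."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_hp, dst_hp = s in HONEYNET, d in HONEYNET
    src_prod, dst_prod = s in PRODUCTION, d in PRODUCTION
    # Production <-> honeynet contact taints the honeypot data (the "no-no" above).
    if (src_prod and dst_hp) or (src_hp and dst_prod):
        return "TAINTED"
    if dst_hp:
        return "HONEYNET_INBOUND"    # nobody is supposed to be here: alarm for the response team
    if src_hp:
        return "HONEYNET_OUTBOUND"   # a honeypot reaching out: likely compromised, contain it
    return "PRODUCTION"              # ordinary traffic; only an IDS with rules can judge this

def triage(flow_lines):
    """Parse 'src dst dport' records and count the verdicts; report if the honeynet is tainted."""
    counts = Counter()
    for line in flow_lines:
        src, dst, _dport = line.split()
        counts[classify(src, dst)] += 1
    return {"counts": dict(counts), "honeynet_trustworthy": counts["TAINTED"] == 0}

# Constructed sample flow records: external scan, honeypot callback,
# normal production traffic, and one production user who strayed into the honeynet.
SAMPLE_FLOWS = [
    "203.0.113.7 10.9.0.5 22",
    "10.9.0.5 198.51.100.9 6667",
    "10.1.4.20 10.1.0.10 445",
    "10.1.4.20 10.9.0.5 3389",
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```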
