Honeypots mailing list archives

Re: Usefulness of low-interaction honeypots.


From: Kostas K <acezerocool () yahoo com>
Date: 7 Sep 2003 20:22:52 -0000

In-Reply-To: <BEEOJPBFHHPOAIGIPIADGEEPCFAA.john () cadamier com>

Time is money, I will never forget these words, but you build a honeypot 
from the moment you need it. You would never deploy an IDS if it was of 
no use. I agree that it takes more hours, perhaps, than anything else in 
security measures, but as I mentioned, a small company would never deploy 
a honeypot, at least a HIH, because it is of no use to them, maybe. Regarding 
the planning of a honeypot, you place it in a strategic place, or you 
filter the traffic with a router/firewall, or you use an O/S that will act 
as a bridge. At least there are not many places to put a single honeypot. 
Then you have to consider things such as the placement of the IDS and 
log server, but it is always a decision you have to make based on how 
secure your network can be and how successful your honeypot can be.
Furthermore, HIH are not there to provide protection; it's a decoy. 
In addition, LIH will not protect your network in the way you want. 
Although it may scare away intruders, a clever one will try 
passive O/S fingerprinting. In case he/she finds that the service or O/S 
he/she is trying to attack is fake, then he/she may attempt to attack other 
systems. Let's say that a small company has behind a firewall only an 
HTTP server and decides to deploy a honeypot; this is a good solution 
because bad requests can be sent to the honeypot and the good ones to 
HTTP. But again, with fragmentation or any other means the attacker may 
succeed. 
How can you block them? A honeypot, either low or high, can't. Then you need 
an NIDS or HBIDS that will co-operate with the firewall and is capable of 
adding new rules. LIH will not have this kind of luxury because it is 
supposed to be "dummy", and even HIH. But the most common thing here 
between LIH and HIH is that if the intruder realises that data are sent 
from the honeypot to other machines on the network you've got a 90% chance of 
being exposed!
Network security does not offer tangible benefits; I would say mostly 
that it offers benefits that are intangible. Apart from honeypots, say you've 
got a firewall. This firewall took you 5 hours to configure, install etc., 
plus monitoring is needed. Till now nobody has attacked in a way that 
could jeopardize or reveal secrets of your company; this has happened for 
2 main reasons:
-the attackers made a small reconnaissance and found out that the firewall
is infeasible, almost.
-or they attacked the firewall but they managed nothing!
So, although in the second case you were attacked, the firewall protected you.
I agree with you on the last paragraph.

Regards

Kostas



From a pure expense perspective, setting up a honeypot is not a minor
expense - the time spent configuring the machine is what costs and what
employers look at.  Time is not free.  Machines often are, thanks to
upgrades.

But consider that it takes MANY hours to set up a fully patched Windows
system - unless you're setting up the newest version of something (which
is rare) it takes at least 3 hours to set up a Windows box and patch it - and
that's assuming you have a fast machine and an idle T1 to download Windows
updates with.  Same goes with Red Hat and Debian distros too.  Older PCs
are slower too.  Preparing it to be a honeypot afterwards takes planning
and baseline profiling as well, and then you've got to set up some kind of
monitoring.  That's the time investment and that's the expense.

Agreed that there is little protection provided by a high interaction
honeypot, but they do provide intel on what people are trying or doing.
The problem is that the benefits of this type of protection have less
tangible results than a low interaction device protecting the outside.

Also, a properly implemented low interaction honeypot will not block
everyone that talks to it - just those who connect to it under certain
circumstances.  If someone scans me, my LIH will respond to service scans
with a syn-ack - it's when I get a syn-ack back that I consider them
possibly hostile.  Of course, baiting them on a little further is always
good too - letting them see an Apache or WinNT IIS page is good, providing
them an FTP or telnet login is better - but if they try a directory
traversal or start doing anything more complex than getting the home page
or logging in, then I'll block them.

Your post subject was about the usefulness of LIH, and a compare/contrast
of what they do - I guess in this case it's somewhat clear - LIH is more
suited to proactive network defense while HIH are more suited to research and
learning techniques used in the wild.  Honeynets are useful to amplify the
results, good or bad.
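A toy version of the tiered response John describes above (bait the home page and login attempts, block on a directory traversal or anything more complex), added here as an example and not part of the original thread. The log format, addresses and request lines are constructed for illustration.

```python
import re

# Constructed sample of low-interaction honeypot hits (not real traffic):
# one request per line, "<source_ip> <service> <request>".
SAMPLE_LOG = """\
198.51.100.7 http GET / HTTP/1.0
198.51.100.7 http GET /index.html HTTP/1.0
203.0.113.9 ftp USER anonymous
203.0.113.9 ftp PASS guest@
192.0.2.44 http GET / HTTP/1.0
192.0.2.44 http GET /images/../../private.txt HTTP/1.0
192.0.2.45 http GET /%2e%2e/%2e%2e/private.txt HTTP/1.0
192.0.2.46 http POST /upload HTTP/1.0
"""

# Plain and percent-encoded "../" (or "..\") path steps.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e(?:/|\\|%2f))", re.IGNORECASE)
# The fake home page: "GET /" or "GET /index.htm(l)".
HOME_PAGE = re.compile(r"^GET /(index\.html?)? HTTP/1\.[01]$")
# Commands a fake FTP/telnet login prompt is allowed to absorb.
LOGIN_CMDS = {"USER", "PASS", "LOGIN"}


def classify(service: str, request: str) -> str:
    """Decide per request: 'bait' (keep playing along) or 'block'."""
    if TRAVERSAL.search(request):
        return "block"                      # directory traversal: block at once
    if service == "http" and HOME_PAGE.match(request):
        return "bait"                       # let them see the decoy home page
    words = request.split()
    if service in ("ftp", "telnet") and words and words[0].upper() in LOGIN_CMDS:
        return "bait"                       # let them try the decoy login
    return "block"                          # anything more complex than that


def triage(log_text: str) -> dict:
    """Fold per-request verdicts into one verdict per source address.

    A single 'block' verdict is sticky: later harmless hits from the same
    address do not downgrade it back to 'bait'.
    """
    verdicts = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue                        # skip malformed lines
        ip, service, request = parts
        verdict = classify(service, request)
        if verdicts.get(ip) != "block":
            verdicts[ip] = verdict
    return verdicts
```

Hooking the "block" verdicts into the firewall is left to whatever rule-adding mechanism the site already has, as Kostas's reply points out a honeypot alone cannot block anything.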
