Honeypots mailing list archives
RE: Usefulness of low-interaction honeypots.
From: "John C. Silvia" <john () cadamier com>
Date: Mon, 8 Sep 2003 09:44:13 -0700
In addition LIH will not protect your network in the way you want.
Both you and Lance seem to agree to this statement, but it's not true. I use and deploy LIH honeypots that do supplement the firewall and do protect the outside of the network. The ForeScout ActiveScout product does exactly what I want in a LIH product - it sets up in 30 minutes (OS and software), it sets it's traps automatically, it identifies intruders by completing connections with them, it watches for baited data coming back on other ports, feeds false webpages to attackers, and it creates new false services on the fly (as new types of scans appear), automatically discovers existing working network services (so as not to step on them) and it intergrates with Check Point. There's not much else I'd want in a LIH outside my network - is there?? In terms of "tangible results" I'll take some heat there. Good security always shows no results other than not being hacked. I do consider this a mistaken reference to "auditable results" because that's what you get with the LIH I'm using. As for use internally, I will admit that I've not thought of a LIH internally as a "tinkering detector" before. Just got to make sure it doesn't interfere with normal network operations or interpose itself in the Active Directory domains and such, but I can see it's value - it may not detect if someone rooted/trojaned a particalur host, but it'll find the them when they start scanning around. I can see this finding the "leaky PC" quite nicely. As for what it all comes down to, tools is it. Having the right ones and knowing how to use them best is what this entire thread is about. -----Original Message----- From: Kostas K [mailto:acezerocool () yahoo com] Sent: Monday, September 08, 2003 4:58 AM To: honeypots () securityfocus com Subject: Re: Usefulness of low-interaction honeypots. 
In-Reply-To: <Pine.LNX.4.44.0309072022340.18729-100000 () marge spitzner net>

I could not agree more, but with sniffing or if you like with passive O/S fingerprinting it is even possible to identify what's behind the scenes. If I am correct the only way to deal with that problem from our internal network is an IDS or surveillance of the network by the administrator. I know that a LIH will do the job when it's probed or even attacked, but what happens when this is not happening and the attacker with a small reconnaissance finds out the real identity of that machine? I have not worked with Honeyd or KFSensor; if these two do the work then it's OK with me.

Regards
Kostas

> > In addition LIH will not protect your network in the way you want.
>
> Absolutely. However, I think you are barking up the wrong tree. I think low interaction honeypots make a wonderful detection technology for your internal networks. Deployments (such as Honeyd or KFSensor) can make honeypots very easy to deploy, and very effective for detection. Deploy it on your internal network, and if anyone interacts with the honeypots, you know you have someone (or something) on your internal networks that is most likely naughty. Very simple, and very effective.
>
> Yes, the bad guys can probe the hell out of this simple solution and potentially determine it's a honeypot. However, by then the honeypot has already done its job, your burglar alarm has detected and warned you about the bad guys.
>
> Keep in mind, honeypots are nothing more than a tool. That tool has many different applications to many different individuals and organizations. Traditionally, people have focused on using honeypots on external networks, or for decoy/deception. Honeypots can do sooooo much more.
>
> lance
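The internal "burglar alarm" Lance describes, as an added example that is not part of the thread and is not Honeyd, KFSensor or ActiveScout code: a minimal low-interaction trap that completes connections on ports assumed to carry no real service on the segment, alerts on every touch, and escalates a source once it has touched several trap ports, which is the "scanning around" John mentions. The port list and the scan threshold are constructed for illustration.

```python
import socket
import threading
from collections import defaultdict
from datetime import datetime, timezone
# Constructed example: trap ports assumed to carry no real service on the
# internal segment, so any connection to them is suspect by definition.
TRAP_PORTS = [21, 23, 445, 3389]
SCAN_THRESHOLD = 3  # distinct trap ports hit by one source => "scanning around"

class TrapDetector:
    """Every touch of a trap port is an alert; a source that touches
    SCAN_THRESHOLD distinct trap ports is escalated to a 'scan' alert."""
    def __init__(self, scan_threshold=SCAN_THRESHOLD):
        self.scan_threshold = scan_threshold
        self.touched = defaultdict(set)  # src_ip -> trap ports it has hit
        self.alerts = []

    def record(self, src_ip, dst_port, payload=b""):
        self.touched[src_ip].add(dst_port)
        hits = len(self.touched[src_ip])
        alert = {"time": datetime.now(timezone.utc).isoformat(), "src": src_ip,
                 "port": dst_port, "ports_hit": hits,
                 "severity": "scan" if hits >= self.scan_threshold else "touch",
                 "first_bytes": payload[:32].hex()}  # whatever the client sent
        self.alerts.append(alert)
        return alert

def serve_trap(port, detector, bind_addr="0.0.0.0"):
    """Accept on one trap port, grab the first bytes, log, close. Nothing is
    emulated: the alert is the product, not the interaction."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)
    while True:
        conn, (src_ip, _) = srv.accept()
        conn.settimeout(2)
        try:
            data = conn.recv(1024)
        except OSError:  # client sent nothing within 2 s, or reset
            data = b""
        finally:
            conn.close()
        a = detector.record(src_ip, port, data)
        print(f"[{a['severity'].upper()}] {a['src']} -> :{a['port']} ({a['ports_hit']} trap ports so far)")
if __name__ == "__main__":
    det = TrapDetector()
    for p in TRAP_PORTS:
        threading.Thread(target=serve_trap, args=(p, det), daemon=True).start()
    threading.Event().wait()  # serve until killed
```

Binding the low-numbered trap ports needs the appropriate privilege, and on a real segment the alerts would go to the IDS or console rather than stdout. The detector deliberately does not try to look like a real service: as Lance says, by the time a prober can tell it is a honeypot the alarm has already gone off.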
Current thread:
- Usefulness of low-interaction honeypots. Kostas K (Sep 05)
- RE: Usefulness of low-interaction honeypots. John C. Silvia (Sep 05)
- <Possible follow-ups>
- Re: Usefulness of low-interaction honeypots. Kostas K (Sep 06)
- RE: Usefulness of low-interaction honeypots. John C. Silvia (Sep 06)
- Re: Usefulness of low-interaction honeypots. Kostas K (Sep 07)
- Re: Usefulness of low-interaction honeypots. Lance Spitzner (Sep 07)
- Re: Usefulness of low-interaction honeypots. Kostas K (Sep 08)
- Re: Usefulness of low-interaction honeypots. raymond (Sep 08)
- RE: [inbox] Re: Usefulness of low-interaction honeypots. Curt Purdy (Sep 08)
- RE: Usefulness of low-interaction honeypots. John C. Silvia (Sep 08)
- Re: Usefulness of low-interaction honeypots. raymond (Sep 08)
- Re: Usefulness of low-interaction honeypots. Kostas K (Sep 09)