Obvious is the most dangerous word in mathematics. ~Eric Temple Bell

Honey Pots - Security through Deception
Varun Jain (3rd yr ECE)

What is a Honey Pot?

Honey Pots are fake computer systems, set up as a "decoy", that are used to collect data on intruders. This "decoy" appears to contain operating system vulnerabilities that make it an attractive target for hackers. A Honey Pot, loaded with fake information, appears to the hacker to be a legitimate machine.
While it appears vulnerable to attack, it actually prevents access to valuable data, administrative controls and other computers. Deception defenses can add an unrecognizable layer of protection.
As long as the hacker is not scared away, system administrators can now collect data on the identity, access, and compromise methods used by the intruder. The Honey Pot must mimic real systems or the intruder will quickly discover the 'decoy'. Honey Pots are set up to monitor the intruder without risk to production systems or data. If the Honey Pot works as intended, how the intruder probes and exploits the system can now be assessed without detection.
The concept of a Honey Pot is to learn from the intruder's actions. This knowledge can then be used to prevent attacks on the "real", or production, systems, as well as to divert the attacker's resources to the 'decoy' system.

Advantages of Honey Pots:

  • Deter Attacks - Fewer intruders will invade a network that they know is designed to monitor and capture their activity in detail.
  • Divert Attackers' Efforts - An intruder will spend energy on a system that causes no harm to production servers.
  • Educate - A properly designed and configured Honey Pot provides data on the methods used to attack systems.
  • Detect Insider Attacks - Since most IDS systems have difficulty detecting insider attacks, Honey Pots can provide valuable information on the patterns used by insiders.
  • Create Confusion for Attackers - The bogus data Honey Pots provide to attackers can confuse and confound them.


Integrating and Installing Honey Pots
The better the integration of Honey Pot into your system, the more effective it will be. This must be balanced by the ability to maintain control of the installation. We don’t want a compromised system to become a platform from which to launch attacks on our system or others. Experts suggest placing the Honey Pot machine on its own network and behind a firewall or router.

The advantages include:

  • The first goal is to track the intruder’s moves by gathering forensic information. Secure firewall and router logs can provide detailed information on the probes and ports of interest to the intruder.
  • Many firewalls and routers have the ability to alert the operator whenever someone connects to the Honey Pot.
  • Firewall and router rules can be established to protect the real network should the Honey Pot become compromised.

Start by giving the Honey Pot an attractive name. Systems named mail, name server, finance, archive or human resources (hr) make enticing targets for intruders. We want to integrate the Honey Pot into our actual system without placing production servers at risk.
The Honey Pot should not normally be accessed by anyone, since it provides no legitimate services. Any connection to the Honey Pot should alert the operator. Logging that shows data flowing out of the Honey Pot machine can also indicate it has been compromised.
How do we track the intruder without them knowing it? Establishing multiple layers of logging provides the best solution. Logging needs to be as ‘stealthy’ as possible. We do not want to depend on a single layer of logging, since it could be altered or erased. Different logging views will also provide a better understanding of exactly what the intruder was attempting. Most important to remember is that logs can only be trusted if their integrity can be guaranteed.
Establishing logging on the Honey Pot itself creates a risk that the intruder will learn our logging scheme from the system configuration files. These logs and configurations could also be altered or erased if the machine is compromised. The best logging method is to create logs on a system the intruder cannot access, as well as on the Honey Pot itself. A firewall or router can provide this capability.
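The two firewall-log checks described above (any connection to the Honey Pot is alert-worthy because it offers no legitimate service, and any flow originating from the Honey Pot is a sign of compromise), together with the per-source record of which ports were probed, as an added Python example that is not part of the article. The log line format, the honeypot address 192.0.2.10 and the sample lines are constructed for the demo; a real firewall's export format would need its own pattern.

```python
import re
from collections import defaultdict

# Assumed honeypot address; 192.0.2.0/24 is a documentation range, so this is a constructed value.
HONEYPOT_IP = "192.0.2.10"

# Constructed sample firewall log lines in an assumed "ts action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 ACCEPT TCP 198.51.100.7:51234 -> 192.0.2.10:22
2024-01-01T10:00:02 ACCEPT TCP 198.51.100.7:51235 -> 192.0.2.10:80
2024-01-01T10:00:03 ACCEPT TCP 203.0.113.5:40000 -> 192.0.2.20:443
2024-01-01T10:05:09 ACCEPT TCP 192.0.2.10:44321 -> 203.0.113.99:6667
2024-01-01T10:05:10 DROP UDP 198.51.100.7:9 -> 192.0.2.10:514
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text, honeypot_ip=HONEYPOT_IP):
    """Classify firewall log lines relative to the honeypot.

    inbound:         every connection attempt to the honeypot, ACCEPTed or DROPped,
                     since nobody has a legitimate reason to talk to it
    outbound:        every flow originating from the honeypot, a possible compromise
    ports_by_source: which honeypot ports each remote address touched
    """
    inbound, outbound = [], []
    ports_by_source = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production tool should count these separately
        if rec["dst"] == honeypot_ip:
            inbound.append(rec)
            ports_by_source[rec["src"]].add(rec["dport"])
        if rec["src"] == honeypot_ip:
            outbound.append(rec)
    return {
        "inbound": inbound,
        "outbound": outbound,
        "ports_by_source": {src: sorted(ports) for src, ports in ports_by_source.items()},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for rec in result["inbound"]:
        print(f"ALERT       {rec['ts']} {rec['src']} -> honeypot:{rec['dport']}/{rec['proto']} ({rec['action']})")
    for rec in result["outbound"]:
        print(f"COMPROMISE? {rec['ts']} honeypot -> {rec['dst']}:{rec['dport']}/{rec['proto']}")
    print("ports probed per source:", result["ports_by_source"])
```

Note that the DROP line still counts as a probe: the point of the Honey Pot is to record what the intruder tried, not only what got through, and the port list per source is the "ports of interest" the firewall logs are meant to reveal.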

Since logs created on the Honey Pot itself are at risk, logging should also be sent to a dedicated server using a cryptographic protocol, to mask the actual logging methods used.
The logging server should be highly secured with all services turned off, and port 514 UDP blocked to prevent unauthorized logging of information from the Internet. A free open source encrypted solution is the program ‘ssyslog’ from Core-SDI or ‘syslog-ng’ from BalaBit software. Alternate logging methods for NT include ‘slogger’ and ‘EventReporter’. A strong commercial product is the ‘Secure Log Repository’ product from NFR Security. Whenever possible, bogus logging configuration files should also be established on the local Honey Pot. This will help ensure we capture valid information on how the system was attacked or compromised, and reduce the possibility of the intruder becoming aware of our decoy.
Another layer of logging includes using a network sniffer on the Honey Pot wire to capture all data in or out of the machine. This allows capturing the keystrokes of the intruder. The sniffer can also perform screen captures to see exactly what the intruder sees. Several different sniffers and/or IDS monitors can be used. They include Real Secure, NFR, Dragon and Snort.
To help determine if the system has been compromised, capture an image of the original system program binaries using a tool such as Tripwire and save this data remotely. Freeware tools similar to Tripwire can quickly create a database, which includes MD5 checksums, of system files for many system platforms. Use these tools to create a baseline of the system. Remember that ‘bad’ things can happen on a compromised system by a knowledgeable intruder who becomes aware he/she is on a Honey Pot. Be ready to pull the plug, especially after all has been learned within reason. The goal is to learn how intruders compromise a system, not to let the intruder use the Honey Pot as his/her tool and cause further damage.