8/3/2019 Honey Nets
Virtual Honeynet
Senior Project
By Daniel Engel
Abstract
The intent of this paper is to discuss my research for my senior project. I will cover what a
honeynet is, its advantages and disadvantages, and other areas of research significant to a honeynet.
Unfamiliar terms will be placed in footnotes along with other terms and ideas that need clarification.
The first part of this research paper will cover the background and basic information on honeynets while
the second part will go into detail about honeynets and the successes and problems I had. Although a
honeypot is a single computer on a honeynet, the terms honeynet and honeypot are sometimes used
interchangeably in articles. I have done my best to differentiate the two terms in this paper.
Part I
Introduction to Project
One of my main interests in the field of information technology has become network security
and for that reason I have chosen to focus my senior research on a related topic. Honeynets I felt were a
great topic to study because they implement network security in many different ways. In the first part of
the paper honeynets will be covered to give a basic understanding of what constitutes a honeynet.
Offensive Approach to Network Security
Computer network security has always taken on a defensive approach versus an offensive
approach when it comes to keeping out the bad guys. The basic idea has been to put up layers of
barriers and filters on a network to keep out unwanted streams of data. The problem with a defensive
approach is that the enemy always has the initiative. Imagine playing football and always being on the
defense: not much ground is usually won compared to being on the offense. With a fairly new[1]
technology concept called a honeynet, however, businesses may take an offensive approach to securing their
networks and potentially locate and eliminate some network risks. Honeynets will be discussed in more
detail later on. Traditional network security methods only provide barriers with the hope that nothing
malicious[2] will get through that can cause damage. Honeynets, in contrast, are created to be an offensive
approach and gather information on who the attacker is and what they are doing.
Traditional Network Security
The traditional network security methods that have been referred to are Intrusion Detection
Systems (IDS), firewalls, routers and IPTables; sometimes the network topology[3] can also be a source of
security. This is clearly not an exhaustive list of security methods. All these methods typically filter
network traffic according to predetermined rules set for what type of network traffic can come through
and what cannot. Let's use IDS as an example. IDS systems are known to log gigabytes of information
about network activity that can be nearly impossible to sift through and analyze. They also monitor
system activity and can actually produce an audible alert when something out of the ordinary is
occurring on the network. Although this sounds like a great thing, it can actually be an irritant to network
administrators and is usually not very effective. Sometimes these alarms are caused by what is called a
false positive. A false positive is when an alarm indicates that an attack is in progress when there in
fact is really no such attack. (Whitman, 2005) These can be very frequent, so frequent in fact that there are
actually books written about how to reduce IDS false alarms. The frequency of alarms can
desensitize those who have to respond to them, much like a car alarm that goes off and
gets no attention because it is normal. False positives are native to many traditional security
methods, not just IDS.
[1] Honeynets have been around since about 1999-2000.
[2] Intent to do harm, referring to malicious software or malware.
[3] The arrangement or mapping of the elements (links, nodes, etc.) of a network. (Wikipedia)
The intent is not to imply that these traditional methods are ineffective and useless. On the
contrary, they are very much needed to provide good network security. A properly configured IDS or
network topology can go a long way to aid a honeynet. Honeynets just go one step further by allowing
the identity of intruders to be revealed. "Firewall and IDS and other traditional security technologies can
detect, alert, and notify you of security breaches. But without the in-depth data received from
honeynets, the who and why usually go unanswered without an in-depth forensics review" (Higgins,
2007).
What is a Honeynet?
A honeynet is a decoy network that has been created purposely to seem vulnerable to attacks in
order to lure in attackers and gather specific information about them. Like bees to honey. Consider
figure 1 on the next page. The computers labeled "Honeypot" are the individual computers that make
up the honeynet. While the actual network (computers labeled "Production") is secure and protected,
the Honeynet is created to seem vulnerable and can sometimes appear to contain valuable data such as
credit card information. These networks are created to make the attacker think they are working with
valid network systems. While attackers are busy doing their malicious activity on the decoy network, the
honeywall gateway is busy collecting data on their every move. How this works is discussed in part two.
The following is a quote about the purpose of honeynets taken from an article written by a
group that heads The Honeynet Project[4]: "The primary purpose of a honeynet is to gather information
on threats. This information has different value to different organizations. For example, academic
research institutions may use honeynets to gather data for research, such as worm activity. Security
organizations may use honeynets to capture and analyze malware for anti-virus, IDS signatures or learn
new ways to counter changing threats. Government organizations may use honeynets to learn more
about who is targeting them or why." (Project, 2006) Recently, with the release of the Conficker virus, a
honeynet was used to contain the worm and study what it did to be able to defend against it. These are
just a few examples of the potential that honeynets have and what they can be used for.
[4] A team of 30 network security experts that analyze honeynet data and research how malicious hackers act.
Figure 1
Honeynet vs. Traditional Methods
Now that a honeynet has been explained, I would like to discuss what it can do for a network
that traditional security methods are incapable of doing. First, I would like to reinforce the idea that the
primary use of a honeynet is to gather information on an intruder. Because we want to gather useful
information on an intruder it is important they feel they are not being led into a trap. For this reason,
honeynets can be deployed in such a way to allow an intruder to interact with an actual computer. Being
able to use an actual computer with a real operating system[5] (OS) and not just an emulated OS will
create a safe feeling environment for the intruder, allowing him/her to act normally. Emulated software
has the potential to tip off the intruder they are being monitored and can greatly limit what they can do
compared to a real OS.
Where is the value in making the intruder feel safe? The value is seen while they are attacking
the operating system. Special software installed alongside the operating system can record their
every move. For example, there are software programs called key loggers. These key loggers are
capable of recording every stroke of the keyboard the intruder makes. This makes it possible to know
what was being typed and the order in which items were typed to allow analysts the opportunity to
know a sequence of events.
Analyzing the results of data collected from intruders can give security analysts the opportunity
to know how security systems are being breached and therefore create greater security defenses to
prevent further attacks. This method gives up on the idea of sitting back and waiting for the next
onslaught of attacks on the network hoping the network is secure. It also provides invaluable
information on who is attacking these systems and why. Once again, the honeynet creates the offensive
approach due to the ability to advance current security techniques and gain an advantage over hackers.
Also, hackers realizing they have discovered a company or organization that uses a honeynet will be less
likely to attack again because they can't be sure which network systems are being monitored and which
are not.
[5] Examples of an OS are Windows XP or Vista, Mac OS X, Solaris and Linux.
Honeynets Reduce False Positives
As mentioned earlier, false positives can create problems and decrease response time to
possible network threats. A great challenge of most intrusion detection technologies is their frequency
of producing false positives. The larger the probability that a security technology produces a false
positive, the less likely the technology will be useful (Spitzner, 2004). Going back to the car alarm
example we can see what Spitzner meant by this. How often do we walk through a parking lot and hear
a car alarm? Most likely it has happened to us all several times. We typically just ignore the alarm and go
on without giving much thought to it. Security analysts typically run into this challenge which ultimately
creates lower reaction times to these alarms. However, by definition almost any activity with a honeynet
is unauthorized and therefore will greatly reduce the amount of false positives. This is a great example
why honeynets take a greater offensive approach to networking than traditional methods. It shows that
they have greater reliability and functionality.
Adaptability
I think the greatest thing about a honeynet is the adaptability of such a technology. No other
technology is so mobile, adaptive and potentially free from cost. These advantages are good no matter if
you are a large company carrying confidential information or just a small privately owned company. A
honeynet can be adapted based on individual needs. They can be created to appear to broadcast a
social security number entered into a database or appear to be a whole network of computers.
Another great advantage of this type of adaptability is the option of being able to create a
honeynet with a single computer or laptop. The use of special software called VMware (Virtual Machine
Software), or something similar, allows multiple operating systems to run on one computer which allows
the option of creating more traps to collect specific data. This type of honeynet is called a virtual
honeynet and can appear to be a whole network of computers. Also, because a laptop is easily moved, it
is possible to configure a customized honeynet and use it on company X's network, then when your
objective is complete with company X, the laptop can be plugged into company Y's network and begin to
collect data. All it takes to switch is plugging the laptop into a new network. The ease of setup surpasses
all other security options and there is no other security feature in use today with such mobility and ease
of use.
Cost
Not only does the ease of adaptability appeal to many, so does the cost. High cost does not have
to be an issue when deciding to set up a honeynet. If a small company is interested in using a honeynet
but doesn't have a budget for it, an older single Pentium processor[6] system would be able to handle a
basic honeynet setup; that is, an older, less complex computer can be used. This is what gives
honeynets the ability to be used by so many different types of industries and budgets. If you are a large
company looking to create a significant size honeynet, the cost could still be reasonable. This is because
a whole network can be created on a single laptop to have multiple honeypots. Even a large honeynet
can be created with a few laptops, and because there are many open-source[7] operating systems, there
is no need to have to pay for multiple operating systems either.
[6] Early computer chips created from 93-99 ranging from 60 to 300 MHz. Today's processors are in the 2-3 GHz range. About 10x faster.
[7] Code viewable to public for editing and enhancement, free software.
Part II
Hopefully at this point there is a good understanding of what a honeynet is and what it is meant
to do. The next several pages will go into more detail about the parts of a honeynet and the different
software that helps the honeynet to function to accomplish its one purpose: understanding the bad guys.
Types of Honeypots
There are three types of honeypots and/or honeynets, and each has its own strengths and
weaknesses. There is the high interaction, low interaction and virtual honeypot. Each one will be
explained in the following paragraphs.
Virtual Honeypot
A virtual honeynet uses virtualization software, such as VMware, to create a honeynet on a
single computer. There are two types of virtual honeynets that I will briefly describe. One type is a
self-contained honeynet and the other is called a hybrid honeynet. A self-contained honeynet is what I
attempted to create. This type of honeynet is all software, and virtual hardware contained on one
system, such as a laptop. Self-contained honeynets are portable because they can be created on a single
laptop and can be plugged into any network and up and running in a small amount of time. Also, they
can be very cheap, or completely free in my case, to set up and deploy. Another great advantage is the
ability that VMware has to immediately suspend a guest operating system. If, for example, an attacker is
managing to find their way out of the honeypot we want to stop him without losing our collected data.
Rather than losing that valuable data by shutting down the operating system quickly, the system can be
suspended which allows the system to pick up from the last process it was executing when it was
suspended. This will cut the attacker off and allow the collected data to remain safe.
Some disadvantages of my self-contained honeynet are potentially big enough disadvantages to
persuade many not to attempt this type of honeynet. The biggest disadvantage is system resources
available on a single laptop. To be able to run multiple operating systems, services, firewalls,
virtualization software and other software requires a powerful system. During my experience, I was
never able to run all five operating systems and my firewall at the same time without my computer
slowing to a crawl. Many times I would only run about 3-4 at a time. I would be okay running multiple
UNIX systems, but I could only run a single Windows system at a time. Another disadvantage is the
potential for a single point of failure, or in other words, since the entire honeynet uses the same
hardware and software, one failure anywhere in hardware or software could bring the entire honeynet
down.
Hybrid honeynets are the same as self-contained with one big difference. That difference is the
firewall is a separate system outside all the virtualization software. This can help them be more secure
since the firewall would not be affected by problems on the honeynet.
Low-Interaction Honeypot
Low interaction honeypots do just as they sound. They provide a low interaction environment
that hackers can interact with. These low interaction honeypots emulate real time services and
operating systems. Typically low interaction honeypots are just software installed on a computer that
can be easily configured through a GUI. One such example is Honeyd. Honeyd allows the user to select
what operating systems and services to emulate by simply clicking a button and the software does the
rest. One advantage of Honeyd is that it has the capability of emulating hundreds of services and
operating systems. It also allows easy configuration of IP addresses to monitor and will even emulate
the IP stack level. The major drawback of low interaction honeypots or Honeyd is that the program just
runs a script that expects specific input and gives a set output. Because the program expects something
specific, if it receives a command it has not been programmed to recognize, it will send back an error
message, which is a red flag to the hacker indicating something is not right and potentially revealing they
are in a honeypot environment.
High-Interaction Honeypot
This is the type of honeypot that I attempted to implement for my senior project. Much more
difficult than any research led me to believe. High interaction honeypots are very different than low
interaction honeypots because they provide entirely real operating system environments that hackers
can interact with. There is no software or hardware emulation. They only provide real software and
services for hackers to use at their will. This is important because it provides a greater ability to study a
hacker in a real environment, without limitations on commands and software, where they are free to act
as they normally would. This freedom to hack the system allows for much better data
capture in research honeynets to monitor intruder root kits, keystrokes, commands, passwords and
communications between other systems.
The great thing about a high-interaction honeypot is that because real services and software are
used, new, unexpected and unknown attacks can be captured. This type of freedom to hackers also
introduces a great risk to honeypots and networks that contain them. If proper security is not put into
place the attacker may be able to break out of the honeypot and into the actual network.
There is a commercial version of a honeypot called Symantec Decoy Server. Although I could not
find it on Symantec's web site, the limited notes I found claimed that it does not emulate any OS or
services and that it only works with Solaris. It apparently uses real time software and services but
instead of having separate machines with this software, it creates four partitions called cages. These
cages are actually honeypots that allow hackers to interact with them just as they would any other
operating system.
Although there is not much information to be found on this commercial honeypot product, I
wanted to bring attention to it. It seems this product was on the market in 2003, and then disappeared
soon after that. This may indicate that at one point the idea of honeynets and honeypots as a network
security feature for corporations may have begun to take off, and then quickly died out. In my personal
opinion, I believe this has to do with the significant amount of overhead that can come from having a
highly monitored high interaction honeynet. Plus there is the risk of hackers being able to break into the
real network.
Honeywalls and Bridging
Honeywalls are used as data control elements and are the heart of the honeynet. All good
honeynets will include a honeywall because they provide multiple benefits that will be discussed. A
honeywall acts as a bridge which is a network gateway with three interfaces. They are as follows:
1.) eth0 connects to the internet
2.) eth1 connects to the honeynet
3.) eth2 allows for management monitoring and secure access to honeynet
Forwarding of ethernet frames to these interfaces is an OSI layer 2 function called bridging.
Bridge boxes are network devices with at least two interfaces used to connect two separate networks,
such as LAN 1 and LAN 2; thus the term bridge is used. The bridge forwards packets from LAN 1 to LAN
2. Because bridges work off of MAC addresses, the spanning tree protocol (STP) must be used on more
complex network topologies. On honeynets this protocol must be avoided at all costs because it can
reveal honeynets. The following is how bridging works, why it can conceal a honeywall, and what
makes it an excellent idea for implementation into a honeynet.
Steps to Bridging:
1.) Processing starts at layer 1 in the OSI model. The NIC receives a bit stream; when it is
recognized as a packet, it is moved to layer 2 to process.
2.) Layer 2. The bridge searches for the proper MAC address in the bridging network's memory. If found,
the packet is moved to the appropriate interface for transmission. If the MAC address is not found,
then a broadcast is sent out to all interfaces except the one that originally sent the packet.
3.) Layer 1. Sees the packet, recognizes the stream of bits and converts them to electrical
signals.
Bridging is transparent to IP processing (an OSI layer 3 function). This is why honeywalls are
undetectable: the IP header in the packet is not processed and passes through the
honeywall untouched. Every time a packet goes through an IP processing device, the Time To Live (TTL)[8]
field of the IP header is reduced by one, which makes it possible to know the number of devices between
the source and destination. A bridge does not touch the TTL, so the honeywall never appears as one of
those devices. The absence of an IP stack and of IP addresses on the interfaces involved makes an
attack very difficult.
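The forwarding steps and the TTL argument above can be checked with a small model. This is an added example, not code from the paper or from any honeywall distribution; the class and function names and the MAC addresses are made up for illustration, and the honeywall is modelled as a two-port bridge (eth0/eth1) sitting behind one upstream router.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ip_ttl: int  # TTL field of the IP header carried inside the frame


class LearningBridge:
    """Layer 2 forwarding: learn source MACs, look up the destination MAC,
    flood to every other port on a miss. The IP header is never read."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, frame, in_port):
        self.mac_table[frame.src_mac] = in_port  # learn where the sender lives
        known = self.mac_table.get(frame.dst_mac)
        if known is None:
            out_ports = [p for p in self.ports if p != in_port]  # flood
        elif known == in_port:
            out_ports = []  # destination is on the arrival segment
        else:
            out_ports = [known]
        return [(port, frame) for port in out_ports]  # frame is unmodified


def route(frame, router_mac, next_hop_mac):
    """Layer 3 hop for comparison: new MAC addresses, TTL reduced by one,
    packet discarded when the TTL runs out."""
    if frame.ip_ttl <= 1:
        return None
    return Frame(router_mac, next_hop_mac, frame.ip_ttl - 1)


def ttl_seen_by_honeypot(initial_ttl=64):
    """Attacker -> upstream router -> honeywall bridge -> honeypot.
    Returns the (port, TTL) pairs that leave the honeywall."""
    # Constructed MAC addresses.
    attacker = "aa:aa:aa:00:00:01"
    router = "bb:bb:bb:00:00:01"
    honeypot = "cc:cc:cc:00:00:01"
    honeywall = LearningBridge(["eth0", "eth1"])
    sent = Frame(attacker, router, initial_ttl)
    routed = route(sent, router, honeypot)          # the only hop that costs TTL
    delivered = honeywall.forward(routed, "eth0")   # bridge: TTL untouched
    return [(port, frame.ip_ttl) for port, frame in delivered]


if __name__ == "__main__":
    print(ttl_seen_by_honeypot())
```

The honeypot receives the packet with the TTL the router left on it, so a hop count taken from either side shows one device in the path, not two.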
Data Control and Capture
The two most important requirements with honeynets are data control and data capture. Most
data capture and data control are configured on the honeywall or firewall. This makes configuring both
data control and data capture easier. First and foremost, data control is simply how activity is contained
within a honeynet so that an attacker doesn't know. Data capture is watching or logging all the
attacker's information without bringing attention to it. Data control is the more important of the two
because improper data control could allow a hacker to escape the honeynet and reach the host
operating system. This also incorporates the idea that we need to give the hacker as much apparent
freedom as possible without putting other systems at risk. Proper data control is done through filtering
traffic with the firewall and closing down unnecessary services and ports, among other methods. Data
capture is where the fun happens. This is how it is possible to understand the tools, tactics and motives
of hackers. One major tool used for data capture on my network is the keystroke logging software called
Sebek. Sebek can log information about commands entered through SSH,
making it known what commands and passwords are being entered and the order in
which the commands were entered.
[8] TTL specifies how long the datagram is allowed to live on the network, in terms of router hops. Each router decrements the value of the TTL
field (reduces it by one) prior to transmitting it. If the TTL field drops to zero, the datagram is assumed to have taken too long a route and is
discarded.
Honeywall Management
An additional interface on the honeywall for management purposes creates security between
malicious honeynet activity and management activity. An IP address is given to this interface to allow
remote access, monitoring, configuring and intervention if necessary. This also provides a huge benefit
because immediate recovery of any data logging is available, even if the hacker is still on the system. The
immediate recovery of data logging is how attackers can be watched.
Honeywall Data Control
Data control, as mentioned earlier, is how activity is contained within a honeynet so that an
attacker doesn't know their activities are being contained within the honeynet and, most importantly, to
prevent the attacker from being able to leave the honeypot and access the host operating system. To be
able to achieve these goals there are three data control methods that can be used while implementing a
honeynet.
1.) Connection Rate Limiting Mode
This method uses the firewall located on the network to limit the number of outgoing
connections from each honeypot. Because any honeynet activity is suspicious, large amounts of
outgoing traffic can be a red flag that a system has been compromised. So limiting the outbound traffic
can create security even within a honeypot. This is normally done by just limiting the number of
outbound connections per hour. Limiting outbound connections on a honeypot also reduces
the possibility of a compromised honeypot being used for DoS[9] attacks. Another effective method
would be to limit outbound connections according to protocols such as TCP, UDP, ICMP and many
others.
2.) Packet Drop Mode
Three items in this section must be prefaced with a short definition to understand this section
better.
1. Snort-Inline is a modified version of Snort, which is a type of IDS; it has a built-in
database of known attacks.
2. Intrusion Prevention System (IPS) is a network security device that monitors network
and system activities for malicious or unwanted behavior and can react, in real time, to
block or prevent those activities. (Wikipedia)
3. IPTables are a powerful Linux firewall tool that enables users to create a set of rules for
packet selection and rejection.
[9] Denial of Service involves saturating the target (victim) machine with external communications requests, such that it cannot respond to
legitimate traffic, or responds so slowly as to be rendered effectively unavailable. (Wikipedia)
The Packet Drop Mode method is based on Snort-Inline's[10] capability to detect and deal with
malicious packets that are leaving the honeynet and headed toward a victim. Snort-Inline will accept or
reject packets based on a previously set group of rules configured through IPTables. Malicious
packets that match a pattern of known attacks are dropped at the IPS (Intrusion Prevention System).
Packet Drop Mode is only as effective as the quantity and quality of rules.
3.) Packet Replace Mode
This method also uses Snort-Inline but instead of dropping packets, it modifies them to not be
harmful and forwards them on to their original destination. This type of data control is stealthier and
hackers will only know that for some unknown reason, the attack failed. This may encourage the
hacker to use alternative methods to attack which could lead to an increased amount of knowledge
gained and more effective research.
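The three data control modes can be combined in one outbound filter, modelled below in Python. This is an added example, not the honeywall's own firewall script or Snort-Inline rules; the limits, the byte pattern, the addresses and all names are constructed for illustration.

```python
from collections import defaultdict, deque

HOUR = 3600  # seconds


class DataControl:
    """Outbound data control for a honeywall, combining the three modes.

    limits:     new outbound connections allowed per honeypot, per protocol, per hour
    signatures: (attack pattern, harmless replacement) byte pairs
    mode:       "drop" (Packet Drop Mode) or "replace" (Packet Replace Mode)
    """

    def __init__(self, limits, signatures, mode="drop"):
        if mode not in ("drop", "replace"):
            raise ValueError("mode must be 'drop' or 'replace'")
        for pattern, harmless in signatures:
            # Equal length keeps the packet size and stream offsets unchanged,
            # so the sender only sees that the attack did not work.
            if len(pattern) != len(harmless):
                raise ValueError("replacement must be as long as the pattern")
        self.limits = limits
        self.signatures = signatures
        self.mode = mode
        self.recent = defaultdict(deque)  # (honeypot, proto) -> timestamps

    def outbound(self, ts, honeypot, proto, payload=b"", new_connection=True):
        """Return (verdict, payload to forward or None)."""
        if new_connection:
            window = self.recent[(honeypot, proto)]
            while window and ts - window[0] >= HOUR:
                window.popleft()  # forget connections older than one hour
            # A protocol without a configured limit is not allowed out at all.
            if len(window) >= self.limits.get(proto, 0):
                return ("rate_limited", None)
            window.append(ts)
        for pattern, harmless in self.signatures:
            if pattern in payload:
                if self.mode == "drop":
                    return ("dropped", None)
                return ("replaced", payload.replace(pattern, harmless))
        return ("forwarded", payload)


# Constructed signature: one altered byte makes the request fail at the target.
SIGNATURES = [(b"/bin/sh", b"/ben/sh")]
# Constructed per-hour limits for each honeypot.
LIMITS = {"tcp": 3, "udp": 2, "icmp": 5}

# Constructed outbound traffic from a compromised honeypot at 10.0.0.5:
# (seconds since start, honeypot, protocol, payload).
EVENTS = [
    (0, "10.0.0.5", "tcp", b"GET /index.html"),
    (60, "10.0.0.5", "tcp", b"run /bin/sh now"),
    (120, "10.0.0.5", "tcp", b"hello"),
    (180, "10.0.0.5", "tcp", b"hello"),    # fourth connection within the hour
    (3700, "10.0.0.5", "tcp", b"hello"),   # earlier connections have aged out
]


def replay(mode, events=EVENTS):
    """Run the constructed traffic through a fresh gateway in the given mode."""
    gateway = DataControl(LIMITS, SIGNATURES, mode)
    return [gateway.outbound(*event) for event in events]


if __name__ == "__main__":
    for mode in ("drop", "replace"):
        print(mode, replay(mode))
```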
Honeywall Data Capture
Data capture is the heart of honeynets and can provide invaluable information for research and
deliver the who, what, when, where, how and whys of the attacker. Again, we come across three
important parts of data capture. Instead of being three distinct methods, we will have three layers, all
working harmoniously together to combine many pieces of information to give one overall picture of
what the attacker is doing. These three layers are firewall logging (IPTables), IDS logging (Snort), and
honeypot system logging (Sebek). As with data control, most data capture is implemented on the
honeywall.
1.) Firewall Logging
There is the potential to use honeywalls as firewalls. Because a honeywall is your central point
for collecting data and controlling it, it would only make sense. It can log all connections to and from the
honeynet with the ability to alert with every connection made to the honeywall. As stated before, every
connection with a honeynet is considered malicious so false positives are greatly reduced. The great
thing with logging all the connections is the ability to go back and review what connections were made
to see if any trojans or backdoors were created.
[10] A customized version of Snort. Inline refers to an embedded mechanism that intervenes on a packet's transit path through the network
gateway. The logic is to detect any badness on the packet then use IPTables to stop it. (Corvovensis, 2006)
2.) IDS
IDS systems can be very useful for honeynets when implemented on a honeywall or honeypot
and can also have some negative side effects as mentioned earlier in part one. The logic behind IDS is
pretty simple to understand. The idea is to check all packets entering or exiting a monitored network
against a database of known attacks. When a known or suspected attack is found, it alerts the
administrator. Network traffic sniffing is required for proper IDS function to analyze and capture
packets. The disadvantage of this is the amount of false positives[11] and false negatives[12] that are
generated. This can make a proper diagnosis of the situation difficult. Although IDS tactics can be useful,
they are not necessary since any traffic to and from a honeypot is considered malicious. The most
popular IDS used in honeynets is Snort.
3.) Honeypot System Logging
This is where the keystroke logging software, Sebek, comes into play because it is valuable
data capture software installed on a honeypot and a server. Capturing data allows for reconstruction of
an attack for further analysis and research. As mentioned before, capturing keystrokes and other types
of logs is what a honeypot is all about. Keystroke logging like Sebek is effective because it captures the
information at the kernel level where it is no longer encrypted. As the old saying goes, "what goes up
must come down," so information that is encrypted must at some point be decrypted to be of any use
(Corvovensis, 2006).
[11] A false positive is when an alarm indicates that an attack is in progress when there in fact is really no such attack (Whitman, 2005)
[12] A false negative is the opposite of a false positive. False negatives are any alert that should have happened but didn't.
Sebek is a keystroke logger created specifically for honeynets and was actually created by
the Honeynet Research Alliance. It is available for Solaris and Linux operating systems as well as
Windows which comes with limited capabilities. Sebek is made up of two parts: the Sebek client and the
server. The client is installed on a honeypot that needs to collect data, and the server is installed on the
honeywall. The client package captures keystroke data and covertly sends it to the Sebek server. It is not
noticeable since all data transfer is done at the kernel level. Once it reaches the honeywall it is safe and
ready to be accessed. Data can be accessed from the Sebek server by sniffing the honeywall's interface
or by using TCPDump[13]. For an example see the image below. The intruder at the red computer uses an
SSH connection to access Honeypot A. The Sebek client software begins to send all activity about the
intruder, unnoticed, to the Sebek server software located on the Honeywall Gateway.
Because the data captured is so valuable, it is important to keep it in a safe place out of the
reach of the attackers. Data kept on a vulnerable honeypot has the potential to be erased by the
attacker, which is why it is important to have the logs saved directly to a disc or sent to the honeywall for
safe storage.
[13] A common packet sniffer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being
transmitted or received over a network to which the computer is attached.
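The three data capture layers only give "one overall picture" once their records are merged by time. The Python below is an added example, not part of the paper or of the Honeywall tools: it parses constructed iptables LOG lines, a constructed Snort fast-alert line, and a simplified text stand-in for decoded Sebek records (not Sebek's real record format), then builds a single timeline for one honeypot. All addresses, the log year and the function names are assumptions.

```python
import re
from datetime import datetime

YEAR = 2009  # syslog and Snort fast alerts carry no year; assumed here

# Constructed sample data, one block per capture layer.
FIREWALL_LOG = """\
Jun 15 14:02:11 honeywall kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Jun 15 14:09:40 honeywall kernel: OUTBOUND TCP: IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=51200 DPT=80 SYN
"""
SNORT_ALERTS = """\
06/15-14:02:13.481516  [**] [1:1000001:1] Constructed rule: SSH login attempt [**] [Priority: 2] {TCP} 198.51.100.7:40112 -> 10.0.0.5:22
"""
# Stand-in for decoded Sebek records: time, honeypot, user id, keystrokes.
SEBEK_RECORDS = """\
2009-06-15T14:03:02 10.0.0.5 uid=0 whoami
2009-06-15T14:03:20 10.0.0.5 uid=0 uname -a
"""

SNORT_RE = re.compile(
    r"^(\S+)\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*\{(\w+)\} "
    r"(\S+?):(\d+) -> (\S+?):(\d+)$"
)


def parse_firewall(text):
    """iptables LOG lines: syslog timestamp, log prefix, KEY=value fields."""
    for line in text.splitlines():
        when = datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        direction = line.split("kernel: ")[1].split(" ")[0].lower()
        summary = (f"{direction} {kv['PROTO']} {kv['SRC']}:{kv['SPT']}"
                   f" -> {kv['DST']}:{kv['DPT']}")
        yield when, "firewall", {kv["SRC"], kv["DST"]}, summary


def parse_snort(text):
    """Snort fast alerts: timestamp, rule message, protocol, endpoints."""
    for line in text.splitlines():
        stamp, msg, _proto, src, sport, dst, dport = SNORT_RE.match(line).groups()
        when = datetime.strptime(f"{YEAR}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")
        yield when, "ids", {src, dst}, f"{msg} ({src}:{sport} -> {dst}:{dport})"


def parse_sebek(text):
    """Keystroke records as captured on the honeypot itself."""
    for line in text.splitlines():
        stamp, host, uid, keys = line.split(" ", 3)
        yield datetime.fromisoformat(stamp), "sebek", {host}, f"{uid} {keys}"


def timeline(honeypot):
    """Merge all three layers into one time-ordered view of a honeypot.
    No severity filter is applied: any traffic touching a honeypot counts."""
    events = [*parse_firewall(FIREWALL_LOG),
              *parse_snort(SNORT_ALERTS),
              *parse_sebek(SEBEK_RECORDS)]
    events.sort(key=lambda event: event[0])
    return [(when.strftime("%H:%M:%S"), layer, summary)
            for when, layer, hosts, summary in events if honeypot in hosts]


if __name__ == "__main__":
    for row in timeline("10.0.0.5"):
        print(*row, sep="  ")
```

Read top to bottom, the merged view shows the inbound connection, the IDS alert on it, the commands typed in the session, and then an outbound connection from the honeypot, which is the point at which data control has to act.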
Conclusion
Honeynets have great potential for gathering information about attacks, hackers and just overall
network security. However after much searching and research, I have come to a personal conclusion
that a large corporation would most likely not implement and use a honeynet as a security feature. I
could not find any company that has ever used a honeynet. That is probably due to the fact that
companies don't normally advertise their network security plans to the world. Leaving that aside, there
are many risks, such as the risk for a hacker to break out of a honeynet and into the unprotected
network. Also, there can be a lot of overhead and cost involved with honeynets if multiple systems and
operating systems are involved. Non-virtual honeynets require lots of hardware, software and high-cost
expertise to manage and control daily. It seems more logical and cost effective for companies to stick with
their typical IDS, firewalls, traffic filtering and layers of security. Honeynets are great teaching tools for
security and research, but I feel that is where their effectiveness ends, at least until the technology
advances and better implementation practices are discovered.
Bibliography
Clark, M. (2007, November 7). Virtual Honeynets. Retrieved June 5, 2009, from SecurityFocus:
http://www.securityfocus.com/
Corvovensis, Y. (2006). Snort-Inline and IPTables. In T. H. Team, Know Your Enemy (p. 106). Addison
Wesley.
Higgins, K. (2007, April 23). Dark Reading. Retrieved June 3, 2009, from Sweetening the Honeypot:
http://www.darkreading.com/
Honeypot. (2009, June 9). Retrieved June 9, 2009, from Wikipedia:
http://en.wikipedia.org/wiki/Honeypot_(computing)
Intrusion Detection. (2007, May 26). Retrieved June 18, 2009, from Intrusion Detection, Honeypots, and
Incident Handling Resources: http://www.honeypots.net/
Project, T. H. (2006, May 31). Honeynets. Retrieved June 1, 2009, from The Honeynet Project:
http://old.honeynet.org/papers/honeynet/
Shinder, D. (2006, May 25). Virtual Honeynet: A Scalable Element of Your IDS Strategy. Retrieved June 5,
2009, from TechRepublic: http://articles.techrepublic.com.com
Spitzner, L. (2004). Honeypots. In T. H. Project, Know Your Enemy: Learning About Security Threats (pp.
19-20). New York: Addison Wesley.
Whitman, M. (2005). Principles of Information Security. Canada: Thomson Course Technology.
Wikipedia. (2009, July 13). Denial of Service. Retrieved July 17, 2009, from Wikipedia.com:
http://en.wikipedia.org/wiki/Denial_of_service