Honey pots


Honey Pots

(Intrusion Detection System)

Presented By:-

Alok Singh, CS 3rd Year, 0916510015

Professor:-

Swati Pandey

Overview

• Historical aspect
• Evolution of Honey Pots
• Concept of Honey Pots
• Why we use Honey Pots
• Definition of Honey Pots
• Types of Honey Pots
• Working of Honey Pots (using Snort)
• Level of Interaction
• Some Honey Pot Tools
• Advantages
• Disadvantages
• Today's Honey Pots
• Future of Honey Pots
• Any Queries

Historical aspect

• 1990/1991 - The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
• 2002 - dtspcd exploit capture

Evolution of Honey Pots

• Firewalls
– Early 90’s
– Must have: deployed before anything else

• Intrusion Detection System (IDS)
– Mid to late 90’s
– We can’t guard everything, so let’s watch the network for suspicious traffic

• Honeypots
– Early 2000
– Not only do we want to know when the black hats are attacking, but also answer the question, why?
– Let’s learn rather than just react

Concept of Honeypots

• A security resource whose value lies in being probed, attacked or compromised

• Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise

• Used for monitoring, detecting and analyzing attacks

• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (Source: Tracking-Hackers paper)

• An additional layer of security. It is a different kind of security from a firewall: a firewall works only on system security, while this security works at the network layer.

Why we Use Honey Pots?

Honeypots

• A server that is configured to detect an intruder by mirroring a real production system.

• It appears as an ordinary server doing work, but all the data and transactions are phony. 

• Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system.

• Set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Types of Honeypots

• Generally speaking there are two different types of Honeypots: Production Honeypots and Research Honeypots

• Production Honeypots are used primarily by companies or corporations to improve their overall state of security.

• Research Honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.

Working of Honey Pots(using Snort)

Snort Description

• Open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods.

• It is the most widely deployed intrusion detection and prevention technology and has become the de facto standard technology worldwide in the industry.

• Only Snort works in a Windows system environment.

Working of Snort(IDS)

• IDS: invisible Snort monitor in promiscuous mode

• Two Snort sessions:
– Session 1: signature analysis (monitoring)
– Session 2: packet capture (data capture)

• Capturing of packets on the network

Practical Snort Working

• Please see the which included with it.

Level of Interaction

• Level of interaction determines the amount of functionality a honeypot provides.

• The greater the interaction, the more you can learn.

• The greater the interaction, the more complexity and risk.

• Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations

Low Interaction

• Provide emulated services

• No operating system for the attacker to access.

• Information limited to transactional information and the attacker's activities with emulated services

• Some low interaction tools are Honeyd and Specter.
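An added example (not part of the original slides): a minimal low-interaction honeypot in Python that emulates a service banner, never interprets client input, and records only the transactional information listed above. The banner text, the names `EmulatedService`, `start_honeypot` and `demo_probe`, and the constructed probe client are assumptions made for illustration.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

BANNER = b"220 mail.example.test ESMTP ready\r\n"  # constructed fake banner
EVENTS = []                     # in-memory log; ship off-host in a real deployment
EVENTS_LOCK = threading.Lock()
MAX_BYTES = 1024                # cap on what is read from any one client


class EmulatedService(socketserver.BaseRequestHandler):
    """Emulated service: sends a banner, records input, executes nothing."""

    def handle(self):
        self.request.settimeout(3)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(MAX_BYTES)
        except socket.timeout:
            data = b""
        event = {   # a honeypot has no production use, so every connection is logged
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "payload": data.decode("latin-1"),
        }
        with EVENTS_LOCK:
            EVENTS.append(event)
        # Generic refusal; the input is stored, never parsed or run.
        self.request.sendall(b"500 command not recognized\r\n")


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 picks a free port."""
    server = socketserver.ThreadingTCPServer((host, port), EmulatedService)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo_probe(server, payload=b"EHLO scanner\r\n"):
    """Constructed client standing in for a probe; returns what it saw and the event."""
    with socket.create_connection(server.server_address, timeout=3) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return banner, reply, EVENTS[-1]


if __name__ == "__main__":
    srv = start_honeypot()
    print(demo_probe(srv)[2])
    srv.shutdown()
```
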

High Interaction

• Provide actual operating systems

• Learn extensive amounts of information.

• Extensive risk.

• Some high interaction tools are Honeynets.

• Honeynets are a kind of honeypot project that is in the developing and testing stage.

Some Honey Pot Tools

• BackOfficer Friendly (low interaction) – http://www.nfr.com/products/bof/

• SPECTER – http://www.specter.com

• Honeyd – http://www.citi.umich.edu/u/provos/honeyd/

• ManTrap – http://www.recourse.com

• Honeynets (high interaction) – http://project.honeynet.org/papers/honeynet/

Advantages

• Fidelity – information of high value
• Encryption or IPv6
• New tools and tactics
• Simple concept
• Not resource intensive
• Return on investment

Disadvantages

• Labor/skill intensive
• Risk
• Limited field of view
• Does not protect vulnerable systems

Today's honeypots

• Military, government organizations, security companies applying the technologies

• Primarily to identify threats and learn more about them

• Commercial application increasing every day

Future of Honey Pots

• Honeypots are now where firewalls were eight years ago

• Beginning of the “hype curve”
• Enhanced policy enforcement capabilities
• Advanced development in open source solutions
• Integrated firewall/IDS/honeypot appliances

Any Queries

Resources:

• Honeypots: Tracking Hackers – http://www.tracking-hackers.com

THANK YOU

For your attention