LINUX SECURITY --- January 09, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________
HIGHLIGHTS
* You can catch more attackers with honey than vinegar, so this week
Rick examines the pros and cons of using a honeypot
________________________________________________________________________________
The World of Honeypots
By Rick Johnson
After months of tedious work locking down your network, things are
finally under control. You might even relax and try to have a life
again. After a few minutes, relaxing gets old and your security
addiction pounds in your head like a cigarette craving to someone on
the patch. There must be something left.... Ah yes, a honeypot!
What is a Honeypot?
The SANS Institute's Intrusion Deception FAQ
(http://www.sans.org/newlook/resources/IDFAQ/honeypot.htm) is a great
source of information. It gives the following description:
"Honeypots are programs that simulate one or more network services
that you designate on your computer's ports. An attacker assumes
you're running vulnerable services that can be used to break into
the machine. A honeypot can be used to log access attempts to those
ports including the attacker's keystrokes. This could give you
advanced warning of a more concerted attack."
In simple terms, a honeypot is a box designed to appear unprotected
that tracks and analyzes the movements and attempts of an attacker.
Why do you need a Honeypot?
You do not really "need" one. However, with the right setup, the
information gained from this endeavor can be extremely valuable. This
information can unveil emerging hacking methods and even warn of future
trends. It also provides a glimpse into the mind and actions of an
attacker.
Should you build a Honeypot?
This is a tough question. If not done properly, then this server could
potentially be exploited -- the thing you had hoped to avoid. You must
be prepared to constantly monitor and review this server just in case
an unknown exploit is found. I cannot recommend that anyone but the
most educated security professionals attempt to build a honeypot. The
risks are simply too great.
If you do insist on playing with fire, please take the time to check
out the following:
* The Honeynet Project (http://project.honeynet.org/) -- A group of
30 security professionals dedicated to learning the tools,
tactics, and motives of the blackhat community and sharing the
lessons learned. The Honeynet Project even gives examples of
scans it has witnessed.
* The Deception Toolkit (http://www.all.net/dtk/) -- DTK simply
listens for inputs and provides responses that seem normal (i.e.,
full of bugs). In the process, it logs what is being done,
provides sensible answers, and lulls the attacker into a false
sense of (your) insecurity.
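The mechanism the DTK description sketches (listen, answer with something plausible, log everything, never act on it) is small enough to show in full. The following is an added example written for this newsletter, not DTK's or the Honeynet Project's code; it assumes two constructed fake services on the high ports 2121 and 2323, a hypothetical log file named honeypot.log, and that it is run as an unprivileged user:

```python
import json
import socket
import threading
import time

# Constructed banners for two fake services (high ports chosen for this example).
FAKE_BANNERS = {
    2121: b"220 ftp.example.internal FTP server ready.\r\n",
    2323: b"\r\nlogin: ",
}

def handle_session(port, peer, data, now):
    """Pure decision logic: pick a canned reply and build one escaped, greppable log record."""
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "port": port,
        "peer": peer,
        # Bytes are recorded escaped, never decoded as commands or executed.
        "input": data.decode("latin-1").encode("unicode_escape").decode("ascii"),
    }
    if port == 2121:
        reply = b"530 Please login with USER and PASS.\r\n"  # keeps the peer talking
    else:
        reply = b"Login incorrect\r\n\r\nlogin: "
    return reply, record

def serve(port, log_path, max_bytes=4096):
    """Accept one connection at a time on `port`, greet it, and log each read."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, addr = srv.accept()
            with conn, open(log_path, "a") as log:
                conn.settimeout(30)  # idle peers are dropped, not held forever
                try:
                    conn.sendall(FAKE_BANNERS[port])
                    while data := conn.recv(max_bytes):
                        reply, record = handle_session(port, addr[0], data, time.time())
                        log.write(json.dumps(record) + "\n")
                        log.flush()
                        conn.sendall(reply)
                except OSError:  # timeout or reset: move on to the next peer
                    pass

if __name__ == "__main__":
    # One listener thread per fake port; run as an unprivileged user (assumption).
    for p in FAKE_BANNERS:
        threading.Thread(target=serve, args=(p, "honeypot.log"), daemon=True).start()
    threading.Event().wait()
```

Each line of honeypot.log is one JSON record with the time, port, peer address and the escaped bytes received, which is what the article means by tracking an attacker's attempts without giving them anything real to break.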
For an in-depth example of one man's honeypot, take a moment to read
the rootprompt.org article "Building a Honeypot"
(http://rootprompt.org/article.php3?article=210). It is a follow-up to
the three-part series "Know Your Enemy" by Lance Spitzner, also an
excellent read.
Honeypots are a great tool, but setting one up is like poking a
beehive. Be careful.
About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________
ADDITIONAL RESOURCES
Use a honey pot to catch hackers
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,,1_1957.html
National security threatened by Net, studies say
http://www.itworld.com/jsw/linsec_nl/swol-01-2001/swol-0105-national.html
Honey pots and traps
http://www.linuxworld.com/jlw/linsec_nl/lw-1999-07/lw-07-ramparts-4.html
________________________________________________________________________________