An Intelligent Non Production System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

ABSTRACT

A honey pot is a non-production system, designed to interact with cyber-attackers to collect intelligence on attack techniques and behaviours. There has been a great amount of work done in the field of network intrusion detection over the past three decades. With networks getting faster and with the increasing dependence on the Internet both at the personal and commercial level, intrusion detection becomes a challenging process.

The challenge here is not only to be able to actively monitor large numbers of systems, but also to be able to react quickly to different events. Before deploying a honey pot it is advisable to have a clear idea of what the honey pot should and should not do.

There should be clear understanding of the operating systems to be used and services (like a web server, ftp server etc) a honey pot will run. The risks involved should be taken into consideration and methods to tackle or reduce these risks should be understood.

INTRODUCTION

MIND MAP:

Fig. 1 presents a mind map which gives an overview of the paper. The branches refer to the main categories, and the sub-branches represent the categories within each main branch.


Fig.1: Mind Map for Honeypots

An intruder can be defined as somebody attempting to break into an existing computer. This identity is popularly termed as a hacker, black hat or cracker. The number of computers connected to a network and the Internet is increasing with every day.

The challenge here is not only to be able to actively monitor all the systems but also to be able to react quickly to different events. Traditionally intrusion detection involved a defensive approach where systems were either dedicated computers like firewalls or host based detection systems aimed at detecting attacks or preventing them.

These systems existed as a part of the commercial/in-use networks and used techniques like pattern matching or anomaly detection. Another type of security system is the system integrity checker, which is typically host based.

BACKGROUND

A honey pot is a program, machine, or system put on a network as bait for attackers. Honey pots are typically virtual machines that emulate real machines by feigning running services and open ports, services which one might find on a typical machine on a network.

Research Honeypots

As the name suggests these honey pots are deployed and used by researchers or curious individuals. These are used to gain knowledge about the methods used by the black hat community. They help security researchers learn more about attack methods and help in designing better security tools. They can also help us detect new attack methods or bugs in existing protocols or software.

Production Honeypots

These honey pots are deployed by organizations as a part of their security infrastructure. They add value to the security measures of an organization. These honey pots can be used to refine an organization’s security policies and validate its intrusion detection systems. Production honey pots can provide warnings ahead of an actual attack. For example, a large number of HTTP scans detected by a honey pot is an indicator that a new HTTP exploit might be in the wild.

Security Issues

Honey pots don’t provide security (they are not a securing tool) for an organization, but if implemented and used correctly they enhance existing security policies and techniques. Honey pots can be said to generate a certain degree of security risk and it is the administrator’s responsibility to deal with it. The level of security risk depends on their implementation and deployment. There are two views of how honey pot systems should handle their security risks.

Legal Issues

To start with, a honey pot should be seen as an instrument of learning, though there is a viewpoint that honey pots can be used to "trap" hackers. The legal definition of entrapment is "Entrapment is the conception and planning of an offense by an officer, and his procurement of its commission by one who would not have perpetrated it except for the trickery, persuasion, or fraud of the officers." This legal definition applies only to law enforcement, so organizations or educational institutions cannot be charged with entrapment.

The Linux Honeypot

This honey pot runs Red Hat (www.redhat.com) with basic configuration plus the services that were desired to be monitored. The idea here was to make the system look like a regular system that has a few servers running but nothing that is being used extensively. Honey pots can also be configured to fake activity in the form of logins, emails etc to make them appear as if they are being used daily.

The Windows Honeypot

Windows professional was selected as the operating environment on the Windows honey pot. As with the Linux honey pot the Windows honey pot was made to look like it had been installed and left alone. The latest patches from Microsoft were installed and the following configurations performed.

Attracting Hackers

A question on "attracting hackers" posted on a honeypot mailing list at securityfocus.com received many interesting replies. Many people seem to think that there is no need to attract hackers and that putting a system on the Internet is sufficient. Also, attracting hackers might not be a good idea, as it might result in a security threat to other computers in the network.

PROPOSED TECHNIQUES

Important computers such as servers are usually protected, patched, updated and maintained better than computers such as test servers, workstations in school labs, desktops used by organizational staff etc. These ubiquitous computers are the ones that administrators find difficult to secure. In fact, computers which are not regularly monitored are the first ones to be compromised.

The following services are simulated:

HTTP – Fake web server versions, web-pages and error messages.

FTP – Fake ftp sessions, logins and error messages.

POP3 - Simple pop3 commands and messages.

Logging Mechanism

The clients should be capable of both text based logging and logging to a database. Text based logging helps in deploying clients with minimum dependencies and requirements. Database logging helps in better storage, adds flexibility in terms of logging, and also allows expandability in terms of further processing of the logs.
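The simulated FTP service and the two logging paths described above can be sketched as follows. This is an added example, not code from the essay: the banner text, reply strings, table layout and function names are assumptions, and the network listener is left out so that the session logic runs offline.

```python
import sqlite3
import time

# Constructed banner for the fake service (hypothetical host name).
BANNER = "220 ftp.example.test FTP server ready"

def ftp_reply(state, line):
    """Return the fake reply for one client line; a login never succeeds."""
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "USER":
        state["user"] = arg
        return "331 Password required for " + arg
    if cmd == "PASS":
        state["password"] = arg
        return "530 Login incorrect."
    if cmd == "QUIT":
        return "221 Goodbye."
    return "500 '" + cmd + "': command not understood."

def open_logs(db_path=":memory:"):
    """Open the database log (SQLite stands in for any database)."""
    db = sqlite3.connect(db_path)
    db.execute("CREATE TABLE IF NOT EXISTS events "
               "(ts REAL, src TEXT, service TEXT, data TEXT)")
    return db

def log_event(db, text_log, src, service, data, ts=None):
    """Record one event in both the text log and the database."""
    ts = time.time() if ts is None else ts
    # repr() escapes CR/LF so client input cannot forge extra log lines.
    text_log.write("%.0f %s %s %r\n" % (ts, src, service, data))
    # Bound parameters keep client input out of the SQL statement itself.
    db.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
               (ts, src, service, data))
    db.commit()

def run_session(db, text_log, src, lines):
    """Feed client lines through the fake service, logging every one."""
    state, replies = {}, [BANNER]
    for line in lines:
        log_event(db, text_log, src, "ftp", line)
        replies.append(ftp_reply(state, line))
    return replies
```

Everything the client sends is attacker-controlled, which is why both log writers treat it as data only.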

Alerting Mechanism

Alerting methods can be email alerts or local system alarms. The frequency of emails and their content can be configured.
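The early-warning idea from the Production Honeypots section, combined with a configurable alert frequency, can be sketched as follows. This is an added example, not code from the essay: the log format, the thresholds and the function names are assumptions, the sample log is constructed, and delivery of the alert (email or local alarm) is left out.

```python
from collections import defaultdict

# Constructed honeypot log lines: "<epoch seconds> <source ip> <service>"
SAMPLE_LOG = """\
1000 198.51.100.4 http
1010 198.51.100.9 http
1015 198.51.100.4 http
1020 203.0.113.20 http
1030 203.0.113.21 http
1040 192.0.2.55 ftp
garbage line
1400 198.51.100.4 http
1410 203.0.113.20 http
1420 203.0.113.30 http
"""

def parse(log_text):
    """Yield (ts, src, service) tuples, skipping malformed lines."""
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2]

def early_warnings(events, window=60, min_sources=3, min_gap=300):
    """Alert when min_sources distinct hosts hit one service within
    `window` seconds, at most once per service every `min_gap` seconds."""
    recent = defaultdict(list)   # service -> [(ts, src)] inside the window
    last_alert = {}              # service -> time of the last alert sent
    alerts = []
    for ts, src, service in sorted(events):
        hits = [(t, s) for t, s in recent[service] if ts - t < window]
        hits.append((ts, src))
        recent[service] = hits
        sources = {s for _, s in hits}
        last = last_alert.get(service)
        quiet = last is None or ts - last >= min_gap
        if len(sources) >= min_sources and quiet:
            last_alert[service] = ts
            alerts.append((ts, service, sorted(sources)))
    return alerts
```

Counting distinct sources rather than raw hits keeps one noisy scanner from triggering the warning on its own, and `min_gap` is the configurable alert frequency.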

Tracing the Attack Source

Another valuable feature is to detect the source of the attack. There are several passive and active methods that can be used to trace an attacker back to the source. Among the active scanning tools, nmap is probably the most popular and is freely available, and it was the tool of choice.

Configuration of the Package

The intrusion detection mechanism itself should be configurable on a per client basis. The configuration can also be loaded using configuration files.

Fig: Working of the honey net

Working

The idea behind the entire package was to put together a set of tools that collectively work as an intrusion detection system and also as an early warning system. Some of the services or servers simulated as a part of this thesis were:

Apache web server

IIS web server

Three different kinds of FTP servers

A simple telnet server

A simple SSH (Secure Shell) server

A POP3 server

Building the honey pot

Rules

Logically place the Honey Pot in between the production servers

You can’t set up a good Honey Pot unless you know how

Keep good system logs – a rich source of data!

Integrating the honey pot

Goal

Catch intruders who do a network scan

Another way: port redirection of non-productive ports (e.g. the Telnet port of a web server) on production systems to the honey pot.

Motives of the Black Hats:

You can get a look into black-hat mentality

Indiscriminately attack and damage systems

Randomly probe large number of systems

Developing the secured application

In the ethical technique we discussed how to assess a web application by using an automated tool and how to avoid vulnerabilities manually.

Reliability ---- create "Hacker Resistant" application in the development.

Assurance ---- Test the quality.

Validation ---- Audit to enforce the security.

Confidence ---- maintain confidence.

CONCEPTS

Low-Involvement Honeypot

A low-level involvement honeypot typically only provides certain fake services. In such a way, all incoming traffic can easily be recognized and stored.

With such a simple solution it is not possible to capture the communication of complex protocols. On a low-level honeypot there is no real operating system that an attacker can operate on.

Mid-Involvement Honeypot

A mid-involvement honeypot provides more to interact with but still does not provide a real underlying operating system. The fake daemons are more sophisticated and have deeper knowledge about the specific services they provide. At the same time, the risk increases. The probability that an attacker can find a security hole or vulnerability grows because the complexity of the honeypot is increasing.

High-involvement honeypot

A high-involvement honeypot has a real underlying operating system. This leads to much higher risk as the complexity increases rapidly. At the same time, the possibilities to gather information, the possible attacks and the attractiveness all increase a lot. A high-involvement honeypot is very time consuming. A honeypot which is not under control is not of much help and can even become a danger or security hole itself.

Table: Overview of advantages and disadvantages of each level of involvement

Honeypot Location

A honeypot does not need a certain surrounding environment, as it is a standard server with no special needs. A honeypot can be placed anywhere a server could be placed.

A honeypot can be used on the Internet as well as the intranet, based on the needed service. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is desired. If the main concern is the Internet, a honeypot can be placed at two locations:

1. In front of firewalls (Internet)

2. DMZ

3. Behind the firewall (Intranet)

Fig: shows the location of honey pots

DMZ

The figure shows that the demilitarized zone consists of a combination of web server and honeypot located between two firewalls.


Fig: shows the Demilitarized Zone (DMZ)

The above diagram shows a shopper’s machine trying to buy goods online. The DMZ shows how the shopper’s account information is protected from the intruder or hacker and how the honeypot boosts the existing security mechanism.

Advantages and Disadvantages of Honeypots

Advantages of Honeypots

Honeypots are a tremendously simple concept, which gives them some very powerful strengths.

Small data sets of high value

Honeypots collect small amounts of information. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious activity.

Minimal resources

Honeypots require minimal resources because they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.

Encryption or IPv6

Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.

Information

Honeypots can collect in-depth information that few, if any other technologies can match.

Simplicity

Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.

Disadvantages of Honeypots

Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.

Limited view

Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.

Risk

All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, and IDS sensors have the risk of failing to detect attacks. These risks vary for different honeypots. Depending on the type of honeypot, it can have no more risk than an IDS sensor, while some honeypots have a great deal of risk.

RESULT

The honey pots have never been compromised so we are yet to see a complete intrusion but nevertheless the honey pots recorded enough data to show that computers today are not safe from attackers.

Having the honey pot sit on a commercial ISP network would invite more hack attempts. Nevertheless it really doesn’t matter where your computers live, they are bound to be probed, scanned and attacked.

Still, security must be pushed further by honeypots, and hackers should know that they will be caught easily because of these honeypots.

CONCLUSION

In this work, we explored the concept of honey pots in depth and saw how it might be useful to the field of network security. The concept of honey pots is an important addition to the security field. Honey pots offer an offensive approach to intrusion detection and prevention.

Most importantly, they serve as a learning tool for system administrators. This work also involved studying issues concerning intrusion detection systems and the challenges that these systems faced. The Internet has become indispensable both at the organizational and personal level and so it will be the case with security systems.

The use of honey pots and related technologies is on the rise. As awareness and interest in honey pots increases, so will their use in an organization as a security tool. There is scope for development of honey pot tools which facilitate the different aspects of honey pots like logging, tracing back to the source etc.

System modules for sophisticated keystroke logging, better filtering tools and utilities to capture encrypted traffic are a few things that could be worked on. One can even consider an out-of-the-box honey pot distribution with a modified kernel to make it easy for system administrators to deploy honey pots.
