You are on page 1of 8

HONEYPOTS FOR NETWORK SECURITY

G.Jahnavi Swetha & Md.Salma Khathun


Department of CSE,DVR & Dr HS MIC College of Technology,Kanchikakacherla.

INTRODUCTION Global communication is getting more important every day. At the same time, computer crimes are increasing. Countermeasures are developed to detect or prevent attacks most of these measures are based on known facts, known attack patterns. As in the military, it is important to know, who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.

Definition:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. A computer or network that is intentially left with common vulnerabilities that a hacker would use to hack the system. There are two reasons why people use honeypots. The first reason is for research to see what types of exploits hackers are currently trying to use. The second reason is for a system administrator of a network or computer to see how hackers are targetting his network, and therefore the system administrator knows what security measures need to be focused on in order to better protect the network or computer. The system administrator can also draw off potential hackers to their more important computers to a "supposed" easier computer, the Honeypot, to hack. Just as honey attracts bears, a honeypot is designed to attract hackers. Honeypots have no production value. They are set up specifically for the following purposes:

Providing advance warning of a real attack Tracking the activity and keystrokes of an attacker Increasing knowledge of how hackers attack systems Luring the attacker away from the real network

Types of honeypots:
Honeypots came in two flavors: Low-interaction:Low-interaction honeypots primarily are software that emulate different operating systems and services. These honeypots are easier to deploy and more secure, but capture less information. An example of a low interaction honeypot is Honeyd. High-interaction:High interaction honeypots don't emulate. Instead they are real computers, applications, and services. These honeypots are far more complex to deploy and have greater risk, but can capture far more information. An example of high interaction honeypot is Honeynets.

Low-interaction Solution emulates operating systems and services. Easy to install and deploy. Usually requires simply installing and configuring software on a computer. Minimal risk, as the emulated services control what attackers can and cannot do. Captures limited amounts of information, mainly transactional data and some limited interaction.

High-interaction No emulation, real operating systems and services are provided. Can capture far more information, including new tools, communications, or attacker keystrokes. Can be complex to install or deploy (commercial versions tend to be much simpler). Increased risk, as attackers are provided real operating systems to interact with

Two examples of honeypot placements:

HONEYPOT ARCHITECTURE: 1. Structure of a LOW-INTERACTION HONEYPOT (GEN-I):A typical low-interaction honeypot is also known as GEN-I honeypot. This is a simple system which is very effective against automated attacks or beginner level attacks. Honeyd is one such GEN-I honeypot which emulates services and their responses for typical network functions from a single machine, while at the same time making the intruder believe that there are numerous different operating systems .It also allows the simulation of virtual network topologies using a routing mechanism that mimics various network parameters such as delay, latency and ICMP error messages. The primary architecture consists of a routing mechanism, a personality engine, a packet dispatcher and the service simulators. The most important of these is the personality engine, which gives services a different avatar for every operating system that they emulate.

DRAWBACKS: 1. This architecture provides a restricted framework within which emulation is carried out. Due to the limited number of services and functionality that it emulates, it is very easy to fingerprint. 2. A flawed implementation (a behavior not shown by a real service) can also render itself to alerting the attacker. 3. It has constrained applications in research, since every service which is to be studied will have to be re-built for the honeypot. 2. Structure of a HIGH INTERACTION HONEYPOT (GEN-II):A typical high-interaction honeypot consists of the following elements: resource of interest, data control, data capture and external logs; these are also known as GEN-II honeypots and started development in 2002.They provide better data capture and control mechanisms. This makes them more complex to deploy and maintain in comparison to low-interaction honeypots. The concept of the honeypot is sometimes extended to a network of honeypots, known as a honeynet.

High interaction honeypots are very useful in their ability to identify vulnerable services and applications for a particular target operating system. Since the honeypots have full fledged operating systems, attackers attempt various attacks providing administrators with very detailed information on attackers and their methodologies. This is essential for researchers to identify new and unknown attack, by studying patterns generated by these honeypots.

Figure 1: The honeynet from the admin's point of view.

DRAWBACKS: However, GEN-II honeypots do have their drawbacks as well. 1. To simulate an entire network, with routers and gateways, would require an extensive computing infrastructure, since each virtual element would have to be installed in it entirely. In addition this setup is comprehensive: the attacker can know that the network he is on is not the real one. This is one primary drawback of GEN-II.

2. The number of honeypots in the network is limited. 3. The risk associated with GEN-II honeypots is higher because they can be used easily as launch pads for attacks.

Different Kinds of Honeypots Based on Deployment


Production Honeypots: Production honeypots are designed primarily for network security and defense. They have not been designed to collect information on hacking activities. For this reason, they are usually easily deployable and do not interact much. These are installed inside the production network and are usually used by corporations and companies to enhance network security. Research Honeypots: Research honeypots, as their name implies, are made specifically for collecting information about attackers and malicious software. They are usually managed by educational institutions or non-profit research organizations and are used to gain more insight on Internet "black hat" operations, strategies and motives. The ultimate purpose is to identify threats and find ways of dealing with them more effectively. These are difficult to manage and deploy but they are able to gather a lot of information. This is why they are used primarily by government organizations, the military and research organizations that have the resources to manage and deploy them.

ADVANTAGES OF HONEYPOTS: 1. They collect small amounts of information that have great value. This captured information provides an in-depth look at attacks that very few other technologies offer. 2. Honeypots are designed to capture any activity and can work in encrypted networks. 3. They can lure the intruders very easily. 4. Honeypots are relatively simple to create and maintain. DISADVANTAGES OF HONEYPOTS: 1. Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploitation. 2. There is also a level of risk to consider, since a honeypot may be comprised and used as a platform to attack another network. However this risk can be mitigated by controlling the level of interaction that attackers have with the honeypot.

3. It is an expensive resource for some corporations. Since building honeypots requires that you have at least a whole system dedicated to it and this may be expensive.

Value of Honeypots:
Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system (with worms self-replicating, copying themselves to the victim). One way that honeypots can help defend against such attacks is slowing their scanning down, potentially even stopping them. The second way honeypots can help protect an organization is through detection. Detection is critical, its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reasons then humans are involved in the process. By detecting an attacker, you can quickly react to them, stopping or mitigating the damage they do. The third and final way a honeypot can help protect an organization is in reponse. Once an organization has detected a failure, how do they respond? This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done.

FUTURE WORK: Honeypots are a new field in the sector of network security. Currently there is a lot of ongoing research and discussions all around the world. Several companies have already launched commercial products. A comparison of available products showed that there are some usable low- to high-involvement honeypots on the market. In the sector of research honeypots, self-made solutions have to be developed as only these solutions can provide a certain amount of freedom and flexibility which is needed to cover a wide range of possible attacks and attackers. Each research honeypot normally has its own goals or different emphasis on the subject. Developing a self-made solution needs a good technical understanding as well as a time intensive development phase.

Conclusion:
The purpose of this paper was to define the what honeypots are and their value to the security community. We identified two different types of honeypots, low-interaction and high-interaction honeypots. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions is both for production or research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them.