Software Engineering 4C03
Computer Networks and Security
NETWORK DECEPTION SYSTEMS: HONEYPOTS
by Ryan Mohammed # 9616106
21st March 2001
Introduction
When talking about network security one usually thinks of routers, firewalls and Intrusion Detection Systems (IDSs). Another layer of defense can be achieved through the use of honeypots, whose primary purpose is to gain direct, observable knowledge of how intruders operate. Honeypots are programs that simulate one or more network services on designated computer ports so as to look like something an intruder can attack. To better understand what honeypots are, let me first explain what "intruders" really are: an intruder is an individual who is using (or attempting to use) a computer system without authorization. Such an individual may be called a "Script Kiddie" or a "Black Hat", in order of increasing skill level. Essentially, a honeypot works as a decoy, i.e. it lures intruders away from vulnerable parts of a network to something that cannot be harmed. This paper will first discuss why systems such as honeypots are necessary and what ethical and legal issues surround their use. I shall then explain how a honeypot can be set up on a network and mention some implementation issues. Next I shall focus on some of the advantages and disadvantages of using honeypots. Following this I shall show some real-life examples of how honeypots have been used and what the results were. Finally I shall present information on some commercial honeypots.
Why are Honeypots Necessary?
Why are honeypots necessary given the other technologies for securing a system? This question has one obvious answer: honeypots give the ability to learn how a system can be compromised, and by whom, while still protecting it. To show their importance, a honeypot can be compared to the ubiquitous firewall, which many network administrators rely on as a form of security. A firewall is a device that shuts off everything and then turns back on only a few well-chosen items. The reason we have firewalls is that various servers accidentally leave security holes open on many ports. Put simply, a firewall is a fence around a network with a couple of well-chosen gates. This fence has no capability of detecting somebody trying to break in (such as digging a hole underneath it), nor does a fence know whether somebody coming through a gate is allowed in. Hence, intruders are still able to get past the firewall if the attack is targeted at an access point that the firewall legitimately allows. Also, the firewall only protects against outsiders; however, 80% of financial losses due to attacks originate from inside the network in question. The firewall can hence be described as a static defense mechanism, whereas a honeypot is dynamic. The honeypot defends against attacks that the firewall is unable to see. Ideally the honeypot is used together with a firewall. It is easy to build a conservative firewall that cannot be hacked; however, engineers are not allowed to be sufficiently paranoid, since corporations always want to expand their Internet services. This forces network administrators to relax the firewall barriers.
Honeypots are designed to be broken into for two primary reasons. The first is to find out which areas of a system are vulnerable and most likely to be attacked; by observing attack methodologies one learns how a system can be compromised. The second main goal of honeypots is to gather the forensic information required to aid in the apprehension or prosecution of intruders. A honeypot purposely leaves a "hole" in the system that is so obvious to walk through that other areas of the system look relatively much more secure. In essence, the honeypot then protects the other areas of the system or network by diverting attention to itself.
Honeypots are always subject to scrutiny because of the controversy over their being labeled a form of entrapment. Honeypots are in fact not a form of entrapment, because a honeypot merely allows an attack to occur and does not encourage it. Legally, you can be liable if a honeypot is compromised and used as a launching pad for other unauthorized intrusions. If, however, the honeypot is virtual enough and only simulates services, then attacks launched from it would be harmless.
All traffic to a honeypot is deemed suspicious because it is designed so that it still has to be accessed through a near-obvious "hole". Honeypots are generally based on a real server and operating system, with data that gives the impression of being real. The difference from real servers is the location: a honeypot is located in the DMZ (De-Militarized Zone: outside the firewall but still accessible by internal computers) of a network. This ensures that the internal network is not exposed to the intruder. It should be placed close to the production servers in order to tempt intruders that are targeting them. The use of port redirection on an upstream router or firewall will give the impression that services are on the production server. This router will have to be capable of redirection and also able to transparently handle the address translation of the honeypot so as to conceal its true IP address. A good example of such use is an attempt to reach a web server or telnet on a production server that normally does not accept such requests. Such connection requests can then be redirected to the honeypot, which will simulate a response to the request. It should be noted that there are limitations on the service emulation of a honeypot. The network will have to be probed to determine its vulnerabilities so that services can then be accurately emulated. The honeypot's address is ideally in between the production servers (for example, if .2, .3 and .5 are production servers then ideally the honeypot is .4). This takes advantage of intruders that do a "sweep scan" of the entire network looking for vulnerable services.
The honeypot works by monitoring or controlling the intruder. The honeypot audits the activity of the intruder by saving log files, started processes, compilations, file changes, and recorded keystrokes. The valuable log files generated by the honeypot should be stored elsewhere rather than on the honeypot itself, because the intruder will eventually have the ability to change the data contained therein. The ability to alert administrators that the honeypot has been compromised is also essential; this is required because a real production server could then be attacked using the honeypot! One way to protect production servers and alert administrators in case of a compromise is to have the honeypot on its own subnet and behind a firewall. Any activity in that subnet segment will then trip the alarms. If there were multiple computers on the same subnet it would be hard to distinguish between good and bad traffic. By the use of a "sniffer", all incoming and outgoing traffic can be closely monitored. In summary, by using these techniques you can be protected in case of honeypot compromise, log and view all incoming and outgoing traffic, and also control traffic. The ability to control traffic is useful because it keeps the honeypot from being used as a stepping-stone to further attacks on other protected resources or on systems belonging to others on the Internet. To do this the firewall rules for a honeypot system should permit all traffic in from the Internet and block most outgoing traffic.
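The policy just described (everything inbound to the honeypot is allowed but suspicious; almost everything outbound from it is blocked) can be written down and run over a connection log, so that the alarm fires on any traffic in the honeypot's segment and a blocked outbound attempt is flagged as a likely compromise. The following is an added example written for this page, not code from the paper or from any honeypot product; the addresses (.2, .3, .5 production, .4 honeypot, .50 log collector), the log line format and the sample log lines are all constructed for the example.

```python
# Added example (not from the paper): a small policy and alerting routine for a
# honeypot that sits on its own segment behind a firewall. All addresses, the
# log format and the sample log lines are constructed for this example.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed layout: .2, .3 and .5 are production servers, .4 is the honeypot (as
# the paper recommends), and .50 is the off-box log collector.
HONEYPOT = ipaddress.ip_address("192.0.2.4")
PRODUCTION = {ipaddress.ip_address(a) for a in ("192.0.2.2", "192.0.2.3", "192.0.2.5")}
LOG_COLLECTOR = ipaddress.ip_address("192.0.2.50")
# The only outbound flow the honeypot may open: shipping its logs to the collector.
ALLOWED_OUTBOUND = {(LOG_COLLECTOR, 514)}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one connection-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"], proto=m["proto"],
        src=ipaddress.ip_address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]), dport=int(m["dport"]),
    )


def decide(flow: Flow) -> Tuple[str, str, str]:
    """Return (action, severity, reason) for a flow under the honeypot policy."""
    if flow.dst == HONEYPOT:
        # Nothing legitimate ever talks to the honeypot, so every inbound
        # connection is let through (we want to watch it) but raises an alert.
        return "ALLOW", "alert", "inbound to honeypot: all such traffic is suspicious"
    if flow.src == HONEYPOT:
        if (flow.dst, flow.dport) in ALLOWED_OUTBOUND:
            return "ALLOW", "info", "honeypot shipping logs to collector"
        # An outbound connection the honeypot was never meant to make means it
        # is probably compromised and being used as a stepping-stone: block it.
        return "DROP", "critical", "honeypot opened an outbound connection: possible compromise"
    return "ALLOW", "none", "not honeypot traffic"


def process(lines: List[str]) -> List[Dict[str, str]]:
    """Run the policy over log lines and return the events worth alerting on."""
    alerts = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        action, severity, reason = decide(flow)
        if severity != "none":
            alerts.append({
                "ts": flow.ts, "severity": severity, "action": action,
                "flow": f"{flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}",
                "reason": reason,
            })
    return alerts


# Constructed sample log: a probe hitting the honeypot, normal traffic to a
# production web server, the honeypot shipping its logs, and the honeypot
# trying to reach a host on the Internet (the stepping-stone case).
SAMPLE_LOG = """\
2001-03-21T10:02:11 TCP 203.0.113.7:51234 -> 192.0.2.4:23
2001-03-21T10:02:15 TCP 203.0.113.7:51235 -> 192.0.2.2:80
2001-03-21T10:03:01 UDP 192.0.2.4:40001 -> 192.0.2.50:514
2001-03-21T10:07:42 TCP 192.0.2.4:40002 -> 198.51.100.9:22
""".splitlines()

if __name__ == "__main__":
    for event in process(SAMPLE_LOG):
        print(f"[{event['severity']:>8}] {event['ts']} {event['action']:5} "
              f"{event['flow']}  {event['reason']}")
```

Running the block prints three events: the probe of the honeypot's telnet port as an alert, the log-shipping flow as informational, and the honeypot's own outbound SSH attempt as a critical, dropped event; the production web traffic produces nothing, which is the point of giving the honeypot its own segment.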
Whether the advantages of a honeypot outweigh the disadvantages really depends on the designer, because every individual has different resources and needs. The following are some of the advantages of setting up a honeypot. Firstly, one can learn about incident response: setting up a system that intruders can break into will provide knowledge of detecting hacker break-ins and cleaning up after them. Secondly, knowledge of hacking techniques can protect the real system from similar attacks. Thirdly, the honeypot can be used as an early warning system; setting one up will alert administrators of any hostile intent long before the real system gets compromised. Another advantage of honeypots is their ability to deceive intruders easily. For example, the honeypot can be made to present a banner that looks like a system that can easily be attacked. The banner may advertise a version of software with a well-known security flaw.
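The banner deception above, together with the keystroke audit trail described earlier, is what a low-interaction honeypot boils down to: answer with an inviting banner, give plausible canned replies, and record every line the visitor sends for shipping to a separate log host. The following is an added example written for this page; it is not code from the paper or from any of the products it names. The FTP profile, the placeholder version string in the banner, the host name and the port are constructed assumptions.

```python
# Added example (not from the paper, and not any vendor's product): a minimal
# low-interaction service emulator that presents a deceptive banner and keeps a
# full audit trail of what the visitor types. The profile, the banner text and
# the host names are constructed placeholders.
import socketserver
import time
from typing import Any, Callable, Dict, List, Tuple

# Assumed profile of a fake FTP daemon. The version string is a placeholder made
# to look old and unpatched; it does not name a real product or version.
FTP_PROFILE: Dict[str, Any] = {
    "banner": "220 ftp.example.test FTP server (OldFTPd 1.0, placeholder version) ready.",
    "responses": {
        "USER": "331 Password required.",
        "PASS": "530 Login incorrect.",
        "SYST": "215 UNIX Type: L8",
        "QUIT": "221 Goodbye.",
    },
    "default": "500 Command not understood.",
}


class FakeSession:
    """Protocol logic for one visitor, kept apart from sockets so it can be tested."""

    def __init__(self, profile: Dict[str, Any], peer: Tuple[str, int],
                 clock: Callable[[], float] = time.time) -> None:
        self.profile = profile
        self.peer = peer
        self.clock = clock
        self.log: List[Dict[str, Any]] = []   # audit trail, to be shipped off-box

    def _record(self, direction: str, text: str) -> None:
        self.log.append({"t": self.clock(), "peer": self.peer,
                         "direction": direction, "text": text})

    def greeting(self) -> str:
        """The deceptive banner sent as soon as the visitor connects."""
        banner = str(self.profile["banner"])
        self._record("out", banner)
        return banner + "\r\n"

    def handle(self, raw: bytes) -> Tuple[str, bool]:
        """Log the visitor's line verbatim and return (reply, session_finished)."""
        text = raw.decode("utf-8", "replace").rstrip("\r\n")
        self._record("in", text)               # every line the intruder sends
        verb = text.split(" ", 1)[0].upper()
        reply = self.profile["responses"].get(verb, str(self.profile["default"]))
        self._record("out", reply)
        return reply + "\r\n", verb == "QUIT"


def ship_log(entries: List[Dict[str, Any]]) -> None:
    """Stand-in for forwarding the audit trail to a separate log host."""
    for e in entries:
        print(f"{e['t']:.0f} {e['peer'][0]} {e['direction']:>3}: {e['text']}")


class Handler(socketserver.StreamRequestHandler):
    """Socket glue: one FakeSession per TCP connection."""

    def handle(self) -> None:
        session = FakeSession(FTP_PROFILE, self.client_address)
        self.wfile.write(session.greeting().encode())
        for raw in self.rfile:
            reply, finished = session.handle(raw)
            self.wfile.write(reply.encode())
            if finished:
                break
        ship_log(session.log)


if __name__ == "__main__":
    # Bind to the loopback interface on a high port so a stand-alone run is
    # only reachable from the same machine (assumed port 2121).
    with socketserver.TCPServer(("127.0.0.1", 2121), Handler) as server:
        server.serve_forever()
```

The important design choice is that the honeypot never evaluates what it is told: every command maps to a fixed reply, so a visitor's input cannot influence the emulator's behaviour, and the only record it keeps, the audit trail, is meant to leave the box as soon as the session ends.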
The disadvantages of the system are as follows. First and foremost, the honeypot may be used as a stepping-stone to further compromise a network, be it the user's own internal network or some network on the Internet. Secondly, honeypots add complexity to the network, and increased complexity may lead to increased exposure to exploits. Another disadvantage is that honeypots must be maintained just like any other networking equipment and services. Maintenance not only requires that the system be shut off, but also requires just as much use of resources as a real system. Lastly, building a honeypot requires that you have at least a whole system dedicated to it, and this may be an expensive resource for some corporations.
There are numerous examples of honeypots being successfully used to monitor real hackers. One of the largest projects currently being undertaken is called the Honeynet Project (http://project.honeynet.org). This project includes some 30 security professionals, programmers and psychologists, all working on it in their spare time. It is run by Lance Spitzner, a security consultant with Sun Microsystems. This honeynet has been used, and continues to be used, to gather intelligence on hackers and their tactics. Another person quite famous for using a network as a honeypot to track down and observe a hacker was Clifford Stoll, in his groundbreaking "Cuckoo's Egg" story. Stoll let the intruder hang around the San Diego University network for a year in order to gather valuable information, which was eventually shared with the authorities. In another case, a group of suspected Pakistani hackers broke into a U.S.-based computer system in June 2000. This system was a honeypot and the hackers were unsuspecting. They attempted to use the honeypot as a launching pad to attack web sites across India. Within the span of one month, the honeypot administrators were able to gather, record and study information from these hackers. This was done by monitoring every keystroke they made, every tool they used and every word of their online chat sessions. The honeypot administrators learned how the hackers chose their targets, what level of expertise they had, what their favorite kinds of attacks were, and how they went about trying to cover their tracks so that they could nest on compromised systems.
Some commercial honeypot software currently available on the market includes CyberCop Sting, Mantrap and Spector 4.01. Spector 4.01 can simulate five different network services and seven traps. The system can also simulate nine different operating systems. The operating system and character options, combined with the services, traps and password settings, allow for more than 2,000,000 different ways to act and appear, making it very hard to detect. CyberCop Sting appears to be an enticing target to intruders that normal users would otherwise overlook. It logs intrusive behavior and creates 3-5 decoy system images on your network that play off an attacker's natural curiosity to investigate them. Mantrap also creates a decoy environment in which to trap attackers. It maintains an audit trail of the attacker's activities, saves log files and records keystrokes.
This paper first addressed the importance of honeypots as well as some legal issues. Honeypots provide a dynamic level of security that cannot be achieved by other conventional methods. Honeypots are also perfectly legal when used correctly. This paper also presented details on how a honeypot should be set up. Some advantages and disadvantages were also discussed and, as mentioned, they vary with the budget and resources of the company wanting to use one. Finally this paper presented some cases where honeypots were successfully used.
References
Klug D., 13th September 2000, HoneyPots and Intrusion Detection [online], SANS Institute. Available: http://www.sans.org/infosecFAQ/intrusion/honeypots.htm
Merkow M., January 12th 2001, Playing With Fire: Not So Sweet Honeypots [online], Miami.internet.com. Available: http://miami.internet.com/views/print/0,,9691_559561,00.html
Talisker Network Security Tools, UNKNOWN DATE, Honeypots [online]. Available: http://website.lineone.net/~offthecuff/honey.htm
Graham R., March 20th 2001, FAQ: Network Intrusion Detection Systems [online]. Available: http://www.robertgraham.com/pubs/network-intrusion-detection.html
Multiple Authors, DATE CHANGES, The Honeynet Project [online]. Available: http://project.honeynet.org/