Honeypot Technology
HONEYPOTS

LETTER OF AUTHORIZATION

BISM 2100 Students,

The purpose of this assignment is to expose students to emerging technologies and to create an opportunity for students to utilize their professional written business communication skills. This formal report will be coordinated with a digital video presentation and an interactive web page to provide a bundled resource on this semester's project. You are being asked to perform a detailed analysis of a product/concept in the area of information security. This semester that project will involve Honeypot Technologies.

At a minimum, your report should include information related to the following:

Introduction to Intrusion Detection and Prevention Systems – What are they? What are they supposed to do? Who are they intended for? What specific technologies are generally considered to be part of these systems? This is a basic information section and provides information related to the journalistic questions.
Introduction to Honeypots – What are they? What problem are they trying to solve? Who are they intended for? How successful have they been?
Operationalizing Honeypots – What are they supposed to do? How do they work?
Issues related to Honeypot implementation – What is involved in installing a honeypot? Can anybody do it? What is available for the home user, small business user, and for corporate America?
Specific issues related to risk – Do Honeypots invite trouble? What do users need to know about placement decisions? Entrapment? Roaming Honeypots? Honeynets?
A conclusion summarizing the main points of the paper.
Suggestions for future research and investigation.

The information contained in your report and presentation will be used as a training tool for Information Technology students and staff. You will therefore want to present a carefully researched, thoughtfully written, and comprehensive formal report. Use both commercial and academic resources (Minimum of 15 references – 20 needed for full credit). Where appropriate, you should incorporate charts, graphs, or other visual aids to illustrate the facts you present in your report. This report will be submitted to turnitin.com (anti-plagiarism detection software), so please ensure that you cite your resources appropriately: use quotations and page number references for quotes, and internal citations (Author, Date) for paraphrased content.

Written Report: Your managerial report must be submitted through WebCT. (Each student must submit a copy of his or her team's output through WebCT.) Employ all facets of effective business writing and refer back to your text (Chapter 9, Completing Formal Business Reports, pages 1453 – 1466) for the Formal Report Structure.

Criteria:
A comprehensive formal report employing the 7 C's of business writing – 30 points
Thorough research of sources, academic and commercial – 10 points
Attributions and citations done properly – 10 points
Operating Agreement included AFTER the Letter of Transmittal – 10 points
Detailed analysis covering requirements stated above – 30 points
Well developed recommendations – 10 points

Elke M. Leeds
Professor, BISM 2100
1000 CHASTAIN ROAD • KENNESAW, GEORGIA • 30144
PHONE: 770-423-6584 • FAX: 770-423-6601

LETTER OF ACCEPTANCE

The Ryan Hanratty Team
1234 Chastain Road
Kennesaw, GA 30144

November 8, 2005

Professor Elke Leeds
Kennesaw State University
1000 Chastain Road
Kennesaw, GA 30144

Dear Professor Leeds,

The Ryan Hanratty Team accepts the project on Honeypots, and we would like to thank you for giving our team the opportunity to take part in this research. The Ryan Hanratty Team will have the formal report completed by November 25, 2005. As you have requested, the report will contain a detailed description and analysis of Honeypots. The report will summarize the vast amount of information available on this topic.
It will explain what Honeypots are, what they are supposed to do, what they are intended for and what specific technologies are generally considered to be part of these systems.

Sincerely,

Ryan Hanratty
Project Manager

HONEYPOTS

Prepared for
Professor Elke Leeds
Kennesaw State University
1000 Chastain Road
Kennesaw, GA 30144

Prepared by
Michele Delio
Justin Ferna
John Jones
Ryan Hanratty
Julia Stokes

November 25, 2005

LETTER OF TRANSMITTAL

The Ryan Hanratty Team
1234 Chastain Road
Kennesaw, GA 30144

November 25, 2005

Professor Elke Leeds
Kennesaw State University
1000 Chastain Road
Kennesaw, GA 30144

Dear Professor Leeds,

The Ryan Hanratty Team has completed the formal report as you had requested. In this report you will find a detailed description and analysis of Honeypots. This report summarizes the vast amount of information available on this topic. It explains what Honeypots are, what they are supposed to do, what they are intended for and what specific technologies are generally considered to be part of these systems. We have enjoyed researching honeypots and would like to thank you again for giving us this opportunity. At your request, a webpage will be designed with all of the information we have researched, along with a video presentation.

Sincerely,

Ryan Hanratty
Project Manager

Operating Agreement

The Ryan Hanratty Team: Michele Delio, Justin Ferna, Ryan Hanratty, John Jones, Julia Stokes

Mission Statement
Our mission is to build a team of professionals dedicated to working together and teaching our fellow colleagues about the world of Honeypots.

Purpose
We formed our group based on each individual's experience and how they can contribute to the research of Honeypots.

Team Objective
We will all work on our designated assignments and work as a group to inform our colleagues based on these guidelines:

I. Team Leader and Structure
a. Ryan Hanratty is the project manager for the group.
b. Ryan will make sure every member of the group is contributing equally and performing to their full potential.
c. John Jones will be conducting the research on Honeypots for the group and presenting his findings to the group.
d. Julia Stokes will coordinate the formal report on Honeypots.
e. Michele Delio will coordinate the group's web pages and help other members with their individual web pages.
f. Justin Ferna will direct and edit the video presentation. He will contribute his knowledge of video editing to the group in order to get the job done.

II. Decision-making
a. Every member will contribute their own input on the subject being debated.
b. The team as a whole will then take each other's ideas into consideration and then vote accordingly.

III. Meeting Attendance Policy
a. If you are unable to meet with the group at the scheduled time, please contact the project manager as soon as possible via phone or WebCT.
b. Make sure to check WebCT periodically for updates on meetings and other related information.

IV. Preparation and Performance
a. Each member is to be prepared and have all of their work complete for their project requirements.
b. Every member is responsible for their own work and needs to contact a group member if they need help.
c. Every member is to participate to their full potential and contribute their information to the group members.

V. Non-performance and Peer Review
a. In the event of non-performance, that member will receive a warning for the first infraction.
b. After the first warning is received, a member who continues not to perform with the group will be dealt with accordingly.
c. As for peer reviews, as long as each member contributes and does their part, they will receive a good peer review.
d. In the case that a member does not perform to their maximum potential, the group as a whole will discuss that member's peer review.

VI. Outline of Project Requirements
a. Research will be conducted in a timely manner in order for the formal report to be done on time.
b. Each member will then contribute their portion of the formal report and then the formal report coordinator will produce the final copy.
c. When the final report is complete, the group will begin work on the video presentation.
d. While the video presentation is in progress, each member will be working on their own web page.
e. The web page coordinator will then link all web pages to the homepage.

VII. Meeting Schedule
a. Meetings will be held at the team members' discretion.
b. The meeting location for our team will be Julia's apartment in University Place.
c. Meetings are to be arranged at least 48 hours in advance via phone or email.

VIII. Project Schedule with Schedule of Deliverables
a. Research will be completed by November 15, 2005.
b. The paper will be completed and submitted by November 23, 2005 by 4:30 PM.
c. The individuals' web pages will be completed and submitted to the web page coordinator by November 21, 2005, no later than 12 AM.
d. The final web page consisting of all members' web pages will be completed and submitted by November 23, 2005.
e. The video presentation will be completed and fully edited by December 1, 2005, and submitted at that time.

IX. Signatures of Members
a. I have read and am in agreement with all the guidelines stated above.

Signature: Michele Delio    Date: 11/8/05
Signature: Julia Stokes     Date: 11/8/05
Signature: Justin Ferna     Date: 11/8/05
Signature: John Jones       Date: 11/8/05
Signature: Ryan Hanratty    Date: 11/8/05

TABLE OF CONTENTS
Letter of Authorization
Letter of Acceptance
Letter of Transmittal
List of Illustrations
Executive Summary
Honeypots
  Scope of the Report
  Limitations of the Report
  Sources and Method of Data Collection
  Report Organization
Introduction to Intrusion Detection and Prevention Systems
Introduction to Honeypots
Operationalization of Honeypots
Honeypot Implementation
Risks of Honeypots
Conclusion
References

LIST OF ILLUSTRATIONS
Figure 1: Illustration of Decoy based Intrusion Detection

EXECUTIVE SUMMARY

This report analyzes honeypots and enlightens others on the issues related to honeypot technology.

What are Honeypots?
Honeypots are not designed to solve a particular problem. They are used for detecting hackers, as well as encrypted attacks in IPv6 networks. In general, honeypots act as decoys that lure hackers in. There are many different types of honeypots, but there are two main categories: low-interaction and high-interaction. Low-interaction honeypots are emulated, whereas high-interaction honeypots are the real thing. Honeypots are used by anyone that wants to protect themselves from hackers.

Advantages and Disadvantages of Honeypots
Honeypots are a new technology that serves as security for internet users against hackers. They are designed to mimic systems that hackers would like to break into, but they limit hackers from accessing an entire network. If a honeypot is successful, then the hacker will not even know that they are being tricked and monitored. A honeypot serves several functions when it lures a hacker into the system. An administrator can watch the hacker exploit the system's vulnerabilities. The hacker can also be caught and stopped while trying to obtain root access to the system.
There are disadvantages to honeypots as well. One disadvantage is that honeypots are only capable of capturing activity that directly interacts with the honeypot itself. Another disadvantage is the risk involved with honeypots. A major risk is that a hacker takes over the honeypot and uses it against other systems. As with all technology, there are advantages and disadvantages to take into account when deciding whether or not to use honeypots.

HONEYPOTS

This report contains a summary of honeypots, discussing issues such as what honeypots are, their intended use, how they work, and the problems they solve. It will also explain how honeypots are installed and what is available for home and small business users, as well as corporate America.

Scope of the Report
This report provides an overview of honeypots and discusses possible methods of implementation, their success, and the risks involved. It does not, however, include an in-depth discussion of all technical issues related to installation and risks.

Limitations of the Report
The information in this report is limited by the time allotted for an in-depth analysis and by the lack of background knowledge prior to this research.

Sources and Methods of Data Collection
The research for this report was conducted using strictly internet sources. The information gathered from the internet came from credible sources such as .org (organizational) websites.

Report Organization
This report has five major sections: Introduction to Intrusion Detection, Introduction to Honeypots, Operationalizing Honeypots, Honeypot Implementation, and Risks Associated with Honeypots.

INTRODUCTION TO INTRUSION DETECTION AND PREVENTION SYSTEMS

Intrusion detection and prevention systems are tools that help determine whether a computer network or server has been subjected to unauthorized activity. Such a system acts as an alert system, much like a burglar alarm. It warns the operator of the computer of the abnormal activity, and the operator "tags" the incident. The tag is sent to the incident handling team for further investigation. The incident handling team is like a team of forensic investigators who examine the event and determine where it came from. They do so through pattern-matching detection and statistical anomaly detection, or "data mining" (Phung, 2000).

There are two general types of intrusion detection systems: HIDS, or host-based intrusion detection systems, which detect illegal intrusion on a host system, and NIDS, or network-based intrusion detection systems, which detect illegal intrusion in network data flows (Lehmann, 2005). A newer type of detection is the IPS, or intrusion prevention system. It monitors a host or a network for malicious activity and then prevents those events from occurring. Other detection technologies include the layered approach, which incorporates many different detection and prevention devices for added protection (Watson, 2005). The knowledge-based and behavior-based approaches are two very similar approaches; they tend to have the lowest false alarm rate and are easily handled manually (Debar, 2005). These approaches are updated with new vulnerabilities in a network or server so that they can immediately detect an abnormality; however, they only work well if they are updated often. Honeypots grew out of intrusion detection devices: they are decoy servers or systems that gather information about attackers on the network or server.

INTRODUCTION TO HONEYPOTS

The technology of honeypots, first introduced by computer security icons Cliff Stoll and Bill Cheswick, has been around for about thirteen years. In the ever-changing field of information technology, honeypots have evolved greatly and are gaining momentum. The electronic age has revolutionized the business world, and with it hacking into these systems has become big business as well (Motlekar, 2004).

The basic idea of a honeypot is to set up a server that acts as a decoy. It mimics a system that hackers would find inviting to break into. Once hackers are inside they are tracked, studied, and documented. This information is then used by system administrators in two ways. The first is the prevention, detection, and response to an attack. The second is the knowledge to build future systems with better safeguards from the beginning. Honeypots are usually implemented by system administrators to collect information about threats to a business's computer system. It is a very simple concept that uses minimal resources, so virtually anyone can use honeypots to better safeguard important information.

There is no question that honeypots have been successful. They have provided valuable information for computer security. Staying ahead of the bad guys is not an easy task, so improvements to systems are essential. Some would say that a honeypot is only as good as the person who is monitoring it.

OPERATIONALIZATION OF HONEYPOTS

Honeypots are a new technology that serves as security for internet users against hackers. As stated before, a honeypot is an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system. They are designed to mimic systems that hackers would like to break into, but they limit hackers from accessing an entire network. If a honeypot is successful, then the hacker will not even know that they are being tricked and monitored. Most honeypots are installed inside firewalls so that they can be controlled better, but it is possible for them to be installed outside a firewall (Webopedia, 2003).
A firewall in a honeypot works in the opposite way from a normal firewall: instead of restricting what comes into a system from the internet, the honeypot firewall allows traffic to come in but restricts what the system sends back out. A honeypot serves several functions when it lures a hacker into the system. An administrator can watch the hacker exploit the system's vulnerabilities, and from this learn where the system has weaknesses that need to be redesigned. By studying the activities of hackers, designers can build more secure systems that are potentially invulnerable to future hackers (Honeynet Project, 2005). The hacker can also be caught and stopped while trying to obtain root access to the system. Honeypots can do everything from capturing online credit card fraud to detecting encrypted attacks in IPv6 networks (Spitzner, 2003). Needless to say, honeypots are an effective tool that helps protect internet users from the attacks of malicious hackers.

Figure 1: Illustration of Decoy based Intrusion Detection

HONEYPOT IMPLEMENTATION

Honeypots can be easy to install, but they can be complex as well; it depends on the type of honeypot being installed. When first getting involved with honeypots, a low-interaction honeypot should be used. Low-interaction honeypots are a solution that emulates operating systems and services, and they are easy to install. They typically require the user to install and configure software on a computer. An example of a low-interaction honeypot is Honeyd (Spitzner, 2003). Honeyd is generally used by home users and some small business users.

For more advanced users of honeypots, a high-interaction honeypot should be used. High-interaction honeypots are not emulated; they involve real operating systems and services. These types of honeypots are not as easy to install, and they are more complex for home or small business users to install. Commercial versions used by corporate America are a little simpler to install.
For this reason, high-interaction honeypots tend to be used by corporate America. Installing this type of honeypot requires configuring an entire network of computers that are designed to be attacked. An example of a high-interaction honeypot would be a honeynet. A honeynet is not a software program, as high-interaction honeypots aren't, but rather an entire network of computers designed to do one thing: be attacked (Spitzner, 2003). Both low- and high-interaction honeypots lure hackers; one just requires more installation than the other.

RISKS OF HONEYPOTS

Honeypots can help protect many servers from potential danger, but there are many risks to take into account before using honeypots. The first thing you want to do before deploying a honeypot is figure out the legal ramifications, if any, of deploying it (Kabay, 2003). Corporations looking to release many honeypots, which together form a honeynet, should check with the organization's counsel to see the legality involved with running a honeynet. Obeying the law will help eliminate frivolous lawsuits for running honeypots and throw out cases of entrapment; after all, they are hacking into your system in the first place. There are, however, some loopholes that can let a lawsuit stand up in court. If you don't monitor your honeypot and honeynet, you run the risk of it roaming out of your network. In the event this takes place, your roaming honeypot could cause a hacker to inadvertently attack your honeypot outside your network, in which case he could claim you caused entrapment (Poulsen, 2005). This will rarely hold up in court, but there's always a chance it can land a verdict in the hacker's favor.

Deploying honeypots runs a risk if they are not deployed properly. Placement and design of a honeypot can determine whether your program works or backfires. Designing the honeypot to look completely different from other honeypots is important for throwing off hackers.
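The implementation section describes a low-interaction honeypot as software that merely emulates a service, and the risks above turn on the decoy being monitored while giving an intruder nothing to turn against other systems. As an added illustration, not code from the report or from Honeyd, here is a minimal Python decoy that fakes a login prompt: it never authenticates, exposes no shell, and records every attempt in an event log for the administrator; the banner text, the three-attempt limit and the loopback self-check are constructed choices.

```python
# Added example, constructed for this page (not the report's or Honeyd's code):
# a minimal low-interaction honeypot that fakes a login prompt, never
# authenticates, and records every attempt for the administrator to review.
import socket
import socketserver
import threading
import time

BANNER = b"Ubuntu 8.04 LTS\r\nlogin: "   # constructed decoy banner (assumption)
MAX_ATTEMPTS = 3                          # drop the connection after three tries
EVENTS = []                               # capture log; ship it off-host in practice


class LoginEmulator:
    """One connection's state: asks for a user, then a password, records the pair."""
    def __init__(self, peer):
        self.peer, self.user, self.attempts = peer, None, 0

    def feed(self, line):
        text = line.rstrip(b"\r\n").decode("latin-1", "replace")
        if self.user is None:            # first line of a pair is the user name
            self.user = text
            return b"Password: "
        EVENTS.append({"ts": time.time(), "src": self.peer,
                       "user": self.user, "password": text})
        self.user, self.attempts = None, self.attempts + 1
        tail = b"login: " if self.attempts < MAX_ATTEMPTS else b""
        return b"\r\nLogin incorrect\r\n" + tail   # the prompt never yields a shell


class DecoyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        emu = LoginEmulator(self.client_address[0])
        self.wfile.write(BANNER)
        while emu.attempts < MAX_ATTEMPTS:
            line = self.rfile.readline()
            if not line:                 # peer went away
                break
            self.wfile.write(emu.feed(line))


def start_decoy(host="127.0.0.1", port=0):
    """Run the decoy in a daemon thread; port 0 picks a free port."""
    srv = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def attempts_from(src):
    """What the administrator reviews: each (user, password) a source tried."""
    return [(e["user"], e["password"]) for e in EVENTS if e["src"] == src]


def _read_until(sock, marker):
    buf = b""
    while marker not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def replay_session(host, port, pairs):
    """Loopback self-check with constructed credentials: returns how many
    attempts the decoy rejected (it must reject all of them)."""
    rejected = 0
    with socket.create_connection((host, port), timeout=5) as s:
        _read_until(s, b"login: ")
        for user, password in pairs:
            s.sendall(user.encode() + b"\r\n")
            _read_until(s, b"Password: ")
            s.sendall(password.encode() + b"\r\n")
            if b"Login incorrect" in _read_until(s, b"Login incorrect"):
                rejected += 1
    return rejected
```

Because the emulator only ever answers with prompts and "Login incorrect", a compromised decoy of this kind has no shell to hand over, which is the property that distinguishes a low-interaction honeypot from the real systems in a honeynet.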
Placement is also important, because you don't want it to be obvious that you are using a honeypot in your network. If your honeypot is broken into, it can cause a lot of damage and lead to more open invitations for attack. It is also relevant to know that honeypots only identify activity that interacts with them; they do not see the activity happening around the honeypot. This can cause harm to the unprotected parts of your network (Talabis, n.d.). As long as the risks are taken into account, you should deploy your honeypot with confidence; after all, there is no reward without risk.

CONCLUSION

A honeypot is simply a system, program, or file. Although honeypots are known to be great detection and prevention devices, they do have some drawbacks. If they are hacked into, they could destroy an entire network protected by that honeypot. Honeypots are good because they are able to identify illegal activities and protect systems and networks from destruction. The problem is that they can only detect what is going on with that particular honeypot (Piller and Wolfgarten, 2004). Honeypots are good for use in the home, in small businesses, and in corporate America, but they should be implemented carefully and checked often.

REFERENCES

Lehmann, Dirk (2005). What Is ID? Retrieved November 20, 2005, from http://www.sans.org/resources/idfaq/what_is_id.php
Watson, Peter (2005). What is a layered defense? Retrieved November 20, 2005, from http://www.sans.org/resources/idfaq/layered_defense.php
Debar, Herve (2005). What is behavior based intrusion detection? Retrieved November 20, 2005, from http://www.sans.org/resources/idfaq/behavior_based.php
Debar, Herve (2005). What is knowledge based intrusion detection? Retrieved November 20, 2005, from http://www.sans.org/resources/idfag/knowledge_based.php
Phung, Manh (October 24, 2000). Data Mining in Intrusion Detection. Retrieved November 20, 2005, from http://www.sans.org/resources.idfaq/data_mining.php
Harrison, John (November 4, 2003). Honeypots: The Hottest Thing in Intrusion Detection. Retrieved November 20, 2005, from http://www.thechannelinsider.com/article2/0,1759,1371605,00.asp
Talabis, Ryan (n.d.). Honeypots 101: Risks and Disadvantages. Retrieved November 18, 2005, from http://www.philippinehoneynet.org/dos/Honeypot101_disadvanteages.pdf
Honeynet Project (2005). Know Your Enemy: Honeynets. Retrieved November 16, 2005, from http://www.honeynet.org/papers/honeynet/
Kabay, M.E. (2003). Honeypots Part I & II. Retrieved November 16, 2005, from http://www.networkworld.com
Motlekar, S. (2004). Frequently Asked Questions. Retrieved November 16, 2005, from http://www.tracking-hackers.com
Poulsen, K. (2005). Use a Honeypot, Go to Prison? Retrieved November 16, 2005, from http://www.crime-research.org
Piller, K., Wolfgarten, S. (2004). Honeypot Forensics. Ernst & Young Risk Advisory Services presentation. Retrieved November 16, 2005, from http://www.wolfgarten.com/ccc
Spitzner, L. (2003). Honeypots: Definitions and Value of Honeypots. Retrieved November 11, 2005, from http://www.tracking-hackers.com
Webopedia (2003). Honeypot definition. Retrieved November 8, 2005, from http://isp.webopedia.com/TERM/H/honeypot.html