On Fri, Mar 16, 2001 at 08:55:14AM +1030, Ben Nagy wrote:
> > -----Original Message-----
> > From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 16 March 2001 7:51 
> > To: Jose Nazario
> > Cc: Michael T. Babcock; Darich Runyan; Jim Kearney;
> > [EMAIL PROTECTED]
> > Subject: Re: HoneyPots: "legal or nor legal"
> [...]
> >     I assume you mean the "Honeynet Project".
> > 
> > > their selling point is the boxes aren't even weakened. 
> > they're just
> > > regular boxes.
> > 
> >     More to the point, they are OOB (out of the box) boxes.  They
> > are simply installed.  No weakening, no hardening.  Just a straight
> > install.  They also take no effort to advertise the systems 
> > or otherwise
> > lure anyone to the systems.  They are doing nothing to entice anyone,
> > they are standing out there just like anyone else would who had done
> > a simple install and taken no other efforts.

> My problem with honeypots has always been that by giving crackers a leg-up
> into the DMZ you create a situation whereby you actually increase the
> exposure of the servers you actually care about.

        We're talking about two different things here (three, if you count
canaries which really haven't been discussed).  The Honeynet project
doesn't HAVE a DMZ and any actual real servers.  It's a separate
autonomous network with a limited pipe (ISDN) and nothing inside the
firewall that can't be sacrificed and rebuilt.

> Most honeypot creators waffle on about how the "simulated environment" is
> "completely hackproof" and that crackers can't gain full control of the box.

        ????

        Again...  Different critter.  The Honeynet project is not setting
up any simulated environments.  In fact, they are falling over backwards
to do nothing out of the ordinary.

> If these are just regular boxes, what's to stop someone rooting it and then
> attacking the network? I assume that a NIDS is supposed to start blaring,
> but they're hardly infallible (hence the perceived need for honeypots).

        In this case, you want them to attack the rest of the network
(local) with an inward facing firewall in place to keep them from attacking
anything outside of the network.

> But then, I don't know if honeypots are there to catch crackers or increase
> network security. If it's the former then I'm not prepared to compromise the
> latter - even a little bit.

        "Honey pots" are classically exposed systems designed to lure
intruders that happen to be scanning by.  I don't really care for
classical honey pots simply because they attract attention to your site
or network from individuals whom you would rather just ignored you.
In that regard, I consider the classical honey pot to be less than
useless, whether you consider them to be ethical or not.  I personally
don't have any question about the legality.  Of course they are legal and
even the "entrapment" since we are not officers of the law and it's not
being used for criminal evidence.  You have to ask yourself the question,
though, why would you want someone scanning through your network to stop
and investigate part of your network more closely?  What advantage is that
to you to draw that kind of attention to yourself?

        The "Honeynet" and others like it are not intended to increase
the security of a network or to catch crackers.  The honeynet is not
designed to be secure in the first place.  It's also not designed to be
insecure in the first place either.  It's there to STUDY.  It's there
to study how secure systems are out of the box.  It's there to study
crackers, their behavior, and their characteristics.  It's there to
study how these systems are being broken into.

        It's also there to provide study material for learning forensics
and investigative skills (see scan of the month on the honeynet project).
How do you really learn to investigate a compromised system if you've
never seen one?  They're not out there to catch crackers or to improve
the security of any network other than by learning how networks are being
broken into and how they behave and appear.

        I normally add one other distinction in the mix, that of a canary
system.  That's a honeypot in the sense of being a lure, but it's a
"protected" honey pot behind your perimeter defenses.  It can't be reached
or found by anyone coming directly off the outside network, only from your
internal systems (DMZ or fully protected network).  Anyone going after
that critter has already compromised your site.  You're just using the
system as an alarm, a canary in the coal mine.  An example would be to
direct your critical systems to log syslog to a "canary" system which
is a fake syslog server.  The real syslog server is some system sniffing
the network for syslog traffic.  Another IDS sits on the side monitoring
for any probes or attacks against the canary.  Since the canary is a
protected system and not subject to wandering script kiddies port scanning
your address space, anyone taking pokes at it is already very serious.
That "honey pot", if that's what you want to call it, is a lure to ring
alarms for anyone who has already violated the integrity of your network.
The monitoring IDS systems also quickly give you a pinpoint back to
where your network is compromised, since the canary can only be poked at
from your internal systems.

        To warp someone else's bad analogy (and this discussion has had
plenty), the canary system is more like securing your house reasonably
well (normal locks and things) but then having motion sensors planted
in a normal looking safe out in the open to trigger an alarm when someone
opens it.  You know not to open it but someone WHO HAS ALREADY BROKEN INTO
YOUR HOME does not.  They trigger an alarm.  If they have a heart attack
when the bells of Saint Mary go off, oh well...  You don't use it to trigger
intentionally harmful counter reactions (in either case), just raise the
normal reasonable BURGLAR ALARM.

        That increases your security in exactly the same way that any
good IDS system does.  In fact, I would consider it a good adjunct to
a well tuned IDS.

        Sooo...

        My $0.02 worth...

        Honey pots on an exposed production network - Bad idea.  Legal, but
just a bad idea.

        Honeynets.  If you have a clear plan of what you want to use them
for and intend on setting up completely autonomous networks with nothing
of value and separate physical access and security to limit the spread of
intrusions, fine, go for it.  It is NOT a valid part of an IDS scheme
though and should not be associated with any production networks.

        Canaries.  Honey pots with the express design intent of
triggering intrusion alarms in reaction to already existing intrusions.
This is a good thing.

> Cheers,

> (Too lazy to do my own research for once - it's early here ;)
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
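The canary described above (a fake syslog sink behind the perimeter, with an IDS watching for anything that is not legitimate syslog aimed at it) is easy to reduce to a small piece of detection logic. The following is an added example, not code from the original message or from the Honeynet Project: it assumes a canary address, an allow-list of critical hosts permitted to send it syslog, and a constructed set of observed packets, and flags every other packet that touches the canary as a probe, then tallies the probing sources so you get the "pinpoint back" to the compromised internal host the message talks about.

```python
"""
Canary-host alarm logic (added example, not from the original message).

The canary poses as a syslog server. The only traffic it should ever see is
UDP/514 from an allow-list of critical hosts. Anything else aimed at it
(TCP connects, other UDP ports, ICMP, syslog from a host not on the list)
is a probe by someone who is already inside the perimeter, so every such
packet becomes an alert and the offending sources are tallied.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SYSLOG_PORT = 514

# Hypothetical addresses for the example; any RFC 1918 space will do.
CANARY_IP = "10.0.5.20"
ALLOWED_SENDERS: Set[str] = {"10.0.1.10", "10.0.1.11"}


@dataclass(frozen=True)
class Packet:
    ts: str                    # timestamp as seen by the sniffer
    src: str                   # source IP
    dst: str                   # destination IP
    proto: str                 # "udp", "tcp" or "icmp"
    dport: Optional[int] = None
    flags: str = ""            # TCP flags, e.g. "S" for a bare SYN


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str


def classify(pkt: Packet, canary_ip: str, allowed: Set[str]) -> Optional[Alert]:
    """Return None for expected syslog traffic, else an Alert for the probe."""
    if pkt.dst != canary_ip:
        return None                       # not aimed at the canary; ignore
    if pkt.proto == "udp" and pkt.dport == SYSLOG_PORT:
        if pkt.src in allowed:
            return None                   # the one thing the canary should see
        return Alert(pkt.ts, pkt.src, "syslog from host not on the allow-list")
    if pkt.proto == "tcp":
        what = "SYN" if "S" in pkt.flags else "segment"
        return Alert(pkt.ts, pkt.src, f"tcp/{pkt.dport} {what} to canary")
    if pkt.proto == "udp":
        return Alert(pkt.ts, pkt.src, f"udp/{pkt.dport} datagram to canary")
    return Alert(pkt.ts, pkt.src, f"{pkt.proto} to canary")


def canary_alerts(packets: Iterable[Packet], canary_ip: str,
                  allowed: Set[str]) -> List[Alert]:
    """Run every observed packet through classify() and keep the alerts."""
    out: List[Alert] = []
    for pkt in packets:
        alert = classify(pkt, canary_ip, allowed)
        if alert is not None:
            out.append(alert)
    return out


def suspect_hosts(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per source: the internal hosts that need a look first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


# Constructed sample traffic: one legitimate syslog message, then a host
# inside the network nosing at the canary in three different ways, then a
# packet to an unrelated host that the canary logic must ignore.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10:00:01", "10.0.1.10", CANARY_IP, "udp", SYSLOG_PORT),
    Packet("10:02:17", "10.0.3.44", CANARY_IP, "tcp", 22, "S"),
    Packet("10:02:18", "10.0.3.44", CANARY_IP, "udp", 161),
    Packet("10:02:19", "10.0.3.44", CANARY_IP, "udp", SYSLOG_PORT),
    Packet("10:03:00", "10.0.3.44", "10.0.5.21", "tcp", 80, "S"),
]

if __name__ == "__main__":
    for a in canary_alerts(SAMPLE_PACKETS, CANARY_IP, ALLOWED_SENDERS):
        print(f"{a.ts} ALERT {a.src}: {a.reason}")
    print("suspects:", suspect_hosts(
        canary_alerts(SAMPLE_PACKETS, CANARY_IP, ALLOWED_SENDERS)))
```

Note that the canary itself never has to be a working syslog daemon; in the arrangement described in the message the real collector is a passive sniffer on the segment, so the canary box can drop everything it receives and the logic above only needs the sniffer's view of what arrived at the canary address.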
