Leon C Perrin
27 March, 2012
CMPT 115 - 3
Honeypot Usage in Network Security
Prof. Norm Turgeon
The internet has become a scary place for a computer to be without some protection. Software patches, anti-virus software, software and/or hardware firewalls, and physical routers or gateways are all considered necessary for even the most basic internet user. Most internet service providers consider including routers and/or anti-virus software with their access a cost of doing business for less tech-savvy users. With all the threats available on the internet, one of the most important areas for a network administrator to consider is unauthorized use. Launching attacks on other systems, stealing data, storing contraband files, or storing toolkits to do the same to other systems are all hazards of unauthorized use. Honeypots are one method of learning how someone might abuse a network.
To better understand my research question (How are honeypots used for network security?), I divided a wide range of research into three categories: honeypot configurations, data capture and analysis, and implications of honeypot usage. I began with honeypot configurations to get a better understanding of what honeypots are and how they are used; this sets the tone for the rest of my research. To give weight to this structure, I also divided this first category into what the research says are its more relevant topics: honeypots, honeynets, and virtual honeynets.
Several researchers (Saini, Mishra, Pratihari & Panda, 2011) agree that honeypots are important for capturing malicious network traffic. They argue that “The goal of a honeypot is simply to learn about attackers” (p. 2422). This is important for honeypot usage for network security, because it states simply the purpose for implementing them. Jain & Singh (2011) expand on this idea with their definition: “Honeypots are a computer specifically designed to help learn the motives, skills and techniques of the hacker community” (p. 612).
Information system security group SANS describes the first aim in a honeypot configuration: “The Honey Pot system should appear as generic as possible” (para. 6). They expand on this by explaining “it should appear to the potential intruder that the system has not been modified or they may disconnect before much information is collected” (para. 6). These systems need to appear as innocuous as any other system on the network. Jain & Singh (2011) go on to explain how a honeypot would be different: “running services are meant to attract the attention of attackers so that they spend valuable time and resources will be used to try to exploit the machine while the attacker is being monitored and recorded by the honeypot. The idea behind these systems is to provide systems or services that deceive the intruder. Such systems help in learning the methods that intruders use and they also can be viewed as a decoy to distract hackers from the real systems and services” (p. 613).
Lance Spitzner (2006) of The Honeynet Project defines honeynets best as “a network that contains one or more honeypots. Since honeypots are not production systems, the honeynet itself has no production activity, no authorized services. As a result, any interaction with a honeynet implies malicious or unauthorized activity. Any connections initiated inbound to your honeynet are most likely a probe, scan, or attack. Any unauthorized outbound connections from your honeynet imply someone has compromised a system and has initiated outbound activity” (para. 6). He describes honeynets as high-interaction systems: because a honeynet mimics a production network, it deceives malicious users or attackers more thoroughly (2006).
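The rule Spitzner states above (inbound to the honeynet is a probe, outbound from the honeynet means a compromised honeypot) can be turned directly into detection logic at the gateway. The following is an added example, not code from this paper or from The Honeynet Project; it assumes a constructed honeynet address range (10.0.99.0/24) and a constructed gateway connection-log format of src,dst,dst_port,proto, one connection per line.

```python
"""Classify gateway connection records against the honeynet rule.

Added example; the honeynet range, the log format and every address
below are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed: the address block reserved for honeypots, which should
# never originate traffic on its own.
HONEYNET = ipaddress.ip_network("10.0.99.0/24")

# Constructed gateway connection records: src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
203.0.113.45,10.0.99.12,22,tcp
203.0.113.45,10.0.99.13,22,tcp
198.51.100.7,10.0.99.12,445,tcp
10.0.99.12,198.51.100.200,6667,tcp
10.0.99.12,203.0.113.45,80,tcp
192.0.2.10,10.0.1.5,443,tcp
"""


def parse_log(text):
    """Turn the constructed CSV-style log into (src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split(",")
        records.append((src, dst, int(dport), proto))
    return records


def classify(record):
    """Return 'compromise', 'probe' or 'ignore' for one connection record.

    A honeypot has no authorized services and no production activity, so
    any connection it initiates is treated as evidence of compromise, and
    any connection aimed at it is treated as a probe, scan or attack.
    Traffic that touches no honeynet address is outside this rule.
    """
    src, dst, _dport, _proto = record
    if ipaddress.ip_address(src) in HONEYNET:
        return "compromise"
    if ipaddress.ip_address(dst) in HONEYNET:
        return "probe"
    return "ignore"


def analyze(text):
    """Summarise a log: probe counts per external source, and each
    compromised honeypot with the outbound destinations it reached."""
    probes = Counter()
    compromised = {}
    for rec in parse_log(text):
        src, dst, dport, proto = rec
        verdict = classify(rec)
        if verdict == "probe":
            probes[src] += 1
        elif verdict == "compromise":
            compromised.setdefault(src, []).append((dst, dport, proto))
    return {"probes": dict(probes), "compromised": compromised}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run as a script, it reports two probing sources and one honeypot (10.0.99.12) that has started talking to the outside. In a real deployment the same verdicts would come from the gateway's own connection log, and the "compromise" verdict is the one that should page someone, because it is the only case in which the honeypot can be turned against other systems.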
Virtual honeynets are multiple virtual machines running on one computer with virtualization software, such as VMWare (Magalhaes, 2004). Because of the reduced physical hardware, and centralized management, virtual honeynets are becoming the standard for network security (Spitzner).
There are drawbacks to this kind of honeynet, however. One of the main issues with using VMWare is being identified as a virtual system, known as fingerprinting. Spitzner (2003) explains “Once the bad guys have hacked the systems within your virtual Honeynet, they may be able to determine the systems are running in a virtual environment” (para. 4). Magalhaes (2004) explains “if the intruder knows that the system is a honeynet he will be able to dismantle the whole system with one blow” (para. 8).
Figure: A typical network with a honeynet deployment.
In honeypot configurations, I found that deployments range from complex to plug and play, but the main thrust of honeypots is to disguise the system's intention of collecting data about intruders. In the next section I will continue to discuss how honeypots are used in network security, through the data they capture. Using the same structure as my first category, I will begin this section with the software used.
Data Capture and Analysis
There are many different applications used by honeypots to capture data, and for good reason: “one of the primary lessons learned for Data Capture has been the use of layers. It is critical to use multiple mechanisms for capturing activity. Not only does the combination of layers help piece together all of the attacker's actions, but it prevents having a single point of failure. The more layers of information that are captured, at both the network and host level, the more that can be learned” (Spitzner, 2006, para. 9). The most important piece of software is of course the operating system, and both UNIX and Windows Server have built in logging capabilities (Even, 2000). Even goes on to explain sniffer tools: “Sniffer tools provide the capability of seeing all of the information or packets going between the firewall and the Honey Pot system. Most of the sniffers available are capable of decoding common tcp packets such as Telnet, HTTP and SMTP. Using a sniffer tool allows you to interrogate packets in more detail to determine which methods the intruder is trying to use in much more detail than firewall or system logging alone” (para. 14).
It is important to discuss how data is captured by honeypots. Researchers such as Jain and Singh (2011) detail some of the modifications to a Linux shell: “Modifying syslog- The first thing that hackers do after compromising a system is disable the system logger and/or delete logs in order to cover their traces. The syslog source code was therefore modified to read a configuration file from a non-standard directory with a nonstandard name. This configuration file was setup to send all log messages to a remote syslog server. After making the necessary changes to the source code, the compiled binaries (syslogd and klogd) were renamed to something less conspicuous like lpd (a print server). The default syslog server was left running without any modifications. Bash (the default shell on Linux) source code was also modified to send all the shell commands and keystrokes to a separate log file on the gateway computer. A separate client-server setup was developed to send these logs to the gateway. A second layer of bash logging was also added by modifying bash to spawn a script session every time a bash command was executed. A script session captures both the commands and their output to a file which is then logged to the syslog server” (pp. 615-616). The majority of data collected will have to be analyzed regularly. All data collected will be useful for learning about intrusions because “any interaction with a honeynet implies malicious or unauthorized activity” (Spitzner, 2006, para. 4).
In the final topic of “how honeypots are used for network security,” I examine the implications of honeypot usage. From the research in my first two categories, it is clear that honeypots are an invaluable tool for network security. I will be researching the legal implications of honeypots, ethical issues with honeypots, and the risks posed to a production network by introducing a honeypot system.
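The two passages above describe capture in layers: the gateway firewall log, the syslog messages that the relocated logger ships to a remote server, and the keystroke log from the modified bash. The value of the layering only shows once the layers are merged into a single timeline, and the remote syslog copy matters precisely because the first thing an intruder does is kill the local logger. The following is an added example, not code from this paper or from Jain and Singh; the three log sources, their line formats, the honeypot name "honey1" and the year assumed for the syslog timestamps are all constructed for the example.

```python
"""Merge three honeypot capture layers into one attacker timeline.

Added example. Log formats, hostnames, addresses and timestamps are
constructed; real deployments would feed in their own firewall,
remote-syslog and shell-logging formats.
"""
import re
from datetime import datetime

YEAR = 2012  # RFC 3164 syslog lines carry no year; constructed assumption
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")
HOST_BY_IP = {"10.0.99.12": "honey1"}          # constructed mapping
LOGGER_NAMES = ("syslogd", "klogd", "rsyslogd")  # daemons an intruder targets

# Constructed gateway firewall log: ISO time, sensor, direction, src -> dst:port
FIREWALL_LOG = """\
2012-03-25T10:00:01 fw inbound 203.0.113.45 -> 10.0.99.12:22
2012-03-25T10:01:40 fw outbound 10.0.99.12 -> 198.51.100.200:6667
"""

# Constructed remote copies of the honeypot's syslog messages (RFC 3164 style)
SYSLOG_LOG = """\
<38>Mar 25 10:00:03 honey1 sshd[1204]: Accepted password for root from 203.0.113.45 port 51022 ssh2
<38>Mar 25 10:00:03 honey1 sshd[1204]: pam_unix(sshd:session): session opened for user root
"""

# Constructed keystroke log written by the modified bash to the gateway
BASH_LOG = """\
2012-03-25T10:00:15 honey1 uid=0 pid=1210 cmd=w
2012-03-25T10:00:32 honey1 uid=0 pid=1210 cmd=killall syslogd
2012-03-25T10:01:38 honey1 uid=0 pid=1210 cmd=cat /etc/passwd
"""


def parse_firewall(text):
    """Firewall events, attributed to the honeypot on either end of the flow."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _sensor, direction, src, _arrow, dst = line.split()
        honeypot_ip = src if direction == "outbound" else dst.split(":")[0]
        host = HOST_BY_IP.get(honeypot_ip, "?")
        events.append((datetime.fromisoformat(ts), "firewall", host,
                       f"{direction} {src} -> {dst}"))
    return events


def parse_syslog(text):
    """Remote syslog events; the year is supplied from the YEAR assumption."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        _pri, mon, day, clock, host, msg = m.groups()
        ts = datetime(YEAR, MONTHS[mon], int(day), *map(int, clock.split(":")))
        events.append((ts, "syslog", host, msg))
    return events


def parse_bash(text):
    """Keystroke events from the modified shell."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rest = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), "bash", host, rest))
    return events


def build_timeline(*layers):
    """Interleave every layer's events by timestamp (stable for equal times)."""
    return sorted((e for layer in layers for e in layer), key=lambda e: e[0])


def find_tampering(timeline):
    """Keystrokes aimed at the logging daemons. The off-host syslog copy
    survives such a command, which is why the logger was relocated."""
    return [(ts, host, msg) for ts, layer, host, msg in timeline
            if layer == "bash" and any(n in msg for n in LOGGER_NAMES)]


def layer_coverage(timeline):
    """Which capture layers produced evidence for each honeypot."""
    cov = {}
    for _ts, layer, host, _msg in timeline:
        cov.setdefault(host, set()).add(layer)
    return cov


if __name__ == "__main__":
    tl = build_timeline(parse_firewall(FIREWALL_LOG),
                        parse_syslog(SYSLOG_LOG), parse_bash(BASH_LOG))
    for ts, layer, host, msg in tl:
        print(f"{ts:%H:%M:%S} {layer:8} {host:7} {msg}")
    print("tampering:", find_tampering(tl))
    print("coverage:", layer_coverage(tl))
```

Read top to bottom, the merged timeline shows the inbound probe, the accepted login, the shell commands (including the attempt to kill the local logger) and finally the outbound connection that the firewall layer alone would have flagged as a compromise. The coverage summary is the practical check Spitzner's point implies: if any honeypot shows up in only one layer, that layer has become a single point of failure for the investigation.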
Implications of Honeypot Usage
The legalities of administering a network are complex enough without introducing potentially criminal activities in a honeypot. Motlekar notes in his research that there is potential liability if an unauthorized user does damage to another system while staging from your honeynet (2004). The Department of Justice's Richard Salgado explains “In the U.S., there are privacy laws that can apply to the operation of a honeynet. The two federal statutes most worthy of discussion here are the Wiretap Act and the awkwardly named Pen Register, Trap and Trace Devices statute” (p. 227). Both laws pertain to authorized and unauthorized users, making prosecution that much harder.
The use of honeypots also presents ethical issues. Is a honeynet put in place to protect your network, or is honeypot usage inviting trouble (Salgado, 2004)? Research from Radcliffe (2007) also states “The entrapment issue arises with honeypots because the intention of a honeypot is to attract intruders. This is similar to law enforcement using undercover agents masquerading as drug dealers to attract drug users” (p. 16). The issue of ethics in honeypot usage goes beyond the scope of this paper, but it will be interesting to see the direction the law takes.
One of the other considerations in honeypot usage is network safety. Jain and Singh (2011) report simply, “Honeypots can be said to generate a certain degree of security risk and it is the administrator’s responsibility to deal with it” (p. 614). Combined with Spitzner's (2010) observation that “It is expected for attackers to gain privileged control of the honeypots” (para. 8), the danger posed to a production network becomes clear. Without careful monitoring and implementation, honeypots can be used against you.
I wanted to study how honeypots are used to help protect networks, because I am interested in pursuing the field of Information Security upon my graduation. I organized my research by looking at honeypot configurations, then the data captured and its analysis, and finally the implications of honeypot usage. In my first category, I learned that the point of deploying a honeypot is to deceive an intruder into believing that it is not a honeypot. In the second category, I found that logging needs to be set up to track activity in the honeypot. The final category shows that while there are many benefits to using honeypots, there are downfalls that need to be considered.
Honeypots are just one of the tools that should be used by someone who wants to learn about the threats that may be posed to a network. The constant evolution of technology creates a cat and mouse game between hackers and system administrators. Based on this research, I would suggest that administrators wishing to implement a honeypot have a thorough plan, a carefully researched honeypot deployment, and a clear goal for the information that is being sought. It will be interesting to see how courts will side when the privacy issues surrounding honeypots start being tried.
Even, L. "Intrusion Detection FAQ: What is a Honeypot?" N.p., 2000. Web. 25 Mar 2012. <http://www.sans.org/security-resources/idfaq/honeypot3.php>.
Jain, Y. K., & Singh, S. (2011). Honeypot based secure network system. International Journal on Computer Science and Engineering (IJCSE), 3(2), 612-620.
Magalhaes, Ricky. "Understanding Virtual Honeynets." windowsecurity.com. TechGenix Ltd., 23 Jul 2004. Web. 25 Mar 2012. <http://www.windowsecurity.com/articles/Understanding_Virtual_Honeynets.html>.
Motlekar, Shaheem. "Frequently Asked Questions." www.tracking-hackers.com. N.p., 25 Mar 2004. Web. 26 Mar 2012. <http://www.tracking-hackers.com/misc/faq.html>.
Radcliffe, Jerome. "CyberLaw 101: A Primer on US Laws Related to Honeypot Deployments." The SANS Institute. N.p., 2007. Web. 26 Mar 2012. <http://www.sans.org/reading_room/whitepapers/honors/cyberlaw-101-primer-laws-related-honeypot-deployments_1746>.
Saini, H., Mishra, B. K., Pratihari, H. N., & Panda, T. C. (2011). Extended honeypot framework to detect old/new cyber attacks. International Journal of Engineering Science and Technology (IJEST), 3(3), 2421-2426.
Salgado, Richard. "The Honeynet Project: Our Book." The Honeynet Project. N.p., 29 Apr 2004. Web. 26 Mar 2012. <http://old.honeynet.org/book/ch08.pdf>.
Spitzner, Lance. "Know Your Enemy: Defining Virtual Honeynets." honeynet.org. N.p., 2003. Web. 26 Mar 2012. <http://old.honeynet.org/papers/virtual/>.
Spitzner, Lance. "Know Your Enemy: Honeynets." honeynet.org. N.p., 2006. Web. 25 Mar 2012. <http://old.honeynet.org/papers/honeynet/>.
Spitzner, Lance. "Problems and Challenges with Honeypots." Symantec Connect. Symantec, 2010. Web. 26 Mar 2012. <http://www.symantec.com/connect/articles/problems-and-challenges-honeypots>.
Contributor, Guest. "SolutionBase: Configuring a Honeypot for your network using KF Sensor." TechRepublic. N.p., 27 Jul 2005. Web. 26 Mar 2012. <http://www.techrepublic.com/article/solutionbase-configuring-a-honeypot-for-your-network-using-kf-sensor/5786723>.
Spitzner, Lance. "Know Your Enemy: GenII Honeynets." The Honeynet Project. N.p., 12 May 2005. Web. 26 Mar 2012. <http://old.honeynet.org/papers/gen2/>.
Spitzner, Lance. "The Value of Honeypots, Part Two: Honeypot Solutions and Legal Issues." Symantec Connect. N.p., 23 Oct 2001. Web. 26 Mar 2012. <http://www.symantec.com/connect/articles/value-honeypots-part-two-honeypot-solutions-and-legal-issues>.