Enterprise networks contain a large number of systems interconnected with one another and ultimately with the Internet. These systems may comprise web servers, file servers, databases, workstations etc. working coherently with each other. Large businesses, particularly those based in e-commerce, employ high bandwidth, high speed connections to the Internet to fulfil their functional requirements (Culver, B. et al. 2003). This holds particularly for big organizations that run mission critical applications across the Internet.
Because of this, system administrators and network administrators find it difficult to monitor the traffic within the network. Added to this, they cannot impose heavy restrictions on data accessibility, as this inhibits the functioning of the business.
A good security policy involves updating and patching the operating systems and applications on a regular basis. In some organizations the IT management team trains employees in safe computing while trying to maintain a balance between security and productivity. While deploying antivirus and firewall solutions is absolutely necessary, these have their limitations.
2. The project
2.1 Literature review and project overview
Antivirus software scans files for the presence of malware, including viruses, worms, trojans, spyware etc. It looks up a database of known malware signatures, updated from the vendor's website, and alerts when one is present. While antivirus is an absolute necessity, it offers protection only against known malware, and it is the last line of defence.
Firewalls are deployed at the border of the network, typically between the local area network (LAN) and the Internet. They control the traffic flowing from the internal network to the Internet and vice versa. Like antivirus, firewalls consult a table of rules to decide whether or not to allow traffic, based on characteristics such as source address, destination address, port, user etc. This table is configured and maintained by the system administrator according to the needs of the enterprise. Firewalls can also be run on individual hosts. Just like antivirus, firewalls are an absolute necessity, but they have the following disadvantages.
- They are not effective against threats that arise within the internal network. According to one study, 85% of intrusions are initiated from within the network (Innella, P and McMillan, O. 2001).
- Under a sudden spurt of traffic the firewall can be overwhelmed, and in some cases traffic then passes between the networks without being filtered.
- Firewalls cannot inspect encrypted traffic. Malware or attacks carried over an encrypted channel pass through the firewall, provided of course that the firewall's rules match the traffic and allow it.
- If a system within the network is already compromised, the firewall can do little: it acts according to its rule table, and if the compromised system is in an 'allow' group its traffic is not blocked.
Another method used in network security is the intrusion detection system (IDS) and intrusion prevention system (IPS). Like antivirus and firewalls, they look up a database of signatures of attacks and intrusions. Unlike them, however, IDSs and IPSs not only inspect individual packets but also watch the network for signs or patterns of intrusions and attacks. Some IDSs also perform statistical and anomaly based analysis of the traffic to detect such patterns (Culver, B. et al. 2003). IDSs are of two types: network based IDS (NIDS) and host based IDS (HIDS). As the names imply, a NIDS sensor is placed at a strategic point in the network while a HIDS is installed on an individual host. Both work in a similar way; the only difference is the scope of what they can see. They are effective in alerting on, and in the case of an IPS preventing, intrusions arising from within the network as well as from external sources. However, they have their share of disadvantages.
- They cannot decipher encrypted traffic. If the attacker employs encryption, signature based IDSs and IPSs are ineffective against that traffic.
- IDSs and IPSs are still at a relatively early stage of development, and the level of false alarms they generate is high.
- All the traffic that flows through the strategically positioned sensor has to be analyzed and reported on continuously. On fast gigabit networks some packets may pass the sensor unanalyzed, so attacks can be missed and partially observed streams contribute to the high rate of false alerts.
- It has been shown in some cases that deploying them adds more complexity to network security management than it solves (Culver, B. et al. 2003).
While the disadvantages and limitations of antivirus, firewalls and IDSs are mentioned above, they undoubtedly form a vital part of securing the network. It is an absolute necessity to employ all of the above in a large enterprise, in tandem with the expertise of network security specialists.
However, one feature common to all of them is that they consult their respective databases of signatures and rules when an event occurs, i.e. they are effective only against known threats. They cannot learn on their own from patterns or series of repeated events and adapt to subvert attacks accordingly. They can all be referred to as a static line of defence.
Enter honeypots. They are resources which mimic systems in order to fool hackers into believing that they are real systems. Honeypots are resources in the network whose value lies in being probed, intruded upon and attacked (Spitzner, L. 2003). They offer a wealth of information on how malware propagates and shed extensive light on the modus operandi of hackers.
Honeypots are a relatively new concept in the field of network security. Since their inception the tables have turned: from being purely on the defensive, to laying a trap for hackers and watching their activity from outside, like watching fish in a fishbowl. In doing so, attacks on the real production systems can be averted while obtaining information on the latest tools, methods, challenges and techniques used by hackers. Unlike antivirus and firewalls, honeypots can contribute their findings and results back to the security community.
Their primary use is to act as a decoy, luring hackers into believing that they are in actual production systems and hence giving system administrators time to learn and strengthen the real systems and network. Since honeypots interact with hackers directly, improper configuration and deployment will put the entire network in jeopardy. Honeypots are probably one of the last security tools an organization should implement, because if a hacker completely compromises the honeypot system he may use it as a springboard to launch attacks on the actual production systems (The SANS™ Institute. 2009).
Honeypots have not gained wide acceptance. Although many security professionals know about them, only a handful deploy them in their networks, and then with such a low profile that they do not provide enough material on the modus operandi of the blackhat community (Joho, D. 2004). They are seldom deployed on a full scale in an enterprise; they are generally deployed with minimal capabilities in some private and public companies and are more often confined to research in universities. For a variety of reasons discussed in later sections, honeypots have not become an essential part of today's IT security infrastructure.
I have chosen this area of network security as it has tremendous potential for enhancing the corridor of network security. The project based on this tries to study the feasibility of employing honeypots as the first line of defence, with possible recommendations to improve their development.
"In warfare, information is power. The better you understand your enemy, the more able you are to defeat him."- Sun Tzu
According to Lance Spitzner, founder of the Honeynet Project, 'A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource' (Spitzner, L. 2003). A honeypot is a program or system sitting on a network, acting as a decoy for hackers. It is bait to capture the malicious activity of hackers and of the malware that propagates across the Internet.
Honeypots mimic real systems and networks. Hackers try to break into honeypots thinking they are actual production systems. While they are busy with it, system administrators can study their attack behaviour and methodologies and use them to strengthen the actual network and systems. Honeypots have no production role and are not advertised to anybody; therefore any activity on them is, by definition, suspicious and most likely malicious.
The uses of honeypots are:
- We can monitor the behaviour of hackers
- By keeping hackers busy, they can be used to divert attacks away from the actual production systems and network
- They can be designed to provide early warning of intrusion into the network
- When hackers spend time in honeypots, system administrators can analyze the data, which can be used to
  - build antivirus signature databases
  - build spam signatures and hence create new filters
  - glean information on botnets and shut them down
  - collect and analyze malware
  - detect compromised systems
  - work in tandem with law enforcement agencies to track the criminals down
Honeypots can be classified in two ways:
- Production/ Research
- Low/ high interaction
Production/ research honeypots
Production honeypots are deployed in commercial organizations. They are easy to deploy, maintain and monitor. Due to their simplicity they offer little insight into the workings of hackers (Tber, R. 2005).
Research honeypots are not generally employed in commercial companies. They are used to study the modus operandi of hackers extensively. They are difficult to deploy, maintain and monitor; they are complex and interact heavily with hackers, which brings security risks to the forefront.
Low/ high interaction honeypots
Low interaction honeypots
Low interaction honeypots offer limited interaction with hackers. They emulate the operating system, the applications and the services offered on it. For example, one may emulate a web server running on a particular operating system, and the hacker's activity is limited to this level of interaction. Deploying a low interaction honeypot involves installing the program and selecting the operating systems and services it should emulate (Spitzner, L. 2003). Examples of low interaction honeypots are Honeyd, Specter and KFSensor.
The advantages and disadvantages of low interaction honeypots are as follows:
- They are simple and hence easy to deploy and maintain.
- Since the operating system is emulated, the hacker does not get access to a real operating system from which to launch attacks on the production systems.
- Since the system is emulated, the hacker interacts less with the honeypot and hence only limited information is logged.
- With the advent of tools that detect honeypots, such as 'Send-Safe Honeypot Hunter', low interaction honeypots are easy to detect because the emulation is imperfect.
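As an added example (not code from any of the products named above or from the papers cited on this page), the following Python program shows what "limited interaction" means in practice: a fake login service that sends a canned banner, accepts any credentials, records the first few commands typed and then hangs up. The banner text and the listening port are assumed values. It illustrates both sides of the list above: the attacker never reaches a real shell, but the uniform canned reply to every command is exactly the kind of tell that a honeypot detection tool can spot.

```python
"""Minimal low interaction honeypot: it emulates a telnet-style login prompt,
records the attacker's first commands and then hangs up. This is an added
example, not code from Honeyd, Specter or KFSensor; the banner text and the
listening port are assumed values."""
import io
import json
import socketserver
from datetime import datetime, timezone

BANNER = b"Ubuntu 9.04\r\nlogin: "   # assumed banner; pick one matching the emulated host
MAX_COMMANDS = 5                     # limited interaction: hang up after a few commands
MAX_LINE = 256                       # never read unbounded input from the attacker
LISTEN_PORT = 2323                   # assumed; port 23 would need root


def handle_session(rfile, wfile, peer, local_port, now=None):
    """Drive one emulated session over a pair of binary file objects
    (a socket's rfile/wfile, or BytesIO for offline testing).
    Returns the log record as a dict. Nothing the peer types is executed."""
    now = now or datetime.now(timezone.utc)
    record = {"time": now.isoformat(), "src_ip": peer[0], "src_port": peer[1],
              "dst_port": local_port, "login": "", "commands": []}
    wfile.write(BANNER)
    # Fake login: any user name and password are 'accepted'; the attempted
    # credentials are themselves useful data for the analyst.
    record["login"] = rfile.readline(MAX_LINE).strip().decode("ascii", "replace")
    wfile.write(b"Password: ")
    rfile.readline(MAX_LINE)
    wfile.write(b"\r\n$ ")
    for _ in range(MAX_COMMANDS):
        line = rfile.readline(MAX_LINE)
        if not line:                 # peer closed the connection
            break
        cmd = line.strip().decode("ascii", "replace")
        record["commands"].append(cmd)
        # Canned reply only. A uniform answer to every command is exactly the
        # kind of tell that honeypot detection tools look for.
        wfile.write(b"bash: " + line.strip()[:64] + b": command not found\r\n$ ")
    return record


def run_scripted(attacker_input, peer=("192.0.2.5", 4321), local_port=LISTEN_PORT):
    """Replay a constructed attacker transcript offline; returns (record, bytes sent)."""
    rfile, wfile = io.BytesIO(attacker_input), io.BytesIO()
    record = handle_session(rfile, wfile, peer, local_port)
    return record, wfile.getvalue()


class HoneyHandler(socketserver.StreamRequestHandler):
    """One TCP connection per handler; each session is logged as one JSON line."""
    def handle(self):
        record = handle_session(self.rfile, self.wfile, self.client_address,
                                self.server.server_address[1])
        print(json.dumps(record), flush=True)


if __name__ == "__main__":
    # Any connection to this port is unsolicited by definition.
    with socketserver.TCPServer(("0.0.0.0", LISTEN_PORT), HoneyHandler) as server:
        server.serve_forever()
```

Run it and connect with a telnet client to see the session; `run_scripted` replays a canned transcript without a network. The record it produces already carries the parameters analysed later in this proposal (source address and port, destination port, time and the initial commands), while the hard cap on commands and the absence of any real command execution are what keep the risk low.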
High interaction honeypots
Unlike low interaction honeypots, high interaction honeypots do not emulate the operating system and services; they provide real infrastructure to the hackers. They are complex and involve real operating systems, applications and services. Examples of high interaction honeypots include honeynets and Symantec Decoy Server.
The advantages and disadvantages of high interaction honeypots are as follows:
- They do not emulate the environment. This means the hacker has the real thing and extensive data capture can be achieved.
- To learn the blackhat community's modus operandi in full, this is the way to go. The results make no assumptions about what the attacker will do, and the data is captured extensively.
- The hackers are allowed to play on real machines with real operating systems and services. If not monitored and contained properly, they may use the honeypot system to launch attacks on the actual production systems.
- They are complex and difficult to deploy, maintain and monitor.
Comparison of low and high interaction honeypots
According to a research study comparing low and high interaction honeypots (Tber, R. 2005), both types have their equal share of advantages and disadvantages. Low interaction honeypots are easier to deploy and monitor but gather little information on the activity due to their limited, emulated interaction, while high interaction honeypots provide more information but with added risks and monitoring requirements.
Considering the information gathered from the various papers mentioned above, the outline of the project is as follows.
Designing and evaluating the use of honeypots in enhancing the security structure of a computer network.
To design and investigate the effectiveness of a honeypot in luring hackers and gathering data, and thereby help in combating network attacks and intrusions.
- To acquire data on various attacks and intrusions into the network by acting as a decoy
- To perform data analysis of the attacks
- To strengthen the actual network by analysing the data gathered
- To formulate a best practice honeypot deployment
To accomplish the above goals, various tasks need to be completed. The tasks correspond to the objectives as follows.
1. To acquire data on various attacks and intrusions into the network by acting as a decoy
To do this, a lot of background work and research needs to be done.
1.1 Conduct extensive background reading on honeypots and its developments
Honeypots are a relatively new technology and their usage in the enterprise scenario varies widely. A lot of reading and research needs to be done on material from the developers of honeypots. Developments across the different generations of honeypots are compared here to give a perspective on what will be next in line.
1.2 Study the usage of honeypots in the current scenario and why they have failed to gain acceptance
Study the papers of various universities where honeypots were the subject of research. Compare this with the deployment of honeypots in the enterprise world, using papers and publications sourced from various governing bodies, and converge on a conclusion.
1.3 Develop a honeypot architecture and deploy it with IDS in tandem
Based on the above findings, a prototype architecture is designed keeping in mind the level of exposure, the limitations, the type of honeypot used and where it is deployed. This is a very important step, as the quality of the results depends heavily on this setup.
2. To perform data analysis of the attacks
This is the most important step, as it is here that the captured activities are dealt with. Extensive analysis of the gathered data depends on the following three elements (Honeynet Project. 2006).
- Data control
- Data capture
- Data analysis
1. Data control
This deals with the containment of the hackers' activities. Whether a low interaction or a high interaction honeypot is used, there is always a degree of risk involved: the hacker may knowingly or unknowingly compromise a non-honeypot system. Therefore the honeywall (the gateway) should be placed behind a reverse firewall. A reverse firewall allows the hacker to gain access into the honeypot but restricts the traffic going back out. Figure 2 illustrates this.
2. Data capture
This is the process of logging and monitoring the activities of the hacker. Snort is used as the IDS here. I've had previous experience with a Windows ported version of Snort called 'WinSnort'. It was very difficult to install, configure and manage, particularly because it was meant for UNIX. This added to the reasons for deploying the honeypot on Linux rather than on a Windows platform.
3. Data analysis
This is the most important part of the process. Here the logs are examined and patterns are extracted. Some of the parameters to analyze are:
- Source IP address
- Destination IP address
- Destination port
- Date/ time of attack
- Initial commands of activity
Although the parameters may be trifling to consider individually, they offer a wealth of information on the activity when they are analyzed together (Spitzner, L. 2003, Honeypots: Tracking Hackers).
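As an added example of analysing these parameters together rather than one at a time, the Python below parses a constructed connection log (one line per connection; the format is an assumed, simplified one and the lines are made up, not captured) and derives the source and port rankings, the hour-of-day distribution, sources that return on more than one day, and sources that sweep several honeypot addresses. It is not code from Spitzner or the Honeynet Project.

```python
"""Offline analysis of honeypot connection logs over the parameters listed
above (source, destination, destination port, date and time). Added example
written for this page; the one-line-per-connection log format is an assumed,
simplified one, and the sample lines are constructed rather than captured."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample. Assumed format:
#   <YYYY-MM-DD-HH:MM:SS.ffff> <proto>(<ip proto num>) S <src> <sport> <dst> <dport>
SAMPLE_LOG = """\
2009-05-20-02:11:05.0412 tcp(6) S 198.51.100.7 4512 10.0.0.5 22
2009-05-20-02:11:09.3320 tcp(6) S 198.51.100.7 4513 10.0.0.5 22
2009-05-20-02:11:40.1002 tcp(6) S 198.51.100.7 4520 10.0.0.5 445
2009-05-20-03:02:17.8800 udp(17) S 203.0.113.40 1434 10.0.0.5 1434
2009-05-20-03:02:17.9100 udp(17) S 203.0.113.40 1434 10.0.0.6 1434
2009-05-20-14:45:01.0000 tcp(6) S 192.0.2.88 60001 10.0.0.6 80
2009-05-20-14:45:02.5000 tcp(6) S 192.0.2.88 60002 10.0.0.6 80
2009-05-21-02:10:55.2100 tcp(6) S 198.51.100.7 4601 10.0.0.6 22
"""

LINE = re.compile(r"^(\S+) (\w+)\(\d+\) S (\S+) (\d+) (\S+) (\d+)")


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, proto, src, sport, dst, dport = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d-%H:%M:%S.%f"),
                       "proto": proto, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return events


def summarise(events):
    """Correlate the individual parameters: who, what, when, plus two patterns
    that only show up when the fields are read together."""
    per_src_days = defaultdict(set)
    per_src_targets = defaultdict(set)
    for e in events:
        per_src_days[e["src"]].add(e["time"].date())
        per_src_targets[e["src"]].add(e["dst"])
    return {
        "top_sources": Counter(e["src"] for e in events).most_common(3),
        "top_ports": Counter((e["proto"], e["dport"]) for e in events).most_common(3),
        "by_hour": Counter(e["time"].hour for e in events),
        # same source on more than one day: persistent interest, not a drive-by
        "repeat_visitors": sorted(s for s, d in per_src_days.items() if len(d) > 1),
        # same source touching several honeypot addresses: sweeping the range
        "multi_target": sorted(s for s, t in per_src_targets.items() if len(t) > 1),
    }


if __name__ == "__main__":
    for key, value in summarise(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, port 22 dominates, one source comes back on a second day and two sources touch both honeypot addresses; none of those observations is visible from any single column, which is the point made above. Real logs from Honeyd or Snort need their own parser, but the correlation step is the same.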
3. To strengthen the actual network by analysing the data gathered
After deploying the honeypot, capturing the activities and analysing them, the next logical step is to use this information to strengthen the actual network.
An option here is to redeploy the honeypot after strengthening the network and analyse the results again. However, this is highly dependent on the time available.
4. To formulate a best practice honeypot deployment
After extensively studying the data and the results, a best practice method for deploying honeypots is formulated. Depending on the model, this may be specific to a particular user wishing to employ honeypots in a network, or general enough to apply more widely.
Choice of honeypots
I have considered Honeyd. It is open source and a low interaction honeypot, developed by Niels Provos, co-author of the book Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Honeyd works on the concept of monitoring unused IP address space: if an attacker tries to access an unused IP address, Honeyd intercepts the connection attempt and interacts with the attacker while pretending to be the victim (Spitzner, L. 2003). As mentioned earlier, being a low interaction honeypot it can emulate operating systems, applications and services. But Honeyd can do more than that: it can blend into the network in use according to the resources running in it. Honeyd is also resilient to anti-honeypot tools to a certain extent; if it is scanned for OS fingerprinting, it emulates the IP stack of the configured operating system as a real OS would, spoofing the replies to the hacker.
There is also a consideration to evaluate a high interaction honeypot called a honeynet. A honeynet is a high interaction honeypot with real systems, applications and services for hackers to interact with (Honeynet Project. 2006). Roo is the GenIII (3rd generation) honeywall developed by the Honeynet Project. It comes on a CDROM with all the tools and functionality necessary to create, maintain and monitor the honeynet.
Choosing a platform
Honeyd is designed for the UNIX platform; a version of it has been ported to Windows, called 'WinHoneyd'. The UNIX platform provides more flexibility than Windows, offering a wider playground, and is therefore the obvious choice.
Roo is independent of the host OS, as it comes on a bootable CDROM. The iso image can be downloaded for free from the honeynet website at https://projects.honeynet.org/honeywall; it is based on Fedora Core 3 (The Honeynet project. [No date]).
The architecture for deployment
This project will be based on virtual machines using the free VMware product (as recommended by Roger A. Grimes, author of Honeypots for Windows: The Experts Voice, through email).
The actual deployment can take one of three forms.
- Using virtual machines only: here the entire project is carried out in a virtual environment, including the attacks, which are replicated rather than coming from real hackers. This does not fulfil the idea behind the project and is considered the last option.
- At my residence: deploying the honeypot at my residence is a feasible option. This can be done by placing the physical machine in a de-militarized zone (DMZ), as my router (Belkin) supports this feature.
- At the University: deploying at the University has a lot of advantages compared to the above two options, as universities are known to be a continuous target for hackers, as concluded in (Culver, B. et al. 2003). However, proper authorization needs to be obtained from the IT administration after briefing them about the setup.
3. Required resources
The resources that will be required for this project are
- A PC with a good amount of RAM (to run the virtual machines)
- Ubuntu 9.04 Jaunty Jackalope workstation
- VMware workstation for Linux
- Roo honeywall
- Snort IDS
- Internet connection
4. Project timetable (Gantt Chart)
This proposal has presented various reasons and limitations why honeypots have not become one of the essential parts of IT security infrastructure. It also shows that a honeypot is not a substitute for any existing security application; honeypots complete the security corridor of a network. The project aims to see whether they can really be effective when deployed in conjunction with the Snort IDS. Building, configuring and deploying a honeypot requires a lot of insight, as improper configuration jeopardizes the entire network. The project will place great emphasis on usability and effectiveness in combating network security incidents.
- Culver, B. et al. 2003. The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks. IEEE. [online]. Available from: http://www.tracking-hackers.com/papers/gatech-honeynet.pdf [Accessed 15 May 2009]
- Honeynet Project. 2006. Know Your Enemy: Honeynets. [online]. Available from: http://old.honeynet.org/papers/honeynet/ [Accessed 14 May 2009]
- Innella, P and McMillan, O. 2001. An Introduction to Intrusion Detection Systems. [online]. Available from: http://www.securityfocus.com/infocus/1520 [Accessed 16 May 2009]
- Joho, D. 2004. Active Honeypots: Master Thesis in Computer Science. [online]. Available from: http://www.ifi.uzh.ch/archive/mastertheses/DA_Arbeiten_2004/Joho_Dieter.pdf [Accessed 15 May 2009]
- Riden, J. and Seifert, C. 2008. A Guide to Different Kinds of Honeypots. [online]. Available from: http://www.securityfocus.com/infocus/1897 [Accessed 12 May 2009]
- Spitzner, L. 2003. Honeypots: Definitions and Value of Honeypots. [online]. Available from: http://www.tracking-hackers.com/papers/honeypots.html [Accessed 16 May 2009]
- Spitzner, L. 2003. Honeypots: tracking hackers. Addison-Wesley, pp. 452. [online]. Available from: http://books.google.co.uk/books?id=xBE73h-zdi4C&printsec=frontcover#PPA320,M1 [Accessed 18 May 2009]
- Tber, R. 2005. A Practical Comparison of Low and High Interactivity Honeypots. [online]. Available from: http://www-sop.inria.fr/maestro/MASTER-RSD/html/2004-05/tber.pdf [Accessed 16 May 2009]
- The SANS™ Institute. 2009. Intrusion Detection FAQ: What is a honeypot and how is it used? [online]. Available from: http://www.sans.org/resources/idfaq/honeypot.php [Accessed 14 May 2009]
- The SANS™ Institute. 2009a. SANS Webcasts. [online]. Available from: https://www.sans.org/webcasts/index.php?21 [Accessed 14 May 2009]
- The Honeynet project. [No date]. Welcome to Honeywall project site. [online]. Available from: https://projects.honeynet.org/honeywall [Accessed 17 May 2009]