Saturday, August 17, 2019

Honey Pots and Network Security Essay

Abstract

Honey pots are specially designed to attract hackers in order to gather data, alert the observers, and offer them insight into what the intruder is attempting. Honey pots decoy attackers to an apparently exposed but well-observed computer system in order to learn about the strategy and tools used by the hackers and to improve system security accordingly. However, a system built with good intentions may sometimes be put to foul uses. This paper discusses honey pots in detail. It explains what honey pots are, the different types of honey pots, and the advantages and disadvantages of using a honey pot. It also discusses the security implications of honey pots. The later part of the paper explains how to create a honey pot, how to implement different honey pot tools, and finally how honey pots secure a system from hackers.

Honey Pots and Network Security

Introduction

Honey pots are not a new concept in network deception. The concept has been deployed since the introduction of the internet. The challenges faced by the technology are greater than the advantages reaped. As the technology grows, the need for protection from its negative impacts has increased tremendously. Security personnel are increasingly concerned with protecting crucial data from attackers. Researchers and security specialists have been using various types of honey pots since the inception of the internet. Like real honey pots, which attract insects, technical honey pots act as an attractive target for internet hackers. Though honey pots are not the real solution for protecting a networked system from illegal sources, they probably help in detecting the invader and alerting the network administrator for future protection.

What are honey pots?

Honey pots are a bait source that acts as a genuine target, inviting ambush from the invader.
They are a tricky system that tries to lure an invader away from critical systems. Honey pots act as a watchdog and manage to capture data from the hackers. The system is usually stocked with superficially valuable information, which is actually false and would not be sought by an honest user. Thus, any access to the honey pot is treated as coming from a hacker. The predominant purpose of a honey pot is to divert attackers, to protect the actual system, and to gather information about the invader for future research and development. In addition, it is useful in providing information about the modus operandi and the tools of attack. A honey pot is an information system resource, and any kind of system can be placed within the honey pot. A standard production system can be placed under a honey pot to give hackers the feeling of a real system. In general, honey pots act as an effectual method of preventing illegal attempts to access significant information on the system. The noteworthy features of honey pots are: first, they are user friendly and extremely flexible; second, they discover the invader's whereabouts and activities; and finally, they invite the most recent vulnerabilities to the system, which helps the examiner stay up to date and build strong network protection.

Types of honey pots

Research honey pots

Research organizations, educational institutes, or non-profit organizations run research honey pots to collect information about the tactics and motives of hackers. These organizations attempt to spread awareness of the threats and vulnerabilities created by hackers in real networks. These are considered high-interaction honey pots, which involve a high degree of monitoring and gather extensive information about the intruder's activity and the methods and technology used by the invader in breaking into the system, and which further monitor that activity for future research.

Production honey pots

Production honey pots are used by organizations within the production network, linked with the production servers, to improve security measures. These “low-interaction honey pots are easier to deploy and provide little information about the attackers unlike research honey pots.” (Andress, A. 2003). Production honey pots are similar to conventional intrusion detection methods. They discover malicious activity performed by hackers and alert the system administrator by capturing minimal data from the intruder.

Advantages in using honey pots

Honey pots are successful in capturing invaders prying into the system. Hackers can be easily distracted to system targets that they cannot damage. This gives researchers enough time to probe into the hackers' details and to respond to them. Finally, “this system allows the researchers to examine the hacker’s action and help them to improve the system protection.” (Wible, B, 2003). Honey pots are able to accumulate a considerable amount of data about the invader during an invasion. They gather all the information about the illegal activities performed by the invader. Although honey pots collect only a small amount of data from invaders, the data they collect is of higher value. Hence, honey pots serve as an easier and cheaper tool for collecting all the malicious activity of the intruder. A honey pot is very simple and easy to implement. It does not involve any complicated measures like intricate algorithms, tables or signatures. It is cheaper and gives administrators enough time to research the information gathered. Honey pots also avert hackers from entering the system, as hackers may be unable to tell the real system from the honeyed system and thus stop entering the network to avoid wasting time.

Disadvantages of honey pots

Honey pots are not highly successful in their application. There are no proper legal standards devised for using honey pots.
Operating systems using honey pots are prone to severe attacks when the attackers are triggered by denial of service, e.g., a distributed denial of service attack against cnn.com that came from the US. A high level of expertise is needed by the researchers and scrutinisers to use the system. Moreover, Sophos, 2004 says “hackers can use honey pots itself to attack our own system.” Honey pots gather only limited information, as they are able to track only the attackers who invade the system and cannot capture any other information about activity against other networks.

A Typical Model of Honey pot with firewall

Honey pots are designed to imitate the real system that the hacker would possibly invade to capture information, but actually

Types of malicious attacks prevented by honey pots

Honey pots help in preventing the following malicious attacks:
• Spammers in e-mail address
• Spammers in proxy server
• Spammers in SMTP
• Worms

Security implications of honey pots

The application of honey pots in a system has numerous advantages. The most significant implication of honey pots is that they instil confidence in hackers by offering a false impression of the existing security system, and prevent the likelihood of an attack on or probe of the real machine. Often attackers scan a large block of computers looking for victims. Even attackers focusing on a particular company will scrutinize the openly accessible information owned by the company, searching for a mechanism as a starting point. Honey pots reduce the possibility of an attacker selecting crucial information as a target, and they detect and record the initial scan as well as any subsequent attack. Like other intrusion detection measures, there are no false positives with honey pots. For example, IDS products such as padded cells take a different approach. They wait for a traditional IDS to detect an attacker.
The attackers usually create a considerable number of false positives before attacking any system. This is because there is a likelihood that valid traffic will match the characteristics the IDS uses to detect attacks. With honey pots, all communications are suspect simply because the device is used only for attracting hackers. Thus, honey pots can detect more hackers than any other intrusion detection device. Observers and event trackers on the honey pot detect these unauthorized accesses and collect information about the attacker's activities. The purpose of the honey pot is to distract an attacker from accessing significant information, to collect information about the attacker's activity, and to encourage the attacker to remain on the system long enough for administrators to take action. This helps in identifying the active and passive vulnerabilities that attack the operating system, by recording the attacker's details. The details recorded are stored for a month, allowing the researcher enough time to probe into the hacker's details.

Requirements to create a honey pot

“Honey pots, an intrusion detection tool used as a target for hackers is usually deployed in a system, which can be either a Cisco router or Ethernet Switch or HP Jet direct card”, says Roger A. Grimes. To implement an early warning system, a honey pot needs to create an attractive information source on the port so that it is more flexible in trapping invaders. According to Roger A. Grimes, “to implement honey pot in Windows TCP ports 135, 137-139 and 445 and to implement in UNIX / LINUX host and RCP ports 22,111 are required.”

How to create a honey pot?

There are numerous ways to deploy a honey pot in a system. Lance Spitzner says, “an old system such as Windows XP without service pack or Red Hat 9.0 or SuSE 9.0 can be made use for this purpose where a copy of default OS can be installed.” Invaders can be easily trapped by such a setup, as it would look real and not like a honeyed system.
Though some people deploy honey pots in virtual machines, as this is quicker for gathering information, hackers may identify them. However, the best tool for tracking invaders is an open source honeyed system. This is a highly complicated but more effective method of intrusion detection. For effective monitoring, Sebek can be installed.

How to implement different honey pot tools?

Low-interaction honey pots can be deployed on a system running Windows 98 or 2000 in a short period. They act like a machine working for the back office of the company and offer bogus services such as sending e-mails in HTTP format and over FTP, IMAP or telnet. An example of a back office alert from a hacker:

    BO>host 11.11.11.1
    New host: 11.11.11.1.41256
    BO: 11.11.11.1>dir
    ———Packet received from 11.11.11.1 port 41256——
    Error 65: The network path was not found opening file c:*
    ———End of Data———-
    BO: 11.11.11.1>reboot
    ———-Packet received from 11.11.11.1 port 41256——–
    Naughty, naughty. Bad hacker! No donut!
    ———End of Data———-
    BO: 11.11.11.1>quit

(Source: Marcus J. Ranum, 2002)

In addition, spam honey pots can also be used for trapping invaders. Rather than using an automatic mailing system, the operating system can switch the delivery method to manual mode. Thus, all mail from the different sources arrives and the suspicious mail drops into spam mode. Hence, mail is only received and not replied to. Another honey pot tool is ‘Netcat’, which is used for gathering information from a port, e.g.

    nc -l -p 80 > capture.txt

“This honey pot tool arrests all the invasion to the port and sends them to the output file and is easily strapped up into a .BAT file.” (Marcus J. Ranum, 2002).

How do honey pots secure a system?

Honey pots, by their implementation, tend to track the IP address of the invader and gradually protect the network from invasion by the hacker from that IP address.
This is done by using many deception methods, such as making the invader wait a long time in the system, setting the window size to zero, etc. This is mainly done to baffle the hacker and to squander his time and resources. During this process, the network administrator is in a position to identify the hacker's movements and has time to stop the hacker or to respond to the hacker. “Unlike other intrusion detection methods honey pots do not spawn huge amounts of data but provide little data with high value and trap all new and strange attacks such as polymorphic shell code, work in encrypted and IPv6 environments”, says Roger A. Grimes. Honey pots also act as an exceptional event-reporting tool, since they can easily be taken offline for detailed study without affecting ongoing business activity.

Conclusions

A successful deployment of a honey pot acts as an impediment to the attacker reaching the actual information, and meanwhile provides information to the network administrator to defend against the attack and protect the system from damage. In addition, successful baiting provides the defender with information about the invader's activity, thus augmenting the security procedures, which include the firewall and the intrusion detection system. Honey pots have tremendous potential for the computer security community. Like any new technology, they have some challenges to overcome. Most likely, none of these problems will ever be completely solved or eliminated. “However, one can witness a lot of development on the subject within next 12 to 18 months as many new developments that help to address these and other issues are forthcoming”. (Piazza, P. 2001)

Bibliography

Lance Spitzner, 2002, “Honeypots-Tracking Hackers.”
Roger A. Grimes. 2005. “Honey pots for Windows”.
Piazza, P. (2003, December). A System for Bettor Security. Security Management, 47, 24+.
Sophos Reveals Latest ‘Dirty Dozen’ Spam Producing Countries. (2004, September 4). Manila Bulletin, p. NA.
Wible, B. (2003). A Site Where Hackers Are Welcome: Using Hack-In Contests to Shape Preferences and Deter Computer Crime. Yale Law Journal, 112(6), 1577+.
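
A Python analogue of the Netcat port capture described under “How to implement different honey pot tools?”, which also applies the essay's point that every connection to a honey pot is suspect. This is an added example, not code from the essay or its sources; the port 8080, the log file name capture.jsonl and the function names are assumptions.

```python
import json
import socket
import threading
from datetime import datetime, timezone


def record_connection(conn, peer, log_path, max_bytes=4096, timeout=2.0):
    """Capture what one client sends, log it, and never answer."""
    with conn:                       # socket is closed only after the event is logged
        conn.settimeout(timeout)
        try:
            data = conn.recv(max_bytes)
        except OSError:              # timeout or reset: a silent probe is still an event
            data = b""
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "bytes": len(data),
            # latin-1 maps every byte to one character; JSON escapes the rest
            "payload": data.decode("latin-1"),
        }
        with open(log_path, "a", encoding="utf-8") as log:
            log.write(json.dumps(event) + "\n")
    return event


def start_listener(host, port, log_path):
    """Bind the decoy port and log every connection; returns (server, thread)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, port))
    server.listen(16)

    def loop():
        while True:
            try:
                conn, peer = server.accept()
            except OSError:          # listening socket was closed
                return
            record_connection(conn, peer, log_path)

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return server, thread


if __name__ == "__main__":
    # Assumed defaults: an unprivileged port and a log file in the current directory.
    _, worker = start_listener("0.0.0.0", 8080, "capture.jsonl")
    worker.join()
```

Because no legitimate user has a reason to connect, each line in the log can be treated as an alert without any signature matching.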
