Level of involvement is one of the characteristics of a honeypot; it measures the degree of interaction the attacker can have with the operating system.
Commonly a low-involvement honeypot provides certain fake services [Spi01], and these services are implemented simply by listening on a specific port. Communication over complex protocols cannot be captured with such a simple solution: an SMTP handshake will not give much useful information because there is no answering service listening.
On a low-involvement honeypot there is no real operating system on which the attacker can operate. This minimizes the risk, since there is no operating-system complexity to exploit, but it is also a disadvantage, as it is not possible to watch an attacker interacting with the operating system. The role of a low-involvement honeypot is very passive: it is like a one-way connection in which we only listen and never ask questions ourselves.
Figure 5.1: Low-involvement honeypot: A low-involvement honeypot reduces risk to a minimum by minimizing interaction with the attacker.
A low-involvement honeypot and a passive IDS are comparable, as neither system alters any traffic or interacts with the attacker or the traffic flow. Incoming packets that match their patterns are used to create logs and alerts.
5.1.2 Mid-involvement Honeypot
A mid-involvement honeypot provides more interaction, but still does not provide a real operating system. The fake daemons have deeper knowledge about the particular services they provide and are more complicated, and the risk increases accordingly: as the complexity of the honeypot grows, the probability that the attacker finds a security hole or vulnerability grows with it. Because the security and logging mechanisms are built for exactly this kind of event, a compromise of the system is still unlikely and is certainly not a goal.
At this higher level of interaction, more complex attacks are possible and can be logged and analyzed. In general, the attacker has more possibilities to interact with and probe the system, and gets a better illusion of a real operating system.
Developing a mid-involvement honeypot is complex and time consuming, and special care must be taken in checking security, since every fake daemon developed must be as secure as possible. The developed versions must be more secure than their real counterparts, because that is the main reason for substituting the real services with fake variants. As each protocol and service must be understood in detail, the knowledge required to develop such a system is very high.
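As an added example (not code from the original essay or its cited sources), the following Python contrasts the two designs described above: a low-involvement handler that only listens on the port and logs what arrives, and a mid-involvement fake SMTP daemon that answers the handshake but has no mail system behind it. The banner hostname and the port are assumptions.

```python
import socket

SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"  # constructed hostname

def low_involvement(session, data):
    """Low involvement: log what arrived, never answer; an SMTP client gives up."""
    session["log"].append(("recv", data))
    return b""

def mid_involvement_smtp(session, data):
    """Mid involvement: fake SMTP daemon that speaks the handshake but delivers nothing."""
    session["log"].append(("recv", data))
    if session["in_data"]:                      # inside a DATA body: swallow it
        if data.strip() == b".":
            session["in_data"] = False
            return b"250 message discarded\r\n"
        return b""
    verb = data.strip().upper().split(b" ", 1)[0]
    if verb in (b"HELO", b"EHLO"):
        session["helo"] = True
        return b"250 mail.example.test\r\n"
    if not session["helo"]:
        return b"503 send HELO first\r\n"
    if verb in (b"MAIL", b"RCPT"):
        return b"250 OK\r\n"
    if verb == b"DATA":
        session["in_data"] = True
        return b"354 End data with <CR><LF>.<CR><LF>\r\n"
    if verb == b"QUIT":
        return b"221 Bye\r\n"
    return b"500 command not recognized\r\n"

def serve_once(handler, banner=b"", host="127.0.0.1", port=2525):
    """Accept one TCP connection, feed each line to `handler`, return the session."""
    with socket.socket() as srv:
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        session = {"peer": peer, "log": [], "helo": False, "in_data": False}
        with conn, conn.makefile("rb") as lines:
            if banner:
                conn.sendall(banner)
            for line in lines:
                reply = handler(session, line)
                if reply:
                    conn.sendall(reply)
                if reply.startswith(b"221"):
                    break
    return session
```

`serve_once(mid_involvement_smtp, SMTP_BANNER)` records a full handshake from any SMTP client, while `serve_once(low_involvement)` records only the connection and whatever the client sends before giving up.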
Figure 5.2: Mid-involvement honeypot: A mid-involvement honeypot interacts with the user in a minimal way.
5.1.3 High-involvement Honeypot
A high-involvement honeypot consists of a real operating system. This leads to a much higher risk as the complexity increases, but at the same time the possibilities for gathering information, the possible attacks and the attractiveness all increase a lot. One goal of a hacker is to gain root and to have access to a shell connected to the Internet 24/7; such an environment is exactly what a high-involvement honeypot offers. As soon as the hacker gains access, his real work, and the interesting part, begins.
To get this level of freedom the attacker has to compromise the system; he then has root rights on the system and can do anything at any time on the compromised system. Per se, this system is not secure, and even the whole machine cannot be considered secure. It does not matter whether he is in a sandbox, in a jail or in a VMware box, as there can be ways to get out of these software boundaries.
Figure 5.3: High-involvement honeypot: A high-involvement honeypot has great risk as the attacker can compromise the system and use all its resources.
This type of honeypot is very time consuming, and the system should be kept under observation most of the time. A honeypot that is not under control is not of much help and can become a danger or a security hole itself. As the honeypot can be used by blackhats as if it were a real compromised system, it is very important to limit a honeypot's access to the local intranet. Limiting outbound traffic is also an important point to consider, as it reduces the danger once a system is fully compromised.
If a full operating system is provided to the attacker, he can upload and install new files. Here a high-involvement honeypot can show its strength, as all actions can be recorded and analyzed. One of the main goals of a high-involvement honeypot is to gather new information about the blackhat community, and this justifies the higher risk.
There are advantages and disadvantages of each level of involvement.
Table 5.1: Overview of the advantages and disadvantages of each level of involvement
The danger is reduced as much as possible by choosing the honeypot with the lowest possible risk. When choosing a honeypot and its level of involvement, the required maintenance time must also be considered. Honeynets are another possible honeypot architecture.
5.2 HONEYNETS & NETWORK TOPOLOGIES
This section discusses the placement of honeypots in a network, and a special, more complex arrangement of honeypots known as a honeynet.
5.2.1 Honeypot Location
A honeypot does not require a specific environment to live in: it is a standard server with no special needs. A honeypot can be placed anywhere a server can be placed, but some places are better for some approaches than others.
Depending on the service required, a honeypot can be used on the Internet as well as on the intranet. If the goal is to detect bad guys in a private network, it is better to place the honeypot on the intranet. Since this system can easily be compromised without immediate knowledge, it is important to keep the internal trust placed in a honeypot as low as possible.
With the Internet as the main concern, a honeypot can be placed at two locations:
· In front of the firewall
· Behind the firewall (intranet)
Each approach has advantages and disadvantages. Sometimes it is not even possible to choose freely, because placing a server in front of a firewall is simply not possible or not wished.
In Front of the Firewall
The risk for the internal network does not increase by placing the honeypot in front of a firewall; the danger of having a compromised system behind the firewall is eliminated. This can be a problem if no additional firewalls are used to shield some resources, or if the IP address is used for authentication.
A honeypot will attract and generate a lot of unwished traffic such as portscans or attack patterns. By placing the honeypot outside the firewall, such events are not logged by the firewall and an internal IDS will not generate alerts; otherwise a lot of alerts would be generated on the firewall or IDS.
The biggest advantage is that the firewall, the IDS and any other resources need not be adjusted, as the honeypot is outside the firewall and is viewed as any other machine on the external network. Therefore a running honeypot neither increases the risk to the internal network nor introduces new risks.
If the honeypot is placed in front of the firewall, internal attackers cannot be located or trapped that easily, particularly if the firewall limits outbound traffic and therefore limits the traffic to the honeypot.
Behind the Firewall
A honeypot behind the firewall can introduce new security risks to the internal network, in particular if the internal network is not secured against the honeypot through additional firewalls.
A honeypot provides a lot of services; most of them are not used as exported services to the Internet and are therefore blocked by the firewall. Placing the honeypot behind the firewall makes it inevitable to adjust the firewall rules and also the IDS signatures, as it may be wished not to generate an alert every time the honeypot is attacked or scanned.
The biggest problem arises if an internal honeypot is compromised by an external attacker. He can then access the internal network through the honeypot. This traffic will not be stopped by the firewall, as it is regarded as traffic to the honeypot only, which is granted. Securing an internal honeypot is therefore mandatory, in particular if it is a high-involvement honeypot.
The main reason for placing a honeypot behind a firewall is to detect internal attackers. An internal honeypot also makes it possible to detect a misconfigured firewall.
Sometimes it is not possible to place a honeypot in front of a firewall, because no external IPs are available or access to the network in front of the firewall is not possible.
A honeypot can be a single machine running multiple virtual operating systems. As the traffic goes directly onto the network, it is not possible to control the outbound traffic; a preliminary firewall can be used to limit it. Such a complex environment is a honeynet. A typical honeynet contains multiple honeypots and a firewall (or firewalled bridge) to limit and log network traffic. An IDS can be used on the preliminary system to watch for potential attacks and to decode and store network traffic.
Figure 5.5: Different types of honeypot topologies: Simple honeypot, honeynet and a
If a firewall is placed in front of a honeypot (or multiple honeypots), the risk based on the honeypot can be reduced. Both inbound and outbound connections can be controlled, so the network flow is under control. Logging of network traffic is very easy, as it can be done at one centralized location for all honeypots. The captured data need not be placed on the honeypot itself, so the risk of an attacker detecting this data is eliminated.
Introducing new machines in addition to the honeypot itself requires more hardware. A single-machine solution is also conceivable: with virtualization software it is possible to set up multiple virtual systems on one physical machine. With this approach a firewall can be placed on the same machine as all the virtual honeypots, but the security of this solution is not as good as with separate physical machines: if the honeynet is a virtual environment, the attacker could break out of the virtual machine and compromise the host system. Placing a bridge with firewall capabilities in front of a honeypot is safe, as the attacker cannot see the bridge. As the bridge has no IP address it cannot be attacked, and therefore no attack point exists.
Introducing additional hardware raises the complexity of the environment. Networking and the associated tools must be understood in order to provide the best security.
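As an added illustration of the honeynet gateway policy described above (not code from the original essay), the following Python models the decision logic of a firewalled bridge in front of a honeynet: inbound connections to the honeypots are allowed and logged centrally, outbound connections from a honeypot into the intranet are dropped, and other outbound connections are rate limited so a compromised honeypot cannot be used as an attack base. The address ranges, limit, window and sample events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed addresses: the honeynet and intranet ranges are assumptions.
HONEYNET = ipaddress.ip_network("192.0.2.0/28")
INTRANET = ipaddress.ip_network("10.0.0.0/8")
OUTBOUND_LIMIT = 5          # outbound connections per honeypot per window
WINDOW = 3600               # seconds

class HoneynetGateway:
    """Decision logic for the bridge/firewall in front of a honeynet: inbound
    traffic to the honeypots is allowed and logged; outbound traffic from a
    honeypot never reaches the intranet and is rate-limited elsewhere."""
    def __init__(self):
        self.outbound = defaultdict(list)   # honeypot address -> timestamps
        self.log = []                       # centralized log for all honeypots

    def decide(self, ts, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst in HONEYNET and src not in HONEYNET:
            verdict = "allow-inbound"
        elif src in HONEYNET and dst in INTRANET:
            verdict = "drop-intranet"
        elif src in HONEYNET:
            recent = [t for t in self.outbound[src] if ts - t < WINDOW]
            if len(recent) < OUTBOUND_LIMIT:
                recent.append(ts)
                verdict = "allow-outbound"
            else:
                verdict = "drop-ratelimit"
            self.outbound[src] = recent
        else:
            verdict = "drop-unrelated"
        self.log.append((ts, str(src), str(dst), verdict))
        return verdict

def replay(gateway, events):
    """Feed (ts, src, dst) events through the gateway; return verdict counts."""
    counts = defaultdict(int)
    for ev in events:
        counts[gateway.decide(*ev)] += 1
    return dict(counts)

# Constructed sample: one inbound scan, then a compromised honeypot trying to
# pivot into the intranet and to open many connections to the Internet.
SAMPLE_EVENTS = [(0, "203.0.113.7", "192.0.2.5")] + \
    [(60 * i, "192.0.2.5", "10.1.1.1") for i in range(2)] + \
    [(100 + i, "192.0.2.5", "198.51.100.9") for i in range(7)]
```

`replay(HoneynetGateway(), SAMPLE_EVENTS)` shows the intranet attempts dropped outright and only the first five Internet-bound connections within the window allowed.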