The level of involvement is one of the defining features of a honeypot; it measures how closely an attacker can interact with the operating system.
A low-involvement honeypot commonly provides certain fake services [Spi01]; in the simplest case these are implemented by merely listening on a specific port. Complex protocol interaction is not possible with such a simple solution. An SMTP handshake, for example, yields little useful information because there is no service that answers.
A low-involvement honeypot offers no real operating system for the attacker to operate on, which minimizes the risk because none of the complexity of an operating system is exposed. The drawback is that it is not possible to watch an attacker interacting with an operating system. The role of a low-involvement honeypot is very passive; it resembles a one-way connection where we can only listen but never ask questions ourselves.
Figure 5.1: Low-involvement honeypot: A low-involvement honeypot reduces risk to a minimum by minimizing interaction with the attacker
A low-involvement honeypot is comparable to a passive IDS: neither alters any traffic nor interacts with the attacker or the traffic flow. Incoming packets that match their patterns are used to generate logs and alerts.
5.1.2 Mid-involvement Honeypot
A mid-involvement honeypot provides more interaction but still does not provide a real operating system. The emulated daemons are more sophisticated and have a deeper understanding of the particular services they offer. The risk increases accordingly: as the complexity of the honeypot grows, so does the probability that an attacker finds a security hole or vulnerability. Since there are no limitations on the security and logging mechanisms built in for such events, a compromise of this system is still unlikely and certainly not a goal.
At this higher level of interaction, more complex attacks become possible and can be logged and analyzed. Generally, the attacker has more opportunities to interact with and probe the system and gets a much better illusion of a real operating system.
Developing a mid-involvement honeypot is sophisticated and time-consuming, and special care has to be taken with security, as all developed fake daemons must be as secure as possible. The developed versions must be more secure than their real counterparts, because this is the main reason for replacing the real services with fake variants. Since each protocol and service must be understood in detail, the knowledge needed to build such a system is very high.
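As an added illustration of the mid-involvement idea described above (example code, not taken from the original text): a fake SMTP daemon that answers the envelope commands and logs the whole dialogue but refuses message bodies, in contrast to a low-involvement listener that would only record that the port was touched. The hostname, class and function names are this example's own assumptions.

```python
"""Added example: a mid-involvement honeypot daemon faking an SMTP dialogue.
A low-involvement listener would only note that port 25 was touched; this
emulated daemon answers a few commands so HELO/MAIL/RCPT requests are captured,
while never accepting a message body. Names and hostname are constructed."""
import socket
import time
from typing import List, Tuple

BANNER = "220 mail.example.invalid ESMTP ready\r\n"   # constructed banner


class FakeSmtpSession:
    """State machine for one SMTP conversation; every line is logged."""
    def __init__(self, peer: str):
        self.peer = peer
        self.log: List[Tuple[float, str, str]] = []   # (time, inbound, reply)
        self.closed = False

    def respond(self, line: str) -> str:
        cmd = line.strip().split(" ", 1)[0].upper()
        if cmd in ("HELO", "EHLO"):
            reply = "250 mail.example.invalid\r\n"
        elif cmd in ("MAIL", "RCPT"):
            reply = "250 OK\r\n"                     # capture envelope addresses
        elif cmd == "DATA":
            reply = "554 Transaction failed\r\n"     # never relay or store mail
        elif cmd == "QUIT":
            reply = "221 Bye\r\n"
            self.closed = True
        else:
            reply = "500 Command unrecognized\r\n"
        self.log.append((time.time(), line.strip(), reply.strip()))
        return reply


def serve_connection(conn: socket.socket, session: FakeSmtpSession,
                     max_lines: int = 50) -> FakeSmtpSession:
    """Drive one accepted connection: banner, then command/reply until QUIT."""
    conn.sendall(BANNER.encode())
    buf = b""
    while not session.closed and len(session.log) < max_lines:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
        while b"\n" in buf and not session.closed:
            raw, buf = buf.split(b"\n", 1)
            conn.sendall(session.respond(raw.decode("latin-1")).encode())
    conn.close()
    return session
```

The session object keeps the captured dialogue, so the logs can be shipped off the honeypot rather than kept on it.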
Figure 5.2: Mid-involvement honeypot: A mid-involvement honeypot interacts with the user in a minimal way
5.1.3 High-involvement Honeypot
A high-involvement honeypot includes a real operating system. This leads to a much higher risk as the complexity increases, but at the same time the possibilities for gathering information, the range of possible attacks and the attractiveness to attackers increase considerably. One goal of a hacker is to gain root and to have a shell available, connected to the Internet 24/7. A high-involvement honeypot offers exactly this environment. Once a hacker gains access, his real work, and the interesting part for the observer, begins.
To gain this level of freedom the attacker must compromise the system, after which he has root rights and can do anything at any time on the compromised system. Per se, such a system is not secure, and not even the whole machine can be regarded as secure. It does not matter whether he is in a sandbox, in a jail or in a VMware virtual machine, as there may be ways to escape these software restrictions.
Figure 5.3: High-involvement honeypot: A high-involvement honeypot carries great risk as the attacker can compromise the machine and use all its resources.
This type of honeypot is very time-consuming and the system should be kept under observation almost all of the time. A honeypot that is not under control is of little help and can become a danger or security hole itself. Since blackhats can use the honeypot just like any other compromised system, it is very important to limit the honeypot's access to the local intranet. Limiting outbound traffic is also an important point to consider, as it reduces the danger once the system is fully compromised.
If a complete operating system is provided to the attacker, he can upload and install new software. This is where a high-involvement honeypot shows its strength, as all actions can be recorded and analyzed. Gathering new information about the blackhat community is one of the main goals of any high-involvement honeypot and justifies the higher risk.
5.1.4 Overview
Each level of involvement has benefits and drawbacks.
Table 5.1: Summary of each level of involvement: advantages and disadvantages
The risk is kept as low as possible by choosing the honeypot with the lowest feasible level of involvement. When choosing a honeypot and its level of involvement, the required maintenance time must also be considered. Honeynets are another possible honeypot architecture.
5.2 HONEYNETS & NETWORK TOPOLOGIES
This section discusses the placement of honeypots in a network and a special, more complex arrangement of honeypots called a honeynet.
5.2.1 Honeypot Location
A honeypot does not require a specific environment, as it is a standard server with no special needs. A honeypot can be placed anywhere a server could be placed, but some locations are better suited to certain techniques than others.
Depending on the service required, a honeypot can be used on the Internet as well as on the intranet. If the detection of attackers within a private network is desired, placing the honeypot on the intranet is the better choice. Since such a system can be compromised without immediate notice, it is important to grant a honeypot as little internal trust as possible.
A honeypot can be positioned at two locations relative to the Internet:
· In front of the firewall
· Behind the firewall (intranet)
Each strategy has advantages and disadvantages. Since placing a server in front of the firewall is sometimes very difficult or undesired, it may not be possible to choose freely.
Positioning the honeypot in front of the firewall does not increase the risk for the internal network; the danger of having a compromised system behind the firewall is eliminated. A compromised system inside the perimeter is a problem especially if no additional firewalls protect internal resources or if IP addresses are used for authentication.
A honeypot will attract and generate a lot of unwanted traffic such as portscans or attack patterns. By placing the honeypot outside the firewall, such events are not logged by the firewall and an internal IDS will not generate alerts. Otherwise, a lot of alerts would be generated on the firewall or IDS.
The biggest advantage is that the firewall, the IDS and all other resources need not be adjusted, as the honeypot is outside the firewall and is viewed as any other machine on the external network. A honeypot placed there therefore neither increases the risk for the internal network nor introduces new risks.
If the honeypot is placed in front of the firewall, internal attackers cannot be located or trapped as easily, particularly if the firewall restricts outbound traffic and therefore limits the traffic reaching the honeypot.
A honeypot behind the firewall can introduce new security risks to the internal network, in particular if the internal network is not secured against the honeypot through additional firewalls.
A honeypot provides a great number of services; most of them are not exported to the Internet and are blocked by the firewall. Placing the honeypot behind the firewall makes it inevitable to adapt the firewall rules as well as the IDS signatures, since one probably does not want an alert every time the honeypot is attacked or scanned.
The biggest problem arises if an internal honeypot is compromised by an external attacker. He may then access the internal network through the honeypot. This traffic will not be stopped by the firewall, as it is regarded as traffic to the honeypot only, which is permitted. Securing an internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot.
The main reason for placing a honeypot behind the firewall is to detect internal attackers. An internal honeypot also makes it possible to discover a misconfigured firewall.
Sometimes it is not possible to place a honeypot in front of the firewall because no external IP addresses are available or no access to the network in front of the firewall is possible.
5.2.2 Honeynets
A honeypot can be a single machine running multiple virtual operating systems. As the traffic flows directly onto the network, outbound traffic cannot be controlled. A preceding firewall can be used to limit outbound traffic. Such a complex environment is called a honeynet. A typical honeynet consists of multiple honeypots and a firewall (or firewalling bridge) to limit and log network traffic. An IDS can be used on the preceding system to watch for potential attacks and to decode and store network traffic.
Figure 5.5: Various kinds of honeypot topologies: Simple honeypot, honeynet and a
If a firewall is placed in front of a honeypot (or multiple honeypots), the risk posed by the honeypot can be reduced. Both inbound and outbound connections can be controlled, which makes it possible to control the network flow. Logging of network traffic is easy, as it can be done at one centralized location for all honeypots. The captured data need not be stored on the honeypot itself, which eliminates the risk of the attacker detecting it.
Introducing new machines in front of the honeypot requires more hardware. A single-machine solution is also conceivable: by using virtualization software, multiple virtual systems can be set up on one physical machine. With this approach a firewall can be placed on the same machine as all the virtual honeypots, but the security of this solution is not as good as with separate physical machines. If the honeynet is a virtual environment, the attacker might be able to break out of the virtual machine and compromise the whole system. Placing a bridge with firewall capabilities in front of a honeypot is safe, as the attacker cannot see the bridge. Since the bridge has no IP address it cannot be attacked and therefore offers no point of attack.
Introducing additional hardware increases the complexity of the environment. To provide the best security, networking and the associated tools must be well understood.
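As an added example (not part of the original text) of the data-control role the firewall or bridge plays in the honeynet described above, and of the pivot risk of an internal honeypot from 5.2.1: a small first-match rule chain, in the style of a firewall's FORWARD chain, that logs and permits traffic to the honeypot, blocks the honeypot from reaching the intranet, and caps its new outbound connections. Addresses, ranges and the limit are constructed values.

```python
"""Added example: first-match rule chain for a firewalling bridge in front of
a honeynet. Everything aimed at the honeypot is logged and allowed, the
honeypot may never reach the intranet, and its own new outbound connections
are capped so a compromised honeypot cannot be used freely against others."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

HONEYPOT = ip_network("203.0.113.10/32")   # constructed honeypot address
INTRANET = ip_network("10.0.0.0/8")        # constructed internal range
ANY = ip_network("0.0.0.0/0")
OUTBOUND_LIMIT = 3                         # constructed cap on new outbound connections

@dataclass
class Rule:
    src: IPv4Network             # network the source must fall in
    dst: IPv4Network             # network the destination must fall in
    action: str                  # "LOG" (non-terminating), "ACCEPT" or "DROP"
    limit: Optional[int] = None  # cap on matches, like a rate-limit match

@dataclass
class Chain:
    rules: List[Rule]
    hits: Dict[int, int] = field(default_factory=dict)   # rule index -> matches
    log: List[str] = field(default_factory=list)

    def verdict(self, src: str, dst: str, dport: int) -> str:
        s, d = ip_address(src), ip_address(dst)
        for i, rule in enumerate(self.rules):
            if s not in rule.src or d not in rule.dst:
                continue
            self.hits[i] = self.hits.get(i, 0) + 1
            if rule.limit is not None and self.hits[i] > rule.limit:
                continue                     # over the cap: treat as no match
            if rule.action == "LOG":
                self.log.append(f"HONEYNET {src} -> {dst}:{dport}")
                continue                     # LOG never ends evaluation
            return rule.action
        return "DROP"                        # default policy of the chain

def honeynet_chain() -> Chain:
    """Order matters: log, allow inbound, block intranet, then cap outbound."""
    return Chain([
        Rule(ANY, HONEYPOT, "LOG"),
        Rule(ANY, HONEYPOT, "ACCEPT"),
        Rule(HONEYPOT, INTRANET, "DROP"),
        Rule(HONEYPOT, ANY, "ACCEPT", limit=OUTBOUND_LIMIT),
    ])
```

Because the log lives in the chain object on the bridge rather than on the honeypot, the captured record survives a full compromise of the honeypot.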