What is a honeypot?
Honeypots are systems used to gather information about the activity of attackers or intruders on a system. A honeypot acts like a trap: it records how an intruder approaches and enters the system, how they behave once inside, and stores this data in its database (here "database" means a storage area, not a collection of data records).
What makes a honeypot?
Building a honeypot requires a PC, preferably with a UNIX-based operating system, and a sniffer tool. (A sniffer tool provides the capability of seeing the traffic passing between the firewall and the honeypot.)
Where can honeypots be placed?
Honeypots can be placed anywhere in the system. They may be placed outside the DMZ, inside the DMZ, or even on the internal network.
Honeypots are an additional security system. Honeypots differ from firewalls in that honeypots do not filter the traffic passing through them, and they differ from intrusion detection systems (IDSs) in that honeypots are not 'alarm-borne' devices that react to predetermined threats.
Honeypots are used only to collect the abnormal behavior of an individual and to record that behavior when it matches the general behavior of a predetermined attacker.
The actual placement of a honeypot may vary depending on the requirement or the service expected from it. For a number of reasons, many companies use several honeypots (within the internal network, outside the DMZ, or within the DMZ).
The placement of a honeypot, as in the case of firewalls and IDSs, is important. For example, a honeypot that is established within a DMZ would not record the abnormal behavior of an individual or of traffic directed towards a network before that traffic reaches the DMZ. Therefore, the malicious behavior of an attacker attempting to attack the DMZ itself cannot be recorded.
On the other hand, if honeypots are placed outside the DMZ (both in front of the DMZ and within the internal network), the behavior of an attacker both before the DMZ and within the internal network can be recorded.
What are the goals behind setting up a honeypot?
Any honeypot (regardless of its position within a network) is expected to serve two main goals:
1. To record and learn how an intruder/attacker may penetrate a system.
2. Gather forensic information for the prosecution of intruders.
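As an added example (not from the original post), the following Python script is a minimal low-interaction TCP honeypot that does what the two goals above describe: it answers any connection with a fake service banner, captures the first bytes the client sends, and stores each approach as a timestamped record in a JSON-lines file (the "storage area"). The `top_sources` helper then summarizes who approached the honeypot, which is the first thing an analyst wants from the recorded data. Port, banner text and file path are assumptions chosen for the example; `probe` is a local self-test client used only to connect to your own listener.

```python
"""Minimal low-interaction honeypot listener (added example, not the post's code)."""
import json
import socket
import threading
import time
from collections import Counter
from dataclasses import asdict, dataclass


@dataclass
class Event:
    """One recorded approach to the honeypot: the forensic record we keep."""
    ts: float          # UNIX timestamp of the connection
    src_ip: str        # who connected
    src_port: int
    dst_port: int      # which honeypot port was approached
    first_bytes: str   # hex of what the client sent first (may be empty)


class EventStore:
    """Append-only event list, optionally mirrored to a JSON-lines file."""

    def __init__(self, path=None):
        self.path = path        # assumed path; None keeps records in memory only
        self.events = []
        self._lock = threading.Lock()

    def add(self, event):
        with self._lock:
            self.events.append(event)
            if self.path:
                with open(self.path, "a", encoding="utf-8") as fh:
                    fh.write(json.dumps(asdict(event)) + "\n")


def make_event(addr, dst_port, data, ts=None):
    """Build the record for one connection; ts is injectable for testing."""
    return Event(ts=time.time() if ts is None else ts, src_ip=addr[0],
                 src_port=addr[1], dst_port=dst_port, first_bytes=data.hex())


def handle_client(conn, addr, dst_port, store, banner=b"220 ftp ready\r\n"):
    """Send a fake banner, capture the client's first bytes, record, close."""
    try:
        conn.settimeout(2.0)
        conn.sendall(banner)           # assumed banner; the honeypot offers nothing real
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""                 # silent scanner: still worth recording
        store.add(make_event(addr, dst_port, data))
    finally:
        conn.close()


def serve(store, host="127.0.0.1", port=0, max_conns=None):
    """Start the listener in a background thread; return (thread, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))             # port 0 lets the OS pick a free port
    srv.listen(5)
    bound_port = srv.getsockname()[1]

    def loop():
        served = 0
        while max_conns is None or served < max_conns:
            conn, addr = srv.accept()
            handle_client(conn, addr, bound_port, store)
            served += 1
        srv.close()

    th = threading.Thread(target=loop, daemon=True)
    th.start()
    return th, bound_port


def probe(port, payload, host="127.0.0.1"):
    """Self-test client: connect to our own honeypot and return its banner."""
    with socket.create_connection((host, port), timeout=3) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


def top_sources(events, n=5):
    """Count approaches per source IP, most frequent first."""
    return Counter(ev.src_ip for ev in events).most_common(n)


if __name__ == "__main__":
    store = EventStore("honeypot_events.jsonl")   # assumed output file
    thread, port = serve(store, max_conns=1)
    print("banner:", probe(port, b"USER anonymous\r\n"))   # constructed sample approach
    thread.join(5)
    for ev in store.events:
        print(asdict(ev))
    print("top sources:", top_sources(store.events))
```

Because the listener never runs a real FTP service, every connection it records is by definition abnormal traffic, which is exactly why a honeypot's records are easy to analyze compared with a firewall or IDS log.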
Honeynets
Two or more honeypots make a honeynet. A honeynet is used for monitoring a large network where a single honeypot may not be able to meet the goals expected of it.
To efficiently centralize a honeynet and the analysis tools, a honeyfarm is used.
Figure: A honeypot placed within the DMZ