Honeypots are an information system resource whose value lies in the unauthorized or illicit use of that resource.
In other words: “A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, these are used to learn about an intruder’s techniques as well as determine vulnerabilities in the real system.”
Before proceeding further, the first thing is to understand what honeypots actually are. To be frank, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in online credit card fraud. That flexibility is where honeypots have their strength.
The basic consideration is that honeypots record all actions and interactions with users. Since they do not provide any legitimate services, all activity is unauthorized (and possibly malicious).
Honeypots come in many forms and can be classified by their deployment and by their level of interaction.
Based on deployment, honeypots may be classified as:
Production honeypots
These are easy to use, capture only limited information, and are used primarily by companies or corporations. An organization places production honeypots inside the production network alongside other production servers to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy; they give less information about attacks or attackers than research honeypots do.
Research honeypots
They are run to gather information about the motives and tactics of the blackhat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Based on design criteria, honeypots can be classified as:
Low-interaction honeypots
These simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, which reduces the complexity of securing the virtual systems.
Low-interaction honeypots present the attacker with emulated services offering a limited subset of the functionality they would expect from a real server, with the intent of detecting sources of unauthorized activity. For example, the HTTP service on a low-interaction honeypot would support only the commands needed to identify that a known exploit is being attempted. Some authors classify a third category, medium-interaction honeypots, as providing more interaction than low-interaction honeypots but less than high-interaction systems. Such a honeypot might implement the HTTP protocol more fully to emulate a well-known vendor’s implementation, such as Apache. However, there are no implementations of medium-interaction honeypots, and for the purposes of this paper the definition of low-interaction honeypots also covers medium-interaction honeypots, in that both provide only a partial implementation of services and do not allow the typical, full interaction with the system that high-interaction honeypots do.
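To make the low-interaction idea concrete, here is an added toy HTTP honeypot (example code written for this article, not part of the original text or of any honeypot project). It emulates only GET and HEAD for "/", answers everything else with a 404, tags paths that contain directory-traversal spellings, and emits one JSON log line per connection, because none of the traffic it sees is legitimate. The Apache banner string, the port and the traversal markers are constructed values.

```python
import json
import socket
import time

# Emulated subset: GET/HEAD for "/" gets a canned page; all else gets a 404.
BANNER = "Apache/2.4.41 (Ubuntu)"  # constructed banner string, not a real host
PAGE = b"<html><body><h1>It works!</h1></body></html>"
TRAVERSAL = ("../", "..\\", "%2e%2e")  # constructed markers used for tagging

def parse_request_line(raw):
    """Return (method, target, version) or None if the data is not HTTP."""
    parts = (raw.splitlines() or [b""])[0].decode("latin-1", "replace").split(" ")
    return tuple(parts) if len(parts) == 3 and parts[2].startswith("HTTP/") else None

def handle_request(raw, peer):
    """Emulate the minimal service; return (response_bytes, log_record)."""
    record = {"ts": time.time(), "peer": peer, "bytes": len(raw), "flags": []}
    parsed = parse_request_line(raw)
    if parsed is None:  # garbage, TLS hello or another protocol's probe
        record["flags"].append("non-http")
        return b"", record
    method, target, _ = parsed
    record.update(method=method, target=target)
    if any(m in target.lower() for m in TRAVERSAL):
        record["flags"].append("traversal-marker")
    if method in ("GET", "HEAD") and target == "/":
        status, body = "200 OK", (PAGE if method == "GET" else b"")
    else:  # outside the emulated subset: fake a 404 and tag the request
        status, body = "404 Not Found", b""
        record["flags"].append("outside-subset")
    head = (f"HTTP/1.1 {status}\r\nServer: {BANNER}\r\nContent-Length: "
            f"{len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body, record

def serve(port=8080):
    # Stand-alone listener: one JSON log line per connection on stdout.
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn:
                conn.settimeout(3)  # silent peers are logged, then dropped
                try:
                    raw = conn.recv(4096)
                except socket.timeout:
                    raw = b""
                resp, rec = handle_request(raw, f"{addr[0]}:{addr[1]}")
                print(json.dumps(rec))
                conn.sendall(resp)

if __name__ == "__main__":
    serve()
```

Every record, including the non-HTTP ones, is worth keeping: on a honeypot the absence of legitimate users is what turns a plain access log into an alert stream.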
High-interaction honeypots
These imitate the activities of real systems that host a variety of services. They let the attacker interact with the system as they would with any regular operating system, with the goal of capturing the maximum amount of information on the attacker’s techniques. Any command or application an end user would expect to be installed is available, and generally there is little to no restriction placed on what the attacker can do once they compromise the system. According to recent research in high-interaction honeypot technology, by employing virtual machines multiple honeypots can be hosted on a single physical machine, so even if a honeypot is compromised it can be restored more quickly. Although high-interaction honeypots provide more security by being difficult to detect, their main drawback is that they are costly to maintain. If virtual machines are not available, one honeypot must be maintained per physical computer, which also increases cost. Example: Honeynet.
Summarized difference between low-interaction and high-interaction honeypots (drawn from the descriptions above):

| Low-interaction | High-interaction |
| --- | --- |
| Emulates only a limited subset of frequently requested services | Imitates real systems hosting a variety of services |
| Consumes few resources; easy to deploy | Costly to maintain; one per physical machine without virtualization |
| Captures only limited information | Captures the maximum amount of information on attacker techniques |
| Attacker interaction restricted to the emulated commands | Little to no restriction on what the attacker can do |
| Typical of production honeypots | Difficult to detect; example: Honeynet |
Advantages of honeypots
They provide several advantages over other security solutions, including network intrusion detection systems:
Disadvantages of honeypots:
Every technology we use may have a wide range of advantages, but it also has disadvantages. Honeypots have the following weaknesses:
Which are some open source honeypots?