Understanding Use Of Honeypots In Network Security

In my previous articles, I talked about some of the facts you need to know about firewall implementation in network security. In this article, I want to look at some of the facts you need to know about the use of honeypots in network security. Follow me as we look at that together.

Honeypots in network security

A honeypot is a single machine set up to simulate a valuable server or an entire subnetwork. The idea is to make it so attractive that if a hacker breaches the network's security, he or she is drawn to the honeypot rather than to the real systems.

The honeypot software closely monitors everything that happens on that system, which enables tracking and possibly identification of the intruder.

The underlying premise of the honeypot is that any traffic to that machine is considered suspicious. Because the honeypot is not a real production machine, no legitimate user has any reason to connect to it, so anyone attempting to connect to it should be treated as a potential intruder.

The honeypot is designed to entice the hacker into staying connected long enough for the defender to work out where he is coming from.

Use of Specter

Specter is a honeypot software solution. It consists of a dedicated PC with the Specter software running on it. The Specter software can emulate internet protocols and services such as HTTP, HTTPS, FTP, POP3, SMTP and others, so the machine appears to be a fully functioning server.

The software was designed to run on Windows 2000 and XP, but it also runs on later versions of Windows. It can simulate AIX, Solaris, Unix, Linux and Mac OS hosts.

Specter works by appearing to run a number of services commonly found on network servers. In addition to simulating operating systems, it can also simulate the following services:

  • SMTP
  • FTP
  • TELNET
  • FINGER
  • POP3
  • IMAP4
  • HTTP
  • SSH
  • DNS

Even though Specter appears to be running these services, it is actually monitoring all incoming traffic. Because it is not a real server on your network, no legitimate user should be connecting to it. Specter logs all traffic to the server for analysis. Users can set it up in one of five modes:

Open: In this mode the system behaves like a badly configured server in terms of security. The downside of this mode is that you are likely to attract and catch only the least skillful hackers.

Secure: In this mode the system behaves more like a properly secured server.

Failing: What happens in this mode is quite interesting. The system behaves like a working server with various hardware and software problems. This may attract hackers because such problems are likely to open up vulnerabilities.

Strange: In this mode the system behaves in an unpredictable way. This sort of behaviour can attract a more talented hacker and cause him to stay online longer trying to figure out what is happening. The longer the hacker stays, the better the chances of tracing him.

Aggressive: This mode is more aggressive, as it tries to trace the intruder back to his origin and establish his identity. This mode is useful for tracking a suspected intruder.

In all modes, Specter logs the activity, including all the information it can derive from the incoming packets. It may also attempt to leave traces on the attacker's machine, which can provide clear evidence for use in legal proceedings.
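
A minimal illustration of that premise, added here as example code that is not part of the article and not Specter's own software: a low-interaction listener that presents a decoy FTP-style banner (the hostname is constructed), records every connection together with the first bytes the client sends, and offers no real service. The `probe` helper is a small test client so the block can be exercised against itself on the loopback address.

```python
# Added illustration (not Specter code): a low-interaction honeypot listener.
# It answers with a decoy FTP-style banner, records every connection and the
# first bytes the client sends, and provides no real service.
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

FTP_BANNER = b"220 ftp.example.internal FTP server ready\r\n"  # constructed
RECORDS = []                      # one dict per connection attempt
RECORDS_LOCK = threading.Lock()

class HoneypotHandler(socketserver.BaseRequestHandler):
    """Greet, capture what the client says, then drop the connection."""
    def handle(self):
        src_ip, src_port = self.client_address
        self.request.settimeout(2.0)   # never let a client hold us open
        self.request.sendall(FTP_BANNER)
        try:
            first_bytes = self.request.recv(256)
        except socket.timeout:
            first_bytes = b""
        with RECORDS_LOCK:            # nobody should be here: log it all
            RECORDS.append({"time": datetime.now(timezone.utc).isoformat(),
                            "src_ip": src_ip, "src_port": src_port,
                            "data": first_bytes})

class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def start_honeypot(host="127.0.0.1", port=0):
    """Run the listener in a background thread; port 0 picks a free port."""
    server = HoneypotServer((host, port), HoneypotHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(server, payload, timeout=3.0):
    """Test client: read the banner, send payload, wait for the log entry."""
    before = len(RECORDS)
    with socket.create_connection(server.server_address, timeout=timeout) as s:
        banner = s.recv(256)
        s.sendall(payload)
    deadline = time.time() + timeout
    while len(RECORDS) <= before and time.time() < deadline:
        time.sleep(0.05)
    return banner
```

Every entry in `RECORDS` is an alert candidate by definition, which is the whole point of the decoy: there is no baseline of legitimate traffic to filter out.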

 

Users can also configure a fake password file in all modes. This is particularly useful because hackers will almost always try to access the system's password files; if they succeed, they can then log in as a legitimate user. The holy grail of hacking is getting the administrator's password. There are five ways in which this fake file can be configured.

Easy: In this mode the passwords are very easy to crack, which makes the hacker believe he has found a legitimate username and password. Most times, hackers with a legitimate logon will try to cover their tracks. If you know that the logon is fake and the system is set up to monitor it, you can track it back to the hacker.

Normal: This mode has slightly more difficult passwords than the Easy mode.

Hard: This mode has even harder passwords to crack. There is an even harder variant of this mode called Mean, in which the password is very hard to crack. This makes the hacker stay longer on the system, which allows you to trace him back to his origin and identify him.

Symantec Decoy Server

Because Symantec is such a prominent vendor of both antivirus software and firewall solutions, it should come as no surprise that it also has a honeypot solution.

The first Symantec honeypot product was Decoy Server. It simulated a real server by emulating many server functions, such as outgoing and incoming e-mail traffic.

As well as working as a honeypot, Decoy Server also works as an IDS, monitoring the network for signs of intrusion. If an attack is detected, all traffic related to that attack is recorded for later use in whatever investigative, criminal or civil proceedings may arise.

Decoy Server is designed to be part of a suite of enterprise security solutions that work together, including the enterprise version of Symantec's antivirus software.