Tuesday, 3 January 2012

HONEYPOT

A Honeypot can be characterized as a closely monitored network decoy serving several purposes. Honeypots can be set up to run any type of operating system and any number of services. The value of a Honeypot is directly proportional to the amount and type of information we can successfully obtain from it. Aside from information gathering, a Honeypot can distract adversaries from more valuable machines on a network, can provide early warning of new types of attack or exploitation trends, and allows in-depth examination of adversaries during or after the exploitation of a host. Another function a Honeypot allows is capturing the keystrokes typed by an adversary attempting to compromise it; this provides particularly interesting insight if an intruder uses the compromised host as an IRC chat server. Honeypots are described at two levels of interaction: low-interaction and high-interaction.
There currently exist two types of Honeypots: a physical Honeypot, which is a real machine with its own IP address, and a virtual Honeypot, which is simulated by another machine that responds to network traffic. Physical Honeypots are often labeled as high-interaction because the system can be completely compromised, and they are expensive to install and maintain. For example, if you wanted to implement physical Honeypots for a certain range of IPs on your LAN, you would have to build a separate instance of a Honeypot for each physical IP address. Virtual Honeypots are often labeled as low-interaction because of their low implementation and maintenance costs. A virtual Honeypot can simulate multiple operating systems, services and a separate TCP/IP stack for each Honeypot instance on that one machine. Honeyd is an example of a virtual Honeypot service; it simulates the TCP/IP stacks of multiple target operating systems in order to fool TCP/IP stack fingerprinting by tools like Nmap and Xprobe. Virtual Honeypots are used more often than physical Honeypots because they require fewer computer systems, which in turn reduces maintenance costs and allows a greater variety of hosts to be deployed and observed.
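As an added example (not from the original post, and not Honeyd's own code), the following Python shows the kind of low-interaction decoy the two paragraphs above describe: it presents a fake telnet login prompt, never accepts a credential, records every username and password an intruder types (the keystroke capture mentioned earlier), and writes each session out as a JSON line that a log collector can ingest. The banner text, the listening port and the peer address are constructed placeholders; `TelnetDecoy`, `DecoyServer` and `summarize` are this example's own names.

```python
"""Low-interaction telnet-style decoy: fake login prompt, log everything.
Added example; banner, port and addresses are constructed placeholders."""
import json
import socketserver
import threading
import time


class TelnetDecoy:
    """Protocol state machine for one fake telnet session.

    The decoy never authenticates anyone: each username/password pair is
    recorded and rejected, which is the observation a honeypot exists for.
    """

    BANNER = b"\r\nUbuntu 10.04 LTS\r\n\r\nlogin: "   # constructed banner
    PASSWORD_PROMPT = b"Password: "
    REJECT = b"\r\nLogin incorrect\r\nlogin: "

    def __init__(self, peer: str):
        self.peer = peer
        self.started = time.time()
        self.buffer = b""          # partial line not yet terminated by "\n"
        self.pending_user = None   # username awaiting its password
        self.attempts = []         # (username, password) pairs, in order
        self.raw = b""             # every byte received, kept for forensics

    def on_connect(self) -> bytes:
        return self.BANNER

    def on_data(self, data: bytes) -> bytes:
        """Feed received bytes; return whatever the decoy should send back."""
        self.raw += data
        self.buffer += data
        out = b""
        while b"\n" in self.buffer:
            line, _, self.buffer = self.buffer.partition(b"\n")
            text = line.rstrip(b"\r").decode("utf-8", "replace")
            if self.pending_user is None:
                self.pending_user = text
                out += self.PASSWORD_PROMPT
            else:
                self.attempts.append((self.pending_user, text))
                self.pending_user = None
                out += self.REJECT
        return out

    def event(self) -> dict:
        """JSON-serialisable record of the session for a log collector."""
        return {
            "peer": self.peer,
            "started": self.started,
            "attempts": [{"user": u, "password": p} for u, p in self.attempts],
            "bytes_received": len(self.raw),
        }


def summarize(events) -> dict:
    """Aggregate session records: usernames and passwords tried most often."""
    users, passwords = {}, {}
    for ev in events:
        for a in ev["attempts"]:
            users[a["user"]] = users.get(a["user"], 0) + 1
            passwords[a["password"]] = passwords.get(a["password"], 0) + 1

    def ranked(counts):
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

    return {"sessions": len(events),
            "users": ranked(users), "passwords": ranked(passwords)}


class DecoyHandler(socketserver.BaseRequestHandler):
    """One thread per connection; drives a TelnetDecoy over a real socket."""

    def handle(self):
        decoy = TelnetDecoy(self.client_address[0])
        self.request.sendall(decoy.on_connect())
        self.request.settimeout(30)      # idle intruders are dropped
        try:
            while True:
                data = self.request.recv(1024)
                if not data:
                    break
                reply = decoy.on_data(data)
                if reply:
                    self.request.sendall(reply)
        except OSError:
            pass
        finally:
            record = decoy.event()
            with self.server.log_lock:
                self.server.events.append(record)
                self.server.logfile.write(json.dumps(record) + "\n")
                self.server.logfile.flush()


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, logfile):
        super().__init__(address, DecoyHandler)
        self.events = []
        self.log_lock = threading.Lock()
        self.logfile = logfile


if __name__ == "__main__":
    # Unprivileged placeholder port; a deployment would forward 23 to it.
    with open("decoy.jsonl", "a") as log, DecoyServer(("0.0.0.0", 2323), log) as srv:
        srv.serve_forever()
```

The protocol logic is kept separate from the socket handling so the decoy's behaviour can be exercised and tested without opening a port, and so the same `TelnetDecoy` could be driven by a different transport. The `decoy.jsonl` output is one record per session, which is the form a collector or SIEM can consume directly.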
