Network Security Using Honey Pots
Nandhini S (7845520176), Priya Dharshini M
Bannari Amman Institute of Technology
Department Of Computer Science and Engineering-3rd year
Sathyamangalam-638-401(Erode-DT)
E-mail: myntaanandhu@gmail.com
ABSTRACT
A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised to gain more information about the attacker and the tools used. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in a research as well as productive environment.

A honey pot is a security resource whose value lies in being probed, attacked, or compromised. Honey pots are different in that they aren't limited to solving a single, specific problem. Instead, honey pots are a highly flexible tool that can be applied to a variety of different situations. The purpose of honey pots is to provide security from intruders by deceiving and trapping them through honey pots and to develop an alert detection system. The honey pots are located behind the firewall. These are virtual ports and environments acting as real ones in the network. The intruder assumes them to be a vulnerability in the system and carries out all his activities, which are in fact being scanned and observed by the security administrators, and the necessary actions can then be taken depending on the threat posed by the intruder.

Keywords: Honey pot, firewall,

1. Introduction
Intrusion detection is needed in today's environment because it is impossible to keep pace with current and potential threats and vulnerabilities in IT systems. If you have a system or network connected to the Internet, you become a target. Mostly hackers try to enter our network by first port scanning our network to determine their way of entering into the network through the ports that are open. For this the hackers use various techniques so that they may not be caught by the firewall or other security systems. In such cases the application of a firewall and other security systems fails.

Internet security is increasing in importance as more and more business is conducted there. Yet, despite decades of research and experience, we are still unable to make secure computer systems. As a result, exploitation of newly discovered vulnerabilities often catches us by surprise. Exploit automation and massive global scanning for vulnerabilities enable adversaries to compromise computer systems shortly after vulnerabilities become known. One way to get early warnings of new vulnerabilities is to install and monitor computer systems on a network that we expect to be broken into. Every attempt to contact these systems via the network is suspect. We call such a system a honey pot. If a honey pot is compromised, we study the vulnerability that was used to compromise it. A honey pot may run any operating system and any number of services. The configured services determine the vectors an adversary may choose to compromise the system.

Due to the increasing level of malicious activity seen on today's Internet, organizations are beginning to deploy mechanisms for detecting and responding to new attacks or suspicious activity, called Intrusion Prevention Systems (IPS). Since current IPSs use rule-based intrusion detection systems (IDS) such as Snort to detect attacks, they are limited to protecting, for the most part, against already known attacks. As a result, new detection mechanisms are being developed for use in more powerful reactive-defense systems.

Honey pots are any security resource whose value lies in being probed, attacked, or compromised. They can be real operating systems or virtual environments mimicking production systems. Honey pots are often the best computer security-defense tool for the job. They can be used as an adjunct tool and to log and prevent hacking. This paper presents the implementation of a honey pot. This is a middle-involved honey pot. The value of honey pots and the problems they help solve depend on how you build, deploy, and use them.

2. Honey pot
A honey pot is a closely monitored computing resource that we intend to be probed, attacked, or compromised. The value of a honey pot is determined by the information that we can obtain from it. Monitoring the data that enters and leaves a honey pot lets us gather information that is not available to NIDS. Because a honey pot has no production value, any attempt to contact it is suspicious.

Honey pots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system. A high-interaction honey pot simulates all aspects of an operating system. A low-interaction honey pot simulates only some parts, for example the network stack. A high-interaction honey pot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks. In contrast, low-interaction honey pots simulate only services that cannot be exploited to get complete access to the honey pot. Low-interaction honey pots are more
limited, but they are useful to gather information at a higher level, e.g., to learn about network probes or worm activity. They can also be used to analyze spammers or for active countermeasures against worms.

Honey pots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honey pots provides a cost-effective solution to increase the security posture of an organization. Even though it is not a panacea for security breaches, it is useful as a tool for network forensics and intrusion detection. Nowadays, they are also being extensively used by the research community to study issues in network security, such as Internet worms, spam control, DoS attacks, etc.

Honey pots are not "install and forget it" systems. There are several steps you can take to minimize the legal risks from using a honey pot. The system of honey pots is located behind the firewall. These are virtual ports and environments acting as real ones in the network. As the intruder assumes them to be a vulnerability in the system, he carries out all his activities, which are in fact being scanned and observed by the security administrators. Then the necessary actions can be taken depending on the threat posed by the intruder.

The architecture of our honey pot consists of a packet capture, a database for maintaining logs, and a GUI for configuration of the firewall, configuration of the daemons and viewing the logs.

Honey pot location:
A honey pot does not need a certain surrounding environment, as it is a standard server with no special needs. A honey pot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches than others. A honey pot can be used on the Internet as well as the intranet, based on the needed service. Placing a honey pot on the intranet can be useful if the detection of some bad guys inside a private network is wished. It is especially important to set the internal trust for a honey pot as low as possible, as this system could be compromised, probably without immediate knowledge. If the main concern is the Internet, a honey pot can be placed at two locations:
In front of the firewall (Internet)
DMZ
Behind the firewall (intranet)

Each approach has its advantages as well as disadvantages. Sometimes it is even impossible to choose freely, as placing a server in front of a firewall is simply not possible or not wished.

3. Implementation of Honey Pots:
Step 1: The admin logs into the Honey pot/Network through the GUI.
Step 2: Configuration of Daemons
The admin configures the daemons to open ports. These ports are considered as vulnerabilities by the hacker, who gets lured to them. When the intruder port scans our network, he finds the ports open and tries to connect to them.
Step 3: The admin configures the firewall to allow the intruder by allowing his IP address. The admin then sends the IP address to the Blacklist log. The incoming packets from that IP address are monitored.
Step 4: If the intruder is found to be doing some malicious activity, that IP address is blocked by configuring the firewall to deny the incoming and outgoing packets from and to that IP address.
Currently blacklisted IP addresses can be viewed, as the logs are maintained in the database. The firewall blacklisted entries can also be seen.
The daemon status or error logs can also be viewed. This log contains all the information about the daemons that are currently running as well as the daemons which could not be started and those daemons which were stopped earlier.
The traffic that is to be allowed by the firewall can be configured by this tool. Similarly, to drop IP packets, the configuration of the firewall can be achieved in this tool.
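
Steps 2 to 4 in code, as an added example that is not the paper's implementation: a decoy daemon accepts connections on an open port, every contact is written to a database log, and a source is flagged for blocking after repeated contacts. The table names, the `block_after` threshold and the loopback bind address are assumptions; applying the block in the firewall is left to the deployment.

```python
import socket
import sqlite3
import threading

def open_log(path=":memory:"):
    """Create the log database: one row per contact, one row per source IP."""
    db = sqlite3.connect(path, check_same_thread=False)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS attack_log
          (ts TEXT DEFAULT CURRENT_TIMESTAMP, src_ip TEXT, dst_port INTEGER, data BLOB);
        CREATE TABLE IF NOT EXISTS blacklist
          (src_ip TEXT PRIMARY KEY, hits INTEGER, blocked INTEGER);""")
    return db

def record(db, src_ip, dst_port, data, block_after=3):
    """Step 3: log a contact. Returns True once the source should be blocked (Step 4)."""
    db.execute("INSERT INTO attack_log (src_ip, dst_port, data) VALUES (?, ?, ?)",
               (src_ip, dst_port, data))
    db.execute("INSERT OR IGNORE INTO blacklist VALUES (?, 0, 0)", (src_ip,))
    # block_after is an assumed threshold; the right-hand sides see the old hits value.
    db.execute("UPDATE blacklist SET hits = hits + 1, blocked = (hits + 1 >= ?)"
               " WHERE src_ip = ?", (block_after, src_ip))
    db.commit()
    row = db.execute("SELECT blocked FROM blacklist WHERE src_ip = ?", (src_ip,))
    return bool(row.fetchone()[0])

def blocked_ips(db):
    """Sources the firewall should deny in both directions (Step 4)."""
    return [r[0] for r in db.execute(
        "SELECT src_ip FROM blacklist WHERE blocked = 1 ORDER BY src_ip")]

def decoy_daemon(db, lock, port=0, banner=b"220 FTP server ready\r\n"):
    """Step 2: open a decoy port that offers a banner and no real service."""
    srv = socket.create_server(("127.0.0.1", port))   # port=0: OS picks a free port
    listen_port = srv.getsockname()[1]
    def serve():
        while True:
            try:
                conn, (ip, _) = srv.accept()
            except OSError:                  # listening socket was closed
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.sendall(banner)
                    data = conn.recv(1024)   # first bytes the client sends
                except OSError:              # timeout or reset: still log the contact
                    data = b""
                with lock:
                    record(db, ip, listen_port, data)
    threading.Thread(target=serve, daemon=True).start()
    return srv
```

The caller holds `lock` whenever it reads the database while a daemon is running, since all daemons share one connection.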
The firewall Blacklist entries can also be viewed. These are required to see which IP addresses are blacklisted and which need to be blocked.
The honey pot daemon can be started, stopped, configured as well as restarted. The next screen shows the stopping of the daemon.
The attack log needs to be cleared. This helps in saving disk space and viewing the next logs faster.

Using Microsoft Windows for Honey Pots:
One could think that the large amount of observed attacks on systems running Microsoft Windows operating systems makes them ideal for a honey pot (and especially for data gathering), but unfortunately the structure of these operating systems makes data gathering (at least host based) rather difficult. Until today the source code of the Windows operating systems is not freely available, which means that changes to the operating system are very hard (if not impossible) to achieve. The modifications can therefore not be made in a transparent way; logging functionality must be integrated into user space programs which are visible to the attackers. The integration of data gathering mechanisms into loadable kernel drivers could possibly be a better solution. Logging the list of running processes, periodically watching the event log and checking the integrity of the system files by using MD-5 sums seem to be the only relevant ones amongst the possible actions of a honey pot administrator.

Using Unix Operating System for Honey Pots:
UNIX-derived operating systems offer interesting opportunities for deploying data gathering mechanisms to the kernel during run-time. This can be a dangerous feature, since it allows an attacker to add special countermeasures directly into the kernel, e.g. a facility to hide files (or processes) installed by the attacker from other users.
Goal of Honey Pots:
A goal of every honey pot is getting compromised. As soon as an attacker has invaded a system he can begin using the system for his own purposes. The actions which the attacker will take are unpredictable. Protecting third parties as well as own resources must be of high priority. Protecting own resources is normally easier to achieve, as it can be influenced by the placement of the honey pot itself. By having this system running on a non-trusted network segment, the impact can be reduced. Protecting third parties can be more difficult because a honeypot needs to interact
with the global network to be attractive and to return some useful information. This fact alone should not lead to a totally open honeypot, as such a resource will be a powerful weapon in the hands of the black hat community. Denying all outgoing traffic is also not a way to go, as such a setup would not be of much interest for an attacker. Finding a good balance between these two extremes is difficult to achieve.

The obvious solution to manage outbound connections is to use a firewall (packet filter). This makes it possible to set certain limits for outbound connections.
Allow only a certain amount of IP packets in a given time interval
Allow only limited amount of TCP SYN packets in a given time interval
Allow only limited simultaneous TCP connections
Drop outgoing IP packets randomly
Implementing such firewall rules makes it possible to allow outbound traffic and at the same time to reduce the usefulness of the system for DoS attacks. It is also thinkable to deny outbound traffic to certain destination ports. Another approach is to deploy an IDS based packet filtering software that makes it possible to drop packets which match specified signatures. The Hogwash packet filter is an implementation of this concept, although it is normally used to filter inbound which could arise is the loss of attractiveness of the honey pot. An attacker will not be able to successfully launch any well known attacks against third parties, which could affect his behavior significantly.

4. Conclusion
One important reason that the security community has been cautious regarding honey pots is that there has never been an agreed-upon definition of honey pots. Often when people or organizations discussed honey pots, they had different definitions or understandings of what honey pots do and how they operate. Some consider them a device to lure and deceive attackers, while others argue they are technologies designed to detect attacks. There was no cohesive definition of honey pots or appreciation of their value. It's difficult for organizations to adopt a technology when they don't even understand what it is.

Misunderstandings about honey pots have resulted in a vicious cycle. Few organizations trust or understand the technology, so few deploy them. Since few deploy them, there is little experience or trust concerning the technologies. More and more organizations are recognizing the value of honey pots. This is resulting in more widespread use of honey pots within organizations. With this widespread use, honey pots have a growing and exciting future ahead of them.

A honeypot is a valuable resource, especially to collect information about proceedings of attackers as well as their deployed tools. No other mechanism is comparable in the efficiency of a honeypot if gathering information is a primary goal, especially if the tools an attacker uses are of interest. But nevertheless, honey pots cannot be considered as a standard product with a fixed place in every security aware environment as firewalls or intrusion detection systems are today. Installing and running a honey pot is not just a matter of "buy and go". The involved risk and need for tight supervision as well as time intensive analysis make them difficult to use. Honey pots are in their infancy and new ideas and technologies will surface in the next time. At the same time as honey pots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the black hat community.
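
The first three outbound limits listed under "Goal of Honey Pots" (IP packets per interval, TCP SYN packets per interval, simultaneous TCP connections), modelled as a sliding-window policy and replayed over a constructed trace. This is an added example, not code from the paper; the class name, thresholds and trace are assumptions, and a deployment would enforce the same limits in its packet filter.

```python
from collections import deque

class OutboundLimiter:
    """Allow/drop decisions for packets leaving the honey pot.
    Thresholds are illustrative assumptions, not values from the paper."""

    def __init__(self, max_pkts=6, max_syn=2, max_conns=3, window=1.0):
        self.max_pkts, self.max_syn, self.max_conns = max_pkts, max_syn, max_conns
        self.window = window                      # length of the time interval (s)
        self.pkts, self.syns = deque(), deque()   # timestamps of allowed packets
        self.conns = set()                        # outbound flows counted as open

    def _expire(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, now, flow, flags=""):
        """flow: (dst_ip, dst_port, src_port); flags: 'S' SYN, 'F'/'R' teardown."""
        self._expire(self.pkts, now)
        self._expire(self.syns, now)
        if flags in ("F", "R"):
            self.conns.discard(flow)              # teardown frees a connection slot
        if len(self.pkts) >= self.max_pkts:
            return "drop:pkt-rate"                # limit 1: IP packets per interval
        if flags == "S":
            if len(self.syns) >= self.max_syn:
                return "drop:syn-rate"            # limit 2: TCP SYNs per interval
            if flow not in self.conns and len(self.conns) >= self.max_conns:
                return "drop:max-conns"           # limit 3: simultaneous connections
            self.syns.append(now)
            self.conns.add(flow)
        self.pkts.append(now)
        return "allow"

# Constructed trace: (time, flow, flags) for traffic leaving a compromised decoy.
A, B, C, D = [("192.0.2.10", 80, p) for p in (40001, 40002, 40003, 40004)]
TRACE = [(0.00, A, "S"), (0.10, B, "S"), (0.20, C, "S"), (0.30, A, ""),
         (1.20, C, "S"), (1.25, D, "S"), (1.30, A, "F"), (1.35, D, "S"),
         (1.40, B, ""), (1.41, B, ""), (1.42, B, ""), (1.43, B, "")]

def replay(trace, limiter=None):
    """Return the verdict for each packet in the trace, in order."""
    limiter = limiter or OutboundLimiter()
    return [limiter.check(t, flow, flags) for t, flow, flags in trace]

if __name__ == "__main__":
    for event, verdict in zip(TRACE, replay(TRACE)):
        print(event, verdict)
```

The model only sees outbound packets, so a connection slot is freed when the honey pot itself sends FIN or RST.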