Team Members
· Wendy Ferguson
· Robert Gaston
· Brian Johnson
· Alpesh Patel
· Warren Pettis

TEAM PETTIS

INTRUSION DETECTION AND PREVENTION SYSTEMS AND HONEYPOTS

Prepared for

Professor Leeds

Kennesaw State University

Prepared by

Wendy Ferguson, Formal Report Coordinator

Robert Gaston, Digital Video Presentation Coordinator

Brian Johnson, Research Coordinator

Alpesh Patel, Web Master

Warren Pettis, Project Manager

November 23, 2005

Letter of Authorization

 

 

BISM 2100 Students,

 

The purpose of this assignment is to expose students to emerging technologies and to create an opportunity for students to utilize their professional written business communication skills. This formal report will be coordinated with a digital video presentation and an interactive web page to provide a bundled resource on this semester’s project.

 

You are being asked to perform a detailed analysis of a product/concept in the area of information security. This semester that project will involve Honeypot Technologies.

 

At a minimum, your report should include information related to the following:

 

 

The information contained in your report and presentation will be used as a training tool for Information Technology Students and Staff.  You will therefore want to present a carefully researched, thoughtfully written, and comprehensive formal report.

 

Use both commercial and academic resources (Minimum of 15 references – 20 needed for full credit). Where appropriate, you should incorporate charts, graphs, or other visual aids to illustrate the facts you present in your report. This report will be submitted to turnitin.com – anti plagiarism detection software – please ensure that you cite your resources appropriately, use quotations and page number references for quotes and internal citations (Author, Date) for paraphrased content.

 

Written Report:

Your managerial report must be submitted through WEBCT. (Each student must submit a copy of his or her team’s output through WebCT).  Employ all facets of effective business writing and refer back to your text (Chapter 9, Completing Formal Business Reports - pages 1453 – 1466) for the Formal Report Structure.

 

Background

Until recently, information security was recognized as a purely defensive discipline. Firewalls, Intrusion Detection Systems (IDS), and encryption mechanisms were aimed at protecting valuable information resources and defending systems against security breaches (Honeypot Project). Information Security Plans were focused primarily on system inspection, proactive risk reduction (protection), reactive risk reduction (detection), response, and reflection (Pipkin, 2000, p. 17). The result of this focus has been a plethora of “reactive event information that is of little value in locating attacks in progress” (Radcliff, 2004, p. 44). Intrusion Detection Systems, powerful analytical tools, provide an inventory of forensics that bog down security system administrators while the time gap between vulnerabilities and exploits is shrinking. A movement is being recognized to transform Intrusion Detection Systems into Intrusion Prevention Systems (IPS), as part of a greater framework of Security Information Management (SIM). In the short-term, “prevention systems likely will replace detection systems at the perimeter, but they err on the side of giving too little event information” (Person, as cited in Radcliff, 2004, p. 45). As organizations move toward a SIM framework, IPS will be augmented with a SIM console that accepts information from alternative devices. One of these devices that has proven to be effective in gathering information, while simultaneously stopping active intrusion, is the honeypot.

Honeypots are “physical or virtual machines that are deployed to trap hackers” (Khattab, S., Sangpachatanurak, C., Mosse, D., Melhem, R., & Znati, T., 2004, p. 336). Their rather endearing name is based on the age old adage that you attract more flies with honey than with vinegar. But the sweetness of the name belies their ability to aid in the establishment of a sound information security framework. Honeypots are part of a group of deceptive technologies whose value lies in their ability to be “probed, attacked or compromised” (Spitzner, 2002, ¶ 3). Fundamentally, it is a resource without any justified interaction or real production value. “There’s no legitimate reason for anyone outside the network to interact with a honeypot. Thus, any attempt to communicate with the system is most likely a probe, scan, or attack” (Spitzner, 2003, p. 49). Any traffic recognized by the honeypot is illegitimate traffic. If the honeypot attempts to communicate, or initiates any outbound connection, it is a safe assumption that the system has already been compromised. Honeypots collect as much information as possible about an attack, while simultaneously preventing the attacker from leaving the secured area and accessing authentic information (Yusuff, M. N.). They use deceit as a primary defensive and offensive mechanism by creating an attractive hazard. They do not replace security mechanisms, but work in conjunction with existing security mechanisms to enhance protection, detection, and response.

References

 

Khattab, S. M., Sangpachatanaruk, C., Mosse, D., Melhem, R., & Znati, T. (2004). Roaming honeypots for mitigating service-level denial-of-service attacks. Proceedings of the 24th International Conference on Distributed Computing Systems, 1063-6927/04, pp. 328-337.

Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: Prentice Hall PTR.

Radcliff, D. (2004). Drowning in signature libraries. Network World, 21, 44-46.

Spitzner, L. (2002, June 6). Honeypots: Definitions and Value of Honeypots. http://www.infosecwriters.com/texts.php?op=display&id=33

Spitzner, L. (2003). Honeypots: Sticking It to Hackers. Network Magazine, 18, 48. CMP Media LLC.

Yusuff, M. N. Honeypots Revealed. Retrieved April 27, 2005 from http://www.infosecwriters.com/text_resources/pdf/Honeypots.pdf

 

Criteria:

A comprehensive formal report employing the 7 C’s of business writing

30 points

Thorough research of sources – academic and commercial

10 points

Attributions and Citations done properly

10 points

Operating Agreement included AFTER the Letter of Transmittal

10 points

Detailed analysis covering requirements stated above

30 points

Well developed recommendations

10 points

Elke M Leeds

Professor, BISM 2100

 

1000 Chastain Road • Kennesaw, Georgia • 30144

Phone: 770-423-6584 • Fax: 770-423-6601

LETTER OF TRANSMITTAL

TO:              Professor Leeds

FROM:       Brian Johnson, Research Manager

DATE:          November 25, 2005

SUBJECT: Honeypot Technologies

 

 

Below is the report that you have requested from us. This is the basic information section of the report and will cover all the topics you will need to learn about Intrusion Detection and Prevention Systems. It will also answer any questions that you might have had prior to reading this report.

Our team split up all the work into sections and we each focused on one main point. Then, we all came together as a group and put all the information that we had found together. This method helped us all in understanding the main points and made it easier to develop this report.

TEAM OPERATING AGREEMENT

 

Mission Statement

To complete each project in a timely and professional manner, utilizing the principles taught in each unit of the B.I.S.M. course and communicating thoughts, ideas, and expectations openly to the team.

Team Objective

The overall objective of the team is to cooperate with each other in a formal business structure in order to create an informative and distinguished project and presentation.

Purpose

The purpose of this project is to develop a new way for students to be introduced to new technology and to give other students an opportunity to exercise their written business communication skills. The technology being introduced is the honeypot. Honeypots are a new type of security system set up for protection against hackers. The team is to gather as much information on honeypots as possible, so that the team can present a detailed project on the technology.

Structure of the Team

No team member is more important than another. Although the project manager is the team leader, his ideas and opinions carry the same weight as those of every other member of the group. No conduct that is detrimental to the team will be tolerated. If there is a conflict between two people, the project manager will assume the role of mediator.

The structure of the group will be a checks and balances system. Each member will do their part and make sure others are doing theirs. If there is a conflict of ideas, the group will vote on which idea is to be chosen. If a group member is not present at the time voting takes place, that individual will be notified via e-mail and expected to respond immediately. The team leader assumes responsibility for any misfortune of the group, which obliges him to be more concerned and careful with each individual on the team. The structure of this team is very important; without structure there would be anarchy. Remember, each member carries an important role on the team.

Preparation and Performance

Each member of the group is expected to perform at their highest potential. No group member will sit back and do nothing while other members are working diligently. Quality in our team is defined as turning assignments in on time, discussing different ideas with group members, and performing above average. At least two days before any assignment is to be turned in, the group as a whole will review it. This will allow us time for corrections. Before each discussion every team member should be fully prepared to express ideas, ready to work hard, and ready to help other team members. By being fully prepared before each activity, the quality of the project will be raised dramatically, and raising the quality will make our project a very successful one.

Meeting and Attendance Policies

Each member of the team is expected to make every meeting. The team also understands that emergencies or certain events can occur that may cause an individual to miss a meeting. If an individual is going to miss a meeting, that person must let the project manager know 24 hours in advance. It is the project manager's responsibility to take notice if an individual chooses not to attend a meeting. If a person fails to give notice, that individual will lose points and the absence will be logged in the attendance book. The regular meeting schedule is as follows: every Tuesday and Thursday after B.I.S.M. We may have to meet on days outside of that schedule, but notice will be sent at least four days in advance. Each member needs to make it to every meeting, because we are stronger with everyone present.

Scheduled Meetings

11/10/05 12:15 p.m.

11/15/05  12:15 p.m.

11/22/05   12:15 p.m.

11/29/05   12:15 p.m.

11/31/05   12:15 p.m.

12/1/05    12:15 p.m.

12/2/05    12:15 p.m.

Please remember there is a strong possibility that we will meet on days not listed above. The project manager will inform the team four days in advance.

Scheduled Due Dates

Assignments for this group are to be completed before the registered due dates on WebCT; this will give us time to make any corrections needed.

1st Team Evaluation                         due by Nov. 10th

2nd Team Evaluation                         due by Nov. 17th

System Analysis and Peer Evaluation         due by Nov. 22nd

Web Page                                    due by Nov. 22nd

Filmed Presentation                         due by Nov. 31st

3rd Team Evaluation                         due by Dec. 1st

 

I agree to the terms and plan to abide by the rules of the contract.

 

Signature X

 

Signature X

 

Signature X

 

Signature X

 

Signature X

TABLE OF CONTENTS

INTRUSION DETECTION AND PREVENTION SYSTEMS

HONEYPOTS

OPERATIONALIZING HONEYPOTS

HONEYPOT IMPLEMENTATION

ISSUES RELATED TO RISK

CONCLUSION AND FUTURE RECOMMENDATION

WORKS CITED

LIST OF ILLUSTRATIONS

Figures

1.      CHART COMPARING HONEYPOTS

SYNOPSIS

 

 

This report researches and analyzes the purpose, properties, and risks associated with honeypot technology. Honeypots are an increasingly popular form of intrusion detection and prevention system. The amount of interaction a honeypot allows determines how easy it is to deploy, how difficult it is to manage and operate, and how much it can capture. There are several categories of these systems, so that one fits the needs of different users.

 

Honeypots fall into two divisions: production honeypots and research honeypots. Production honeypots are low interaction and tend to be used by small businesses and corporations. Research honeypots are much more complex and harder to manage; mostly research, military and government organizations have the experience to manage these systems.

 

Although honeypots have many advantages, there are several disadvantages. An attacker can break into the honeypot itself and turn it against its owner, using it as a foothold to reach private files and production systems. There are also legal issues, such as entrapment, that concern intrusion detection systems and their users. Entrapment is enticing the attacker to break into the network.

HONEYPOT TECHNOLOGIES

 

 

INTRUSION DETECTION AND PREVENTION SYSTEMS

Identity theft, hackers, and other intrusions on computer systems are a fear of many computer users. People want a technology that will track and prevent these unwanted advances on confidential material; thus, intrusion detection and prevention programs were created. Intrusion detection is the concept of detecting inappropriate, incorrect, or abnormal activity on a computer. An Intrusion Detection System (IDS) can be used to determine whether a computer network or server has experienced a break-in. An IDS is much like the security system installed in houses today: in case of an intrusion, the IDS issues an alert to an operator, who then tags the events of interest for further investigation by the incident handling team. After the initial response to the unauthorized tampering, the computer forensics team investigates, and the evidence it collects may lead to a prosecution.

 

There are two general types of Intrusion Detection Systems: Host Based Intrusion Detection Systems (HIDS) and Network Based Intrusion Detection Systems (NIDS). Both are generally used by corporations and businesses that possess confidential files. A HIDS operates on a host to detect malicious activity on that host, while a NIDS operates on network data flows. Although both systems work well, a newer type of system is becoming more and more popular: the Intrusion Prevention System, or IPS. An IPS actively monitors a network or host for attacks and, unlike an IDS, which only raises an alert, sits inline so that it can block the offending traffic and prevent the attack from succeeding.

 

An issue that is often overlooked when considering intrusion detection is management. Management involves securely running the system itself and making sure that the problems it reports are fed back to the people responsible for the system. Without that feedback loop, the events the IDS detects are merely recorded rather than acted on.

 

HONEYPOT

Most people do not realize how much security their network needs. Several corporations and small businesses have introduced a concept called the honeypot into their information technology departments. A honeypot is a cyber surveillance system: a tool set up as a trap to monitor the activity of unauthorized users on a system, built on the same principles as a normal network server. A honeypot generally consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and protected, and that seems to contain information of value to attackers (Wikipedia, 2005).

 

Honeypot Technologies are monitored very closely and serve several purposes. They are used to help distract potential threats to systems and networks while providing valuable information on how attackers penetrate through these systems. Honeypots help provide early warning of attacks, tactics and movement of intruders, and valuable research information for large industries.

 

A simple honeypot can be built by having a designated system listen on selected ports and present what looks like a live service on each. The intruder who reaches it assumes they have entered a vital and vulnerable area, unaware that they are being watched and tracked. Honeypots can be used to keep track of the attacker's access attempts and keystrokes, which allows us to prepare for and avoid future attacks on real systems.

 

OPERATIONALIZING HONEYPOTS

A honeypot is supposed to perform three basic functions: prevention, detection, and reaction to intruders. Its purpose is to be a temporary decoy for intruders until information has been gathered on them. However, all honeypots share one huge disadvantage: “They are worthless if no one attacks them” (Infosec, 2004). As in hunting, a decoy is only useful if the prey takes it. A decoy is useful because it tells us who is using it, how they are using it, and whether or not the decoy is effective. Another drawback is that the more elaborate the decoy, the more can happen on it. Each minute an attacker lingers, more information can be gathered about his identity and intentions, but the same time can be damaging: the longer the attacker stays, the more he learns about the system and the more he can do with it. As with everything else, the more intricate a product is, the higher the chance of failure; when it succeeds, however, the reward is much greater.

 

A honeypot is an information system resource whose value lies in unauthorized or illicit use of the resource (Spitzner, 2002). Honeypots have a vast range of uses, from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud (Spitzner, 2005). Honeypots can be broken down into low-interaction and high-interaction categories. Low-interaction honeypots emulate “services and operating systems” and are low risk: the attacker never gets a real system to exploit, so the information they can capture is correspondingly limited. High-interaction honeypots are real systems or networks set out as bait for attackers; once the network is attacked, all of the attacker's activity on it is captured without their knowledge. These are high-risk honeypots and are complex to install and run.

           

HONEYPOT IMPLEMENTATION

Honeypot implementations can be categorized by their level of interaction, also called involvement. A low-interaction honeypot is easier to install but does not gather as much information as a honeypot with a higher level of interaction, because it does not give the attacker an actual system to exploit (Evan). High-interaction honeypots provide an actual system that can be interacted with. The difficulty of installing a honeypot depends on the level of interaction; it is recommended to become familiar with honeypots by running a low-interaction honeypot before attempting a high-interaction one. Below is a chart summarizing the differences in capability and installation of the two types (Trackinghackers, 2003).

 

Figure 1. Chart comparing honeypots

Low-interaction: solution emulates operating systems and services.

  • Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
  • Minimal risk, as the emulated services control what attackers can and cannot do.
  • Captures limited amounts of information, mainly transactional data and some limited interaction.

High-interaction: no emulation, real operating systems and services are provided.

  • Can capture far more information, including new tools, communications, or attacker keystrokes.
  • Can be complex to install or deploy (commercial versions tend to be much simpler).
  • Increased risk, as attackers are provided real operating systems to interact with.
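The port-listening honeypot described earlier and the low-interaction column of the chart, worked through as an added example that is not code from the report or from any product it names. It is a minimal low-interaction honeypot: each port carries a fake banner and a canned reply or two, every byte the client sends is recorded as a JSON line, and nothing the attacker sends is ever executed, which is exactly what keeps the risk low. The port numbers (2121, 2323, 8080), banners, replies, timeout and capture limit are all assumptions chosen for illustration.

```python
"""Minimal low-interaction honeypot (added example; not code from the report).

Each listening port presents a fake service: a banner, a canned reply or two,
and nothing else. Everything the client sends is recorded and nothing is ever
executed. Ports, banners, replies and limits below are assumptions.
"""
import json
import socket
import threading
import time
from datetime import datetime, timezone

SESSION_TIMEOUT = 15   # seconds of silence before a session is closed (assumed)
MAX_CAPTURE = 4096     # bytes kept per session (assumed)

# port -> banner sent on connect (empty for HTTP, which waits for a request)
FAKE_SERVICES = {
    2121: b"220 ftp.corp.example FTP server ready\r\n",
    2323: b"Welcome to corp-gw\r\nlogin: ",
    8080: b"",
}


def canned_reply(port: int, data: bytes) -> bytes:
    """Decoy response to what the client just sent, or b"" if none applies."""
    first = data.split(b"\r\n", 1)[0]
    if port == 2121 and first.upper().startswith(b"USER "):
        return b"331 Password required\r\n"
    if port == 2121 and first.upper().startswith(b"PASS "):
        return b"530 Login incorrect\r\n"     # every login fails; the attempt is the data
    if port == 2323:
        return b"Password: " if b"\n" in data else b""
    if port == 8080 and first.split(b" ")[0] in (b"GET", b"POST", b"HEAD"):
        return (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><body>Internal Admin Portal</body></html>\r\n")
    return b""


def classify(port: int, captured: bytes) -> str:
    """Rough label for a session, derived from the bytes the client sent."""
    first = captured.split(b"\r\n", 1)[0].upper()
    if port == 2121 and first.startswith(b"USER "):
        return "ftp-login-attempt"
    if port == 2323 and captured.strip():
        return "telnet-login-attempt"
    if port == 8080 and first.split(b" ")[0] in (b"GET", b"POST", b"HEAD"):
        return "http-request"
    return "unknown-probe"   # connected but sent nothing recognisable (e.g. a port scan)


def handle_client(conn, port, peer, log):
    """Run one decoy session on an accepted socket; append a record to log."""
    captured = b""
    conn.settimeout(SESSION_TIMEOUT)
    try:
        conn.sendall(FAKE_SERVICES[port])
        while len(captured) < MAX_CAPTURE:
            data = conn.recv(1024)
            if not data:                 # client closed the connection
                break
            captured += data
            reply = canned_reply(port, data)
            if reply:
                conn.sendall(reply)
    except (socket.timeout, OSError):
        pass                             # silence or a dropped peer just ends the session
    finally:
        conn.close()
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "src": "%s:%d" % peer,
        "port": port,
        "event": classify(port, captured),
        "bytes": len(captured),
        "data": captured[:256].decode("ascii", "backslashreplace"),
    })


def serve(port, log):
    """Accept connections on one decoy port forever, one thread per session."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, port, peer, log),
                         daemon=True).start()


if __name__ == "__main__":
    records = []
    for p in FAKE_SERVICES:
        threading.Thread(target=serve, args=(p, records), daemon=True).start()
    seen = 0
    while True:   # print each finished session as one JSON line for a log collector
        while len(records) > seen:
            print(json.dumps(records[seen]), flush=True)
            seen += 1
        time.sleep(0.5)
```

Run it and connect with a telnet or netcat client; every finished session prints one JSON line that a SIM console or log collector can ingest. The unprivileged ports only let it run without root; in a real deployment the firewall in front of the honeypot would redirect 21, 23 and 80 to them, and the host would sit on an isolated segment, because even a decoy that emulates everything is still a machine an attacker is talking to.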

There are many different honeypot products and architectures, such as Specter and honeynets. With the variety of low- and high-interaction honeypots available, there is one to suit almost every need. Another classification, related to the high/low distinction, is production versus research honeypots. Production honeypots protect an organization by detecting and deflecting attacks and capture only limited information about the attacker; they are intended for small businesses and corporations. Research honeypots exist to study attackers and capture as much as possible about them; they are very hard to use and maintain and are used by research, military, and government organizations.

 

ISSUES RELATED TO RISKS

Honeypots do not necessarily invite trouble if they are used and monitored correctly; however, they do carry the risk of being taken over by the intruder and used to harm other systems. A low-interaction honeypot carries minimal risk, while a high-interaction honeypot carries a higher risk; interaction is the level of activity the honeypot allows the attacker. There are several risks related to honeypot technologies.

 

One type of risk is entrapment, a legal issue surrounding the use of a honeypot. If the operator used the honeypot to entice someone into attacking it, that could be argued to be entrapment. A honeypot is not designed to induce or persuade attackers to enter the system; attackers find and attack honeypots on their own, and strictly speaking entrapment is a defense that applies only when law enforcement induces a person to commit a crime they would not otherwise have committed. Enticing someone to break into a server nonetheless seems unorthodox to many people and is looked upon badly.

 

Placement of the honeypot is also crucial to its functioning. If a honeypot is located on the same segment as systems where personal or production files are stored, there is a risk that someone who breaks into the honeypot can reach those private files. A honeypot should be placed on an isolated segment where nothing around it is vital to the computer user, and its traffic should be watched so that the moment it starts talking to other systems the operator knows it has been taken over.
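The placement rule above, combined with the observation earlier in this document that a honeypot has no legitimate reason to initiate connections, can be turned into a detection rule. The following is an added example, not code from the report: it reads flow records in a constructed format (`timestamp src:port -> dst:port proto`), flags every inbound connection to the honeypot as a probe, and flags every connection the honeypot itself opens, other than its own log shipping, as a compromise. The honeypot address, the allowed egress entry and the sample records are assumptions made up for illustration.

```python
"""Egress tripwire for a honeypot segment (added example; not code from the report).

Nobody has a legitimate reason to talk to a honeypot, so every inbound
connection is a probe worth recording, and any connection the honeypot itself
opens means it has been taken over and is being used against other systems.
Addresses, record format and sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

HONEYPOT_ADDRS = {"10.10.9.5"}                        # assumed honeypot segment
ALLOWED_EGRESS = {("10.10.9.5", "10.10.1.20", 514)}   # assumed: syslog to the collector only


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse 'TS SRC:SPORT -> DST:DPORT PROTO'; None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError("malformed flow record: %r" % line)
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(ts, shost, int(sport), dhost, int(dport), proto)


def assess(flow: Flow) -> Optional[dict]:
    """Alert for flows that touch the honeypot; None for everything else."""
    if flow.dst in HONEYPOT_ADDRS:
        return {"severity": "info", "kind": "probe", "ts": flow.ts, "actor": flow.src,
                "detail": "inbound to honeypot port %d/%s" % (flow.dport, flow.proto)}
    if flow.src in HONEYPOT_ADDRS:
        if (flow.src, flow.dst, flow.dport) in ALLOWED_EGRESS:
            return None                     # the honeypot's own log shipping
        return {"severity": "critical", "kind": "compromise", "ts": flow.ts, "actor": flow.src,
                "detail": "honeypot opened %s:%d/%s" % (flow.dst, flow.dport, flow.proto)}
    return None


def run(lines: Iterable[str]) -> list:
    """Apply assess() to every parsable record and return the alerts in order."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = assess(flow)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: two probes from one scanner, ordinary internal traffic,
# the honeypot's permitted syslog, and finally the honeypot dialling out to IRC.
SAMPLE_FLOWS = """
2005-11-20T13:05:01Z 203.0.113.7:51234 -> 10.10.9.5:21 tcp
2005-11-20T13:05:03Z 203.0.113.7:51235 -> 10.10.9.5:23 tcp
2005-11-20T13:05:09Z 10.10.1.20:40000 -> 10.10.1.21:443 tcp
2005-11-20T13:05:11Z 10.10.9.5:33000 -> 10.10.1.20:514 udp
2005-11-20T13:06:40Z 10.10.9.5:33001 -> 198.51.100.9:6667 tcp
""".splitlines()

if __name__ == "__main__":
    for a in run(SAMPLE_FLOWS):
        print("%(severity)-8s %(ts)s %(kind)-10s %(actor)s  %(detail)s" % a)
```

The firewall in front of the honeypot segment should enforce the same policy (inbound allowed to the decoy ports, outbound denied except the log path); this script is the tripwire that tells the operator the policy was tested, and a critical alert means the honeypot must be taken offline and rebuilt rather than left to gather more data.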

 

A honeynet is a network of high-interaction honeypots placed behind a gateway that records all traffic and limits what the attacker can do outbound. The information it records about attacks and attacker behaviour is then used to strengthen the protection of the real network. This works like the immune system: with each virus or disease one gets, the body learns to fight it off the next time. In the same way, once an attack pattern has been seen on the honeynet, the production systems can be prepared for the next similar attack.

 

One variant, the roaming honeypot, changes over time which servers act as the honeypot, so an attacker cannot tell in advance which address is a decoy (Khattab et al., 2004). This is intended to reduce the risk of an attacker breaking into the real system.

 

CONCLUSION

Intrusion detection systems, intrusion prevention systems, and honeypots are increasingly popular technologies for preventing intrusions into private systems. With the variety of IDS, IPS, and honeypot technologies available, there is a tool to suit the level of interaction appropriate for every home, small business, large corporation, and even military and government organization. Because these tools can backfire if used and managed inappropriately, computer users should be cautious about managing them and tracking intruders. For future research in understanding honeypot technologies, an interview with someone experienced in the field would provide first-hand answers to many questions. Experience helps a great deal in research and understanding; installing a low-interaction honeypot will give experience that cannot be found in periodicals and websites. A better understanding of intrusion detection and prevention systems allows computer users to protect their systems.

WORKS CITED

3com. IDS. Retrieved November 16, 2005 from http://www.3com.com/index2.html.

Cuff, A. (2004). Network Intrusion Prevention System. Computer Network Defense Ltd. Retrieved November 9, 2005 from http://www.networkintrusion.co.uk.

Curran, K., Morrisey, C., Fagan, C., Murphy, C., O'Donnell, B., Fitzpatrick, G., Condit, S. (2004). Retrieved November 5, 2005.

Dragon IDS. IDS. Retrieved November 15, 2005 from http://www.intrusion-detection-system-group.co.uk/.

Elinwechter, N. (2002, August). Introduction to intrusion detection systems. Retrieved November 9, 2005 from securityfocus.com/infocus/1532.

Evan, L. R. (2005). Intrusion detection: What is a honeypot? Retrieved November 6, 2005 from http://www.sans.org/resources/idfaq/honeypots.php.

Holland, T. (2004). Understanding IDS and IPS: Using IPS and IDS together for Defense in Depth. Retrieved November 13, 2005 from http://www.sans.org/rr/whitepapers/detection/1381.php.

Honeypot. (2005). Webopedia online encyclopedia. Retrieved November 8, 2005 from http://www.webopedia.com.

Honeypot. (2005). Wikipedia online encyclopedia. Retrieved November 8, 2005 from http://www.wikipedia.org/wiki/honeypot.

Honeypots: Definition and Value of Honeypots. Retrieved November 10, 2003 from www.trackinghackers.com.

Infosec Writers. The Hitchhiker's Work. Retrieved September 16, 2004 from http://www.infosecwriters.com/texts.php?op=display&id=33.

Innella, P. (2001). An introduction to intrusion detection systems. Retrieved November 9, 2005 from http://www.securityfocus/infocus/1520.

Intrusion Detection Honeypots Incident Handling Resources. Retrieved November 9, 2005 from http://www.honeypots.net.

Jones, J. (2000). Distributed Denial of Service Attacks: Defenses, A Special Publication. Technical report, Global Integrity. Retrieved November 5, 2005 from http://www.honeynet.org/papers/index.html.

Noordin, M. (2004). Honeypots revealed. Retrieved November 6, 2005 from http://www.securitydocs.com/library/2692#email.

Pipkin, D. L. (2004). Information security: protecting the global enterprise. Upper Saddle River, NJ: Prentice Hall PTR.

Rozenblum, D. (2001). Understanding Intrusion Detection Systems. Retrieved November 13, 2005 from http://www.sans.org/rr/whitepapers/detection/337.php.

Spitzner, L. (2002, June). Honeypots: Definitions and value of Honeypots. http://www.infosecwriters.com/texts.php?op=display&id=33.

Spitzner, L. (2005, November). Honeypots. www.tracking-hackers.com/papers/honeypots.html.

Spriggs, J. (2004). Honeypots: Covert network security. Retrieved November 13, 2005 from http://scholar.google.com.

Tipping-point. IDS. Retrieved November 16, 2005 from http://www.tippingpoint.com/getstarted_define.html.

Yusuff, M. N. Honeypots revealed. Retrieved April 27, 2005 from http://www.infosecwriters.com/text_resources/pdf/honeypots.pdf.