Archive

Archive for December, 2008

Network Auditing Protects Your Business from Cyber Attacks

December 26th, 2008

Network security has become increasingly important as companies both large and small are attacked by cyber criminals. This article explains what network auditing is and how you can use it to protect your business. Whether you’re a business owner, an executive, or an IT manager, the following information will be useful to you.

An average network security breach can cost a company between $90 and $305 per lost record, according to a study from Forrester Research. By monitoring your network you reduce the chance of such a breach, and with it the operating expense and lost productivity that follow one.

Are you prepared to suffer those losses? Could your business survive a network attack that shut down your entire operation for several days? A survey by McAfee found that 26% of businesses need an entire week to get back up and running smoothly after a cyber attack. Can your business afford a 7-day outage? The loss of revenue, resources and productivity associated with an attack may be enough to put your company in the red, and in today’s economy not many businesses can absorb further losses.

Network auditing solutions work to help you prevent, detect and solve security threats 24/7 – around the clock, all year long.  They can:

– Detect and solve network security problems
– Help you leverage investments in security
– Free up time for IT staff
– Secure laptop computers outside the office
– Generate auditing reports on demand

To deal with network security threats effectively, IT administrators need immediate access to the right data and to problem-solving advice. The better you know your network, the better you can guarantee uptime and optimal performance. With network auditing solutions you can defend and regain control of your applications, minimizing the loss of money and productivity.

Network auditing solutions monitor every computer in your network, looking for malware and threats, missing critical updates and patches, suspicious traffic and non-compliance with best practices. The instant a problem is detected, the solution gives you step-by-step advice on how to solve it.
Network auditing provides a complete solution for detecting and eliminating vulnerabilities in the following areas:

Unapproved Software: Ensures that every software application installed on your network is one approved under your company’s security policy.

Suspicious Traffic: Detects abnormal traffic on your network that could indicate an attempt to access or manipulate your computers.

Intrusion Vulnerability: Identifies open ports and other unintended access points that could expose your network to intrusion.

Malware Protection: Checks that antivirus and related protection is installed, kept up to date and functioning properly on every machine on the network.

Updates & Patches: Confirms that all critical security updates and patches are installed, so that every machine meets at least Microsoft’s baseline level of protection.

Security Practices: Ensures all your computers are configured and used in accordance with best practices for network security.

Network Auditing Agents: Monitor your network security status and tell you how to solve any problems they detect.

Virtual Auditing Assistant: Provides 24/7 security for your entire network at a fraction of the cost of human domain experts.
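The checks listed above amount to comparing what each machine reports against a written policy and attaching a remediation step to every deviation. The following is an added example of that logic, written for this page; it is not Clear Blue Security’s product or code. The policy values, host names and inventory records are constructed, and the audit date is assumed to be the day of this post. KB958644 is the real MS08-067 update (the Conficker fix).

```python
"""Host compliance audit over a constructed inventory.

Added example; not Clear Blue Security's product or code. The inventory
records, policy values and host names are constructed for the demonstration.
KB958644 is the real MS08-067 update (the Conficker fix).
"""
from datetime import date

TODAY = date(2008, 12, 26)  # assumed audit date

POLICY = {
    "approved_software": {"Microsoft Office 2007", "7-Zip", "Contoso AV"},
    "required_patches": {"KB958644"},
    "allowed_listening_ports": {135, 139, 445},  # ordinary Windows file and print sharing
    "max_signature_age_days": 3,
    "required_settings": {
        "firewall_enabled": True,
        "guest_account_enabled": False,
        "autorun_enabled": False,
    },
}

# Constructed inventory snapshots, as an agent on each host might report them.
INVENTORY = [
    {
        "host": "WS-ACCT-01",
        "software": ["Microsoft Office 2007", "7-Zip", "Contoso AV", "LimeWire"],
        "patches": ["KB958644"],
        "listening_ports": [135, 139, 445, 3389],
        "antivirus": {"installed": True, "signature_date": "2008-12-24"},
        "settings": {"firewall_enabled": True, "guest_account_enabled": False, "autorun_enabled": True},
    },
    {
        "host": "WS-SALES-07",
        "software": ["Microsoft Office 2007", "Contoso AV"],
        "patches": [],
        "listening_ports": [135, 139, 445],
        "antivirus": {"installed": True, "signature_date": "2008-12-01"},
        "settings": {"firewall_enabled": False, "guest_account_enabled": True, "autorun_enabled": False},
    },
]

# The "step-by-step advice" part: one remediation hint per finding category.
REMEDIATION = {
    "unapproved_software": "Uninstall the package, or add it to the approved list after review.",
    "missing_patch": "Deploy the update through WSUS and reboot if required.",
    "unexpected_port": "Stop or firewall the listening service, or add it to the baseline for this role.",
    "antivirus": "Repair the AV client and force a signature update.",
    "setting": "Correct the setting through Group Policy and re-audit.",
}


def audit_host(record, policy, today=TODAY):
    """Return the list of findings for one host; an empty list means compliant."""
    findings = []

    def add(category, severity, detail):
        findings.append({"host": record["host"], "category": category, "severity": severity,
                         "detail": detail, "advice": REMEDIATION[category]})

    for pkg in sorted(set(record["software"]) - policy["approved_software"]):
        add("unapproved_software", "medium", f"{pkg} is installed but not approved")
    for kb in sorted(policy["required_patches"] - set(record["patches"])):
        add("missing_patch", "high", f"required update {kb} is not installed")
    for port in sorted(set(record["listening_ports"]) - policy["allowed_listening_ports"]):
        add("unexpected_port", "high", f"TCP port {port} is listening but not in the baseline")
    av = record["antivirus"]
    if not av["installed"]:
        add("antivirus", "high", "no antivirus client installed")
    else:
        age = (today - date.fromisoformat(av["signature_date"])).days
        if age > policy["max_signature_age_days"]:
            add("antivirus", "medium", f"antivirus signatures are {age} days old")
    for key, wanted in policy["required_settings"].items():
        actual = record["settings"].get(key)
        if actual != wanted:
            add("setting", "medium", f"{key} is {actual}, policy requires {wanted}")
    return findings


def audit(inventory, policy, today=TODAY):
    """Audit every host in the inventory and flatten the findings."""
    return [f for rec in inventory for f in audit_host(rec, policy, today)]


def report(findings):
    """Plain-text report, high-severity findings first within each host."""
    ordered = sorted(findings, key=lambda f: (f["host"], f["severity"] != "high"))
    return "\n".join(f"[{f['severity'].upper():6}] {f['host']}: {f['detail']} -> {f['advice']}"
                     for f in ordered)


if __name__ == "__main__":
    print(report(audit(INVENTORY, POLICY)))
```

Run as a script it prints seven findings: the first host has an unapproved file-sharing client, Remote Desktop listening outside the baseline and AutoRun enabled; the second is missing the MS08-067 update, has signatures 25 days old, the firewall off and the Guest account on. The point of keeping policy and remediation text as data is that the same evaluator serves every role in the company once the baseline for that role is written down.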

Dennis Thomsen is CEO of Clear Blue Security, development and marketing company of a revolutionary Software-as-a-Service based Virtual Network Security Monitoring Assistant for small and medium sized companies. Download a free trial of our network auditing software today.

Computer Security

Windows 7 security: A great leap forward or business as usual?

December 18th, 2008

The public release of Windows 7 is approaching fast. Debates and discussions have been raging on the security improvements in the new platform, and some potential problems have also emerged. In this white paper, we run through the most significant changes and additions, and look at what they might mean to users and administrators.

by Chester Wisniewski, Senior Security Advisor, Sophos

Can Windows 7 succeed where Vista didn’t?

The much-heralded Windows Vista had a mediocre reception on its initial release, and never really took off despite great efforts from Microsoft to encourage hardware vendors to use it. Many businesses, wary of numerous issues, opted to stick to the tried and trusted XP until the new platform stabilized with service packs and upgrades.

But Microsoft took a different course – it rushed to create a replacement platform.

The upgrades included with Vista focused on visuals and certain speed improvements, but the platform also introduced a number of new or improved security features. The most notable was User Account Control (UAC), which runs even administrators with a standard-user token by default and asks for explicit consent before anything runs with administrative privileges; it is a consent mechanism for privilege elevation, not a control over which code is allowed to execute. UAC was widely criticized for its intrusive popups, and for relying on the understanding of a largely untrained user base that is more likely to ignore or disable the alerts than to take the time to decipher their meaning.

Other additions, such as BitLocker drive encryption and Address Space Layout Randomization (ASLR), provided some extra security, while the firewall and the Security Center remained largely unchanged. (Vista’s firewall could already filter outbound traffic through the Windows Firewall with Advanced Security console, but outbound connections were allowed by default, so for almost every user it behaved as a one-way firewall.)

With Windows 7, Microsoft showed that it is paying attention to its critics and has attempted to deal with a number of these issues.

Some of the changes are largely cosmetic, with further upgrades to the desktop look and feel that continue the direction taken by Vista, following the lead of a certain rival operating system with a far better reputation for glossy visual appeal and user-friendly design.

Under the hood, there are new additions and serious upgrades to previous security measures that offer the promise of greater security as well as ease of use. Microsoft overhauled the interface between users and Vista’s security controls with the Vista Security Center becoming the more fun-sounding, if a bit ambiguous, Action Center. In addition, the company redesigned the UAC, expanded the firewall into a more complete feature and extended encryption. Microsoft also promises a new user-friendly VPN system.

The implementation and completeness of these new ideas will be significant factors in Windows 7 gaining traction with users and IT departments that have resisted upgrading their systems. For the many that have waited so long, upgrades are no longer a choice. Microsoft hopes to avoid a repeat of the Vista experience—so marketing and sales will be pushing hard on customers to upgrade to Windows 7. It is almost certain that Windows 7 will push XP aside. Therefore, the safety level of the new platform will have a massive influence on computer users worldwide, whether they like it or not.

Action stations: Windows Security Center rebadged but not replaced?

Microsoft introduced Windows Security Center with XP Service Pack 2 and it remained largely unchanged through Vista. With Windows 7 it has been given a major revamp. The new Action Center combines the existing management and control of the firewall, updating and anti-malware protection with a selection of additional system maintenance tasks, including backup, troubleshooting, anti-spyware, UAC and the general state of network security settings.

Windows Vista users accustomed to the constant stream of alert popups and the old system tray shield badge will experience the biggest change. Windows 7 presents more detailed listings of potential issues, which often come with useful information and advice. Integration with anti-malware solutions is much more granular, enabling products to inform the operating system when they need updating; in Vista, the only information the Security Center could provide was “out of date” or “more than 30 days out of date.” Products can also feed their own customized information to users, enabling them to make more informed choices, and users gain a level of customization (e.g., they can disable functions they are not interested in monitoring).

The new Action Center icon looks like a waving flag; it features a small red mark when something important needs fixing. At first glance it seems like a good idea to do away with the popups, which became almost invisible for many users thanks to their frequent appearance. But the flag icon could be a step too far: The new alerting system may be so obscure as to be rendered useless.

The improved integration and control, and more granular messaging, will help most users and security solution developers. However, striking the right balance between keeping users informed and flooding them with irritating alerts remains tricky.

Access denied: UAC simplified, but still ruined by pester power?

As part of the Action Center lineup (and therefore a core security feature of the platform), the UAC system has also had a radical revision to minimize its impact on the user. In Vista, where it first appeared, the system quickly became notorious for presenting an excess of intrusive alerts and demands for confirmation, which quickly turned off users who consequently turned off the system. Changes to system settings were the main cause of these, rather than new software installations or installed programs trying to adjust a setting (when alerts are more expected and in some cases even appreciated). The new system has a finer level of control than the simple on or off of the earlier version: a slider offers four levels, from never notify to always notify, and the default prompts only when programs try to make changes while allowing changes the user initiates through Windows itself. The dimming (and often brief blacking out) of the screen that accompanies the alerts can also be disabled, but that dimming is the secure desktop, which isolates the prompt from every other running program; turning it off makes the prompt far easier for malware to spoof or click through, so it should be left on. Microsoft also redesigned popups to be more informative.

Microsoft promised a significant decrease in the number of popups, and, indeed, the popups in Windows 7 now have improved information on exactly what is being permitted—so it should make the system more effective. However, it is unclear whether many users will use the system correctly— that’s because most users lack the understanding required to make informed calls, and many are unlikely to think beyond simply making the popup disappear. On a standard desktop running with the “protected administrator” default user, making the popup disappear is as simple as clicking yes or no; the default selection is no, so users who have trained themselves to simply hit the Enter key will find themselves protected from unwanted changes and most likely frustrated by non-functional software.

Another issue with the default setting is that Windows 7 silently auto-elevates a whitelist of Microsoft-signed system binaries without any prompt, so malware that gets its code running inside one of those trusted applications inherits the elevation without the user ever seeing a dialog. Separately, some malware has been observed spoofing UAC-style prompts to obtain the user’s permission to operate unimpeded.

The system is improved from its previous, barely usable state. But it still lacks the features of platforms with more ground-up security models, where such alerts generally provide adequate context and detail so users can grasp exactly what is being asked and require an administrator password even from a logged on administrator— which forces users to consider what they are allowing and take responsibility for their own safety. The UAC concept is user-driven rather than expert-driven, so it is a questionable approach in a world where end-user expertise is rare. Although personal files and tools will require user approval and operation, core system assets should be more rigorously protected.

Border control: Windows Firewall finally fully functional?

One of the most significant security improvements introduced in the XP era was the Windows Firewall. The Internet Connection Firewall that shipped with the original XP was off by default and proved entirely inadequate, so with SP2 Microsoft made a major step change in the security of users worldwide by turning firewalling on as a standard feature.

Of course, with only inbound protection rather than the bidirectional control provided by proper firewall solutions, it was far from ideal. The basic stateful packet filter gave some protection from common exploits, since unsolicited inbound connections were simply dropped, but it lacked advanced features such as application-aware outbound control and intrusion prevention, and without central management, policy enforcement and auditing it was unsuitable for serious business networks. For most well-informed administrators, it was just another thing to disable before rolling out more comprehensive protection. If nothing else, though, it gave the inexpert, or just lazy, everyday home user a bare-bones level of protection from many forms of attack.

With the new OS, Windows Firewall finally comes of age. The new version provides inbound and outbound filtering by port, protocol, program and service, including IPv6, and can apply a different profile (domain, private or public) to each connected network at the same time rather than one profile for the whole machine. Detailed user-level configuration is available, but at the corporate network level the improvements are even more significant, with complete management and reporting well integrated into the Group Policy subsystem.

This all sounds like a major boon to home and business users, but it depends on how broadly it’s adopted, which in turn depends on how willing people are to adapt long-standing security practices. Home users—again, all but the most ill-informed—are using their internet security suites to provide both anti-malware and firewalling, generally with specialist firewall design and integration with behavioral anti-malware providing a much higher level of protection. At the business level, similar practices will apply in most cases, with providers of corporate security solutions bundling desktop firewalling with their other protective layers and providing their own centralized management and reporting systems. Security admin specialists will be charged with monitoring and maintaining all protection in bigger networks. In addition, they will still have to control anti-malware, NAC and other security implementations that are not so well integrated into Microsoft’s own control systems. Security specialists may also face a steep learning curve with the Group Policy Object management style (although it’s familiar to user-level software and policy administrators, and suited to their needs) because it’s so unlike standard workflow patterns in existing security management systems, which are specifically designed to cope with the complex needs of firewall configuration.

For most home and work users, splitting the task of security management between multiple tools, usage layouts and support systems will be a pretty obvious timewaster. The use of firewalls from existing, trusted providers seems likely to remain the norm for the foreseeable future.

Tunnel ahead: DirectAccess, a simple VPN for all?

For corporate administrators, one of the most interesting new security features in Windows 7 is likely to be the new DirectAccess system. It is essentially a built-in replacement for a VPN client: IPsec tunnels over IPv6 that come up automatically whenever the machine has an internet connection, with no user action, designed to let users “simply and more securely access corporate resources when out of the office” (source: Microsoft Windows 7 main page). It requires Windows Server 2008 R2 on the server side and the Enterprise or Ultimate edition on the client. It is intended to be fully integrated, always on and compatible with firewalls and NAT setups, and to allow both remote access to corporate networks and remote management of logged-in systems by network admins. Remote users are growing ever more commonplace and the issues they present to network security administrators expand in complexity along with their numbers and requirements. Microsoft has recognized the need for major improvements in remote connectivity, so it appears that it will make it very simple and easy to stay safe on the road.

However, there are some major implementation and security issues here. The first big stumbling block an admin will hit when trying to implement DirectAccess is its complete reliance on IPv6. Although theoretically a much superior and more scalable technology than IPv4, IPv6 has yet to make much if any headway in the real world. This means that admins will need to implement IPv6 both on workstations and on the corporate networks, with the inevitable associated learning curve and security lapses when implementing complex and unfamiliar technology for the first time. The alternative, as recommended by Microsoft, is to rely on IPv6 transition technologies: 6to4, Teredo or IP-HTTPS to carry the client’s IPv6 traffic across the IPv4 internet, and ISATAP or a NAT64/DNS64 translator (as provided by Forefront UAG) on the corporate side for IPv4-only internal servers. That means different tools and systems for the two ends, with the associated additional overhead and several more levels of complexity for the administrator, and of course the additional security risk that complexity brings.
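One practical consequence of the transition technologies is that the addresses they produce are not opaque: a 6to4 or Teredo address carries the client’s public IPv4 address, and a Teredo address also carries the external UDP port of its NAT mapping, which is exactly what an admin reading DirectAccess server logs or firewall rules needs to recognise. The decoder below is an added example written for this page, not Microsoft’s or DirectAccess code. The sample addresses are the documentation examples from RFC 3056 and RFC 4380 plus an ISATAP address constructed here, and the results are cross-checked against the Python standard library’s own parsing.

```python
"""Decode the IPv4 information embedded in IPv6 transition addresses.

Added example; not Microsoft's or DirectAccess code. The 6to4 and Teredo
sample addresses are the RFC 3056 / RFC 4380 examples; the ISATAP one is
constructed.
"""
import ipaddress


def decode_6to4(addr):
    """2002:WWXX:YYZZ::/48 embeds the site's public IPv4 WW.XX.YY.ZZ (RFC 3056)."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:2] != b"\x20\x02":
        return None
    return ipaddress.IPv4Address(raw[2:6])


def decode_teredo(addr):
    """Teredo (RFC 4380): 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:4] != b"\x20\x01\x00\x00":
        return None
    flags = int.from_bytes(raw[8:10], "big")
    return {
        "server": ipaddress.IPv4Address(raw[4:8]),
        "cone_nat": bool(flags & 0x8000),
        "client_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "client": ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF),
    }


def decode_isatap(addr):
    """ISATAP interface IDs are ::0:5efe:a.b.c.d (or ::200:5efe:a.b.c.d with the u/l bit set)."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[8:12] not in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return None
    return ipaddress.IPv4Address(raw[12:16])


def describe(addr):
    """Classify an address and report what it reveals about the underlying IPv4 path."""
    v4 = decode_6to4(addr)
    if v4 is not None:
        return {"kind": "6to4", "public_ipv4": str(v4)}
    t = decode_teredo(addr)
    if t is not None:
        return {"kind": "teredo", "public_ipv4": str(t["client"]), "nat_port": t["client_port"],
                "teredo_server": str(t["server"]), "cone_nat": t["cone_nat"]}
    v4 = decode_isatap(addr)
    if v4 is not None:
        return {"kind": "isatap", "internal_ipv4": str(v4)}
    return {"kind": "native"}


def matches_stdlib(addr):
    """Cross-check our 6to4/Teredo decoding against ipaddress.IPv6Address's own properties."""
    a = ipaddress.IPv6Address(addr)
    t = decode_teredo(addr)
    ours_teredo = None if t is None else (t["server"], t["client"])
    return decode_6to4(addr) == a.sixtofour and ours_teredo == a.teredo


if __name__ == "__main__":
    for a in ["2002:c000:204::1",                       # RFC 3056 example: 192.0.2.4
              "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # RFC 4380 example
              "fe80::5efe:10.20.7.9",                  # constructed ISATAP link-local
              "2001:db8::1"]:
        print(a, describe(a), "stdlib agrees:", matches_stdlib(a))
```

The Teredo example decodes to server 65.54.227.120, a cone NAT, client 192.0.2.45 on external port 40000: the address alone tells an observer where the client is and which NAT port to target. Teredo also needs UDP 3544 allowed outbound and IP-HTTPS uses TCP 443, so a perimeter that blocks the former quietly pushes every client onto the latter.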

Those persuaded to bite the bullet and become early adopters of IPv6 should remember the lessons of the IPv4 introduction – when large numbers of severe vulnerabilities were discovered. It seems inevitable that similar issues will be found with IPv6 when the user base has built up and stumbled across them, and early adopters will be embroiled in a taxing cycle of firefighting and patching until the bugs are ironed out.

There are also some potential dangers in the way Microsoft recommends using the system. By default it split-tunnels: traffic for the corporate network goes through the IPsec tunnels while other activity such as web browsing uses the machine’s ordinary (usually wireless) connection, presumably to save on corporate bandwidth. This approach will immediately sound alarm bells with security-conscious admins, who will see such a setup as an open bridge between their carefully protected networks and the threat-riddled frontiers of the internet. In other words, it should be avoided; DirectAccess can be configured for force tunneling instead, which sends all of the client’s traffic through the corporate network at the cost of bandwidth, and that is the setting admins who share this concern should use.

When IPv6 finally becomes the norm, this system will be a great leap forward. But it is premature and somewhat lacking in completeness of vision, so serious network admins will stick with their existing VPN providers for some time to come.

Locked out: BitLocker, a business-ready encryption system?

BitLocker drive encryption, which was introduced in Vista, has been somewhat extended and improved in Windows 7. Again, it is included only in the Enterprise and Ultimate editions. It has some hardware requirements as well: a BIOS that supports the TPM (and can read USB drives before the operating system loads, if a startup key is used), and a small unencrypted system partition holding the boot manager, which Windows 7 setup now creates by default. A trusted platform module (TPM 1.2) is recommended; it holds the key that unlocks the volume and releases it only if the measurements of the firmware, boot sector and boot manager taken during startup match the values recorded when BitLocker was enabled. In its Transparent Operation Mode that measurement check is the only gate: the disk is encrypted at rest, so a drive pulled from the machine or a tampered boot loader yields nothing, but anyone who can boot the unmodified machine gets it to the logon screen with the volume already unlocked, and the key then sits in memory where DMA and cold-boot attacks can reach it. The User Authentication Mode adds a second factor before the TPM will release the key: a PIN (TPM + PIN), a startup key stored on a USB drive, or both.
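The two modes differ only in what stands between a matching boot measurement and the released key. The following toy model, an added example written for this page and not Microsoft’s code or BitLocker’s actual implementation, shows the mechanism: each boot component is measured into a PCR with the TPM extend operation, the volume key is sealed to the expected PCR value, and the key is released only when the measurement matches. The boot components, the PIN and the volume key are constructed, and XOR with a PBKDF2 keystream stands in for the real key wrapping.

```python
"""Toy model of BitLocker's TPM-sealed key release (integrity-checked boot).

Added example; not Microsoft code and not BitLocker's real implementation.
Boot components, PIN and volume key are constructed; XOR with a PBKDF2
keystream stands in for the real key wrapping.
"""
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def extend(pcr, component):
    """TPM extend: PCR_new = SHA-1(PCR_old || SHA-1(component)). The order of extends matters."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components):
    """Measure an ordered boot chain into one PCR that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def wrap_with_pin(key, pin, salt=b"constructed-salt"):
    """Symmetric toy wrapping of the key under a PIN-derived keystream (same call unwraps)."""
    keystream = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=len(key))
    return bytes(a ^ b for a, b in zip(key, keystream))


class SealedKey:
    """What the TPM would hold: a blob and the PCR value it is bound to."""

    def __init__(self, blob, expected_pcr, needs_pin):
        self._blob = blob
        self._expected_pcr = expected_pcr
        self.needs_pin = needs_pin

    def unseal(self, measured_pcr):
        if measured_pcr != self._expected_pcr:
            raise PermissionError("PCR mismatch: boot chain was modified, key not released")
        return self._blob


def provision(volume_key, boot_chain, pin=None):
    """Seal the volume key to the current (trusted) boot chain, optionally under a PIN."""
    blob = wrap_with_pin(volume_key, pin) if pin else volume_key
    return SealedKey(blob, measure_boot(boot_chain), needs_pin=pin is not None)


def boot_and_unlock(sealed, boot_chain, pin=None):
    """Transparent mode releases the key with nobody present; PIN mode also needs the PIN."""
    blob = sealed.unseal(measure_boot(boot_chain))
    if not sealed.needs_pin:
        return blob
    if pin is None:
        raise PermissionError("PIN required")
    return wrap_with_pin(blob, pin)  # a wrong PIN yields a wrong key, not an error


def try_unlock(sealed, boot_chain, pin=None):
    """Convenience wrapper: the key, or None when the TPM refuses."""
    try:
        return boot_and_unlock(sealed, boot_chain, pin)
    except PermissionError:
        return None


# Constructed boot chains: same firmware and MBR, one with a tampered boot manager.
GOOD_CHAIN = [b"BIOS 1.02", b"MBR", b"bootmgr (Microsoft signed)", b"winload.exe"]
TAMPERED_CHAIN = [b"BIOS 1.02", b"MBR", b"bootmgr (patched by bootkit)", b"winload.exe"]
VOLUME_KEY = bytes(range(32))  # constructed 256-bit volume master key

if __name__ == "__main__":
    transparent = provision(VOLUME_KEY, GOOD_CHAIN)
    print("transparent, clean boot:   ", try_unlock(transparent, GOOD_CHAIN) == VOLUME_KEY)
    print("transparent, tampered boot:", try_unlock(transparent, TAMPERED_CHAIN))
    with_pin = provision(VOLUME_KEY, GOOD_CHAIN, pin="482913")
    print("PIN mode, no PIN:          ", try_unlock(with_pin, GOOD_CHAIN))
    print("PIN mode, right PIN:       ", try_unlock(with_pin, GOOD_CHAIN, "482913") == VOLUME_KEY)
    print("PIN mode, wrong PIN:       ", try_unlock(with_pin, GOOD_CHAIN, "000000") == VOLUME_KEY)
```

Two properties are worth noticing when the script runs. Reordering the same components changes the PCR, because extend is a hash chain and not a set, so the policy binds the sequence of the boot and not just its contents. And in transparent mode nothing in the model ever asks a human for anything: a clean boot releases the key unconditionally, which is exactly why it protects against disk removal and boot tampering but not against an attacker who can boot the machine and then attack it while running.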

Windows 7 adds BitLocker To Go for encrypting USB removable drives. Windows XP and Vista machines can read, but not write, protected drives through the BitLocker To Go Reader, provided the drive is FAT-formatted. As with any volume encryption, the data is protected only while the drive is locked; once it has been unlocked on a machine compromised by malware, everything on it can be harvested.

Similar to its improvements in the firewall, Microsoft appears to have done a good job of providing a quality encryption system built in to its operating system. But, again, similar to the situation with its firewall, it remains to be seen if the company, which still has long-standing problems inspiring trust on security matters, will persuade admins to migrate from their existing, well-known and trusted expert cryptography providers. Management remains a key issue, with the implementation of centralized key management and disaster recovery lagging well behind the solid implementation at the local level.

Related to BitLocker in name only, AppLocker provides a whitelisting system designed to allow only approved software to run on Windows 7 systems. It succeeds the older Software Restriction Policies, with rules written against a file’s publisher signature, path or hash, and it can be run in an audit-only mode that logs what would have been blocked before enforcement is switched on. Available only in the Enterprise and Ultimate editions, it is manageable via the Group Policy model.

More or less: Other security benefits and potential pitfalls

Admins considering implementing Windows 7 in a corporate environment should review a number of other areas where they’ll encounter some good points and some hazards.

Some have highlighted the built-in XP Mode (a licensed Windows XP virtual machine running under Windows Virtual PC, available for the Professional, Enterprise and Ultimate editions), which provides full compatibility with older software, as a great benefit to users. Others have pointed out the potential security drawbacks, with good reason. There is little centralized management available for XP Mode virtual systems. Moreover, as with any virtual machine, the guest system requires all the usual patch management and client security software to keep it safe, and because integration features share the host’s drives and clipboard with the guest by default, an infection in the guest is not contained there. Many inexperienced users think virtual guest systems are protected by the security of the host and are not subject to their own patching and anti-malware requirements. Such users tend to leave these virtual guest systems open to attack and infestation, so significant use of such systems by home users may lead to a growth in infected machines attacking the rest of the world.

In a corporate setting, there appears to be little need for XP mode because most professional software runs without difficulty on native Windows 7. The main target of XP mode appears to be gamers clinging to aged favorites. Most admins should simply disable XP mode in the corporate desktops; and those who must allow it should follow the usual requirements for virtualization, with all the extra work of patching and client-side security conducted as scrupulously as possible.

There have been rumors that European anti-trust regulations may force Microsoft to provide a so-called “E Edition” for the European marketplace. This edition will enable users to select from a range of leading browsers during installation, with the operating system opened up somewhat to allow it to function without Internet Explorer. Although this may be of interest to home users intrigued by the perceived added security and usability of some browsers, corporate software management is generally better served by Microsoft’s regular, if often rather tardy, patching system. Moreover, few businesses will be prepared to fully trust the relatively under-supported open-source alternatives for the time being. For most, using IE as a default and alternatives available as secondary browsers if required is likely to remain the standard.

Microsoft has been heavily criticized for some time for stubbornly clinging to the default setting, in every Windows release since Windows 95, that hides file extensions for known file types; malware authors have exploited it for many years to disguise their wares (an executable named invoice.pdf.exe shows up as invoice.pdf). Windows 7 keeps the same default. Changing it is widely regarded as one of the simplest moves Microsoft could make to show it is serious about keeping its users away from malware.

The password authentication model presents a major stumbling block to Microsoft’s highly valued usability, and the company seems to have recognized that the model also has flaws as a security system. One addition to Windows 7 that seems likely to be universally welcomed is built-in support for biometric devices through the Windows Biometric Framework, which handles fingerprint readers and exposes an API for developers of other types of biometric identification.

A growing number of devices now have integrated fingerprint readers. Although the readers have been implemented with varying degrees of success, this could move authentication away from the easily cracked or stolen password model toward more personal and unique ways of confirming identities, with the caveat that a fingerprint, unlike a password, cannot be changed once a copy of it has been obtained. The success or failure of this new model will depend greatly on the close integration of devices with platforms, software and web services, and Microsoft has taken an important step toward providing its end of this package.

With all these new features, will Windows 7 keep me safe?

Whether its motivation arises from a genuine desire to do things better or simply a sensible business case for appearing more credible on security issues, Microsoft has attempted to move closer to an appropriate security model. The company has provided some interesting and useful tools to assist its users and network admins in maintaining control over their systems and data. However, many of these new tools have flaws of one kind or another – and some show serious shortcomings in completeness of vision and thoroughness of implementation. Still others seem like excellent and complete packages waiting only for the rest of the world to be in a position to use them.

Of course, we never expected the new platform to do away with the need for anti-malware and other security and control solutions. But at least Microsoft will be covering most of the security issues for its wide user base of under-educated, under-motivated home users once its new Security Essentials free desktop anti-malware arrives.

Most businesses will stick to third-party expert security software providers. But it is possible that a decrease in the number of easy targets elsewhere will reduce the number of zombies and spam bots.

This article was written by Chester Wisniewski, Senior Security Advisor at Sophos, and is reproduced here with full permission of Sophos. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware protection.

Computer Security

Network Design Process – Effective Network Planning and Design

December 10th, 2008

Overview

The network planning and design methodology describes a process with 9 specific steps and a sequence for those activities. It is an engineering life cycle that supports technical initiatives such as Windows migration, IP telephony and wireless design, to name a few examples. The methodology begins with examining the company’s business requirements. It is absolutely essential that you understand the company’s business model, its business drivers and how it is growing from a business perspective. That builds the foundation for a design proposal that serves the business, technical and operational requirements of the company.

STEP 1: Business Requirements

Any design project starts with an understanding of what the company does and what they need to accomplish from a business perspective. This begins with an understanding of their business model, which really describes how their company works from an operational and business perspective to generate revenues and reduce costs. Many vendors today have conducted their own return on investment (ROI) studies for new implementations such as Unified Communications and Telephony. It is an effective sales tool that illustrates the cost benefits compared with investment over a specified period of time.

This is a list of some typical business drivers:

 • Reduce Operating Costs
 • Generate Revenue
 • Client Satisfaction
 • Employee Productivity

This is a list of some typical project business requirements:

 • Budget Constraints
 • Office Consolidations
 • Company Mergers and Acquisitions
 • Business Partner Connectivity
 • Telecommuter Remote Access  
 • Implement New Offices and Employees
 • New Data Center Applications
 • Reduce Network Outage Costs
 • Cost Effective Network Management
 • Vendor Contracts

STEP 2: Design Requirements

Now that you understand the basic business requirements of the company, you can determine the standard and specific design requirements. The design requirements process is focused on defining requirements from a technical perspective. Those requirements along with the business requirements will build the framework that is used to define infrastructure, security and management. Design requirements are defined as standard and miscellaneous. The standard design requirements are generic and represent those considered with many design projects. Miscellaneous requirements are those that aren’t defined with any of the standard requirements.

Standard Design Requirements

 • Performance
    
 • Availability

 • Scalability

 • Standards Compatibility

 • Rapid Deployment

STEP 3: Network Assessment

A network assessment is conducted after we have finished the business and design requirements of the company. A network assessment provides a quick snapshot of the current network with an examination of the infrastructure, performance, availability, management and security. That information is utilized for making effective strategy recommendations and design proposals to the client concerning specific information systems modifications. The network assessment model has 3 sequential activities, which are assessment, analysis and recommendations. The current network is examined using five primary surveys: infrastructure, performance, availability, management and security. When the surveys are completed, the information collected is then reviewed for trends, problems and issues that are negatively affecting the network.

STEP 4: Infrastructure Selection

After the network assessment we are ready to start selecting specific infrastructure components for the network design. This phase builds the infrastructure in a specific sequence that promotes effective equipment selection and design. It is important that you consider the business requirements, the design requirements and the network assessment when building your infrastructure.

The following numbered list describes the specific infrastructure components and their particular sequence.

 1. Enterprise WAN Topology
 2. Campus Topology
 3. Traffic Model
 4. Equipment Selection
 5. Circuits
 6. Routing Protocol Design
 7. Addressing
 8. Naming Conventions
 9. IOS Services
10. Domain Name Services
11. DHCP Services
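Items 5, 7 and 8 of that sequence (circuits, addressing and naming) are where a plan either stays tidy or collapses into overlapping subnets. The following is an added example, not from the article, of a variable-length subnet mask (VLSM) address plan: the supernet, sites, host counts, circuits and the naming convention are all constructed. Subnets are carved largest-first from a free list that is split in halves (buddy allocation), so every subnet is aligned and nothing is wasted to alignment, and each point-to-point circuit gets a /30.

```python
"""VLSM address plan and naming convention for a multi-site design.

Added example; not from the article. The supernet, sites, host counts,
circuits and the naming convention are constructed.
"""
import ipaddress
import math

SUPERNET = ipaddress.ip_network("10.20.0.0/16")   # assumed block for the whole enterprise

# (site code, network role, hosts required)
SITE_NETWORKS = [
    ("HQ", "users", 900), ("HQ", "voice", 400), ("HQ", "servers", 120),
    ("BR1", "users", 60), ("BR1", "voice", 40),
    ("BR2", "users", 25),
]
WAN_CIRCUITS = [("HQ", "BR1"), ("HQ", "BR2")]     # point-to-point: two router addresses each


def prefix_for_hosts(hosts, gateway=True):
    """Smallest prefix length that fits the hosts plus network, broadcast and (optionally) a gateway."""
    needed = hosts + 2 + (1 if gateway else 0)
    return 32 - max(2, math.ceil(math.log2(needed)))


def allocate(free, prefixlen):
    """Take the tightest free block that can hold a /prefixlen, splitting it in halves as needed."""
    candidates = [b for b in free if b.prefixlen <= prefixlen]
    if not candidates:
        raise ValueError(f"no free block left for a /{prefixlen}")
    block = max(candidates, key=lambda b: (b.prefixlen, -int(b.network_address)))
    free.remove(block)
    while block.prefixlen < prefixlen:
        block, other = block.subnets(prefixlen_diff=1)
        free.append(other)   # the unused half stays available for later, smaller requests
    return block


def network_name(site, role):
    return f"{site}-{role.upper()}"            # assumed convention: SITE-ROLE


def circuit_name(a, b):
    return f"{a}-{b}-P2P"                      # assumed convention: SITEA-SITEB-P2P


def device_name(site, kind, seq):
    return f"{site}-{kind}-{seq:02d}"          # assumed convention: SITE-TYPE-NN, e.g. HQ-RTR-01


def build_plan(supernet=SUPERNET, networks=SITE_NETWORKS, circuits=WAN_CIRCUITS):
    """Return {name: IPv4Network}. Requests are served largest-first so alignment always works."""
    requests = [(prefix_for_hosts(n), network_name(s, r)) for s, r, n in networks]
    requests += [(prefix_for_hosts(2, gateway=False), circuit_name(a, b)) for a, b in circuits]
    requests.sort(key=lambda req: req[0])      # stable sort: ties keep the listed order
    free = [supernet]
    return {name: allocate(free, plen) for plen, name in requests}


def overlaps(plan):
    """Any pair of allocated networks that overlap (should be empty)."""
    nets = list(plan.values())
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    plan = build_plan()
    for name, net in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{name:14} {str(net):18} usable hosts: {net.num_addresses - 2}")
    print("overlaps:", overlaps(plan))
    print("HQ edge router:", device_name("HQ", "RTR", 1))
```

The plan it produces runs from 10.20.0.0/22 for the 900 HQ users down to 10.20.7.32/30 and 10.20.7.36/30 for the two circuits, leaving the rest of the /16 free for the new offices and data center applications listed under business requirements. Because the free list survives the first pass, a later request for a new site is served from the same structure without renumbering anything already assigned.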

STEP 5: Security Strategy

We must now define a security strategy for securing the infrastructure. The need for enterprise network security shouldn’t be ignored given the proliferation of the Internet. Companies are continuing to leverage the public infrastructure for connecting national and international offices, business partners and new company acquisitions. The security requirements and the network assessment recommendations should drive the selection of security equipment, protocols and processes. The strategy identifies what assets must be protected, which users are allowed access and how those assets will be secured.

STEP 6: Network Management Strategy
 
This section will define a network management strategy for managing all equipment defined from infrastructure and security. It is necessary to define how the equipment is going to be monitored and determine if the current management strategy is adequate or if new applications, equipment, protocols and processes must be identified. Management components are then integrated with infrastructure and security to finish building the proposed design. These primary elements comprise any well-defined management strategy and should be considered when developing your strategy. 

 • 7 Management Groups
 • SNMP Applications
 • Monitored Devices and Events

STEP 7: Proof of Concept  

All infrastructure, security and management components must now be tested with a proof of concept plan. It is important to test the current design, configuration and IOS versions in a non-production environment, or on the production network with limited disruption. Implementation of newer network modules at a router, for instance, could require that you change the IOS version currently implemented. Making those changes could affect WAN or campus modules already installed at production routers. That is the real value of doing a proof of concept and certifying that the new equipment and IOS versions integrate with each device as well as with the network. The proof of concept test results should be examined and used to modify the current infrastructure, security and management specifications before generating a design proposal. The proof of concept model suggested here involves the following activities:

 1. Prototype Design

 2. Provision Equipment

 3. Define Tests

 4. Build Equipment Scripts

 5. Review Test Results

STEP 8: Design Proposal/Review 

With the proof of concept finished, you are now ready to build a design proposal for the design review meeting. Your intended audience could be the Director, CIO, CTO, Senior Network Engineer, Consultant or anyone approving a budget for the project. It is important to present your ideas with clarity and professionalism. If a presentation is required, PowerPoint slides work well and can be used to support concepts from the design proposal document. The focus is on what comprises a standard design proposal and the sequence for presenting that information.

The working design proposal is presented to the client after addressing any concerns from proof of concept assurance testing. The design review is an opportunity for you to present your design proposal to the client and discuss any issues. It is an opportunity for the client to identify concerns they have and for the design engineer to clarify issues. The focus is to agree on any modifications, if required, and make changes to the infrastructure, security and management before implementation starts. Business and design requirements can change from when the project started which sometimes will necessitate changes to infrastructure, security and management specifications. Any changes should then go through proof of concept testing again before final changes to the design proposal.

STEP 9: Implementation

The final step defines an implementation process for the specified design. This describes a suggested implementation methodology for the proposed design, one that causes minimal disruption to the production network. It should also be efficient and as cost-effective as possible. As with the previous methodologies, there is a sequence that should be followed.

Once the implementation is finished, there is monitoring of the network for any problems. Design and configuration modifications are then made to address any problems or concerns.

Network Planning and Design Guide is available at amazon.com and eBookmall.com

Shaun Hummel is an author of various technical books and has a web site focused on information technology job search solutions and certifications.

http://www.networkjobsolutions.com

Shaun Hummel, CCNP, is a Senior Network Engineer with 11 years experience in enterprise network planning, design, and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security, and management. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www.networkjobsolutions.com


Network Security Using Honeypots And Cryptography

December 2nd, 2008

NETWORK SECURITY USING HONEYPOTS AND CRYPTOGRAPHY

Abstract

For every consumer and business that is on the Internet, viruses, worms and crackers are a few of the security threats. There are the obvious tools that aid information security professionals against these problems, such as anti-virus software, firewalls and intrusion detection systems, but these systems can only react to or prevent attacks; they cannot give us information about the attacker, the tools used or even the methods employed. Given all of these open questions, honeypots are a novel approach to network security and security research alike.

A honeypot is used in the area of computer and Internet security. It is a resource which is intended to be attacked and compromised in order to gain more information about the attacker and the tools used. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in research as well as production environments.

Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious: no production services are running on the system. This enables the system to log every byte that flows through the network to and from the honeypot, and to correlate this data with other sources to draw a picture of an attack and the attacker.

This paper will first give an introduction to honeypots: the types and uses. We will then look at the nuts and bolts of honeypots and how to put them together. With a more advanced idea of how honeypots work, we will then look at the possible legal ramifications for those who deploy them. Finally we shall conclude by looking at what the future holds for honeypots and honeynets.

1. INTRODUCTION

Global communication is getting more important every day. At the same time, computer crimes are increasing.

Countermeasures are developed to detect or prevent attacks; most of these measures are based on known facts and known attack patterns. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot.

Generally, such information gathering should be done silently, without alerting the attacker. All the gathered information gives the defending side an advantage and can therefore be used on production systems to prevent attacks.

WHAT IS A HONEYPOT?

A honeypot is primarily an instrument for information gathering and learning. A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource. More generally, a honeypot is a trap set to deflect or detect attempts at unauthorized use of information systems. Essentially, honeypots are resources that allow anyone or anything to access them and, more importantly, honeypots do not have any real production value. More often than not, a honeypot is simply an unprotected, unpatched, unused workstation on a network being closely watched by administrators.

Its primary purpose is not to be an ambush for the blackhat community, to catch them in action and press charges against them. The focus lies on silently collecting as much information as possible about their attack patterns, the programs they use, the purpose of the attack and the blackhat community itself. All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just the primary purpose of a honeypot. There are many other possibilities for a honeypot; diverting hackers from production systems or catching a hacker while conducting an attack are just two examples.

WHAT IS A HONEYNET?

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets (and honeypots) are usually implemented as parts of larger network intrusion-detection systems. A honeynet is a network of production systems. Honeynets represent the extreme of research honeypots. Their primary value lies in research, gaining information on threats that exist in the Internet community today.

The two main reasons why honeypots are deployed are:

1. To learn how intruders probe and attempt to gain access to your systems and gain insight into attack methodologies to better protect real production systems.

2. To gather forensic information required to aid in the apprehension or prosecution of intruders.

TYPES OF HONEYPOTS:

Honeypots come in two flavors:

Low-interaction
High-interaction.

Interaction measures the amount of activity that an intruder may have with the honeypot. In addition, honeypots can be used to combat spam.

Spammers are constantly searching for sites with vulnerable open relays to forward spam on to other networks. Honeypots can be set up as open proxies or relays to allow spammers to use them. This in turn allows for identification of spammers.

We will break honeypots into two broad categories, as defined by Snort. The two types of honeypots are:

Production  honeypots
Research honeypots

The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Think of them as ‘law enforcement’; their job is to detect and deal with bad guys. Traditionally, commercial organizations use production honeypots to help protect their networks. The second category, research honeypots, are designed to gain information on the blackhat community. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and how to better protect against those threats.

HONEYPOT ARCHITECTURE:

1. Structure of a LOW-INTERACTION HONEYPOT (GEN-I):-

A typical low-interaction honeypot is also known as GEN-I honeypot. This is a simple system which is very effective against automated attacks or beginner level attacks.

Honeyd is one such GEN-I honeypot. It emulates services and their responses for typical network functions from a single machine, while at the same time making the intruder believe that there are numerous different operating systems. It also allows the simulation of virtual network topologies using a routing mechanism that mimics various network parameters such as delay, latency and ICMP error messages.

The primary architecture consists of a routing mechanism, a personality engine, a packet dispatcher and the service simulators. The most important of these is the personality engine, which gives services a different ‘avatar’ for every operating system that they emulate.

DRAWBACKS:

1. This architecture provides a restricted framework within which emulation is carried out. Due to the limited number of services and functionality that it emulates, it is very easy to fingerprint.

2. A flawed implementation (a behavior not shown by a real service) can also alert the attacker.

3. It has constrained applications in research, since every service which is to be studied will have to be re-built for the honeypot.

2. Structure of a HIGH INTERACTION HONEYPOT (GEN-II):-

A typical high-interaction honeypot consists of the following elements: a resource of interest, data control, data capture and external logs (“Know Your Enemy: Learning with VMware”, Honeynet Project). These are also known as GEN-II honeypots and started development in 2002. They provide better data capture and control mechanisms. This makes them more complex to deploy and maintain in comparison to low-interaction honeypots.

High-interaction honeypots are very useful in their ability to identify vulnerable services and applications for a particular target operating system. Since the honeypots have full-fledged operating systems, attackers attempt various attacks, providing administrators with very detailed information on attackers and their methodologies. This is essential for researchers to identify new and unknown attacks, by studying the patterns generated by these honeypots.

DRAWBACKS:

However, GEN-II honeypots do have their drawbacks as well.

1. To simulate an entire network, with routers and gateways, would require an extensive computing infrastructure, since each virtual element would have to be installed in its entirety. In addition, this setup is comprehensive: the attacker can know that the network he is on is not the real one. This is one primary drawback of GEN-II.

2. The number of honeypots in the network is limited.

3. The risk associated with GEN-II honeypots is higher because they can be used easily as launch pads for attacks.

COMPARISON:

Feature                                                   Gen-I     Gen-II
Number of virtual systems/services that can be deployed   Large     Small
Data control                                              Limited   Extensive
Level of interaction                                      Low       High
Ability to discover new attacks                           Low       High
Risk                                                      Low       High

BUILDING A HONEYPOT:

To build a honeypot, a set of virtual machines is created. They are then set up on a private network with the host operating system. To facilitate data control, a stateful firewall such as iptables can be used to log connections. This firewall would typically be configured in Layer 2 bridging mode, rendering it transparent to the attacker.

The final step is data capture, for which tools such as Sebek and Term Log can be used. Once data has been captured, analysis on the data can be performed using tools such as Honey Inspector, PrivMsg and SleuthKit.
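As an added example (not code from the paper or from the Honeynet Project), the analysis side of that data control and data capture: it reads iptables LOG lines from the bridging firewall, counts inbound connection attempts per attacker and port, and flags a honeypot that starts initiating outbound connections, which is the classic sign that it has been compromised. The log lines, the honeypot subnet 192.0.2.0/24 and the outbound budget are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of iptables LOG output from a honeynet bridge firewall
# (rule logged with prefix "HONEYNET:"). Addresses come from documentation
# ranges; they are not real attackers.
SAMPLE_LOG = """\
Dec  2 10:01:05 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Dec  2 10:01:06 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Dec  2 10:01:06 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=40003 DPT=445 SYN
Dec  2 10:01:09 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Dec  2 10:02:40 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=6667 SYN
Dec  2 10:02:41 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=33002 DPT=6667 SYN
Dec  2 10:02:41 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=33003 DPT=25 SYN
Dec  2 10:02:42 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=203.0.113.78 PROTO=TCP SPT=33004 DPT=25 SYN
Dec  2 10:02:42 bridge kernel: HONEYNET: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22 ACK
"""

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # assumed honeypot subnet
OUTBOUND_LIMIT = 3  # assumed data-control budget: outbound SYNs per honeypot

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of an iptables LOG line plus a SYN flag.

    TCP flags are logged as bare tokens (e.g. 'SYN', 'ACK'), not key=value.
    """
    fields = dict(KV.findall(line))
    fields["SYN"] = re.search(r"\bSYN\b", line) is not None
    return fields


def analyze(log_text):
    """Split logged SYNs into inbound probes and honeypot-initiated outbound.

    Returns (inbound, outbound, alerts): inbound counts SYNs per
    (attacker, dport); outbound maps each honeypot to the (dst, dport)
    connections it started; alerts lists honeypots over OUTBOUND_LIMIT.
    """
    inbound = Counter()
    outbound = defaultdict(list)
    for line in log_text.splitlines():
        if "HONEYNET:" not in line:
            continue
        f = parse_line(line)
        # Only new connections matter; ignore mid-stream packets.
        if not f["SYN"] or f.get("PROTO") != "TCP":
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        if dst in HONEYNET and src not in HONEYNET:
            inbound[(f["SRC"], int(f["DPT"]))] += 1
        elif src in HONEYNET and dst not in HONEYNET:
            outbound[f["SRC"]].append((f["DST"], int(f["DPT"])))
    alerts = [hp for hp, conns in outbound.items() if len(conns) > OUTBOUND_LIMIT]
    return inbound, dict(outbound), alerts


def report(log_text):
    inbound, outbound, alerts = analyze(log_text)
    for (src, dport), n in sorted(inbound.items()):
        print(f"inbound  {src:>15} -> port {dport:<5} SYNs={n}")
    for hp, conns in outbound.items():
        print(f"outbound {hp:>15} initiated {len(conns)} connections")
    for hp in alerts:
        print(f"ALERT: {hp} exceeded outbound budget of {OUTBOUND_LIMIT}; likely compromised")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```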

Honeypot technology under development will eventually allow for a large-scale honeypot deployment that redirects suspected attack traffic to the honeypot. In the figure, an external attacker penetrates the DMZ and scans the network IP address range. The redirection appliance monitors all unused addresses and uses Layer 2 VPN technology to enable the firewall to redirect the intruder to the honeypot, which may have honeypot computers mirroring all types of real network devices. An attacker scanning the network for vulnerable systems is redirected by the honeypot appliance when he probes unused IP addresses.

RESEARCH USING HONEYPOTS:

Honeypots are also used for research purposes to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can your organization defend itself against an enemy when you do not know who the enemy is? Research honeypots address this problem by collecting information on threats. Organizations can then use this information for a variety of purposes, including analyzing trends, identifying new methods or tools, identifying the attackers and their communities, ensuring early warning and prediction, or understanding attackers’ motivation.

ADVANTAGES OF HONEYPOTS:

1. They collect small amounts of information that have great value.  This captured information provides an in-depth look at attacks that very few other technologies offer.

2. Honeypots are designed to capture any activity and can work in encrypted networks.

3. They can lure the intruders very easily.

4. Honeypots are relatively simple to create and maintain.

DISADVANTAGES OF HONEYPOTS:

1. Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploitation.

2. There is also a level of risk to consider, since a honeypot may be compromised and used as a platform to attack another network. However, this risk can be mitigated by controlling the level of interaction that attackers have with the honeypot.

3. It is an expensive resource for some corporations, since building honeypots requires at least one whole system dedicated to the task.

LEGAL ISSUES PERTAINING HONEYPOTS:

Most of the research found in this area concluded that there are three major legal areas of concern for honeypots:

Entrapment
Liability
Privacy

1. ENTRAPMENT:

Entrapment is when somebody induces a person to commit a crime he was not otherwise going to commit. Honeypots should generally be used as defensive detection tools, not as an offensive approach to luring intruders.

2. PRIVACY:

The second major concern is what information is being tracked: operational data and transactional data. Operational data includes things like users’ addresses, header information etc., while transactional data includes keystrokes, pages visited, information downloaded, chat records, e-mails etc. Operational data is safe to track without raising privacy concerns because IDS systems, routers and firewalls already track it. The major concern is transactional data. The more content a honeypot tracks, the more privacy concerns arise.

3. LIABILITY:

Is the owner of the honeypot liable for any damage done by that honeypot? They will be safe as long as honeypots are used for directly securing the network.

SOME COMMERCIAL HONEYPOTS AND HELPFUL SOFTWARE:

1. CYBERCOP STING BY NETWORK ASSOCIATES:

This product is designed to run on Windows NT and is able to emulate several different systems including Linux, Solaris, Cisco IOS and NT. It is made to appeal to hackers by looking as if it has several well-known vulnerabilities.

2. BACK OFFICER FRIENDLY BY NFR:

This product is designed to emulate a Back Orifice server. BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and crew at NFR. It is an excellent example of a low-interaction honeypot and a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as HTTP, FTP, Telnet, mail, or Back Orifice.

3. TRIPWIRE BY TRIPWIRE:

This product is for use on NT and UNIX machines and is designed to compare binaries and inform the server operator which ones have been altered. This helps to protect machines from would-be hackers and is an excellent way to determine if a system has been compromised.

4. SPECTER:

Specter is a commercial product and a low-interaction production honeypot. It is similar to BOF, but it can emulate a far greater range of services and a wide variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. Specter’s value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process and supporting a variety of alerting and logging mechanisms. One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker.

5. MANTRAP:

Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called ‘jails’. These ‘jails’ are logically discrete operating systems separated from a master operating system. Security administrators can modify these jails just as they normally would any operating system, including installing applications of their choice, such as an Oracle database or Apache web server, thus making the honeypot far more flexible. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Currently, Mantrap only exists on the Solaris operating system.

RELATED WORK:

Much work has been performed using the concept of honeypots i.e., an illicit resource to which any and all traffic or access is deemed to be suspect.

1. TARPITS:

One of the easiest ways to identify vulnerable systems is by using a tool called a scanner or a spider. This brute-forces attacks on a whole range of IP addresses, attempting to find vulnerable hosts. This is where a tarpit comes in handy. A tarpit blocks a scanner by responding to its first TCP setup message but ignoring the rest. This simple approach causes the scanner to allocate buffers, start timers and retry, since it believes it has found a valid host. This process repeats until the scanner exhausts its memory and CPU resources and crashes or slows down to an almost unproductive speed.

2. HONEY TOKENS:

A honey token is a data entity whose value lies in the illicit use of that data. Honey tokens are entities such as false medical records, incorrect credit card numbers and invalid social security numbers. The very act of accessing these records, even by legitimate entities, is suspect. This concept is especially useful in detecting larger classes of attacks.
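An added example, not from the paper, of the detection side of honey tokens: a small set of decoy records is planted, and any appearance of them in an application access log or in outbound text is flagged together with the account responsible. The token values, log format and the outbound message are all constructed for this example.

```python
import re

# Constructed honey tokens: records that look real but have no business
# use, so any access to them is suspect. Every value here is made up.
HONEYTOKENS = {
    "patient_record:10443": "fake medical record for 'Jane Q. Decoy'",
    "card:4111111111111111": "invalid test credit card number",
    "ssn:987-65-4320": "SSN from the range reserved for advertising",
}

# Constructed application access log (one event per line).
ACCESS_LOG = """\
2008-12-02T10:05:11 user=nurse01 action=read object=patient_record:20417
2008-12-02T10:06:02 user=jdoe action=read object=patient_record:10443
2008-12-02T10:06:05 user=jdoe action=export object=patient_record:10443
2008-12-02T10:07:30 user=billing action=charge object=card:5555444433331111
2008-12-02T10:08:00 user=svc_backup action=read object=patient_record:20417
"""

# Constructed outbound message body, as a mail gateway might hand it over.
OUTBOUND_MAIL = "Here is the data you asked for: SSN 987-65-4320, card 4111 1111 1111 1111"

EVENT = re.compile(r"user=(\S+) action=(\S+) object=(\S+)")


def audit_access_log(log_text):
    """Return (user, action, object) for every event touching a honey token.

    Legitimate activity never references a decoy record, so each hit is
    an alert in its own right, whatever the action was.
    """
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m and m.group(3) in HONEYTOKENS:
            hits.append(m.groups())
    return hits


def scan_text(text):
    """Find numeric honey tokens embedded in free text.

    Spaces and dashes are stripped from both sides before matching, so a
    card number written in groups of four is still detected. Matching on
    a digits-only stream can join adjacent numbers; treat a hit as a
    trigger for review rather than as proof by itself.
    """
    digits = re.sub(r"\D", "", text)
    found = []
    for key in HONEYTOKENS:
        kind, _, value = key.partition(":")
        if kind in ("card", "ssn") and re.sub(r"\D", "", value) in digits:
            found.append(key)
    return sorted(found)


if __name__ == "__main__":
    for user, action, obj in audit_access_log(ACCESS_LOG):
        print(f"ALERT: {user} performed {action} on honey token {obj}")
    for key in scan_text(OUTBOUND_MAIL):
        print(f"ALERT: outbound text contains honey token {key} ({HONEYTOKENS[key]})")
```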

FUTURE WORK:

Honeypots are a new field in the sector of network security. Currently there is a lot of ongoing research and discussions all around the world. Several companies have already launched commercial products. A comparison of available products showed that there are some usable low- to high-involvement honeypots on the market. In the sector of research honeypots, self-made solutions have to be developed as only these solutions can provide a certain amount of freedom and flexibility which is needed to cover a wide range of possible attacks and attackers. Each research honeypot normally has its own goals or different emphasis on the subject. Developing a self-made solution needs a good technical understanding as well as a time intensive development phase.

There is an inherent risk of the research community being misled by script kiddies while sophisticated attackers plan more devastating attacks on computer systems across the globe. Although fingerprinting a honeypot is easier said than done, most attackers worth their salt would stay away from any computer system that they deem to be monitoring their activities. Thus in reality, for honeypots to be truly effective, they need to reside very close to a legitimate resource, probably even on the same network.

This would definitely serve as a precursor to any attacks on the production system making honeypots a true window to the future.

CONCLUSION:

Honeypots are positioned to become a key tool to defend the corporate enterprise from hacker attacks; it’s a way to spy on your enemy, and it might even be a form of camouflage. Hackers could be fooled into thinking they’ve accessed a corporate network, when actually they’re just banging around in a honeypot — while the real network remains safe and sound.

Honeypots have gained a significant place in the overall intrusion protection strategy of the enterprise. Security experts do not recommend that these systems replace existing intrusion detection security technologies; they see honeypots as complementary technology to network- and host-based intrusion protection.

The advantages that honeypots bring to intrusion protection strategies are hard to ignore. In time, as security managers understand the benefits, honeypots will become an essential ingredient in an enterprise-level security operation.

We do believe that although honeypots have legal issues now, they do provide beneficial information regarding the security of a network. It is important that new legal policies be formulated to foster and support research in this area. This will help to solve the current challenges and make it possible to use honeypots for the benefit of the broader Internet community.

I am a B.Tech final year student in Electronics and Communication Engineering.
