LinuxSecurity.com: Know Your Enemy: Honeynets
Apr 28, 2001, 12:00
(Other stories by Honeynet Project)
[ Thanks to Dave Wreski for this link. ]
"Over the past several years the Honeynet Project has been dedicated to learning the tools, tactics, and motives of the blackhat community and sharing the lessons learned. The primary tool used to gather this information is the Honeynet. The purpose of this paper is to discuss what a Honeynet is, its value to the security community, how it works, and the risks/issues involved."
"It is hoped that the security community can use the techniques discussed here to learn for themselves about the blackhat community. It is also hoped that the security community can take the methods and techniques discussed here and improve them, thereby improving the effectiveness of Honeynets and our ability to learn more about the enemy. However, we want to be sure that organizations are also aware of the many risks and issues involved with a Honeynet."
"A Honeynet is a tool for learning. It is a network of production systems designed to be compromised. Once compromised, this information is captured and analyzed to learn about the blackhat community. This idea is similar to honeypots, but there are several differences. A honeypot is a system designed to be attacked, usually for the purpose of deception or alerting of blackhat activity. Generally, honeypots are systems that emulate known vulnerabilities, emulate other systems, or are modified production systems that create caged environments. Examples of such honeypots are The Deception Toolkit, CyberCop Sting, and Mantrap. Deception Toolkit is a collection of scripts that emulate known vulnerabilities. CyberCop Sting is an NT box that emulates the IP stack and inetd of various systems. Mantrap modifies a Solaris system to create several caged environments. These are all excellent solutions; however, they are limited, focusing primarily on alerting and deception. (Note, of the three, we feel that Mantrap has the most potential to also be used as a research tool; however, it has certain limitations.)"