Date:      Tue, 24 Apr 2001 20:20:35 -0400
From:      Daniel Hagan <dhagan@colltech.com>
To:        Dragos Ruiu <dr@kyx.net>
Cc:        Crist Clark <crist.clark@globalstar.com>, Domas Mituzas <domas.mituzas@delfi.lt>, scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject:   Re: Connection attempts (& active ids)
Message-ID:  <3AE61853.F8DEF42D@colltech.com>
References:  <20010423231908.N574-100000@axis.tdd.lt> <3AE4A5F2.E52825EE@globalstar.com> <01042318494515.00270@smp.kyx.net>

Dragos Ruiu wrote:
> But it's probably better to have the honeypot
> mirror your normal configs to get the most value out of it and to
> make it less obviously different from your production system.

If a system mirrors your production configuration, it's no longer a
honeypot.  Honeypots must be easier to compromise than the production
systems or they can no longer fulfill their purpose (enticement of
attackers to a known location, so to speak, facilitating detection
and/or monitoring).

> I would even go as far in differing as to say that I expect honeypot
> systems to become a standard practice not just a "best" practice.

Even after the legal issues surrounding honeypot use are more
thoroughly explored, I wouldn't expect to see non-research
organizations deploying them in any great numbers.  It really depends
on what your goals are.  If you want to entice an attacker into a
situation where he can be monitored and his tools captured, honeypots
are a good idea.  If you're charged with protecting certain information
or service assets from compromise, honeypots are not very effective.  A
well designed network with NIDS will give you higher quality and larger
quantities of intelligence regarding activity on your network than a
honeypot will.

> If nothing else, a honeypot makes a great use for a hot standby 
> spare...

I'll assume that you're kidding here.  You wouldn't really treat a
system *designed* to be compromised as a failover resource if your
primary assets became unavailable, would you?  <shudder>

Daniel

- -- 
Consultant, Collective Technologies      http://www.collectivetech.com/
Use PGP for confidential e-mail.  http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1   3FA0 D899 4530 702F 72B0  5A17 C2A5 2C2B D22F 15B1
