From: Daniel Hagan (dhagan@colltech.com)
Date: Tue, 24 Apr 2001 20:20:35 -0400
To: Dragos Ruiu
Cc: Crist Clark, Domas Mituzas, scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
Message-ID: <3AE61853.F8DEF42D@colltech.com>
References: <20010423231908.N574-100000@axis.tdd.lt> <3AE4A5F2.E52825EE@globalstar.com> <01042318494515.00270@smp.kyx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dragos Ruiu wrote:

> But it's probably better to have the honeypot
> mirror your normal configs to get the most value out of it and to
> make it less obviously different from your production system.

If a system mirrors your production configuration, it's no longer a honeypot. Honeypots must be easier to compromise than the production systems or they can no longer fulfill their purpose (enticement of attackers to a known location, so to speak, facilitating detection and/or monitoring).

> I would even go as far in differing as to say that I expect honeypot
> systems to become a standard practice not just a "best" practice.

Even after the legal issues surrounding honeypot use are more thoroughly explored, I wouldn't expect to see non-research organizations deploying them in any great numbers.

It really depends on what your goals are. If you want to entice an attacker into a situation where he can be monitored and his tools captured, honeypots are a good idea. If you're charged with protecting certain information or service assets from compromise, honeypots are not very effective. A well-designed network with NIDS will give you higher quality and larger quantities of intelligence regarding activity on your network than a honeypot will.

> If nothing else, a honeypot makes a great use for a hot standby
> spare...

I'll assume that you're kidding here. You wouldn't really treat a system *designed* to be compromised as a failover resource if your primary assets became unavailable, would you?

Daniel

--
Consultant, Collective Technologies
http://www.collectivetech.com/
Use PGP for confidential e-mail.
http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1 3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBOuYYFsKlLCvSLxWxEQIcHwCfVSghC4XxUFWxU+693GmsvqJQFP0Anjn+
BysQFm1MTr38cDNs4Ok/Mi70
=RPWn
-----END PGP SIGNATURE-----