From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
Date: Mon, 23 Apr 2001 15:00:18 -0700
To: Domas Mituzas
Cc: scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject: Re: Connection attempts (& active ids)
Message-ID: <3AE4A5F2.E52825EE@globalstar.com>
References: <20010423231908.N574-100000@axis.tdd.lt>

Domas Mituzas wrote:

[snip]

> One of best practices is to build honeypots - early warning systems with
> great publicity and observed security. And software, with changed banners
> into older ones :)

Most of what you said made sense up until this point. You are not saying it is a "best practice" for everyone concerned with security to build honeypots?

Unless you are actively doing security research (i.e. your job description goes beyond just protecting computer and information assets, or you are doing it on your own time), building and deploying honeypots is a very questionable use of resources. You are most likely going to be capturing script kiddie tools you could just go download off of any of a dozen h4x0r sitez. Building a secure honeypot is harder than building a secure "legit" machine, and we all make mistakes. That can actually reduce your security as a whole by introducing compromised machines (and if you are building entire secure extranets just to house honeypots, that's a lot of resources being spent). Honeypots are also a potential legal liability.

If you want "great publicity" to justify yourself to management, a simple NIDS will give you just as much ammunition as a honeypot (would management even understand the distinction?).

And don't pretend that the kiddies or crackers will just stop poking around your network once they find your honeypot. We all see the scans walk methodically across our nets. We all know most of them come from machines already compromised. Honeypots just focus _more_ kiddie and cracker attention on you rather than distract them from your real assets.

Honeypots do have a place for those doing security research. For someone working to protect a corporate, academic, or government network, energy is better spent on other things... unless your network is already 100% secure (heh-heh).

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926