Date:      Mon, 23 Apr 2001 15:00:18 -0700
From:      "Crist Clark" <crist.clark@globalstar.com>
To:        Domas Mituzas <domas.mituzas@delfi.lt>
Cc:        scheidell@fdma.com, freebsd-security@FreeBSD.ORG
Subject:   Re: Connection attempts (& active ids)
Message-ID:  <3AE4A5F2.E52825EE@globalstar.com>
References:  <20010423231908.N574-100000@axis.tdd.lt>

Domas Mituzas wrote:

[snip]

> One of best practices is to build honeypots - early warning systems with
> great publicity and observed security. And software, with changed banners
> into older ones :)

Most of what you said made sense up until this point. You are not saying it
is a "best practice" for everyone concerned with security to build honeypots?
Unless you are actively doing security research (i.e. your job description
goes beyond just protecting computer and information assets, or you are doing
it on your own time), building and deploying honeypots is a very questionable
use of resources.

You are most likely going to be capturing script kiddie tools you could
just go download off of any of a dozen h4x0r sitez. Building a secure
honeypot is harder than building a secure "legit" machine, and we all
make mistakes. That can actually reduce your security as a whole by
introducing compromised machines (and if you are building entire secure
extranets just to house honeypots, that's a lot of resources being
spent). Honeypots are also a potential legal liability.

If you want "great publicity" to justify yourself to management, a simple
NIDS will give you just as much ammunition as a honeypot (would management
even understand the distinction?). And don't pretend that the kiddies or
crackers will just stop poking around your network once they find your
honeypot. We all see the scans walk methodically across our nets. We all
know most of them come from machines already compromised. Honeypots just
focus _more_ kiddie and cracker attention on you rather than distract 
them from your real assets.

Honeypots do have a place for those doing security research. For someone
working to protect a corporate, academic, or government network, energy
is better spent on other things... unless your network is already 100%
secure (heh-heh).
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com
