A honeynet is an intentionally vulnerable network set up to attract adversaries, with the sole aim of studying how their attacks operate. The results can then be used to strengthen network security [1]. Honeynets usually consist of one or more honeypots. Honeypots are normally computer systems on the internet set up as decoys aimed at attracting illegal hackers and crackers alike. Such a decoy network can also be used to divert attackers away from the operator's real network and into the fake, decoy network.
A honeynet is one of the modes of a honeypot (other modes include research mode, production mode and Honeyd). A honeynet is a highly extensive mode of honeypot, designed to gather extensive information about threats [2]. Unlike Honeyd, a low-interaction honeypot that provides attackers with emulated systems and services, the honeynet gives the attacker real systems, applications and services to interact with. Its concept is a network of one or more honeypots. It is devoid of any production activity or authorised services, so any interaction with it is unauthorised or malicious activity. Any connection to the honeynet is therefore most probably a threat, and this makes analysing activity within the honeynet easy.
HONEYNET ARCHITECTURE
Honeynets are achieved by successfully deploying the honeynet architecture, and in doing this the Honeywall is key [2]. The Honeywall is the gateway device separating the honeypots from the outside world, making it the door through which all traffic passes to and from the honeypots. The device is built as a layer 2 bridging device, which makes it invisible to anyone who interacts with the honeypots.
According to Singh, G. and Kaur, P. (2014), the key requirements that a honeywall is expected to implement are:
• Data control: a honeywall must be able to prevent an attacker from getting data once he has gained access to the network.
• Data capture: it must be able to monitor and log all the activities of the threat within the honeynet.
• Data analysis: the main purpose of a honeynet is to analyse the data being captured, so a honeynet should be able to provide such data for analysis.
• Data collection: this applies in organisations with multiple honeynets, as it enables data to be collected from all the different sources.
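The two requirements a honeywall enforces on every packet, data control and data capture, are easiest to see in code. The following is an added example and is not code from Singh and Kaur or from the Honeynet Project: it models the honeywall as a sliding-window outbound connection limiter (data control: a honeypot may open at most `limit` outbound connections per `window` seconds, so a compromised honeypot cannot be turned freely against other hosts) that writes a record for every decision (data capture). The limits, the addresses and the sample events are assumptions made for this example.

```python
"""Added example (not from the cited papers): a simplified honeywall that
performs data control as outbound connection limiting and data capture as a
per-connection log. Limits, addresses and events are assumptions."""
from collections import defaultdict, deque


class Honeywall:
    def __init__(self, honeypots, limit=15, window=3600):
        self.honeypots = set(honeypots)      # addresses of the honeypots behind the bridge
        self.limit = limit                   # assumed: outbound connections allowed per window
        self.window = window                 # assumed: window length in seconds
        self._outbound = defaultdict(deque)  # honeypot -> timestamps of allowed outbound connections
        self.capture_log = []                # data capture: one record per connection attempt

    def handle(self, ts, src, dst, dport):
        """Decide 'pass' or 'drop' for one connection attempt and record it."""
        if src in self.honeypots:
            direction = "outbound"
            recent = self._outbound[src]
            # Forget allowed connections that have fallen outside the sliding window.
            while recent and ts - recent[0] >= self.window:
                recent.popleft()
            if len(recent) >= self.limit:
                decision = "drop"            # data control: limit reached
            else:
                decision = "pass"
                recent.append(ts)
        else:
            # Inbound traffic is always allowed: the honeynet exists to let attackers in.
            direction = "inbound"
            decision = "pass"
        self.capture_log.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                                 "direction": direction, "decision": decision})
        return decision

    def control_alerts(self):
        """Dropped outbound attempts: each one means a honeypot tried to reach out."""
        return [e for e in self.capture_log if e["decision"] == "drop"]


# Constructed sample traffic (RFC 5737 documentation addresses): an outsider
# reaches the honeypot over SSH, then the honeypot starts connecting outward.
SAMPLE_EVENTS = [
    (0,   "203.0.113.5", "10.0.0.10",    22),
    (10,  "10.0.0.10",   "198.51.100.7", 80),
    (11,  "10.0.0.10",   "198.51.100.7", 80),
    (12,  "10.0.0.10",   "198.51.100.8", 80),
    (13,  "10.0.0.10",   "198.51.100.9", 80),   # fourth within the window: dropped
    (100, "10.0.0.10",   "198.51.100.7", 80),   # window has slid on: allowed again
]


def run_sample(limit=3, window=60):
    """Replay the sample through a honeywall with a deliberately small limit."""
    wall = Honeywall(honeypots=["10.0.0.10"], limit=limit, window=window)
    decisions = [wall.handle(*event) for event in SAMPLE_EVENTS]
    return decisions, wall


if __name__ == "__main__":
    decisions, wall = run_sample()
    print(decisions)
    for alert in wall.control_alerts():
        print("data control dropped:", alert)
```

The capture log is what data analysis later consumes; the drop records in it are the cheapest possible alert, because a honeypot that tries to connect outward has, by definition, already been taken over.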
HONEYPOTS IN WEB APPLICATION
One characteristic of smart applications is detecting attacks against them ahead of time, and honeypots help achieve this. According to Baumann, R. and Plattner, C. (2002), honeypots came about in the early 1990s, when dummy, unsecured systems were first intentionally placed on the internet, open to attackers, with the aim of studying the behaviour of attackers in the real world. Attackers who managed to break in had their activities monitored closely, which exposed a lot of information about black hats. Honeypots are very useful in intrusion detection and can be deployed on unused IP addresses in production networks. Because a honeypot has no legitimate purpose, any traffic that passes through it signals an attacker's presence and prompts close monitoring of that intruder. This makes it different from, and more efficient than, normal detection systems, which have to pick attacks out of a multitude of normal traffic (here, any traffic through the honeypot signals an intruder), and makes it attractive for adoption in web applications.
The three strategies for web application honeypots are:
Honey tokens: these are fake records inserted into the database that should never be used by normal users. When one is used, it triggers an alert that the database has been compromised. For example, a username/password record belonging to no real user is inserted into the users' database; since no such user exists, nobody should ever log in with it, so a login using the honey token immediately shows that the database has been compromised and triggers an alarm.
Honeypages: these are obscure web pages scattered through the website without any legitimate function and not linked from any valid page. Hints about them are planted by embedding their URLs in comments or hidden fields on valid pages. This is intended to catch the attacker who typically analyses the source code for vulnerabilities, so any access to such a page points to an intruder.
Dummy domains: a variant of honeypages, these are dummy domains published in the DNS. These domains have no legitimate sites hosted on them, so no URLs point to them, and any queries directed at them therefore indicate intruder reconnaissance activity. This provides an early warning of intruder activity targeted at a site.
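The three strategies share one detection rule: a decoy is touched that nobody legitimate should ever touch. The following added example, which is not code from the cited authors, implements that rule for each strategy: a honey token (a decoy credential that exists only in the user table), a honeypage (an unlinked decoy URL hinted at in page source), and a dummy domain (a DNS name with no site behind it). All decoy values, names and sample events are constructed for this example.

```python
"""Added example, not code from the cited authors: detectors for the three web
application honeypot strategies. Decoy values and sample events are constructed."""
import hmac
from urllib.parse import urlsplit

# Constructed decoys (a real deployment would keep these in its own configuration).
HONEY_TOKENS = {"svc_backup": "B4ckup!2014"}          # decoy user record, used by nobody
HONEY_PAGES = {"/admin_old/", "/backup/db.sql.bak"}   # decoy pages linked from no valid page
DUMMY_DOMAINS = {"intranet-legacy.example.org"}        # published in DNS, nothing hosted


def honeypage_hint(path, hidden_field=False):
    """Render the hint that points a source-code reader at a honeypage."""
    if hidden_field:
        return '<input type="hidden" name="next" value="%s">' % path
    return "<!-- legacy interface still at %s -->" % path


def check_login(username, password, source):
    """Honey token: any login with the decoy username means the user table leaked."""
    secret = HONEY_TOKENS.get(username)
    if secret is None:
        return None
    # Constant-time comparison; a matching password shows the stored secret was usable.
    matched = hmac.compare_digest(secret.encode(), password.encode())
    return {"kind": "honey_token", "source": source,
            "detail": "decoy account %s used (password %s)"
                      % (username, "matched" if matched else "wrong")}


def check_request(url_path, source):
    """Honeypage: the path is compared without its query string."""
    path = urlsplit(url_path).path
    if path in HONEY_PAGES:
        return {"kind": "honeypage", "source": source, "detail": "request for %s" % path}
    return None


def check_dns_query(qname, source):
    """Dummy domain: normalise the name and match it or any subdomain of it."""
    name = qname.rstrip(".").lower()
    for domain in DUMMY_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return {"kind": "dummy_domain", "source": source, "detail": "query for %s" % name}
    return None


def scan_events(events):
    """Run each event through the check for its type and return the alerts raised."""
    checks = {"login": lambda e: check_login(e["user"], e["password"], e["source"]),
              "http": lambda e: check_request(e["path"], e["source"]),
              "dns": lambda e: check_dns_query(e["qname"], e["source"])}
    alerts = []
    for event in events:
        alert = checks[event["type"]](event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: two legitimate, three touching decoys.
SAMPLE_EVENTS = [
    {"type": "login", "user": "alice", "password": "correct horse", "source": "192.0.2.20"},
    {"type": "login", "user": "svc_backup", "password": "B4ckup!2014", "source": "203.0.113.9"},
    {"type": "http", "path": "/index.html", "source": "192.0.2.20"},
    {"type": "http", "path": "/admin_old/?debug=1", "source": "203.0.113.9"},
    {"type": "dns", "qname": "www.INTRANET-LEGACY.example.org.", "source": "198.51.100.4"},
]

if __name__ == "__main__":
    print(honeypage_hint("/admin_old/"))
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Two details matter in practice: the honeypage check strips the query string, so `/admin_old/?debug=1` still matches, and the dummy-domain check normalises case and the trailing dot and also matches subdomains, because reconnaissance rarely queries the bare name exactly as published.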
STRATEGIES IN DEPLOYING HONEYNETS
Careful planning is key to maximising a honeynet's strength and minimising its risks when it comes to deployment. Some of these strategies include:
1. Honeypots should be installed alongside regular production servers; this enables the honeypot to mirror real data and services from those servers so as to attract attackers more easily. Its security should also be loosened, which makes attacking it look easier and so attracts attackers. The downside, however, is that if a successful attack on a honeypot within the network goes through, the compromised honeypot may be used to scan for other potential targets on that network, unlike the case where the whole honeypot is a separate, isolated network.
2. Each server should be paired with a honeypot, and untrusted traffic should be redirected from the server to the honeypot. For example, traffic to TCP port 80 is directed to the web server's IP address, while all other traffic arriving for the web server is redirected to the honeypot. To camouflage the honeypot, some amount of data, such as the web server's website contents, will have to be imitated on the honeypot.
3. A network of honeypots that behaves like an actual or virtual network (a honeynet) should be built, so as to give attackers a fake picture of different applications available on different platforms. It gives an early warning of attacks and also offers a good way to understand and analyse an adversary's behaviour from the type of machines and honeypot services that have been attacked and the type of attack conducted.
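Strategy 2 above is a steering policy, and the early warning it yields comes from whatever is diverted. The following added example, not taken from the paper, expresses that policy: each production server is paired with a honeypot, flows for the service the server really offers reach the server, and every other flow addressed to it is steered to its honeypot and summarised per source. Addresses, ports and the sample flows are constructed; on a real gateway this policy would be expressed as NAT rules rather than Python.

```python
"""Added example for deployment strategy 2, not from the cited paper: pair each
server with a honeypot and steer untrusted flows to the honeypot. Addresses,
ports and flows are constructed."""
from collections import defaultdict

# Constructed pairing table: server -> (its honeypot, the services it legitimately offers).
PAIRINGS = {
    "192.0.2.10": {"honeypot": "192.0.2.110", "services": {("tcp", 80), ("tcp", 443)}},  # web server
    "192.0.2.20": {"honeypot": "192.0.2.120", "services": {("tcp", 25)}},                # mail server
}


def steer(dst_ip, proto, dport):
    """Return (delivery address, diverted?) for a flow addressed to dst_ip."""
    pair = PAIRINGS.get(dst_ip)
    if pair is None:
        return dst_ip, False            # unpaired host: the policy does not apply
    if (proto, dport) in pair["services"]:
        return dst_ip, False            # legitimate service: goes to the real server
    return pair["honeypot"], True       # anything else is untrusted: goes to the honeypot


def early_warning(flows):
    """Summarise diverted flows per source: which paired servers and ports each touched."""
    report = defaultdict(set)
    for src, dst_ip, proto, dport in flows:
        _, diverted = steer(dst_ip, proto, dport)
        if diverted:
            report[src].add((dst_ip, proto, dport))
    return dict(report)


# Constructed flows: a normal visitor, and a source probing ports the servers never offer.
SAMPLE_FLOWS = [
    ("198.51.100.4", "192.0.2.10", "tcp", 443),
    ("198.51.100.4", "192.0.2.10", "tcp", 80),
    ("203.0.113.7",  "192.0.2.10", "tcp", 22),
    ("203.0.113.7",  "192.0.2.10", "tcp", 3306),
    ("203.0.113.7",  "192.0.2.20", "tcp", 25),
    ("203.0.113.7",  "192.0.2.20", "tcp", 110),
]

if __name__ == "__main__":
    for src, targets in early_warning(SAMPLE_FLOWS).items():
        print(src, "diverted to honeypots on", sorted(targets))
```

The normal visitor never appears in the report, because both of its flows hit a listed service; the probing source appears once with every diverted (server, port) pair, which is exactly the picture of "which services were attacked" that strategy 3 wants to analyse.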
LEGAL ISSUES WITH HONEYNETS
Some of the ethical and legal issues relating to the development of honeynets concern, to a large extent, the monitoring of network users.
The fact that you own a computer network does not give you the legal authority to monitor network users without restraint, even if your network is an intruder-populated honeynet. Restrictions such as user agreements, statutes and internal policies can make monitoring improper, and a breach of such restrictions while monitoring network users will put you in civil or criminal jeopardy. Such rules are significant in the context of honeynets because the whole purpose and value of a honeynet lies in monitoring.
A typical example is the restrictions contained in the US Constitution and federal statutes. The US constitutional provision Amendment 4, Search and Seizures, provides for "the right of people to be secure in their houses, papers, persons and effects against unreasonable searches and seizures, not to be violated, and that no warrant shall issue, but upon probable causes, supported by oath/affirmation describing the place, persons or things to be searched or seized." [6]
In this case, if the honeynet's operation relates to the government, then the Fourth Amendment to the US Constitution may apply, because it limits the power of government agencies or agents to search for evidence without obtaining a search warrant from a judge, making evidence seized in violation of the Fourth Amendment inadmissible at trial against the persons subjected to the violation. Furthermore, those who violate the Fourth Amendment rights of others can be subjected to lawsuits claiming money damages.
It is, however, imperative to note that this amendment applies only in cases where the searched person has a 'reasonable expectation of privacy', and hackers are considered to have no reasonable expectation of privacy when using their victim's network. Also, the amendment is restricted to searches by the government and its agencies or agents. Private organisations are therefore free under the amendment to operate honeynet security consoles and monitor their users, except where the private body acts as an agent of government.
It must therefore be ascertained whether the organisation in question is subject to the amendment, that is, whether it is an entity of government. For instance, owing to their research value, academics and students may be attracted to deploying honeynets in order to study the results. Honeynets developed and deployed in connection with public universities risk having the Fourth Amendment rules applied to their monitoring. If a honeynet is deployed solely to monitor the activities of intruders, it does not violate the law, as intruders have no reasonable expectation of privacy; but if the scope of its monitoring extends beyond intruders, the law may take effect.
CONCLUSION
In conclusion, the bottom line with honeynets as far as legal issues are concerned is that, before a honeynet is designed and deployed for any company or organisation, be it a large, small or medium enterprise, it is imperative to consult that organisation's lawyers so that counsel can provide the necessary guidance. Counsel should take into consideration the particular situation, the goals, and the laws and regulations of the state that apply to the organisation, so as to identify potential problems and the requisite solutions.
REFERENCES
[1] The Honeynet Project (2004). Know Your Enemy: Learning About Security Threats, 2nd Edition, Chapter 8.
[2] Singh, G. and Kaur, P. (2014). Honeypots deployment strategies and legal issues. International Journal of Advanced Technology in Engineering and Science, 02(08), pp. 210-216.
[3] Nelson, B., Phillips, A. and Steuart, C. (2008). A Guide to Computer Forensics and Investigations, 3rd Edition.
[4] Baumann, R. and Plattner, C. (2002). White Paper: Honeypots. Swiss Federal Institute of Technology, Zurich.
[5] Gubbels, K. (2002). Hands in the Honeypot. GIAC Security Essentials Certification (GSEC).
[6] www.USconstitution.net