Source: net130
In recent years, few people would deny that information security has become the most serious problem facing network administrators. The administrator must spend a great deal of time making sure that the network has the latest security patches installed and a firewall in place, and that the intrusion detection system records all suspicious activity. Unfortunately, today's firewalls and intrusion detection systems are no longer as effective as they once were, because as the number of security-relevant events grows, the log output of firewalls and intrusion detection systems grows with it; some systems now produce 1 GB of logs per day. No enterprise has enough staff to process that volume of logs every day.
I am not saying that firewall logs and intrusion detection system reports have no value. In fact, they do their respective jobs faithfully. But when you face such a volume of information and reports, most of it untargeted scans that pose no threat to the system, you become frustrated. Is there really no better way to defend?
Honeypots solve the problem of information overload
In some respects, a honeypot may be a better method. Honeypots come in two types, real and virtual, and both serve as bait for intruders. The concept dates back years, to when network administrators wanted a way to find out who was probing their network. There is a well-known saying: if you want no one to know, you must not do it. Anyone probing the network has to send data out, and that data can be noticed. Building on this principle, people set up bait systems in the network that periodically send out packets related to Windows network services; a hacker listening on the network who captures these packets then tries to learn more about the bait system through DNS queries. Once such a DNS query arrives, the host name and IP address that sent it, together with the query time, are recorded.
Since this technique was first proposed, bait systems, or honeypots, have developed rapidly. Today many companies offer a variety of honeypot solutions. If you care about network security, a honeypot will indeed benefit you a great deal. But before deploying one, you need to choose between a real honeypot and a virtual honeypot.
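The detection step described above (a lurker who captured the bait packets gives himself away by asking DNS about the bait host) can be carried out by scanning the resolver's query log. The following is an added example, not code from the original article; the bait host name and address, the query-log line format and the sample log lines are all constructed for illustration:

```python
import ipaddress
import re
from datetime import datetime

# Assumed bait host; both values are constructed for this example.
BAIT_HOSTNAME = "bait-fs01.corp.example"
BAIT_IP = ipaddress.ip_address("10.20.30.40")

# Assumed query-log line format (constructed, loosely BIND-style):
# <ISO time> client <ip>#<port> (<client hostname>): query: <qname> IN <qtype>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+ \((?P<host>[^)]*)\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def is_bait_lookup(qname, qtype):
    """True if the query asks about the bait host by name or by reverse lookup."""
    name = qname.rstrip(".").lower()
    if name == BAIT_HOSTNAME:
        return True
    # A reverse lookup of the bait address arrives as a PTR query for the
    # reversed octets under in-addr.arpa.
    return qtype.upper() == "PTR" and name == BAIT_IP.reverse_pointer


def find_lurkers(log_lines):
    """Return one record (who, from where, when) per query that touched the bait."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in another format are ignored
        if is_bait_lookup(m["qname"], m["qtype"]):
            hits.append({
                "time": datetime.fromisoformat(m["ts"]),
                "client_ip": m["ip"],
                "client_host": m["host"] or "<unresolved>",
                "query": m["qname"],
                "qtype": m["qtype"].upper(),
            })
    return hits


# Constructed sample log: two hosts look up the bait, one does an ordinary mail lookup.
SAMPLE_LOG = [
    "2024-03-01T09:15:02 client 10.0.5.77#53211 (ws-finance-12): query: bait-fs01.corp.example IN A",
    "2024-03-01T09:15:03 client 10.0.5.77#53212 (ws-finance-12): query: 40.30.20.10.in-addr.arpa IN PTR",
    "2024-03-01T09:16:40 client 10.0.8.9#41000 (printer-3): query: mail.corp.example IN MX",
    "2024-03-01T09:17:01 client 192.168.77.5#6000 (): query: bait-fs01.corp.example. IN AAAA",
]

if __name__ == "__main__":
    for hit in find_lurkers(SAMPLE_LOG):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S}  {hit['client_ip']:<15} "
              f"{hit['client_host']:<14} {hit['qtype']:<5} {hit['query']}")
```

Because the bait host has no legitimate users, every query that names it or reverse-resolves its address is worth a look; the record keeps exactly the three things the article says get logged: the querying host name, its IP address and the time.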
Real vs virtual
When choosing between a real and a virtual honeypot, you need to weigh risk against return. A virtual honeypot is cheap, but it carries certain security risks, and it is not as good as a real honeypot at catching hackers. A real honeypot, on the other hand, is far better at intrusion detection, but a top hacker may use it as a foothold to take over your network.
Advantages of virtual honeypot
A virtual honeypot is a simulation program. For example, a virtual honeypot can simulate an FTP server, monitor all TCP and UDP ports, and record the activity on every port. When a hacker finds this fake FTP server (not knowing it is fake), he tries to open an FTP session. The virtual FTP server (the virtual honeypot) then records everything the hacker does: for example, which port was used and which authentication mechanism was attempted. The virtual FTP server answers the hacker's commands just as a real FTP server would. Better still, because it is only a virtual FTP server with no real operating system behind it, even if the hacker breaks into the FTP service he cannot go on to take control of other computers on your network.
In theory, this approach is quite good. It is safe to run and captures a great deal of useful information. For example, if you obtain the credentials the hacker logged in with, you can find out which account is under attack and take corrective action. That, however, is about where its advantages end.
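The kind of simulated FTP server described above is, in practice, a small control-channel state machine that answers commands with the standard reply codes but never grants a login and never exposes a filesystem. The following is an added example, not code from the article or from any honeypot product; the listening port, the greeting banner and the event format are assumptions:

```python
import socketserver
from datetime import datetime, timezone

LISTEN_PORT = 2121                 # assumed; a deployment would use 21 or redirect to it
BANNER = "220 FTP server ready"    # constructed greeting


class FtpDecoy:
    """Control-channel state machine for one connection.

    It knows only enough of the FTP command set (RFC 959) to carry a login
    attempt: USER, PASS, AUTH, NOOP and QUIT. Everything else is refused with
    530, the same reply a real server gives before login, so the decoy never
    has to fake a filesystem and there is no operating system to break into.
    """

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.events = []  # ordered record of everything the client did

    def _log(self, command, detail=""):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "peer": self.peer,
            "command": command,
            "detail": detail,
        })

    def handle_line(self, line):
        """Consume one command line (CRLF optional) and return the reply to send."""
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        self._log(cmd, arg)
        if cmd == "USER":
            self.user = arg
            return "331 Please specify the password."
        if cmd == "PASS":
            # Record the full credential pair, then refuse it unconditionally.
            self._log("LOGIN_ATTEMPT", f"user={self.user!r} password={arg!r}")
            return "530 Login incorrect."
        if cmd == "AUTH":
            # The client asked for a security mechanism (e.g. TLS): note it, decline it.
            self._log("AUTH_MECHANISM", arg.upper())
            return "502 Command not implemented."
        if cmd == "NOOP":
            return "200 NOOP ok."
        if cmd == "QUIT":
            return "221 Goodbye."
        return "530 Please login with USER and PASS."


class DecoyHandler(socketserver.StreamRequestHandler):
    """Wire the state machine to a TCP connection and dump its events on close."""

    def handle(self):
        decoy = FtpDecoy("%s:%d" % self.client_address)   # peer IP and source port
        self.wfile.write((BANNER + "\r\n").encode())
        while True:
            raw = self.rfile.readline()
            if not raw:
                break  # client closed the connection
            reply = decoy.handle_line(raw.decode("utf-8", "replace"))
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
        for event in decoy.events:
            print(event)  # a real deployment would ship these to a log collector


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", LISTEN_PORT), DecoyHandler) as server:
        server.serve_forever()
```

Run it and connect with any FTP client to see the exchange; the events list is the honeypot's whole value, and the LOGIN_ATTEMPT entries are what tell you which accounts are being tried. The limitation the article goes on to describe is visible here too: the moment a client sends anything beyond a login attempt, every reply is the same 530, which a careful visitor will notice.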
Disadvantages of virtual honeypot
A virtual honeypot has two major shortcomings. First, it only fools novice hackers. Remember that the virtual honeypot has no real operating system behind it (some solutions embed a simplified Windows or Linux environment). An experienced hacker will therefore find that many commands do not work on this host, which tells him immediately that he is on a honeypot rather than a real server.
The other shortcoming of the virtual honeypot is the limited range of information it records. If a virtual honeypot is disguised as an FTP server, it can only collect FTP-related information. Most virtual honeypots can also capture port scans and other basic attack information. But what if a hacker sends encrypted data over an IPv6 port? Because the virtual honeypot's functionality is limited, it cannot record such activity. In short, a virtual honeypot can detect and record known attack types, but it is useless against new attacks.
Advantages of real honeypot
A real honeypot is a bait system made up of one or more real systems. Because it is a real system with a real operating system, it responds to the hacker's actions exactly as any other host on the network would. This cuts both ways. The advantage is that it is almost impossible for the hacker to notice that he has walked into a trap rather than a real production network. In fact, the only thing likely to arouse suspicion is a carelessly built honeypot network that has not applied the normal security updates.
The biggest advantage of a real honeypot is its intrusion detection capability. The system assumes that any data sent to the honeypot network is malicious, so there is no need to worry that some new technique will escape capture: every action the hacker takes is recorded by the real honeypot.
Disadvantages of real honeypot
The real honeypot has its own shortcoming: a skilled hacker may compromise it and use it as a stepping stone for attacking your production network. To prevent this, you need to set up a firewall between the honeypot network and the production network that blocks all data communication between the two. The more sophisticated Linux honeypots have a built-in function for preventing hackers from breaking out into the production network; Windows honeypots have no equivalent yet.
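The two points about a real honeypot network, that any traffic sent to it is malicious by definition and that nothing may cross from it into the production network, translate directly into triage rules over the firewall's connection log. The following is an added example, not from the article; the address ranges, the log line format and the sample records are constructed for illustration:

```python
import ipaddress

# Assumed address plan (constructed for this example).
HONEYPOT_NET = ipaddress.ip_network("10.99.0.0/24")
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2, "critical": 3}


def classify(record):
    """Apply the two rules from the text to one connection record; returns (severity, reason)."""
    src = ipaddress.ip_address(record["src"])
    dst = ipaddress.ip_address(record["dst"])
    if src in HONEYPOT_NET and dst in PRODUCTION_NET:
        # Rule 2: nothing may leave the honeypot for production. A DENY is the
        # firewall doing its job; an ALLOW means the isolation has failed.
        if record["action"] == "ALLOW":
            return "critical", "honeypot reached production: isolation failure, possible pivot"
        return "high", "honeypot tried to reach production (blocked)"
    if dst in HONEYPOT_NET and src not in HONEYPOT_NET:
        # Rule 1: the honeypot has no legitimate users, so any contact is hostile.
        return "medium", "inbound contact with honeypot: assume malicious"
    return "info", "ordinary traffic"


def parse(line):
    """Parse the constructed format: <time> <ALLOW|DENY> <src_ip> <dst_ip> <dst_port>."""
    time, action, src, dst, port = line.split()
    return {"time": time, "action": action.upper(), "src": src, "dst": dst, "port": int(port)}


def triage(lines):
    """Parse and classify every non-empty line, preserving order."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        record = parse(line)
        severity, reason = classify(record)
        results.append({**record, "severity": severity, "reason": reason})
    return results


def alerts(lines, min_severity="medium"):
    """Keep only records at or above the given severity."""
    floor = SEVERITY_ORDER[min_severity]
    return [r for r in triage(lines) if SEVERITY_ORDER[r["severity"]] >= floor]


# Constructed sample: an outside host contacts the honeypot, then the honeypot
# tries to reach production (once blocked, once mistakenly allowed).
SAMPLE_LOG = [
    "2024-03-01T10:00:01 ALLOW 203.0.113.5 10.99.0.20 22",
    "2024-03-01T10:00:09 ALLOW 10.10.4.15 10.10.7.8 443",
    "2024-03-01T10:02:30 DENY 10.99.0.20 10.10.7.8 445",
    "2024-03-01T10:05:11 ALLOW 10.99.0.20 10.10.2.2 3389",
    "2024-03-01T10:06:00 ALLOW 10.99.0.20 10.99.0.21 80",
]

if __name__ == "__main__":
    for r in alerts(SAMPLE_LOG):
        print(f"[{r['severity']:<8}] {r['time']} {r['src']} -> {r['dst']}:{r['port']}  {r['reason']}")
```

The ordering of the two checks matters: a record from the honeypot towards production is judged first, so a compromised honeypot that is already talking to production is never downgraded to "ordinary traffic". An ALLOW on that path should be treated as a firewall misconfiguration as well as an incident, because the rule the article calls for is to block that direction entirely.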
Real is obviously better than virtual
In many environments, the real honeypot is the better choice. But before you buy one, you should understand its cost. Besides the machines, you need to buy the operating system and the other software installed on the real honeypot. And finally, you need to be prepared for the real honeypot to be cracked by a top hacker.