Firewall Wizards mailing list archives

Re: Intrusion Detection Systems, - Honeypots?


From: Lance Spitzner <lance () honeynet org>
Date: Thu, 27 Dec 2001 21:08:16 -0600 (CST)

On Thu, 27 Dec 2001, R. DuFresne wrote:

Granted you go on to mention that in the detection realm they function to
lower the false positive level and thus false alarms.  But, of the two
examples of honeypots, BackOfficer is pretty specialized, SPECTER is
listed specifically as an IDS. If a specific system or set of systems are
not set up as honeypot servers in total, from the OS up, as in chroot'ed
jails, this implies one has a lot of specialised honeypot code, for each
specific attack vector as in the first listed, BackOfficer, to set up and
log from, this might well work to counter the simplicity of installation
and deployment, does it not?

heh heh, I think we may be disagreeing on definitions, not technologies.
I personally feel SPECTER is a honeypot.  It is a resource whose value
lies in being probed, attacked, or compromised.  This is different from
an IDS sensor, the last thing you want is your IDS systems to be attacked.
SPECTER's purpose is similar to IDS, the detection of attacks. However,
HOW it detects the attacks is different conceptually.

As for enterprise level deployments, you are absolutely correct,
few honeypot technologies are capable of enterprise solutions.  In
such a situation, they may require more work than they are worth.
However, honeypots do have the advantage that they produce far less
data than most security technologies (firewalls, IDS, system logs)
so they are potentially easier to deploy and manage.

lance

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
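As an added illustration of the detection model described in the reply above (a resource with no production use, so any contact with it is an event in itself, with no signature to match and very little data to store), here is a minimal low-interaction TCP honeypot in Python. It is example code written for this archive page, not code from the thread, from SPECTER or from BackOfficer Friendly; the class name, the fake SMTP banner and the `probe()` test client are constructed for the example.

```python
import socket
import threading


class Honeypot:
    """Low-interaction TCP listener with no production use: anything that
    connects is an event, so detection needs no signatures and the log
    stays small (the "value lies in being probed" model from the thread)."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 smtp ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))      # port 0: the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner              # constructed fake service banner
        self.events = []                  # one record per connection, nothing else
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src, sport) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)
                try:
                    data = conn.recv(512)  # first bytes the prober sends, if any
                except socket.timeout:
                    data = b""
                # Log before closing: the prober's EOF then implies the event exists.
                self.events.append({"src": src, "src_port": sport, "dst_port": self.port,
                                    "first_bytes": data[:64].hex()})

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port, payload=b"HELO probe\r\n"):
    """Constructed test client: connect, read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        banner = s.recv(64)
        s.sendall(payload)
        s.recv(64)   # returns b"" once the honeypot has logged and closed
    return banner
```

Every entry in `events` is worth a look, because no legitimate client has a reason to talk to this port; that is the whole difference from an IDS sensor, which must sort attacks out of real traffic.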