This is the research I have done for my postgraduate studies. It is only an overview, intended to give anyone interested in the topic an idea of what honeypots are. A honeypot is a server that is attached to the Internet. Its purpose is to attract potential hackers. Once the honeypot tracks a potential hacker, it studies them to find out how they are able to break into systems. Honeypots are made to look attractive to potential hackers. The honeypot wants the hacker to partially break into its network so that the honeypot can study the hacker. Most likely, the intruder will have no idea that the honeypot is studying him or her. The majority of honeypots are installed inside a system's firewall so that the honeypot can be properly managed.
Overview
Today, compromised network security is a growing problem for computer networks. It can be a major disaster for businesses and organizations that rely on their IT systems, where a security incident results in damage to information assets. Hence, the IT departments of such organizations are exploring numerous possibilities for detecting and preventing these attacks. Among them, the honeypot is one technology that can be used to detect and prevent network-based attacks.
A honeypot is a highly flexible security tool with a range of applications. It does not fix a single problem; instead it can be used for multiple purposes, such as prevention, detection, or information gathering.
Generally, the honeypot is a computer within the network, but one that is placed in isolation from the other servers. Usually a honeypot is used as bait. The intruder is lured into discovering the honeypot and breaking into it, and the honeypot then determines what the attacker is able to do. The attackers would then be drawn towards the network. As a result, the vulnerability of the network grows with time.
Objectives
The main objective of this project is to place the honeypot inside the production server in such a way that, under a persistent attack, its performance degrades less than it would without the honeypot. To achieve this we have to perform the following steps.
- Capture and gather traffic information on intruders attracted to the network (by tracking their movements) without causing any harm to data on the production server.
- Simultaneously analyze the information gathered.
- Redirect the intruder's traffic according to the results of the analysis.
- Eliminate intruders with the help of an IPS.
In this kind of scenario the intruder has to be given some level of freedom to use the functionalities and services of the production network. Subsequently, by analyzing the traffic and the actions taken by the visitor, it is possible to decide whether he is an intruder and, if so, to redirect him to the network's Intrusion Prevention System (IPS) to eliminate the attack. In the methodology envisaged in this project, where the honeypot is implemented inside the production server, the following issues were anticipated:
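As an added illustration of the four steps above (this is example code written for this page, not part of the author's project), the following Python script runs the analysis step over a handful of constructed connection records and produces the redirect and block decisions that the later steps act on. It assumes that a few decoy ports on the production host are honeypot listeners which no legitimate client is ever told about, that a source touching five or more distinct ports within a minute is a scanner worth redirecting to the honeypot, and that a source which contacts a decoy port is a confirmed intruder to be handed to the IPS. It also records how long each decision took after the source was first seen, which is the quantity the "detected and prevented in a short period of time" objective is concerned with.

```python
"""Toy triage logic for a honeypot placed inside a production host.

Added example (not the author's project code). It reads constructed
connection records, decides per source whether traffic is normal,
should be redirected to the honeypot, or should be handed to the IPS
for blocking, and measures how long each decision took.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: these decoy ports are honeypot listeners on the production host.
# No legitimate client is ever told about them, so a connection attempt is a
# strong signal by itself.
DECOY_PORTS = {2222, 3389, 8081}

# A source that touches this many distinct ports inside the window looks like
# a scan and is redirected to the honeypot for closer observation.
SCAN_WINDOW = timedelta(seconds=60)
SCAN_DISTINCT_PORTS = 5

# Constructed sample records: "<ISO timestamp> <source IP> <destination port>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 443
2024-01-01T10:00:01 203.0.113.5 443
2024-01-01T10:00:05 198.51.100.7 22
2024-01-01T10:00:06 198.51.100.7 80
2024-01-01T10:00:07 198.51.100.7 443
2024-01-01T10:00:08 198.51.100.7 8080
2024-01-01T10:00:09 198.51.100.7 8443
2024-01-01T10:00:10 198.51.100.7 3306
2024-01-01T10:00:12 198.51.100.7 8081
2024-01-01T10:00:30 192.0.2.9 2222
2024-01-01T10:00:31 192.0.2.9 2222
"""


@dataclass
class Verdict:
    action: str = "allow"        # "allow", "redirect" (to honeypot) or "block" (to IPS)
    reason: str = "no decoy contact, no scan pattern"
    seconds_to_detect: Optional[float] = None  # first sighting -> first suspicion
    seconds_to_block: Optional[float] = None   # first sighting -> block decision


def parse_log(text: str) -> List[Tuple[datetime, str, int]]:
    """Step 1 output: (timestamp, source, port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, port = line.split()
        events.append((datetime.fromisoformat(stamp), src, int(port)))
    events.sort(key=lambda e: e[0])
    return events


def triage(text: str) -> Dict[str, Verdict]:
    """Step 2: analyse captured traffic and reach a decision per source."""
    per_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for stamp, src, port in parse_log(text):
        per_src[src].append((stamp, port))

    verdicts: Dict[str, Verdict] = {}
    for src, hits in per_src.items():
        first_seen = hits[0][0]
        v = Verdict()
        for i, (stamp, port) in enumerate(hits):
            elapsed = (stamp - first_seen).total_seconds()
            if port in DECOY_PORTS:
                # Step 4: confirmed intruder, hand the address to the IPS.
                v.action, v.reason = "block", f"contacted decoy port {port}"
                v.seconds_to_block = elapsed
                if v.seconds_to_detect is None:
                    v.seconds_to_detect = elapsed
                break
            # Distinct ports this source touched inside the trailing window.
            window = {p for t, p in hits[: i + 1] if stamp - t <= SCAN_WINDOW}
            if len(window) >= SCAN_DISTINCT_PORTS and v.action == "allow":
                # Step 3: suspicious but not yet proven, redirect to the honeypot.
                v.action = "redirect"
                v.reason = f"{len(window)} distinct ports within {SCAN_WINDOW.seconds}s"
                v.seconds_to_detect = elapsed
        verdicts[src] = v
    return verdicts


def block_list(verdicts: Dict[str, Verdict]) -> List[str]:
    """Addresses to pass to the IPS, sorted so the rule set is stable."""
    return sorted(src for src, v in verdicts.items() if v.action == "block")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for src, v in results.items():
        print(f"{src:15} {v.action:8} {v.reason} "
              f"(detect {v.seconds_to_detect}s, block {v.seconds_to_block}s)")
    print("IPS block list:", block_list(results))
```

On the constructed records, the scanner at 198.51.100.7 is redirected four seconds after it is first seen and blocked three seconds later when it reaches a decoy port, while the ordinary client on 203.0.113.5 is never touched. The point of separating "redirect" from "block" is that a scan alone is only suspicion, so the source is steered into the honeypot where its actions can be observed without risking production data; contact with a decoy service is the evidence that justifies handing the address to the IPS.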
- The production server can get overloaded and, as a result, its performance may degrade.
- There is a likelihood of the network becoming more vulnerable to attack, since the honeypot is implemented inside a production server.
- What methodology should be used to block a particular IP address once it has been identified as belonging to an intruder.
The measures adopted in this study in order to resolve the issues are described below:
- Proving that the degradation caused by an intruder is much more severe than the performance degradation caused by the honeypot being present in the production server.
- Proving that the intruder would be detected and prevented within a short period of time, so that the damage caused to the production server would be minimal.
- Conducting various testing methodologies in order to select the best method for blocking intruders.
The above three points can also be considered some of the minor objectives of my project. However, since my study involves research as well as implementation, I may have to try out various options in order to develop the most efficient and appropriate method for tracking attackers.
