The Statue of Liberty: Utilizing Active Honeypots for Hosting Potentially Malicious Events, presented at Black Hat USA 2006

by Philip Trainor

Summary: The premise of the demonstration is that there are no secure systems. Traffic that may have malicious intent, but has not yet caused problems in any published occurrences, may reach protected services and clients after passing through edge equipment and inline IPS devices. This traffic should be sent to closely monitored virtual machines that host mirrors of the real services and are segregated from the primary services on the network. These virtual hosts will be the services used by certain types of network traffic that may have malicious intent. The purpose of sending potentially malicious traffic to the virtual services is to gain insight into the nature of the potential attack and to spare the real services, creating an improved risk management model for deploying network services that are exposed to attack. However, in most cases the traffic will probably cause no harm to the virtual system, and the remote user will simply be given access to what is most likely a minimal version of the service.
The discussion will not be technical to the point where coding techniques are discussed. It will cover fitting the demonstrated project into an existing network security topology, followed by a demonstration of an attack that foils current security, reaches the virtual services, and compromises them while the main services are not taken down. Knowledge of common network security practices and basic security auditing techniques is a prerequisite.