Re: Know your enemy, Virtual Honeynets, Yet more information
From: Benjamin Robson (ben@robson.ph)
Date: 08/21/02
- Previous message: Nicholas Bachmann: "Re: Know your enemy, Virtual Honeynets, Yet more information"
- Maybe in reply to: Benjamin Robson: "Know your enemy, Virtual Honeynets, Yet more information"
- Next in thread: Dragos Ruiu: "Re: Know your enemy, Virtual Honeynets, Yet more information"
- Next in thread: McCammon, Keith: "RE: Know your enemy, Virtual Honeynets, Yet more information"
- Reply: Dragos Ruiu: "Re: Know your enemy, Virtual Honeynets, Yet more information"
Date: 21 Aug 2002 05:46:19 -0000
From: Benjamin Robson <ben@robson.ph>
To: focus-ids@securityfocus.com
In-Reply-To: <Pine.LNX.4.44.0208201310380.26371-100000@marge.spitzner.net>
Lance,
OK, I need to clarify something here.
Great, I am pleased to see that the "Honeynet Project" advocates the
correct considerations prior to deployment of a honeypot(net) system(s).
My comments are not so much targeted at any particular system or group.
The point I am trying to make is that there are LOTS of security
professionals out there today that claim if you don't have a firewall and
IDS, a honeypot and a blender (in extreme cases), then you just aren't
secure. They are advocating such systems where they are just not
appropriate.
*sigh* If only security professionals weren't so precious about these
things, and a little more responsive to the real-world (at least as
real-world as managers get), then the market as a whole might be a little
more receptive to the security case.
My overall comment intended to say that the security professionals of the
world need to get down from their nice clean offices, and into the
trenches a bit more with the poor systems administrators who are the ones
facing the real world scenarios. They are not called in on a
case-by-case basis, nor do they get to just sit around playing with new
"funky" security technology. They need things that are quick to deploy,
easy to understand, and improve their workload, not make it worse.
Ben
>> I feel strongly that security professionals need to get down off their
>> soap-boxes (at least one foot off) and stop advocating the need to deploy
>> every security technique that comes along. We need to advocate
>> appropriate solutions, for the appropriate environment, for the
>> appropriate level of expertise and resourcing available.
>
>*sigh*, if Benjamin had only read the referenced Honeynet paper, like
>the Virtual Honeynet paper asked him to.
>
> http://www.honeynet.org/papers/honeynet/
>
> "Last, Honeynets will not solve your security problems. We highly
> recommend that organizations focus on best practices first, such as
> strong authentication, use of encrypted protocols, reviewing system logs,
> and secure system builds. By prioritizing on proper policies and
> procedures, organizations can greatly reduce risk. Honeynets do not
> reduce risk, they most likely increase it. If your organization is
> interested in the detection or deception capabilities of honeypots, then
> we recommend you review the honeypot whitepaper and products discussed at
> the beginning of this article. Honeynets are a honeypot designed
> primarily for research, to gather information on the enemy. They will not
> fix your unsecured server, nor fix bad process or procedures."