
Topologies and IDS • Chapter 7  465


Figure 7.14 A Honeypot in Use to Keep Attackers from Affecting Critical Production Servers

[Figure labels: The Internet and DMZs; Honeypot; Production Server; Production Server.
Callouts: "Attacker spends all of their time attacking the honeypot because it looks like a poorly configured and insecure production server." "The honeypot provides alerts to the network administrator so they can take defensive measures as desired to stop or monitor the attack." "The production servers continue operating without being affected by the attempted attack."]

The honeypot only appears to be a critical production server. However, it is running a special IDS package that can intelligently respond to the attacker, track the attacker's actions, and keep the attacker engaged while important attack information is being collected. The attack signature that is collected can be used later to prevent attacks of the same sort from actually succeeding against real servers. In most cases, the attacker never knows the difference between the honeypot and a real server and thus does no lasting damage to the network itself.
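The behaviour described above (answer the peer, record what it sends, alert the administrator, keep a signature for later) can be sketched as a small decoy listener. This is an added example, not code from the book, and far simpler than the IDS package the text refers to. The banner, reply, port and event field names are assumptions chosen for illustration.

```python
import hashlib
import json
import socket
import threading
from datetime import datetime, timezone

BANNER = b"220 ftp01 FTP server ready\r\n"  # constructed decoy banner (assumption)
REPLY = b"530 Login incorrect.\r\n"          # always refuse, so the peer keeps trying


def record_event(peer, data, sink):
    """Log one alert. Nothing legitimate talks to a decoy, so every event counts."""
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "payload": data.decode("latin-1"),
        # Hash of the raw bytes: a crude exact-match signature for later filtering.
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    sink.append(event)
    print(json.dumps(event))  # stand-in for the alert sent to the administrator
    return event


def handle(conn, peer, sink, idle_timeout=5):
    """Send the banner, then record and answer whatever the peer sends."""
    with conn:
        conn.settimeout(idle_timeout)
        try:
            conn.sendall(BANNER)
            while data := conn.recv(1024):
                record_event(peer, data, sink)
                conn.sendall(REPLY)
        except (socket.timeout, ConnectionError):
            pass  # peer went quiet or dropped; what was captured is already in sink


def serve(host="127.0.0.1", port=2121):
    """Accept connections forever, one thread per peer (port is an assumption)."""
    sink = []
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, sink), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the decoy offers no real service, every recorded event is a candidate alert; the stored payload and hash are the raw material for a signature on the real servers' defenses.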


Walking the Line Between Opportunity and Entrapment
Notes from the Underground…

Most law enforcement officers are aware of the fine line they must walk when setting up a “sting”—an operation in which police officers pretend to be victims or participants in crime, with the goal of getting criminal suspects to commit an illegal act in their presence. Most states have laws that prohibit entrapment; that is, law enforcement officers are not allowed to cause a person to commit a crime and then arrest him or her for doing it. Entrapment is a defense to prosecution; if the accused person can show at trial that he or she was entrapped, the result must be an acquittal.

Courts have traditionally held, however, that providing a mere opportunity for a criminal to commit a crime does not constitute entrapment. To entrap involves using persuasion, duress, or other undue pressure to force someone to commit a crime that the person would not otherwise have committed. Under this holding, setting up a honeypot or honeynet would be like the (perfectly legitimate) police tactic of placing an abandoned automobile by the side of the road and watching it to see if anyone attempts to burglarize, vandalize, or steal it. It should also be
                                                                                        Continued

                                                                              www.syngress.com