Honeypots mailing list archives

Re: Gen I or Gen II


From: Richard Stevens <mail () richardstevens de>
Date: Sat, 8 Feb 2003 18:53:30 +0100


On Saturday 08 February 2003 18:18, george chamales wrote:
> What is the topic of your thesis and what sort of information are you
> looking to gather?  More specific information would help everyone
> better answer your question.

Basically, in my thesis I'd like to relate the cost, value and risk involved 
in setting up a research honeynet. I have found a corporate partner who is 
sponsoring the effort. It's an ISP and telephone service provider. They'll 
provide me with some hardware, space to put the machines, network 
connectivity and some manpower in case I have problems or questions. There is 
no final decision on the types of honeypots yet, but there will be some 
systems similar to systems they have in production right now and a sensor for 
a new intrusion detection system that is going into production soon. Besides 
the obvious, checking out those systems in a very controlled environment, I'm 
interested in what information can be gained with such a setup, how much it 
costs to set up and maintain, and what the risks involved are. That means 
that the honeynet itself is not really set up and configured to see, find or 
analyze a certain threat or type of threat, but it should allow detection and 
analysis of a broad range of attacks/threats to get a better measurement of 
the potential value. I believe such a setup could be very interesting for 
ISPs, since it can provide an early warning facility, a means to analyze 
certain threats after they have happened with pure data without having to wade 
through the main firewall and IDS logs, and potentially even more. 

Right now I'm in the planning stage, and the result should be the outside frame 
with data control, data capture and alert mechanisms in place. By the time 
that stage is completed, I'll probably have final decisions about the 
honeypots that are supposed to go in. Once I know the systems, I can plan the 
modifications needed to gain as much information as possible from the 
honeypots. The IDS sensor is for now just supposed to run alongside, mainly to 
compare the results between the findings of the honeynet infrastructure and 
that sensor. I'm not quite sure about the way that thing works yet, so maybe 
there is something else one can do with it, for example check for attacks 
against the sensor and see how it reacts. 

I hope this gives a better overview of the goals and plans.


Richard

