http://www.oaklandtribune.com/Stories/0,1413,82~1865~1776530,00.html

By Ian Hoffman
STAFF WRITER
November 19, 2003

Instead of merely fending off thousands of daily computer attacks, federal researchers are trying a new tack: Create a meaningless digital universe to bog down hackers and study their tactics.

It's called a "honeynet," and while the idea isn't exactly new, branches of the U.S. defense community are starting to embrace the idea.

"If I can detect and delay someone until I can get a (law-enforcement) response to where they are, then I don't need to build four-foot-thick bunkers to keep them out," said Barry V. Hess, co-manager of cybersecurity for Sandia National Laboratories.

Network-security experts at Sandia's California campus in Livermore are experimenting with such a mirage this week in Phoenix. Their charge is protecting a supercomputing conference touted as the most data-rich public gathering in the world, handling the wired and wireless equivalent of more than 30,000 cable modems -- all without a main firewall.

It adds up to a vigorous road test for Sandia's honeynet, especially with new breeds of supercomputers and video-conferencing systems tying online almost every day of the conference.

"The door is wide open," said Tim Toole, a Sandia network architect working security for SC2003. "If someone wants to, they can knock at the door of Booth 31's supercomputer and they can walk right in."

First an attacker has to identify the target machine. Automated worms and viruses get screened by the virtual network. Human attackers probe deeper and find an improbably large universe of computers.

Unlike honeypots -- machines or software mimicking a vulnerable computer operating system -- a honeynet is a bogus network, a cyber-verse that has no purpose except to distract hackers from a real network and record their actions in a system where they can't do much harm.

That's the fascination of honeypots and honeynets, said honeypot builder Niels Provos, a security researcher for Google and member of the Honeynet Project, a loose-knit group of security experts looking at the technology.

"You'd like people who are in the business of attacking networks to tell you their knowledge," Provos said. "So you put honeypots out there."

Honeypots already have fingered computer vulnerabilities, helped trace the black market in credit-card numbers and shown promise at filtering spam.

Honeynets give researchers a glimpse at the vast flow of pings, probes and illicit traffic. In a typical day, for example, Sandia-California's unclassified computer network is hit by roughly 100,000 worms and 100 to 200 attack attempts.

The lab's classified computer network, which contains nuclear weapons data, defense and intelligence information, is considered relatively secure. By law, it is "air-gapped" from outside connections, except for a limited number of government links protected by encryption approved by the National Security Agency.

But the unclassified network still contains proprietary business and personnel information worth protecting.

"The ultimate goal is to deter them from your real computer system and delay them on a fictitious system so you have more time to figure out who they are and what they're after," Toole said. "We can feed them a little good information, a little bad information. We can use it as an educational tool to figure out their mentality. We want to see if we can go after the black hats."

Experts say the growing federal interest in honeynets doesn't presage the end of firewalls, intrusion-detection systems and other cybersecurity tools.

"It's not a silver bullet, and it certainly doesn't replace the need for other forms of computer security," said Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School's Center for Terrorism and Irregular Warfare in Monterey.

[...]