> > Still, it's the only way that we can get done what we need. I'm fairly
> > reserved to the fact that it isn't going to be accepted this way (I was
> > actually fairly surprised when initially it was said that supporting
> > honeypots would be something we should shoot for),
>
> What I actually said was that I guessed the weird need was for honeypots, and
> that honeypots is a legitimate security goal, which is a bit different from
> "LSM should shoot for it."

Sorry for the paraphrasing.

> Now, I see the value of honeypots as a research tool, and the Honeynet Project
> http://project.honeynet.org/ in particular seems to be gathering valuable
> data. However, I disbelieve that honeypots are an important thing to deploy
> widely. I think it's a bad idea to deploy a honeypot on a production network
> that you're actually trying to protect.

Having done a fairly extensive amount of work on honeypots over the last year,
I would tend to disagree with this. There are honeypots, certainly, that are
weakened up and deployed by just plugging them in, with no security measures
enforced. However, with a decent amount of firewall to protect yourself from
the honeypot, they can be a wonderful security tool.

One of the major problems with IDS systems is the number of false positives. A
honeypot has no business being addressed by legitimate users, so running a
(hidden) tcpdump on it and sending alerts whenever it actually sees any traffic
addressed to it makes it a fairly accurate detector of bad things happening to
your network.

Which is not to say that every network should have one. But the benefits that
honeypots provide in terms of education and diversion of attackers, in addition
to the alerting I just mentioned, certainly make it a field that is going to
become more and more popular in the years ahead.

David Wagner has suggested an approach which would make my particular honeypot
(which has its own unique quirks, certainly) function within the LSM framework.
It would be somewhat invasive, but if it can provide functionality to support
honeypots while we are mostly focusing on products like SELinux, then I'd say
that's probably about as general as it is going to get.

> LSM is all about enabling the wide deployment of security enhancements: things
> that lots of people will want to use. LSM lowers the "barrier to entry" by
> allowing a module to load into a stock kernel, rather than having to manually
> patch & build a kernel, which may be too much for some busy/clueless people to
> bother with.

Which is good, certainly. I would love to see a bit of a shift towards
secure-mindedness, and if LSM provides that and not functionality for
honeypots, I'll still take that as a win.

-Titus

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
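The "hidden tcpdump as a low-false-positive alarm" idea from the message above, as an added example that is not part of the original post or of any LSM or honeypot project code. It assumes a honeypot at 192.0.2.10, a single administrative host 192.0.2.1 that is allowed to talk to it (so the monitoring channel itself does not trip the alarm), and tcpdump's `-n` text output format for IPv4 TCP/UDP lines; the sample capture is constructed for the example, not taken from a real network. The BPF expression is what the hidden capture would run with; the parser then collapses packets into one alert per source host so a port scan produces a single alert listing the ports touched rather than one alert per SYN.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` text output; not a real capture.
# 192.0.2.10 is the honeypot, 192.0.2.1 the permitted admin host,
# 192.0.2.20 an unrelated host on the same segment.
SAMPLE_LINES = """\
10:41:02.112233 IP 192.0.2.1.51000 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
10:41:02.112900 IP 192.0.2.10.22 > 192.0.2.1.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:41:05.000001 IP 203.0.113.5.43112 > 192.0.2.10.22: Flags [S], seq 3, win 29200, length 0
10:41:05.000400 IP 192.0.2.10.22 > 203.0.113.5.43112: Flags [R.], seq 0, ack 4, win 0, length 0
10:41:05.200001 IP 203.0.113.5.43113 > 192.0.2.10.80: Flags [S], seq 5, win 29200, length 0
10:41:06.000001 IP 203.0.113.5.43114 > 192.0.2.10.443: Flags [S], seq 6, win 29200, length 0
10:41:07.000001 IP 198.51.100.7.1234 > 192.0.2.10.445: Flags [S], seq 7, win 8192, length 0
10:41:08.000001 IP 198.51.100.7.1234 > 192.0.2.20.445: Flags [S], seq 8, win 8192, length 0
10:41:09.000001 IP 198.51.100.9.40000 > 192.0.2.10.53: UDP, length 40
"""

# Matches the head of a `tcpdump -n` IPv4 line:
#   "<timestamp> IP <src>.<sport> > <dst>.<dport>: ..."
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def bpf_filter(honeypot_ip, allowed_peers=()):
    """BPF expression for the hidden capture: everything addressed to the
    honeypot except packets from hosts that are allowed to manage it."""
    expr = "dst host %s" % honeypot_ip
    for peer in allowed_peers:
        expr += " and not src host %s" % peer
    return expr


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport, or None for lines we don't parse."""
    m = _LINE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def honeypot_alerts(lines, honeypot_ip, allowed_peers=()):
    """Collapse every packet addressed to the honeypot into one alert per
    source: first timestamp seen, sorted set of destination ports, packet count.
    The honeypot's own replies and traffic to other hosts are ignored, as is
    anything from the allowed management hosts."""
    allowed = set(allowed_peers)
    seen = defaultdict(lambda: {"first_seen": None, "ports": set(), "packets": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] != honeypot_ip or pkt["src"] in allowed:
            continue
        entry = seen[pkt["src"]]
        if entry["first_seen"] is None:
            entry["first_seen"] = pkt["ts"]
        entry["ports"].add(pkt["dport"])
        entry["packets"] += 1
    return {
        src: {"first_seen": e["first_seen"], "ports": sorted(e["ports"]), "packets": e["packets"]}
        for src, e in seen.items()
    }


def format_alert(src, info, honeypot_ip):
    """One human-readable alert line per offending source."""
    return "ALERT %s: %s -> honeypot %s, %d packet(s), ports %s" % (
        info["first_seen"], src, honeypot_ip, info["packets"],
        ",".join(str(p) for p in info["ports"]),
    )


if __name__ == "__main__":
    honeypot, admins = "192.0.2.10", ["192.0.2.1"]
    print("capture filter:", bpf_filter(honeypot, admins))
    for src, info in honeypot_alerts(SAMPLE_LINES.splitlines(), honeypot, admins).items():
        print(format_alert(src, info, honeypot))
```

In the sample, the admin host's SSH session and the honeypot's own RST and SYN-ACK replies produce nothing, while the three-port probe from 203.0.113.5 becomes a single alert listing ports 22, 80 and 443. The allowlist is the one place to be careful: any host you exclude is a host whose compromise the honeypot can no longer tell you about, so keep it to the capture box itself.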
This archive was generated by hypermail 2b30 : Sat Jun 23 2001 - 19:16:32 PDT