What Is A Mixed Economy? Benefits of Mixed Economy

What Is A Mixed Economy? Benefits of Mixed Economy The most current economies offer a blend of two or more budgetary frameworks. People in general part works nearby the private segment, however may seek the same constrained assets. Blended budgetary frameworks dont hinder the private part from benefit looking for, yet do screen benefit levels and may nationalize organizations that are regarded to go against general society great. Blended monetary frameworks are not free enterprise frameworks: the administration is included in arranging the utilization of assets and can push control over organizations in the private part. Governments may try to redistribute riches by burdened the private part, and utilizing stores from charges to push social destinations. While free enterprise permits costs to be set by supply and interest strengths and communism fixes costs through focal arranging, blended budgetary frameworks take into consideration costs in a few areas to change, while altering different costs, for example, vitality. Discuss whether a mixed economic system is able to take care of the welfare of the citizens in general. Include two country examples to support your discussion. The first country example to support my discussion is American is a paragon of a mixed economy system. The American free endeavor framework underscores private possession. Private organizations transform most merchandise and administrations, and very nearly two-thirds of the countrys aggregate budgetary yield goes to people for particular utilize the purchaser part is so incredible, indeed, that the country is some of the time portrayed as having a buyer economy. This accentuation on private proprietorship emerges, to some degree, from American convictions about individual opportunity. From the time the country was made, Americans have dreaded extreme government force, and they have looked to farthest point governments power over people incorporating its part in the financial domain. Also, Americans for the most part accept that an economy described by private proprietorship is liable to work more effectively than unified with generous government possession. At the point when financial powers are free, Americans accept, supply and interest focus the costs of merchandise and administrations. Costs, thus, advise organizations what to prepare; if individuals need to a greater extent a specific great than the economy is generating, the cost of the great ascents. That gets the consideration of new or different organizations that, sensing a chance to acquire benefits, begin preparing a greater amount of that great. Then again, if individuals need less of the great, costs fall and less aggressive makers either go bankrupt or begin transforming diverse products. Such a framework is known as a business sector economy. A communist economy, conversely, is described by more government proprietorship and focal arranging. Most Americans are persuaded that communist economies are characteristically less proficient in light of the fact that administration, which depends on duty incomes, is far more outlandish than private organizations to regard value s igns or to feel the control forced by business sector strengths Nowadays, pretty much everyone in America has made their peace with the blended economy. Granted, you may have the capacity to discover a honest libertarian out there some place who genuinely accepts that the administration ought to assume no part at all in financial life. Also you may even have the capacity to find an extremist comrade, some old lefty sticking to the disparaged long for a charge economy controlled by the autocracy of the working class. However those gentlemen are a long distance on the periphery. Whatever is left of us live in a world in which the blended economy appears to be superbly ordinary People practice a lot of particular control over their budgetary lives; most transactions happen in a commercial center that is moderately free. The soul of the countrys financial life is found in the private segment. Be that as it may the administration likewise assumes a critical part in the economy also. It officials the commercial center and through a mixture of measures impacts the courses in which assets are designated and circulated. Second country that supports my discussion is Malaysia is economy system mixed economy system. The Malaysia investment exercises completed by two gatherings, the first is a gathering of business people who do creation exercises of merchandise and administrations requested by Malaysians and in addition for fares. In the meantime the administration has done budgetary exercises in giving open merchandise like ways, schools, wellbeing and others. Plus the state-claimed organizations, for example, Khazanah Berhad, is likewise heartily included in financial exercises. In the meantime the legislature does monetary exercises focused around Islamic financial framework, in particular by giving Islamic managing an account framework. In any case, the Islamic keeping money framework in Malaysia is little contrasted and the accepted managing an account framework. In Malaysia, The value instrument is permitted to work however in a few cases the value component fizzles or works against open investment. The administration can help the specialists concurring the legislature enactment and regulation and business are not just incorporated the vender, that is incorporated the purchaser, the legislature additionally need to help the buyer as verify that the shopper are fulfill or concur that the costs of products and administrations gave by the dealer. Thus, we discuss value component. Value system is wide of assorted types of approach to adjust the purchaser and vender through value proportioning, value apportioning is imply that the conveyance of merchandise and administrations utilizing market and cost. Because of the lack of assets, value apportioning was required as needs and needs are boundless however the assets are constrained, for the contending utilize the accessible merchandise and administrations must be apportioned out. So as to verify that those purchasers eager and ready to pay the value, markets apportion stock by constraining the buy just is likewise required. Plus that, value component is additionally portraying the cost of products and administrations focused around the interest and supply. Be that as it may in a few cases the value system comes up short or works against open premium, for example, the purchaser are not capable and not eager to use the cash to buy the products and administrations because of the vender are put the cost are not been fulfill by the lions share of customer and the dealer dont conform to the value component worked by the legislature. Since the lack and surplus happen in the business, the legislature have obligation to defeat these issues. Along these lines, the maker of the merchandise and administrations will raise the cost to procure more benefit. Moreover, when the business confronted deficiency, there are such a large amount of burdens to the shopper. For instance, a cell telephone organization was dispatch a just took the ribbon off new cellular telephone, this cell telephone was made by cutting edge engineering. Tragically, the cost of the cellular telephone is very costly. After propelled to the business sector a time of time, the supply dont take care of the demand of the buyer as the customer not eager to use that much cash to buy that cellular telephone. In this way, the maker will decrease the cost of the cell telephone to take care of the demand of the shopper. In this circumstance, the administration needs to utilize different approaches to revise the imperfections. In this way, the duty installment for the family unit and organizations will be reasonable to them and the organization ready to set the cost of the item and administrations as indicated by the interest on account of the assessment installment are been balanced by ascertain the salary in every certain time of time or the organizations can set the item and administrations in low cost as the expense installment was decreased. Conclusion The legislature ought to intercede the economy by the right way, rectify the deformities by utilizing suitable results, conquer the economy issue by well and deal with the account by sound. It is on the grounds that Malaysia and American is a blended economy framework, the legislature need to mediate it by professionally and consider it important, if not, there will some negative evidence will happen, for example, supplier and purchaser disappointment, open behavior exhibit due to the cost of every day needs of products expand by abruptly etc. At the point when confronting surplus or deficiencies in the business, government may make fitting move to alter the circumstances.

Growing and Expanding Sandwich Blitz Essay

Creating a new position between the CEO and the location managers will help the business to grow because this newly created role will help to clear up time for Dalman to focus on the other aspects of his position. Since he is spending so much time on talking with location managers, other portions of Sandwich Blitz, Inc. could be suffering from it. Not only that, but adding in the factor that he is just one person makes is clear that a new level in management would help with growing the other managers into the best managers possible. Promoting an existing manger is a good option to fill this position as they are already very familiar with the organization. With the added benefit of having the experience of working in the role as manager to give them a better understanding and insight into what issues and problems can be found within a location. However, for promoting an existing manager, I believe that there are advantages and disadvantages with promoting an existing manager to fill this position. If you promote one of the store managers, you gain the advantage of someone who is already familiar with the day to day operations. But you lose them as your location manager. If you hire someone who didn’t already work at Sandwich Blitz, this person may not be familiar with the product line, but they could introduce new management ideas into the organization. New ideas could help the organization run more efficiently. Furthermore, when it comes to decision making, I think managers should stick with tactical decisions, owners board of directors should stick to strategic decisions and employees should stick to operational decisions. With strategic decisions, these affect the long-term direction of the business eg whether to take over Company A or Company B. Tactical Decisions, these are medium-term decisions about how to implement strategy eg what kind of marketing to have, or how many extra staff to recruit. To add Operational Decisions, these are short-term decisions (also called administrative decisions) about how to implement the tactics eg which firm to use to make deliveries. To conclude, the levels of authority (management) that Sandwich Blitz, Inc. would have if the new position is created, would be line authority gives a manager the right to direct the work of his or her employees and make many decisions without consulting others. Staff authority supports line authority by advising, servicing, and assisting, but this type of authority is typically limited. For example, the assistant to the department head has staff authority because he or she acts as an extension of that authority. These assistants can give advice and suggestions, but they don’t have to be obeyed. Functional authority is delegated to an individual or department over specific activities undertaken by personnel in other departments.

Motor Vehicle Safety Laws and Public Health Essay

â€Å"The U. S. Congress responded with the National Highway Traffic and Motor Vehicle Safety Act and the Highway Safety Act of 1966, creating a new federal program to address motor vehicle safety† (Waller, para. 5). This act allows the federal government to implement laws regarding motor vehicle safety. This act created the National Highway Traffic Safety Administration (NHTSA). William Haddon, public health physician, was the first director of the NHTSA. He was the first to set safety standard for motor vehicles and the first to administer programs for driver’s licensing, impaired driving from alcohol, motorcycle safety and etc. Federal Motor Vehicle Safety Standards are applied to new motor vehicle. â€Å"Legislation enacted in 1966 requires the federal government to establish safety standards for new motor vehicles sold in the United States, whether of domestic or foreign manufacture† (Waller, para. 16). These standards have prevented people from getting seriously injured during a motor vehicle accident. FMVSS, including softer instrument panels, head restraints, energy absorbing steering columns, and high penetration-resistant windshields, have saved thousands of lives and prevented tens of thousands of injuries† (Waller, para. 17). FMVSS also requires safety belts and child safety seats meet certain safety standards. State Laws Every state is required by law to follow the federal government’s standards. Most states have additional safety standards and programs regarding motor vehicle safety. The state of Maryland follows federal motor vehicle safety standards, as well as, their own safety standards. As of last year, Maryland set a new standard of no texting and talking on cell phones while driving, even at red lights. â€Å"Texting and talking on a cell phone while driving is illegal in Maryland; it is not safe for anyone and it can be especially dangerous for teens† (Young, para. 1). Texting and talking on cell phones while driving can become a huge distraction for drivers and has caused a lot of accidents. Maryland also has standards for unattended children in a motor vehicle. Every child that is unattended in a motor vehicle, especially during extreme hot and cold conditions, can get seriously injured which is why it is illegal. Legislative Laws These laws, federal and state, fall under legislative laws. Legislative laws are first called bills that are enacted by Congress, General Assembly and the President. For federal laws, the bill has to be passed through the U. S Congress and then signed by the President. Fore state laws, the bill has to be passed through the General Assembly and then signed by the State’s Governor. The U. S Congress can veto the President’s decision if the majority of Congress agrees. The same thing goes to the General Assembly. If the General Assembly disagrees with the Governor’s decision then the majority of the General Assembly can veto his decisions. For Motor Vehicle Safety, each state has to follow federal laws but they can pass their own laws to prevent motor vehicle injuries. State laws cannot contradict with federal laws. Most motor vehicle accidents occur from impairment driving from alcohol, recklessness and inexperienced. Public health is preventing people from injuries and diseases. With the help of these laws, there will be fewer motor vehicle accidents which will cause fewer injuries and deaths. â€Å"The reduction of the rate of death attributable to motor-vehicle crashes in the United States represents the successful public health response to a great technologic advance of the 20th century† (Centers of Disease Control and Prevention, para. 1). Every standard that is regulated is there to prevent motor vehicle accidents from occurring. â€Å"In 1966, passage of the Highway Safety Act and the National Traffic and Motor Vehicle Safety Act authorized the federal government to set and regulate standards for motor vehicles and highways, a mechanism necessary for effective prevention† (Centers for Disease Control and Prevention, para. 3). Every new vehicle is designed to protect people from serious injuries when involved in an accident. Relating to Public Health Every year, the amount of motor vehicle deaths has decreased. Reductions in motor vehicle injury and death represent a major public health success† (Waller, para. 1). Motor vehicle accidents are still one of the largest causes of deaths in the United States. â€Å"Traffic crashes are identified as the ninth leading cause of death worldwide, and it is estimated that by the year 2020 traffic crashes will be the third largest cause of death and disability in the world† (Waller, para. 3). With setting more safety standards, motor vehicle accidents can decrease if everyone follows these standards. Preventing injuries from motor vehicle accidents will save many lives. â€Å"The record of motor vehicle injury prevention nevertheless represents a major success in public health in the United States† (Waller, para. 4). The estimation of motor vehicle accidents being the third cause of death and disability by 2020 can change by then if more safety standards and programs are issued. Federal and State Government It can take a lot to prevent motor vehicle accidents but if all standards are regulated then fewer motor vehicle accidents will happen. State and local governments have enacted and enforced laws that affect motor-vehicle and highway safety, driver licensing and testing, vehicle inspections, and traffic regulations† (Centers for Disease Control and Prevention, para. 5). The federal and state government should continue to play a role in preventing motor vehicle accidents. If the federal and state government does not play a role in motor vehicle safety then there will be more injuries from accidents. The only reason why there has been a reduction in motor vehicle accidents is because of the standards regulated by federal and state governments.

Honeypot and Honeynet - Free Essay Example

Sample details Pages: 31 Words: 9337 Downloads: 4 Date added: 2017/06/26 Category Information Systems Essay Type Narrative essay Topics: Network Essay Did you like this example? Chapter 1 Introduction Honeynet is a kind of a network security tool, most of the network security tools we have are passive in nature for example Firewalls and IDS. They have the dynamic database of available rules and signatures and they operate on these rules. That is why anomaly detection is limited only to the set of available rules. Don’t waste time! Our writers will create an original "Honeypot and Honeynet" essay for you Create order Any activity that is not in alignment with the given rules and signatures goes under the radar undetected. Honeypots by design allows you to take the initiative, and trap those bad guys (hackers). This system has no production value, with no authorized activity. Any interaction with the honeypot is considered malicious in intent. The combination of honeypots is honeynet. Basically honeypots or honeynets do not solve the security problem but provide information and knowledge that help the system administrator to enhance the overall security of his network and systems. This knowledge can act as an Intrusion detection system and used as input for any early warning systems. Over the years researchers have successfully isolated and identified verity of worms exploits using honeypots and honeynets. Honeynets extend the concept of a single honeypot to a highly controlled network of honeypots. A honeynet is a specialized network architecture cond in a way to achieve Data Control, Data Ca pture Data Collection. This architecture builds a controlled network that one can control and monitor all kind of system and network activity. 1.1 Information Security Information Security is the protection of all sensitive information, electronic or otherwise, which is owned by an individual or an organization. It deals with the preservation of the confidentiality, integrity and availability of information. It protects information of organizations from all kinds of threats to ensure business continuity, minimize business damage and maximize the return on investment and business opportunities. Information stored is highly confidential and not for public viewing. Through information security we protect its availability, privacy and integrity. Information is one of most important assets of financial institutions. Fortification of information assets is essential to ascertain and maintain trust between the financial institution and its customers, maintain compliance with the law, and protect the reputation of the institution. Timely and reliable information is compulsory to process transactions and support financial institution and customer decisi ons. A financial institutions earnings and capital can be adversely affected, if information becomes known to unauthorized parties is distorted or is not available when it is needed [15]. 1.2 Network Security It is the protection of networks and its services from any unauthorized access. It includes the confidentiality and integrity of all data passing through the network. It also includes the security of all Network devices and all information assets connected to a network as well as protection against all kind of known and unknown attacks. The ITU-T Security Architecture for Open System Interconnection (OSI) document X.800 and RFC 2828 are the standard documentation defining security services. X.800 divides the security services into 5 categories and 14 specific services which can be summarized as Table 1.1 OSI X.800 Summary[8] â€Å"1. AUTHENTICATION The assurance that the communicating entity is the one that it claims to be. Peer Entity Authentication Used in association with a logical connection to provide confidence in the identity of the entities connected. Data Origin Authentication In a connectionless transfer, provides assurance that the source of received data is as claimed. 2. ACCESS CONTROL The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do). 3. DATA CONFIDENTIALITY The protection of data from unauthorized disclosure. Connection Confidentiality The protection of all user data on a connection. Connectionless Confidentiality The protection of all user data in a single data block Selective-Field Confidentiality The confidentiality of selected fields within the user data on a connection or in a single data block. Traffic Flow Confidentiality The protection of the information that might be derived from observation of traffic flows. 4. DATA INTEGRITY The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay). Connection Integrity with Recovery Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted. Connection Integrity without Recovery As above, but provides only detection without recovery. Selective-Field Connection Integrity Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed. Connectionless Integrity Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided. Selective-Field Connection less Integrity Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified. 5. NONREPUDIATION Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication. Nonrepudiation, Origin Proof that the message was sent by the specified party. Nonrepudiation, Destination Proof that the message was received by the specified party.† [1] [8], [9], 1.3 The Security Problem System security personnel fighting an unending battle to secure their digital assets against the ever increasing attacks, verity of attacks and their intensity is increasing day by day. Most of the attacks are detected after the exploitations so there should be awareness of the threats and vulnerabilities that exist in the Internet today. First we have to understand that we cannot say that there exists a perfect secure machine or network because the closest we can get to an absolute secure machine is that we unplugged the network cable and power supply and put that machine in to a safe. Unfortunately it is not useful in that state. We cannot achieve perfect security and perfect access at the same time. We can only increase the no of doors but we cannot put wall instead of doors. In field of security we need to find the vulnerably and exploits before they affect us. Honeypot and honeynet provides a valuable tool to collect information about the behavior of attackers in order to d esign and implement better defense. In the field of security it is important to note that we cannot simply state that what is the best type of firewall? Absolute security and absolute access are the two chief points. Absolute security and absolute access are inverse to each other. If we increase the security access will be decrease. There should be balance between absolute security and absolute defense, access is given without compromising the security. If we compare it to our daily lives we observe not much difference. We are continuously making decisions regarding what risks we are ready to take. When we step out of our homes we are taking a risk. As we get into a car and drive to our work place there is a risk associated with it too. There is a possibility that something might happen on the highway which will make us a part of an accident. When we fly and sit on an airplane we are willing to undergo the level of risk which is at par with the heavy amount we are paying for t his convenience. It is observed that many people think differently about what an acceptable risk would be and in majority cases they do go beyond this thinking. For instance if I am sitting upstairs in my room and have to go to work, I wont take a jump straight out of the window. It might be a faster way but the danger of doing so and the injury I would have to face is much greater than the convenience. It is vital for every organization to decide that between the two opposite poles of total security and total access where they need to place themselves. It is necessary for a policy to articulate this system and then further explain the way it will be enforced with which practices and ways. Everything that is done under the name of security must strictly agree to the policy. 1.4 Types of Hacker Hackers are generally divide into two major categories. 1.4.1 Black Hats Black hat hackers are the biggest threat both internal and external to the IT infrastructure of any organization, as they are consistently challenging the security of applications and services. They are also called crackers, These are the persons who specialize in unauthorized infiltration. There could be Varity of reasons for this type of penetration it could be for profit, for enjoyment, or for political motivations or as a part of a social cause. Such infiltration often involves modification / destruction of data. 1.4.2 White Hats White hat hackers are similar to black hat hackers but there is a important difference that is white hat hackers do it without any criminal intention. Different companies all around the world hire/contact these kinds of persons to test their systems and softwares. They check how secure these systems are and point out any fault they found. These hackers, also known as ethical hackers, These are the persons or security experts who are specialize in penetration testing. These types of people are also known as tiger teams. These experts may use different types of methods and techniques to carry out their tests, including social engineering tactics, use of hacking tools, and attempts to bypass security to gain entry into protected areas, but they do this only to find weaknesses in the system[8]. 1.5 Types of Attacks There are many types of attacks that can be categorized under 2 major categories Active Attacks Passive Attacks 1.5.1 Active Attacks Active attacks involve the attacker taking the offensive and directing malicious packets towards its victims in order to gain illegitimate access of the target machine such as by performing exhaustive user password combinations as in brute-force attacks. Or by exploiting remote local vulnerabilities in services and applications that are termed as holes. Other types of attacks include Masquerading attack when attacker pretends to be a different entity. Attacker user fake Identity of some legitimate user. Replay attack In Replay attack, attacker captures data and retransmits it to produce an unauthorized effect. It is a kind of man in middle attack. Modification attack In this type of attack integrity of the message is compromise. Message or file is modified by the attacker to achieve his malicious goals. Denial of service (DOS)attack In DOS attack an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer. TCP ICMP scanning is also a form of active attacks in which the attackers exploit the way protocols are designed to respond. e.g. ping of death, sync attacks etc. In all types of active attacks the attacker creates noise over the network and transmits packets making it possible to detect and trace the attacker. Depending on the skill level, it has been observed that the skill full attackers usually attack their victims from proxy destinations that they have victimized earlier. 1.5.2 Passive Attacks Passive attacks involve the attacker being able to intercept, collect monitor any transmission sent by their victims. Thus, eavesdropping on their victim and in the process being able to listen in to their victims or targets communications. Passive attacks are very specialized types of attacks which are aimed at obtaining information that is being transmitted over secure and insecure channels. Since the attacker does not create any noise or minimal noise on the network so it is very difficult to detect and identify them. Passive attacks can be divided into 2 main types, the release of message content and traffic analysis. Release of message content It involves protecting message content from getting in hands of unauthorized users during transmission. This can be as basic as a message delivered via a telephone conversation, instant messenger chat, email or a file. Traffic analysis It involves techniques used by attackers to retrieve the actual message from encrypted interc epted messages of their victims. Encryption provides a means to mask the contents of a message using mathematical formulas and thus make them unreadable. The original message can only be retrieved by a reverse process called decryption. This cryptographic system is often based on a key or a password as input from the user. With traffic analysis the attacker can passively observe patterns, trends, frequencies and lengths of messages to guess the key or retrieve the original message by various cryptanalysis systems. Chapter 2 Honeypot and Honeynet 2.1 Honeypot Is a system, or part of a system, deliberately made to invite an intruder or system cracker. Honeypots have additional functionality and intrusion detection systems built into them for the collection of valuable information on the intruders. The era of virtualization had its impact on security and honeypots, the community responded, marked by the fine efforts of Niels Provos (founder of honeyd) Thorsten Holz for their masterpiece book â€Å"Virtual Honeypots From Botnet Tracking to Intrusion Detection† in 2007. 2.2 Types of Honeypots Honeypots can be categorized into 2 main types based on Level of interaction Deployment. 2.2.1 Level of interaction Level of interaction determines the amount of functionality a honeypot provides. 2.2.1.1 Low-interaction Honeypot Low-interaction honey pots are limited in the extent of their interaction with the attacker. They are generally emulator of the services and operating systems. 2.2.1.2 High interaction Honeypot High-interaction honeypots are complex solution they involve with the deployment of real operating systems and applications. High interaction honeypots capture extensive amount of information by allowing attacker to interact with the real systems. 2.2.2 Deployment Based on deployment honeypot may be classified as Production Honeypots Research Honeypots 2.2.2.1 Production Honeypots Production honeypots are honeypots that are placed within the production networks for the purpose of detection. They extend the capabilities of the intrusion detection systems. These type of honeypots are developed and cond to integrate with the organizations infrastructure and scope. They are usually implemented as low-interaction honeypots but implementation may vary depending on the available funding and expertise required by the organization. Production honeypots can be placed within the application and authentication server subnets and can identify any attacks directed towards those subnets. Thus they can be used to identify both internal and external threats for an organization. These types of honeypots can also be used to detect malware propagation in the network caused by zero day exploits. Since IDSs detection is based on database signatures they fail to detect exploits that are not defined in their databases. This is where the honeypots out shine the Intrusion detectio n systems. They aid the system network administrators by providing network situational awareness. On basis of these results administrators can take decisions necessary to add or enhance security resources of the organization e.g. firewall, IDS and IPS etc. 2.2.2.1 Research Honeypots Research honeypots are deployed by network security researchers the whitehat hackers. Their primarily goal is to learn the tools, tactics techniques of the blackhat hackers by which they exploit computers network systems. These honeypots are deployed with the idea of allowing the attacker complete freedom and in the process learn his tactics from his movement within the system. Research honeypots help security researchers to isolate attacker tools they use to exploit systems. They are then carefully studied within a sand box environment to identify zero day exploits. Worms, Trojans and viruses propagating in the network can also be isolated and studied. The researchers then document their findings and share with system programmers, network and system administrators various system and anti-virus vendors. They provide the raw material for the rule engines of IDS, IPS and firewall system. Research Honeypots act as early warning systems. They are designed to detect and log maxim um information from attackers yet being stealthy enough not to let attackers identify them. The identity of the honeypot is crucial and we can conclude that the learning curve (from the attacker) is directly proportional to the stealthiest of thehoneypot .These types of honeypots are usually deployed at universities and by the RD departments of various organizations. These types of honeypots are usually deployed as High-Interaction honeypots. 2.3 Honeynet The concept of the honeypot is sometimes extended to a network of honeypots, known as a honeynet. In honeynet we grouped different types of honeypots with different operatrating systems which increases the probability of trapping an attacker. At the same time, a setting in which the attacker explores the honeynet through network connections between the various host systems provides additional prospects for monitoring the attack and revealing information about the intruder. The honeynet operator can also use the honeynet for training purposes, gaining valuable experience with attack strategies and digital forensics without endangering production systems. The Honeynet project is a non-profit research organization that provides tools for building and managing honeynets. The tools of the Honeynet project are designed for the latest generation of high interaction honeynets that require two separate networks. The honeypots reside on the first network, and the second network holds the tools for managing the honeynet. Between these tools (and facing the Internet) is a device known as the honeywall. The honeywall, which is actually a kind of gateway device, captures controls, and analyzes all inbound and outbound traffic to the honeypots[4]. It is a high-interaction honeypot designed to capture wide-range of information on threats. High-interaction means that a honeynet provides real systems, applications, and services for attackers to interact with, as opposed to low-interaction honeypots which provide emulated services and operating systems. It is through this extensive interaction we gain information on threats, both external and internal to an organization. What makes a honeynet different from most honeypots is that it is a network of real computers for attackers to interact with. These victim systems (honeypots within the honeynet) can be any type of system, service, or information you want to provide [14]. 2.4 Honeynet Data Management Data management consist of three process Data control, data capture and data collection. 2.4.1 Data Control Data control is the containment of activity within the honeynet. It determines the means through which the attackers activity can be restricted in a way to avoid damaging/abusing other systems/resources through the honeynet. This demands a great deal of planning as we require to give the attacker freedom in order to learn from his moves and at the same time not let our resources (honeypot+bandwidth) to be used to attack, damage and abuse other hosts on the same or different subnets. Careful measures are taken by the administrators of the honeynet to study and formulate a policy on attackers freedom versus containment and implement this in a way to achieve maximum data control and yet not be discovered or identified by the attacker as a honeypot. Security is a process and is implemented in layers, various mechanisms to achieve data control are available such as firewall, counting outbound connections, intrusion detection systems,intrusion prevention systems and bandwidth restriction etc. Depending on our requirements and risk thresholds defined we can implement data control mechanisms accordingly [4]. 2.4.2 Data Capture Data Capture involves the capturing, monitoring and logging of allthreats and attacker activities within the honeynet. Analysis of this captured data provides an insight on the tools, tactics, techniques and motives of the attackers. The concept is to achieve maximum logging capability at all nodes and hence log any kind of attackers interaction without the attacker knowing it. This type of stealthy logging is achieved by setting up tools and mechanisms on the honeypots to log all system activity and have network logging capability at the honeywall. Every bit of information is crucial in studying the attacker whether its a TCP port scan, remote and local exploit attempt, brute force attack, attack tool download by the haacker, various local commands run, any type of communication carried out over encrypted and unencrypted channels (mostly IRC) and any outbound connection attempt made by the attacker [25]. All of this should be logged successfully and sent over to a remote location to avoid any loss of data due to risk of system damage caused by attackers, such as data wipe out on disk etc. In order to avoid detection of this kind of activity from the attacker, data masking techniques such as encryption should be used. 2.4.3 Data Collection Once data is captured, it is securely sent to a centralized data collection point. Data is used for analysis and archiving which is collected from different honeynet sensors. Implementations may vary depending on the requirements of the organization, however latest implementations incorporate data collection at the honeywall gateway [19]. 2.5 Honeynet Architectures There are three honeynet architectures namely Generation I, Generation II and Generation III 2.5.1 Generation I Architecture Gen I Honeynet was developed in 1999 by the Honeynet Project. Its purpose was to capture attackers activity and give them the feeling of a real network. The architecture is simple with a firewall aided by IDS at front and honeypots placed behind it. This makes it detectable by attacker [7]. 2.5.2 Generation II III Architecture Gen II honeynets were first introduced in 2001 and Gen III honeynets was released in the end of 2004. Gen II honeynets were made in order to address the issues of Gen I honeynets. Gen II and Gen III honeynets have the same architecture. The only difference being improvements in deployment and management, in Gen III honeynets along with the addition of Sebek server built in the honeywall. Sebek is a stealthy capture tool installed on honeypots that capture and log all requests sent to the system read and write system call. This is very helpful in providing an insight on the attacker [7]. A radical change in architecture was brought about by the introduction of a single device that handles the data control and data capture mechanisms of the honeynet called the IDS Gateway or marketing-wise, the Honeywall. By making the architecture more â€Å"stealthy†, attackers are kept longer and thus more data is captured. There was also a major thrust in improving honeypot layer of dat a capture with the introduction of a new UNIX and Windows based data. 2.6 Virtual Honeynet Virtualization is a technology that allows running multiple virtual machines on a single physical machine. Each virtual machine can be an independent Operating system installation. This is achieved by sharing the physical machines resources such as CPU, Memory, Storage and peripherals through specialized software across multiple environments. Thus multiple virtual Operating systems can run concurrently on a single physical machine [4]. A virtual machine is specialized software that can run its own operating systems and applications as if it were a physical computer. It has its own CPU, RAM storage and peripherals managed by software that dynamically shares it with the physical hardware resources. Virtulization A virtual Honeynet is a solution that facilitates one to run a honeynet on a single computer. We use the term virtual because all the different operating systems placed in the honeynet have the appearance to be running on their own, independent computer. Network to a machine on the Honeynet may indicate a compromised enterprise system. CHAPTER 3 Design and Implementation Computer networks, connected to the Internet are vulnerable to a variety of exploits that can compromise their intended operations. Systems can be subject to Denial of Service Attacks, i-e preventing other computers to gain access for the desired service (e.g. web server) or prevent them from connecting to other computers on the Internet. They can also be subject to attacks that cause them to cease operations either temporarily or permanently. A hacker may be able to compromise a system and gain root access as if he is the system administrator. The number of exploits targeted against various platforms, operating systems, and applications increasing regularly. Most of vulnerabilities and attack methods are detected after the exploitations and cause big loses. Following are the main components of physical deployment of honeynet. First is the design of the Deployed Architecture. Then we installed SUN Virtual box as the Virtualization software. In this we virtually installed three O perating System two of them will work as honey pots and one Honeywall Roo 1.4 as Honeynet transparent Gateway. Snort and sebek are the part of honeywall roo operating system. Snort as IDS and Snort-Inline as IPS. Sebek as the Data Capture tool on the honeypot. The entire OS and honeywall functionality is installed on the system it formats all the previous data from the hard disk. The only purpose now of the CDROM is to install this functionality to the local hard drive. LiveCD could not be modified, so after installing it on the hard drive we can modify it according to our requirement. This approach help us to maintain the honeywall, allowing honeynet to use automated tools such asyumto keep packages current [31]. In the following table there is a summry of products with features installed in honeynet and hardware requirements. Current versions of the installed products are also mention in the table. Table 3.1 Project Summary Project Summary Feature Product Specifications Host Operating System Windows Server 2003 R2 HW Vendor HP Compaq DC 7700 ProcessorIntel(R) Pentium ® D CPU 3GHz RAM 2GB Storage 120GB NIC 1GB Ethernet controller (public IP ) Guest Operating System 1 Linux, Honeywall Roo 1.4 Single Processor Virtual Machine ( HONEYWALL ) RAM 512 MB Storage 10 GB NIC 1 100Mbps Bridged interface NIC 2 100Mbps host-only interface NIC 3 100Mbps Bridged interface (public IP ) Guest Operating System 2 Linux, Ubuntu 8.04 LTS (Hardy Heron) Single Processor Virtual Machine ( HONEYPOT ) RAM 256 MB Storage 10 GB NIC 100Mbps host-only vmnet (public IP ) Guest Operating System 3 Windows Server 2003 Single Processor Virtual Machine ( HONEYPOT ) RAM 256 MB Storage 10 GB NIC 100Mbps host-only vmnet (public IP ) Virtualization software SUN Virtual Box Version 3 Architecture Gen III Gen III implement ed as a virtual honeynet Honeywall Roo Roo 1.4 IDS Snort Snort 2.6.x IPS Snort_inline Snort_inline 2.6.1.5 Data Capture Tool (on honeypots) Sebek Sebek 3.2.0 Honeynet Project Online Tenure November 12, 2009 TO December 12, 2009 3.1 Deployed Architecture and Design 3.2 Windows Server 2003 as Host OS Usability and performance of virtualization softwares are very good on windows server 2003. Windows Server 2003is aserveroperating system produced byMicrosoft. it is considered by Microsoft to be the cornerstone of itsWindows Server Systemline of business server products. Windows Server 2003 is more scalable and delivers better performance than its predecessor,Windows 2000. 3.3 Ubuntu as Honeypot Determined to use free and open source software for this project, Linux was the natural choice to fill as the Host Operating System for our projects server. Ubuntu 8.04 was used as a linux based honeypot for our implementation. The concept was to setup an up-to-date Ubuntu server, cond with commonly used services such as SSH, FTP, Apache, MySQL and PHP and study attacks directed towards them on the internet. Ubuntu being the most widely used Linux desktop can prove to be a good platform to study zero day exploits. It also becomes a candidate for malware collection and a source to learn hacker tools being used on the internet. Ubuntu was successfully deployed as a virtual machine and setup in our honeynet with a host-only virtual Ethernet connection. The honeypot was made sweeter i.e. an interesting target for the attacker by setting up all services with default settings, for example SSH allowed password based connectivity from any IP on default port 22, users created were given pri vileges to install and run applications, Apache index.html page was made remotely accessible with default errors and banners, MySQL default port 1434 was accessible and outbound connections were allowed but limited [3]. Ubuntu is a computeroperating systembased on theDebianGNU/Linux distribution. It is named after theSouthern Africanethical ideology Ubuntu (humanity towards others)[5]and is distributed asfree and open source software. Ubuntu provides an up-to-date, stable operating system for the average user, with a strong focus onusabilityand ease of installation. Ubuntu focuses onusability andsecurity. The Ubiquity installer allows Ubuntu to be installed to the hard disk from within the Live CD environment, without the need for restarting the computer prior to installation. Ubuntu also emphasizesaccessibilityandinternationalization to reach as many people as possible [33]. Ubuntu comes installed with a wide range of software that includes OpenOffice, Firefox,Empathy (Pidgin in versions before 9.10), Transmission, GIMP, and several lightweight games (such as Sudoku and chess). Ubuntu allows networking ports to be closed using its firewall, with customized port selection available. End-users can install Gufw and keep it enabled. GNOME (the current default desktop) offers support for more than 46 languages. Ubuntu can also run many programs designed for Microsoft Windows (such as Microsoft Office), through Wine or using a Virtual Machine (such as VMware Workstation or VirtualBox). The use of Ubuntu as a honey pot here would be effective to trick the hacker into believing for the presence of enterprise level server. 3.4 Windows Server 2003 as Honeypot Windows Server 2003 is aserveroperating system produced byMicrosoft. it is considered by Microsoft to be the cornerstone of itsWindows Server Systemline of business server products. Windows Server 2003 is more scalable and delivers better performance than its predecessor,Windows 2000. We can run different type of sevices. FTP and SMTP services are running on this server. 3.5 Sun Virtual Box as Virtualization Software Virtualization software has greatly helped reduce expenses and total cost of ownership (TCO) for organizations on their IT infrastructure. This is achieved by setting up an entire farm of enterprise servers as virtual machines on a single physical machine. Organizations are now developing their own virtualization software and solutions, many of which are free and open source. A few notable names that we considered for deployment include VMware, User-Mode Linux, SUN Virtual Box, Xen, Qemu, Lugest and Linux-Vserver. We selected SUN Virtual Box because light use very less system resources as compare to others. 3.5.1 Installation Procedure SUN Virtual box supports various versions of windows as a host operating system. In addition, Windows Installer 1.1 or higher must be present on your system. This should be the case if you have all recent Windows updates installed. Performing the installation â€Å"The VirtualBox installation can be started either by double-clicking on its executable file (contains both 32- and 64-bit architectures) or by entering VirtualBox.exe -extract on the command line. This will extract both installers into a temporary directory in which youll then find the usual .MSI files. Then you can do a msiexec /i VirtualBox-version-MultiArch_x86|amd64.msi to perform the installation. In either case, this will display the installation welcome dialog and allow you to choose where to install VirtualBox to and which components to install. In addition to the VirtualBox application, the following components are available. Depending on your Windows configuration, you may see warnings about unsigned dri vers or similar. Please select Continue on these warnings as otherwise VirtualBox might not function correctly after installation. The installer will create a VirtualBox group in the programs startup folder which allows you to launch the application and access its documentation. With standard settings, VirtualBox will be installed for all users on the local system. In case this is not wanted, you have to invoke the installer by first extracting it by using VirtualBox.exe -extract and then do as follows VirtualBox.exe -msiparams ALLUSERS=2 or msiexec /i VirtualBox-version-MultiArch_x86|amd64.msi ALLUSERS=2 on the extracted .MSI files. This will install VirtualBox only for the current user.†[15] 3.6 Honeywall Roo Honeywall CDROMis a bootable CDROM it consist of all the tools and functionality required to create maintain and effetely analyze the third generation honeynet. The honeynet project has developed 2 version of the Honeywall CDROM. Honeywall Eyore and Honeywall Roo Released in May, 2005 based on Gen III architecture. (current version 1.4) Honeywall serves as a transparent gateway for the honeynet. It is this gateway that has to perform data capture, data control, data collection and data analysis functions in order to ensure successful operations of a honeynet. Being a transparent gateway, this node is completely undetectable by the attacker when they are interacting with the honeypots. The purpose of the Honeywall CDROM is to automate the installation and maintenance of a honeynet and provide data analysis support for all activity within the honeynet. Deploying Honeynets was a tough task as it involved advance configuration and integration of security tools. There was no stand ard honeynet development till 1999. Many small groups had their own implementation of Honeynets. The Honeynet Project has done remarkably well by developing a complete Honeywall distribution on a CDROM to deploy as an Operating system on disk and thus made Honeynets easy to deploy and manage. Honeywall was initially based on Fedora for quite some time as its base Operating System, but due to frequent updates going on in fedora it is now based on CentOS. This gives freedom to install operating system specific applications using standard package managers like RPM [31]. Honeywall has evolved over the years. Previous version, Eyore had limited features and control. Roo, the advanced version has vastly improved hardware support, administration capabilities, and data analysis functionality. Thus the system is now moving towards giving the administrator more flexibility and control over the operating system. Honeywall Roo comprises of many well known security tools incorporated into it [31]. Table: 3.1 Security Tools of Honeywall Security Tool Discription Snort Sniffer, IDS Hflow2 Data coalescing tool for honeynet data analysis. Snort_inline Sniffer, IPS P0f A Passive OS fingerprinting tool. P0f Tcpdump View Packet headers. Sebek Data capture tool. 3.6.1 Installation First we need to Start the Virtual box and boot it with Honeywall CDROM. Honeynet Project splash screen with Boot loader should appear. At this point the system will wait to let you interact with the installation process. If you press the Enter button, the system will begin the installation process after formatting the existing hard drive. After this installation is a fully automated process, and no need to interact with the installation from this point on. The installation process of Honeywall is very much like a standard Linux kick-start install. Involving following steps. Boot from Honeywall Roo CDROM For our implementation we booted our virtual machine off the Honeywall Roo 1.4 ISO. Choose install (press Enter) from boot menu to wipe out all free space on disk and install the OS on this space. The installation is a fully automated process and does not require any further user interaction. Once the installation process is complete it will eject the CDROM and boot into the new ly installed system [12]. After the system boots,your installation is completeand will be presented with a command line login prompt.Your hard drive now has a minimized and hardened linux operating system with Honeywall functionality. Now you can login and begin the configuration process.In honeywall there is two default system accounts,rooandroot. Both share the same default passwordhoney, which you will want to change right away. You cannot login asroot, so you will have to login asroothensu-. Honeywall Roo creates two default system user accounts roo (uid 501) and root (uid 0) Both these accounts are created with the default password â€Å"honey†. Root login is not allowed by default so one has to login as roo and then â€Å"su -† to root privileges [12]. Two methods can be used to con the Honeywall first is Dialog Menu interface and other is Honewall.conf configuration file 3.7 Maintaining the Honeywall After Honeywall is installed, key issue is to maintain it properly.The new Honeywall gives you three options for configuring and maintaining your installation. 3.7.1 Dialog Menu It is the classic interface to administering the Honeywall CDROM. The new version is very similar to the older one, except it has new features added. We have already cond our Honeywall using Dialog Menu in pervious steps. It can be loaded by typingmenuon shell. 3.7.2 HWCTL It is a powerful command line utility that allows you to con the system variables used by various programs, and the ability to start/start services. The advantage with this tool is you can simply modify the behavior of the system at the command line via local or SSH access. Following are some examples taken from man file [12]. Show all variables currently set with NAME = VALUE form (use -A if you dont want the spaces) # hwctl -a Just print on standard output the value of HwHOSTNAME # hwctl -n HwHOSTNAME Set all four connection rate limits and restart any services that depend on these variables # hwctl -r HwTCPRATE=20 HwUDPRATE=10 HwICMPRATE=30 HwOTHERRATE=10 Load a complete new set of variables from /etc/honeywall.conf and force a stop before changing values, and a start afterwards # hwctl -R -f /etc/honeywall.conf 3.7.3 Walleye It is the honeywall GUI web based interface. The honeywall runs a webserver that can be remotely connected to over a SSL connection on the management interface. This walleye interface allows the user to con and maintain the system using a simple point and click approach. It has an expanding menu making it easy to access and visualize all the information. It also comes with more in-depth explanations of the different options. It also has different roles, allowing organizations to control who can access what through the walleye interface depending on the role they have been assigned. The primary advantage ofWalleyeis its much easier to use then the other two options [7]. The disadvantage is it cannot be used locally, but requires a 3rd network interface on the honeywall used for remote connections. The web-based GUI currently supports almost all the browsers. Lets launch the browser and point it to management interface IP address,https//managementip/. Login withUser Name rooandPas sword honey. â€Å"This GUI allows the user to con and maintain the system using a simple point and click approach. It has an expanding menu making it easy to access and envisage all the information. The prime advantage ofWalleyeis that its much easier to use then the other two options. The disadvantage is it cannot be used locally, but requires a 3rd network interface on the honeywall used for remote connections. The web-based GUI currently supports either Internet Explorer or Firefox browsers† [31]. Following screen shots shows the Snort Alert on walleye Interface. 3.8 Honeywall Email Alerts Any activity on our honeypots INBOUND or OUTBOUND if detected, an email alert will automatically be generated by server to the administrator. Honeywall also sends an automated detailed report at the end of the day to the system administrator. Cond email ID for walleye email alert is [email  protected]/* */ Honeywall has the builtin SMTP server to send mails. SampleEmail outbound alert Oct 28 043217 wall kernel OUTBOUND UDP IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.142.155 DST=224.0.0.251 LEN=204 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=184 3.9 Snort as IDS and Snort-Inline as IPS Snort is integrated with honeywall and runs in inline mode to provide realtime Intrusion detection with the current updated database of signatures available on snorts website. Snortis afreeandopen sourcenetwork intrusion prevention system(NIPS) andnetwork intrusion detection system (NIDS)capable of performingpacketlogging and real-timetraffic analysisonIPnetworks. It is the most widely used IDS/IDP technology worldwide. Combining the benefits of signature, protocol and anomaly based inspection. Snort performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such asbuffer overflows, stealthport scans, web application attacks,SMBprobes, andOS fingerprintingattempts, amongst other features. The software is mostly used forintrusion preventionpurposes, by dropping attacks as they are taking place. Snort can be combined with other free software such assguil,OSSIM, and the Basic Analysis and Se curity Engine (BASE) to provide a visual representation of intrusion data [10]. Snort is integrated with honeywall and runs in inline mode to provide realtime Intrusion Detection with the current updated database of signatures available on snorts website.Snort may be used in a variety of ways, including as a packet sniffer, packet logger, or an intrusion detection system (IDS). With the ability to use rulesets to monitor IP packets, Snort is an excellent choice for administrators responsible for security on small- to medium-sized networks. 3.9.2 Experiences with Snort A random attacker on the internet scans the entire class C of 10.10.10.* and our servers are hosted on the same IP range. What will happen when our honeywall detects such attempts? It will send an email alert to the administrator and it will log all data and protocols and ports information including source and destination ip. Following is the screen shoots, a preview of how the logs will look like if viewed from the walleye web interface. SNORT alerts in CLI of Honeywall, we can manage snort alerts from the walleye GUI interface and also from the command line interface of honeywall. 3.10 Sebek as data capture tool Sebek is the most advanced and complex honeynet data capture tool. It is an open-source tool whose purpose is to capture from a honeypot as much information as possible of the attackers activities by intercepting specific system calls (syscalls) at the kernel level. Sebek is based on a client-server architecture. The client is installed on the honeypots and the server is typically deployed on the Honeywall, that is, the honeynet gateway all the traffic entering and leaving the honeynet passes through. The Sebek client component uses techniques similar to those used by kernel-based rootkits. Sebek is implemented in the form of a Linux Kernel Module (LKM) on Linux, as an OS kernel driver on Windows, and as a kernel patch on the various *BSD operating systems. The server module contains user-level tools that allow to gather and display the information captured and exported by the Sebek clients. [18] 3.10.1 Sebeks new capabilities Sniffing network traffic has long been the traditional way of inspecting the actions performed by an attacker remotely accessing a compromised resource. However, this is not possible if the attacker is protecting his communication channel through encryption and the key used is unknown. The first Sebek version intercepted all read kernel syscalls with a length of one byte, which is what allows one to get the keystrokes typed by the honeypot intruder before they are encrypted, including the commands executed or the passwords used. This initial Sebek data capture functionality was later improved in version 2 to capture all read data. This second version also allows to recover entire files copied with SCP or complete IRC and mail messages. Sebek version 3 extends this functionality by intercepting a new set of system calls. Additionally, it retrieves the parent process id (PPID) and the inode associated with any file-related event. These two fields will be added for each Sebek re cord. Apart from intercepting the standard read syscall, the new version hijacks additional read syscalls, the socket syscall, the open syscall, and the fork and clone syscalls. The following descriptions use the Linux version as a reference. The same ideas also apply to the Windows version [26]. 3.10.2 Sebek Architecture The client collects the data from the Honeypot and exports it to the network. The server collects from one of two sources live packet capture from the network or packet capture archive stored as a tcpdumpn formatted file. The client resides entirely in the Honeypot kernel space and records all user data accessed via a system read() call. 3.10.3 Client Module Hiding As Sebek works entirely in kernel space due to this functionality most of the rootkit techniques does not apply. Hiding the existence of the module is a direct benefit. A second module, the cleaner, is also installed it manipulates the linked list of installed module to remove Sebek. This is not completely robust, Users can no longer see that Sebek is installed and users are unable to rmmod the Sebek module [26]. 3.11 Making Honeynet Undetectable for hackers The possibility of an attacker being able to detect a honeynet or honeypot is directly related to its its configuration that, how the honeynet administrator cond it. Since honeynet transparency, the inability for an attacker to detect it, is one of the important goal of a honeynet. 3.11.1 Virtulization Honeynet is deployed as a high interaction honeynet its very difficult to detect its honeypot because it has complete Operating system for hacker to interact with and all the services are running and all the ports are open and closed according to our requirements similar to production system. Some hackers can detect that this Operating system is running on virtualization software , but this is no prove that it is honeypot or honeynet because now a days most of the organizations are using virtualization in their production environment. Virtualization has greatly helped reduce expenses and total cost for organizations on their IT infrastructure. This is achieved by setting up an entire farm of enterprise servers as virtual machines on a single physical machine. Organizations are now developing their own virtualization software and solutions, many of which are free and open source. 3.11.2 IP Address Scheming IP address scheme used is identical to production environment. That is it used the same IP pool on which most of the production system are running. So hacker cannot detect that which system is honeypot and which is not because It has used the public IP pool of production servers and most of the legitimate services are running on these IP pools. From hands on research with honeynets most of the honeynet detection are probabilistic in nature, hacker sometime can predict that It could be honeynet but they cannot prove it. All the online existing data and technical means to detect honeynet will not work on current configuration and its very difficult to detect. Amount of attacks coming on deployed honeynet shows that this honeynet architecture is undetectable for most of the hackers. Chapter 4 Results and Statistics 4.1 Attack Statistics Port Scanningis one the most widely used reconnaissance techniques used by attackers to find out the services running on the system. All types of machines connected to internet and LAN runs many services that listen to different types of ports. Attacker sends a message on different ports, one at a time and gets the response. From this response attacker find outs whether the port is open and then probe further for weakness. Post Scan is kind of ringing the door bell to check whether someones is at home or not. It is not consider a crime but we should not ignore it. We should investigate the person why he is ringing the bell without any reason. Attacks came from verity of IPs from different countries all around the world. Most to the attackers use brute force to gain the access. It is observed that defense mechanism is getting better, different sophisticated tools and techniques are applied by organizations to protect their assets but attackers are also getting smarter in beating the defense mechanism and diversifying their range of threat options. Attackers often attempt to clean their tracks by launching attacks from different locations and from more than one servers and those servers could be located anywhere in the world. This means that attacker is not located in the country from where attack seems to be launched. We have analyzed attacks targeting to honeynet over a period of 30 days (September 12th to October 12th) and documented them as Attacked/Probed ports and services. Attacker IPs. Attackers Country of Origin. 4.2 Attacked Ports and Services We have taken the sample of attacked ports and services. It has been observed that out of total of 19562 probed ports and services, 13504 were targeted at SSH. This indicates the attackers focus on brute force means of gaining access to the server. This is followed by high activity on IRC ports indicating botnet activity. Table 4.1 Probed Ports their frequency Port Discription Frequency Port Discription Frequency 8 Unassigned 50 3259 epncdp2 3 22 SSH 1793 3283 net-assistant 13 43 WHOIS 67 3411 biolink-auth 2 53 DNS 141 5353 mdns 1 69 TFTP 3 6667 IRC 77 80 HTTP 58 14354 RootKit comm 15 135 epmap 36 20268 RootKit comm 3 137 netbios-ns 18 31337 RootKit comm 1 138 netbios-dgm 3 34611 RootKit comm 2 443 https 17 38111 RootKit comm 6 445 microsoft-ds 70 43495 RootKit comm 1 1101 sebek 103 53100 RootKit comm 1 1412 innosys 6 56594 RootKit comm 8 1700 mps-raft 7 56981 RootKit comm 1 2457 rapido-ip 3 60372 RootKit comm 1 Chart 4.1 Pie chart of Probed Ports Public IP addresses are controlled by worldwide registrars, and are unique globally. Port numbers are not so controlled, but over the decades certain ports have become standard for certain services. The port numbers are unique only within a computer system. Port numbers are 16-bit unsigned numbers. The port numbers are divided into three ranges: Well Known Ports (0 1023) Registered Ports (1024 49151) Dynamic and/or Private Ports (49152 65535) Well-Known Ports Ports numbered 0 to 1023 are considered well known (also called standard ports) and are assigned to services by the IANA (Internet Assigned Numbers Authority)[17]. Here are a few samples: echo 7/tcp Echo ftp-data 20/udp File Transfer [Default Data] ftp 21/tcp File Transfer [Control] ssh 22/tcp SSH Remote Login Protocol telnet 23/tcp Telnet domain 53/udp Domain Name Server www-http 80/tcp World Wide Web HTTP Almost 70 percent of the attacks launched at port 22 SSH port and after that port 53 DNS port. In below mentioned chart port 22 SSH port is excluded. Chart 4.2 Pie chart of Probed Ports (Exluding port 22) 4.3 Attacker IPs During its 30 day tenure the honeypot received 22711 attacks from 421 unique IPs. A great amount of these attacks originated from Europe and China. Table 4.2 Attack IPs their origin IP Frequency Country IP Frequency Country 218.30.22.82 3011 CN 80.31.189.175 45 ES 122.225.100.154 1378 CN 69.191.193.47 342 US 60.190.49.243 986 CN 58.218.182.18 518 CN 219.149.53.239 566 CN 125.244.77.67 981 KR 116.71.215.104 1231 PK 82.99.173.51 432 CZ 119.153.3.25 451 PK 140.130.99 45 TW 212.252.124.15 381 CN 125.244.77.34 23 KR 218.75.95.244 768 CN 194.1.9.21 12 SK 218.23.37.51 23 CN 78.111.82.127 9 RU 122.225.100.154 221 CN 218.75.172.38 544 CN 219.149.53.239 12 CN 61.178.91.48 970 CN 195.234.184.111 76 BE 210.188.201.198 322 JP 122.160.23.228 781 IN 2 01.238.235.25 7 CL 59.103.3.169 389 PK 87.62.49.128 37 DK 203.99.163.156 12 PK 204.11.236.213 21 US 189.104.241.232 76 BR 122.160.207.28 91 IN 203.99.163.153 211 PK 207.182.34.45 561 US 151.21.107.21 34 IT 69.73.208.59 32 GD 78.13.99.15 3 IT 218.23.107.51 12 CN 84.221.56.205 691 IT 125.244.147.67 9 KR 208.69.36.11 2217 US 207.10.34.112 376 US In above mentioned PIE graph we selected 20 IPs from different countries with their attack frequencies. China has one of highest total for malicious activities, it could be due to the fact that the china has the most broadband users in the world. More you spent time online the longer your system exposed and more chances that your system will get attacked or compromised. In above mentioned PIE graph we selected 20 IP from different countries with their attack frequencies. 4.4 Attackers Country of Origin 545 unique attacker IP addresses were identified originating from 61 countries across the globe. Out of these 61 countries the highest number of attacks came from China and Europe followed by the US. This proportion also stands for the highest attack frequencies. Table 4.3 Top 20 Attack Frequency vs Country Country Frequency BE 76 BR 76 CL 7 CN 9390 CZ 432 DK 37 ES 45 GD 32 IN 872 IT 728 JP 322 KR 1013 PK 2294 RU 9 SK 12 TW 45 US 3517 Grand Total 18907 4.4.1 No of Attackers IP per Country Table 4.4 Number of attack IPs vs Country Country # of IP CN 68 PK 14 BE 1 BR 1 IT 2 US 43 ES 2 KR 35 CZ 1 TW 21 SK 1 RU 4 JP 13 CL 1 DK 9 IN 23 GD 1 ZA 1 VN 1 AU 2 RO 5 AW 1 NL 3 TR 1 PL 5 Chapter 5 Conclusion 5.1 Overview Success of a honeynet lies in the number of users (attackers) try to access it, honeynets dont have any production value so any interaction with honeypots is suspicious. Information gathered through honeynet will raise the awareness of different types of treats present on internet. Now a days many organization dont realize that they are targeted and who is attacking them and why. Honeynet help us to understand the attacks and basic measures we can take to prevent these threats. It also help us to improve our defense mechanism and secure ways to defend our resources. Through honeynet we can able to know the 0 days attacks, without effecting our production systems. Focus should be done on the attacks initiating from your own enterprise network. These types attacks can do more damage to your own network. Enterprise administrator should take immediate notice of these types of attacks as these attacks indicate machines that have already been compromised within the network. 5.2 Achievements The deployed honeynet has provided the extensive information on different types of attacks, it also helped us to detect the internal (LAN) compromised systems which tying to communicate with honeypot through different types of rootkits. It has been observed that within the period of 30 days out of total of 19562 probed ports and services, 13504 were targeted at SSH. This shows the attackers focus on brute force for gaining access to the server. It also help us to know most common ports used for attacks and through this information we can enforce different types of policies on external firewalls and also block the open unused ports on different servers. It is concluded that most of the attacks are coming from China but more successful attacks are coming from Europe. 5.3 Future Work Keeping in view the existing features of detection mechanism, its working may be enhanced and it can be made more effective in the future by enhancing its capability by increasing the no of honeypots with the functionality of different type of services like DNS, Webhosting and FTP servers etc. Detailed Forensic analysis of attacks can help us to understand working of botnets and identification of different new 0 day attacks. Centralized data sharing, could be a website www.mschoneynetproject.com.pk, where all the information gathered through honeynet is shared with MCS security related students. So they can get realtime information of different latest attacks and understand the attack methodology. References [1] Spitzner.L (2002). Honeypots Tracking Hackers. US Addison Wesley. 1-430. [2] Stoll, C. The Cuckoos Egg Tracking a Spy Through the Maze of Computer Espionage. Pocket Books,New York, 1990 [3] Automated deployments of Ubuntu By Nick Barcet September 2008  © Copyright Canonical 2008 [4] The Honeynet Project http//project.honeynet.org [5] CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service http//www.cert.org/advisories/CA-2001-31.html [6] Provos, N and Holz, T (July 26, 2007). Virtual Honeypots From Botnet Tracking to Intrusion Detection. US Addison-Wesley Professional. [7] Talabis, R. (2005). The Gen II Gen III Honeynet Architecture. Available http//www.philippinehoneynet.org/index2.php? Last accessed June, 2008. [8] William Stallings, â€Å"Cryptography and Network Security Principles and Practices†, Third Edition, Prentice Hall, 2003. [9] Security architecture for open systems interconnection for CCITT applications, ITU-T, Study Group VII Data Communications Networks, 1991 [10] Snort user manual 2.8.3 , www.snort.org [11] Know Your Enemy Sebek, A kernel based data capture tool,The Honeynet Project, http//www.honeynet.org, Last Modified 17 November 2003 [12] Shuja, F. (October, 2006). Virtual Honeynet Deploying Honeywall using VMware Available http//www.honeynet.pk/honeywall/index.htm. Last accessed June, 2008. [13] Robert McGrew, Rayford B. Vaughn, JR. Experiences With Honeypot Systems Development,Deployment, and Analysis. Proceedings of the 39th Hawaii International Conference on System Sciences 2006. [14] Levine.J, LaBella.R, Owen.H, Contis.D, Culver.B. (2003). The Use of Honeynets to Detect Exploited Systems. Proceedings of the 2003 IEEE [15] http//www.securityfocus.com/print/infocus/1855 [16] http//wiki.virtualbox.org/page/User_Guide/Installation/Windows [17] https://www.auditmypc.com/freescan/readingroom/port_scanning.asp [18] Know Your Enemy Sebek A kernel based data capture tool. Honeynet Project (The). 21 April 2004 www.honeynet.org/papers/sebek.pdf [19] Know Your Enemy: Honeynets What a honeynet is, its value, overview of how it works, and risk/issues involved. honeynet Project https://www.honeynet.org Last Modified: 31 May, 2006 [20] Honeynet Learning Discovering IT Security- MARK RYAN DEL MORAL TALABIS Phillipine Honeynet Project Manila, Phillipines [email  protected]/* */ [21] Development and Implementation of the Honeynet on a University Owned Subnet Erin L. Johnson, John M. Koenig, Dr. Paul Wagner (Faculty Mentor) [22] A Virtual Honeypot Framework Niels Provos_ Google, Inc. [email  protected]/* */ [23] Towards a Third Generation Data Capture Architecture for Honeynets Edward Balas and Camilo Viecco Advanced Network Management Lab Indiana University [24] Evaluation and Demonstration of the Usage of a Virtual Honeynet for Monitoring and Recording Online Attacks Rajiv J. C. Ponweera1, Ravindra Koggalage2, [25] Kn ow Your Enemy: GenII Honeynets Easier to deploy, harder to detect, safer to maintain. Honeynet Project https://www.honeynet.org Last Modified: 12 May,2005 [26] Know Your Enemy Sebek A kernel based data capture tool The Honeynet Project http//www.honeynet.org Last Modified 17 November 2003 [27] http//www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf [28] Improving Network Security With Honeypots Christian Doring. July, 2005. Thesis. [German Honeyent Project] [29] Sebek 3: tracking the attackers, part one Raul Siles, GSE 2006-01-16 [30] Honeynet Learning Applying problem and case-based approach in IT security education through the use of honeynets. Publication in the ACM InRoads journal in June 2006. [Phillipine Honeynet Project] [31] Know Your Enemy: Honeywall CDROM Roo 3rd Generation Technology Honeynet Project Research Alliance https://www.honeynet.org Last Modified: 17 August,2005