June 21, 2010 at 11:33 pm #5242satish.lxParticipant
Ron has configured his network to provide strong perimeter security. As part of his network architecture,
he has included a host that is fully
exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or
filtering router. What would you call such a host?
What is the answer of this question ? and why ?
June 22, 2010 at 12:01 am #33248BillVParticipant
edit: I stand corrected, The answer should be D) Bastion Host
There is not enough information to clearly say it is a honeypot, but a system placed in the position described would be a bastion host. Reference wherever this question came from, as their definition of either should give you the proper answer
Ron has configure a network with strong perimeter security and included a system that is exposed to attack.
EC-Council definition of a honeypot:
Honeypots are computers or virtual appliances, setup up as vulnerable systems, designed to detect, deflect, or in some manner counteract attempts by unauthorized individuals to penetrate a network system. This preventive measure is used to learn the language of attackers and other intruders, and to adopt security measures in keeping with their intrusion tools and techniques. The goal of setting up a honeypot is to divert an attack to a softer target and allow that system to be probed, attacked, and potentially exploited. By having honeypots on the network an administrator can gain enormous amounts of information about how a malicious hacker can gain access to systems. Security improvements can occur by knowing the tools that intruders use. This data allows system administrators to build countermeasures against these activities. 
It’s not a DMZ host, because it’s not in the DMZ. It’s not a DWZ host, because.. well, what is a DWZ? It’s possible that it could be a bastion host (and you could argue that a honeypost is a sub-category of a bastion host) but the question doesn’t make reference to the system in question being hardened. It says it is left unprotected and exposed, thus leaving us with a honeypot.
June 23, 2010 at 3:10 pm #33249AnonymousParticipant
I would say Bastion Host. The question mentions nothing on making the machine vulnerable to lure attackers, so I would not say it would be a honeypot. A bastion host is supposed to be a hardened system with increased exposure.
ok, I answer from the safe side cos I remember this question (I think it was in Gregg’s Prep Exam Guide). I had also answered “honeypot”. But it was wrong.
And I agreed. Because other than its exposure, nothing else indicates it being a honeypot. In general, it is a rather misleading question.
June 23, 2010 at 6:07 pm #33250geekyoneParticipant
I agree the question is very misleading. On first reading it I agreed with BillV but after a thorough reading I think Hordakk is right and the correct answer is Bastion Host. Since the question doesn’t really say it is designed to lure in attackers (although that could be implied in the “fully exposed” statement).
However having said that I know BillV is heavily involved with EC-Council and the CEH. I would probably take his answer as more in line with EC-Council thinking. After all, as anyone who has taken the CISSP will agree with me, it isn’t always the right answer it is the answer they want.
June 23, 2010 at 8:01 pm #33251BillVParticipant
I agree, it is a goofy question. It’s obviously one of the two and there’s not enough information to clearly say what it is.
As you’ve pointed out, you’d expect it to say something about luring in an attack (and thus it’d be a honeypot) or being hardened (bastion host).
You both are probably right. Bastion host is probably a better answer in this case. I jumped too quickly :-[ I just looked for a quick answer in the CEH books I had nearby and couldn’t find any reference to a bastion host for some reason, but I did see the quoted stuff about a honeypot. If this came from the Gregg book, then it’s most likely from the v4 courseware.
June 24, 2010 at 9:33 am #33252j0rDyParticipant
giving the material provided by EC-council, i would go for honeypot. As far as i can remember, the term bastion host is never mentioned in the course materials, so it would be a weird correct answer giving the above fact? i also trip over the sentence: he has included a host that is fully exposed to attack. this clearly states a honeypot, but additional information like: the behaviour of the server is closely monitored or something.
- You must be logged in to reply to this topic.