Low-cost, low-fuss honeypots are highly effective early-warning systems against external attacks and insider threats; KFSensor, HoneyPoint, and Honeyd offer safety, ease, and flexibility
Intrusion detection is a complex business. Whether you deploy an intrusion detection system (IDS), or you collect and analyze the computer and device logs on your network, identifying malicious traffic in a sea of legitimate activity can be both difficult and time consuming.
A honeypot makes identifying malicious traffic dead simple. That's because any traffic to a honeypot, after some initial quick tuning to rule out false positives, is suspicious. A honeypot is a fake computer asset that exists only to alert its owner if it is touched. Nobody should be touching it or attempting to log on. Because all activity is illegitimate, no analysis is needed to tell good traffic from bad. The only question is, how dangerous is the intruder?
As a longtime security professional (and author of the book "Honeypots for Windows"), I've maintained eight different honeypots on the Internet to track hacker and malware behavior. I was able to watch as Internet malware evolved from script-kiddie viruses to professional crimeware. I was able to see and learn about bank account stealing Trojans long before they were well known in the security world, and I've seen carders (credit-card-dealing thieves) operate firsthand.
More important, I've seen the impact of honeypots in the corporate environment, where they shine as basic early-warning systems. I've seen honeypots on a corporate LAN catch foreign industrial spies, snare trusted insiders gone bad, and alert security teams to the presence of a roving malware program that had gone unseen. In nearly 10 years of deploying honeypots, I've yet to create one that didn't find something malicious within a few days of being installed.
In short, when used as early-warning systems, honeypots are low cost, low noise, and low maintenance, yet highly effective at drawing attention to threats in the network environment. They belong in any defense-in-depth program.
With this recommendation in mind, I reviewed three available honeypot software solutions: Keyfocus' KFSensor, MicroSolved's HoneyPoint Security Server, and free open source Honeyd. I tested all three honeypots in a closed lab environment, running them inside of virtual machines hosted by Windows Server 2008 R2's Hyper-V. KFSensor and HoneyPoint were run on Windows 7 Enterprise, and Honeyd was run on Ubuntu 9.1. Attack probes were simulated using Nessus 4.2.2, BackTrack 4 tools, and manual connections from remote physical machines on the same private LAN. All host-based firewalls were disabled, and User Account Control (UAC) was disabled on the Windows computers, because of the likelihood they would thwart various attacks and probes that might otherwise succeed.
Ease of use (20.0%)
Logging, alerting, and reporting (25.0%)
Overall Score (100%)
|HoneyPoint Security Server 3.00||7.0||7.0||7.0||8.0|
Windows 7 is suddenly telling users it isn't genuine -- and it has nothing to do with Windows being...
Windows users are reporting significant problems with four more October Black Tuesday patches
The larger design is very welcome, but there's much more to the iPhone 6 than a bigger screen
Sponsored by Rackspace
Sponsored by Nuage Networks
Sponsored by Fibre Channel Industry Association
More control over video, pluggable languages, stronger microformats -- here’s where W3C should steer...
The Appery.io online mobile development platform crosses categories, but support for native apps and...
In its debut, the Aurelia modular framework enables customization and accommodates the latest...
Hortonworks launches a comprehensive three-point plan to shore up data governance in Hadoop