Intrusion detection honeypots simplify network security
Low-cost, low-fuss honeypots are highly effective early-warning systems against external attacks and insider threats; KFSensor, HoneyPoint, and Honeyd offer safety, ease, and flexibilityFollow @rogeragrimes
Note: A honeypot cannot bind to a port that the underlying host operating system has already bound to. For example, Windows-based honeypots cannot emulate NetBIOS services unless file and printer sharing have been disabled on the host and SMB/CIFS have been turned off. This is to be expected.
I have noted in the accompanying honeypot features table whether or not the honeypot came with a particular emulated service built-in, without needing additional software or scripts. For a low-interaction honeypot, the more services you can emulate the better. In a Windows shop, it's almost essential to cover all of the popular Microsoft applications and services -- that's what the attackers will be looking for. KFSensor comes with the most built-in services, followed by HoneyPoint. A broad range of open source emulation scripts are available for Honeyd, but only a few come preinstalled.
Network emulation. KFSensor and HoneyPoint don't have any network emulation features at all, relying completely on the host and host network for all routing. Honeyd has extensive network emulation, faking not only entire routing schemes (including routes, hops, latency, and packet loss) but also the network stack of each emulated OS. It can fool Nmap and Xprobe fingerprinting scans. A single instance of Honeyd can make it appear as if 100 different systems are operating across a wide range of virtualized IP addresses. No other honeypot product can match it.
It bears noting, however, that most attackers don't do network fingerprinting and analysis. They look for a port, find it, and quickly try to see what it's running -- just a little bit of discovery, if that. In a small percentage of cases the attacker will run a detailed fingerprinting tool (such as Nmap or Xprobe2), and in those cases network stack emulation is important. But in the vast majority of attacks, Honeyd's detailed network-level emulation and granular accuracy is overkill. For honeypot purists or honeypot admins trying to hide well, it is an essential feature. For most of the rest of us, it's unnecessary.
Alerting and logging. A honeypot is useless without strong alerting and logging. All honeypots display connection attempts as alerts, either on the sensor or on a centralized console. Alerts should allow criticality levels to be set for each sensor, origination IP address, port, and even intrusion signature. All probes to a honeypot should be investigated, though some probes are more suspicious than others. A probe originating from a more secure network might indicate a more serious compromise, for example. For this reason, a defense industry client with a honeypot on a nongovernment network wanted the highest priority set on traffic originating from a distant government network that was classified. The client wanted their incident response team to be alerted immediately if a probe originated from the more sensitive network. KFSensor provided the most versatility in setting criticality levels, followed by Honeyd and then HoneyPoint.
Most honeypots allow alerts to be sent via syslog, email, and Windows Event logs (if hosted on a Windows computer). All alerts should be logged to a local database, and bonus points were given if logs could also be saved to an external database, especially if the database supported was SQL-based. All three products reviewed allow you to throttle alert messages so that one probing event -- say, a port scan -- doesn't trigger thousands of emails to the on-call support person.
Most honeypot products allow current alerts to be used to fine-tune future alerts, typically to filter out legitimate traffic. Fine-tuning a honeypot can take a few days, but a good honeypot simplifies the process. KFSensor easily provided the most flexibility in refining alerts. Right-clicking any alert opens up a "visitor rule" that can be greatly customized. Both HoneyPoint and Honeyd also had filtering features, but they were not as flexible or easy to implement.
Reporting. Management likes to see reports and pretty pictures, and everyone likes to see favorable trends over time. Unfortunately, I have yet to see a honeypot program with decent built-in reporting or anything near what we've come to expect in most computer security defense programs. HoneyPoint's 10 simple reports are easily enough to win the reporting category in this competition. I would like to see honeypot reporting mature to meet today's expectations.