Intrusion detection honeypots simplify network security
Low-cost, low-fuss honeypots are highly effective early-warning systems against external attacks and insider threats; KFSensor, HoneyPoint, and Honeyd offer safety, ease, and flexibility
Strange features. Honeypots can have some strange features, which are generally intended to capture more information about possible attackers. KFSensor has the most features of any honeypot in this review, but HoneyPoint wins the award for the strangest. HoneyPoint Trojans and HoneyBees (see the accompanying review) are awkward attempts to offer false lures -- namely, fake binary programs and fake Web and email traffic -- that MicroSolved hopes will lead to more specific information in tracking hackers. I'm doubtful of their overall usefulness, but at least MicroSolved is not providing tools to break into the remote hacker's computers as some past honeypot manufacturers have. Attacking an attacker is not only unethical, but illegal in most countries. HoneyPoint Trojans and HoneyBees do not cross that line.
The sweetest honeypot
KFSensor has long been the established leader in the honeypot world, and this hasn't changed. KFSensor is still the easiest and most feature-rich honeypot among the competition. Its single glaring weakness is the lack of built-in reports. Many honeypots, especially ones with distributed sensors and enterprise features, expect companies to have their own reporting tools and information needs. Still, a few basic reports would go a long way. HoneyPoint offers 10 basic reports, and Honeyd's open source community has offered simple add-ons to get the essential reporting functionality for some time.
HoneyPoint combines multi-platform support, built-in reports, alert tracking, and some unique features designed to trip up attackers, but it falls short of KFSensor in both functionality and ease. Honeyd is the most flexible and efficient honeypot you'll find, but also the most difficult to install and configure. Linux/Unix shops may be undaunted by the challenging setup, and attracted by the free price tag, but they too will likely be better served by KFSensor. Although KFSensor installs only on Windows, it can emulate the ports and services in a Linux/Unix environment (though not at the network stack level like Honeyd).
You can read the individual, more detailed reviews at the links below. No matter which honeypot product you choose to run, or even if you simply turn an old computer into an early-warning system, your modest investment in time or money will pay off in more reliable security and greater peace of mind. Because when your firewall, IDS, antivirus software, and other security defenses fail -- and they all fail every now and then -- your honeypot will alert you to the problem. Setting up a simple honeypot is a small price to pay for a second line of defense.
Read the honeypot reviews:
- KFSensor: Sweet Windows honeypot
- HoneyPoint: A honeypot for Windows, Linux, or Mac OS X
- Honeyd: The open source honeypot
- Honeypots by the features: KFSensor, HoneyPoint, and Honeyd
This story, "Intrusion detection honeypots simplify network security," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.