Sniffing for intruders

Honeypots are quickly gaining acceptance in corporate environments as highly accurate early warning systems. Because they aren’t production assets, any activity on a honeypot can immediately be considered suspicious and the appropriate defensive response can be initiated. There are about a dozen serious vendors in the honeypot field, including KeyFocus’ KFSensor, Network Security Software’s Spector 7.0, and the open source favorite Honeyd, but Palisade Systems’ SmokeDetector is the only hardware offering. 

Low-interaction honeypots offer up one or more IP ports with weak emulation of operating systems and services. The emulation can be as basic as a listening port or some banner text and a fake log-in screen. Because the desired benefit is early warning, complete emulation is overkill; plus, the absence of a real operating system limits the potential for damage by the intruder.

Packaged in a 1U unit (Intel Celeron 1.7GHz, 256MB of RAM, an 80GB hard drive) and running FreeBSD 4.6, the SmokeDetector is a stand-alone component of Palisade’s Security Suite offering. To test the unit, I configured four operating system emulations, including Windows 2000, Windows NT, Cisco IOS, and AS/400, and subjected the product to hundreds of daily probes, scans, and attempted exploits. Most of my exploit attempts were automated attacks and probe scans. In addition to connecting to all of the ports I had configured, I connected to a few ports that remained in their out-of-the-box configurations.

Setting the Trap

A total of 19 different operating systems can be emulated if you buy the complete SmokeDetector package, though none of Microsoft’s latest operating systems are offered. Emulated services include Auth, Finger, FTP, HTTP, IMAP, POP, SMTP, SSH (Secure Shell), Telnet, SMB (Server Message Block), and a handful of other UDP (User Datagram Protocol) and RPC services. As with most low-interaction honeypots, none of the emulations offer anything beyond allowing the intruder to connect to the port or to try to log in (which is never successful).

I scored the SmokeDetector’s accuracy by noting how realistic the emulations seemed to the intruder and noting the accuracy of its logging. Connections to most services, like those to FTP, Telnet, and SMTP ports, resulted in fairly accurate banner text and a limited, but mostly correct, set of error messages. Palisade Systems did its homework. 

Strangely, connection attempts to the HTTP ports never resulted in any HTML pages being returned, which might leave an intruder wondering why port 80 is enabled without content. Palisade says HTTP response capability will be available in a forthcoming version. The promised Windows SMB service emulation was mixed, as I could not get the SmokeDetector to show me the virtual files and folders as expected. On all services, each connection attempt was captured and logged in moderate detail. Any attempted log-on names and passwords used by intruders were displayed and logged, along with any commands and connection attempts sent to the ports.

Unfortunately, SmokeDetector’s banner text, log-on screens, and emulated services cannot be changed beyond what is offered. Additional ports cannot be configured in the management GUI, but simple listening ports can be added using FreeBSD’s TCP Wrappers. 

Of course, the whole point to using a honeypot as an early warning system is to be alerted of intrusions right away. The SmokeDetector is relatively competitive in this area, offering several levels of alerts. It also offers some of the best standard reports in the honeypot world, including summary reports sorted by intruder origin and event alert level.

The SmokeDetector works as advertised, but it’s inflexible and pricey. That makes it hard to recommend over more customizable, less expensive offerings.