Honeypots as an early warning system

Free Newsletters

Log-in | Register

SECURITY ADVISER

Honeypots as an early warning system These sticky traps make a good backup plan for malware detection -- and every enterprise should have at least one
By Roger A. Grimes December 16, 2005			E-mail Printer Friendly Reprints Slashdot It!

I often recommend that my clients set up and use a honeypot, and not just because my last book was entitled Honeypots for Windows. Honeypots are any non-production computer asset set up only as a target for hackers and malware. A honeypot is usually a PC, but it could be a Cisco router, Ethernet switch, or HP JetDirect card.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

Many people think honeypots are non-necessary devices used by security administrators to track uberhackers. And while that’s partially true, today I recommend that every company use one or more honeypots.

Why, you ask? Because all computer security defenses will fail. Your firewall will fail. Your anti-virus software will fail. Your IDS and all of your employee education will fail, if not once a year, then several times. That being the case, step two is to get the fast notification that your defenses have failed.

That’s where a honeypot comes in: One or more of these should be your EWS (early warning system). Forget about giving the hacker (or malware) a realistically fake environment to hack around in (called "high-interaction" in honeypot parlance). As a non-production asset, nothing should ever touch the honeypot -- that way, if something touches it, probes it, port scans, or tries to log on to it, you'll know it's malicious, and you can capture as much information as possible from the initial contact. When something connects, the honeypot should immediately alert the security first responder, preferably by sending out a page or SMS alert, or by automatically creating a help desk ticket.

An EWS honeypot should detect and alert, and alternately log and report. In order to detect, the honeypot needs to initialize a listening service on the ports that a hacker or malware program will be likely to visit. For a Windows honeypot, that would include TCP ports 135, 137-139, and 445. A Unix/Linux host might want to have ports 22, 111, and RPC ports to mimic services running in the host environment.

You’ll often hear people say that honeypots never have false positives. This is patently untrue, especially inside the network. Usually, I have to fine-tune the honeypot not to alert on normal broadcast traffic and tell my network management software to skip the honeypot. (Otherwise, my honeypot might alert when the patch management software tries to push out a new software update or when the anti-virus gateway server tries to deliver an updated signature.)

There are many ways to set up a honeypot. You can take an old machine and install a copy of your default OS on it. Because the system is a real OS, most hackers won’t be able to tell that it is a honeypot, even if you do nothing special to it other than install detecting and alerting mechanisms.

Some people use virtual machine software (such as VMware or Virtual PC) to create honeypots. The benefit here is quick resets and clean-up, but VM honeypots are subject to being detected as VM, and hence identified by a hacker as a possible honeypot.

Luckily, this worry is lessening as more shops virtualize their production machines. But a bigger threat is the fact that any real OS gives the hacker a real target to exploit and could lead to unintended consequences, so more and more administrators are turning to specialized honeypot software.

Hands down the best honeypot product, especially for the Windows crowd, is KeyFocus’ KFSensor. KFSensor is feature-rich and frequently updated. The fully featured version is $990, but a new standard version will sell for much less. I don’t have enough space here to elaborate on KFSensor, but if you want the best, spend the money. The only two detractions are that it doesn’t emulate the TCP/IP stack at the lowest levels (a fact that doesn’t really matter for an EWS honeypot) and that only a finite number of listening ports can be active at any one time.

Open source Honeyd is the most versatile honeypot software. Like many open source products, it is mostly command line-based, takes lots of reading to understand, and takes even more trial and error to get it right.

Developed for the Unix/Linux crowd, it comes in a Windows flavor, but the Windows version is old and buggy -- you’re better off learning Linux from scratch than using the Windows version. Honeyd is a very flexible honeypot, but it must be cobbled together from scratch, and more sophisticated emulations, such as NetBIOS, aren’t easy at all.

Other honeypots to consider are Alkasis' PatriotBox (Windows-based, GUI, $40, not nearly as feature-rich as KFSensor, but a good value), and Specter (Windows-based, GUI, $899, contains many unique features not seen elsewhere).

For more information and details on honeypots, visit http://www.honeynet.org and http://www.honeypots.com.

E-mail

Printer Friendly

Reprints

Slashdot It!


	InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security. • More of Roger A. Grimes' column Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» Four quick tips for choosing an IM security product
71 percent of businesses will invest in real-time messaging this year. If you're one of them, be sure to protect your enterprise

» Forrester analysts ID hot IT jobs
Research group finds 16 IT roles with a promising future

» Nvidia claims 10 hours of HD video on Tegra chip
The Tegra 600 and 650 can be used with hard disk drives and are designed partly for mobile Internet devices

» Database vendors add Google's MapReduce
Greenplum and Aster Data Systems will support Google's programming technique, developed for parallel processing of large data sets across commodity hardware

» Network management: Tips for managing costs
New technologies, changing requirements, and ongoing equipment maintenance and upgrades cost money, but there are ways to manage expenses

» EMC targets SMBs, branch offices with new low-end storage
Celerra NX4 highlights include thin provisioning, snapshot technology for data recovery and backups, and Web-based console for management of storage volumes

REMOTE ACCESS: MAINTAIN SECURITY AND DECREASE THE BURDEN ON IT
Join this interactive webcast to discover how IT Managers can control access rights, end-user security settings and end-point authorization. Sponsor: Citrix(R) GoToMyPC(R) Corporate

» Click here to view this Webcast

Planning For A Disaster
This new, comprehensive Solutions Guide is your one stop source for Disaster Recovery. In it you'll learn how to reduce the likelihood of a disaster and to create a rock solid business continuity plan should you face a disaster situation. Sponsored by Equallogic

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Success Factors for Highly Effective Inside Sales Teams - This complimentary Whitepaper reveals that many inside salespeople have less than 2 years of experience. Be sure to back...
New from AT&T: Fixed-Mobile Convergence for High Performance - The newest fixed-mobile convergence (FMC) strategies could enable enterprises to increase the productivity and effectiveness...
Maximizing Mobility in Communications - Learn how recent advances in wireless technology, particularly faster links and more powerful receiving devices, have greatly...
Moving to Windows Vista: The Promise, The Reality - IDG survey say...that while migration to Windows Vista looms inevitable, the road is fraught with challenges from application...
Securing the Converged Enterprise I - Balancing the many benefits of convergence with the associated security risks can be tricky. While convergence eases communications...
An AT&T White Paper: Enterprise IPTV Solution - Discover two components of a solution that allows you to produce and broadcast video to internal and external audiences:...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
Fluke - Your Guide to Troubleshooting Application Problems Nortel - Nortel data networks can save you up to 40% on energy costs. Microsoft - Learn about the software-based VoIP solution from Microsoft. Xerox - Print for pennies per page with Xerox color! Click to learn more. AT&T - Machines That Speak: The Machine-to-Machine Wireless Network AT&T - AT&T Article: Reinventing the Telephone with VoIP AT&T - New from AT&T: Discover Fixed-Mobile Convergence Now AT&T - AT&T Business Continuity Survey on Risk Management AT&T - The Top 10 Best Practices for Server Virtualization Planning AT&T - Securing the Converged Enterprise I AT&T - Securing the Converged Enterprise II AT&T - An AT&T White Paper: Enterprise IPTV Solution AT&T - An AT&T Article: When Content is King Villanova University - Prepare for CISSP(R) or CompTIA(R) Certification - 100% Online! AT&T - Maximizing Mobility in Communications AT&T - The Spirit of Innovation: 100 IT Leaders Speak Out CA - Manage your IT more effectively. InterSystems - Use Ensemble - quickly create composite applications. Intel - Processor-enabled Virtualization. That's IT as it should be. CA - Plan IT better, Manage IT better. Rackspace - Rackspace: The True Value of a Hosting Provider AMD - The Future is Fusion. Only from AMD. Learn more. Symantec - Symantec(TM) Network Access Control: Comprehensive Network Access Control Oracle - Nucleus Report: Who's ready for SMB? Symantec - Enterprise-class Disaster Recovery for Virtual Server Environments		Adobe - Delivering On The Promise Of eLearning Active Endpoints - Get ActiveVOS. Design, develop, deploy, manage services-based apps. Eaton - Distributing Power to Blade Servers Radware - Business-Smart Automation for Optimizing Your Virtualized Data Center HP - Secure your network with HP's thin client computers. AppAssure - 3 Best Practices for Reducing Exchange Downtime Electric Cloud - Agile Development: 5 Steps to Continuous Integration Oracle - Best Practices for Successful SOA Governance MKS - Get Power and Simplicity of UNIX while working in Windows HP - HP Color LaserJet CP4005n printer. Now $899. SHOP NOW Dell - Dell Latitude: Battery life up to 19 hours. Learn more. Equallogic - Flexible, Scalable, Enterprise Storage for Virtual Infrastructures Equallogic - Four Steps to Disaster Recovery and Business Continuity Using iSCSI HP - Get Extreme Storage for Extreme Business with HP. Dell/Equallogic - PS Series Best Practices Deploying Microsoft(R) Exchange Server 2007 in an iSCSI SAN Dell - Windows Vista: A Cyber Security Shield HP - HP LaserJet P4014n printer Starting at $699 after $100 IS. SHOP NOW HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - HP StorageWorks products-control, consolidation and confidence. Platespin - Consolidated Disaster Recovery Using Virtualization Platespin - 8 Phases of a Successful Consolidation Initiative AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist