Intrusion detection honeypots simplify network security
Low-cost, low-fuss honeypots are highly effective early-warning systems against external attacks and insider threats; KFSensor, HoneyPoint, and Honeyd offer safety, ease, and flexibility
Columnist, InfoWorld |
Why use specialized honeypot software?
You don't need a KFSensor, Honeyd, or HoneyPoint Security Server to set up a honeypot. I often recommend to readers that they take an old computer they're getting ready to throw away and use it as an early-warning honeypot instead. You've already paid for the hardware and software, so why not put it to good use? (See my tips in the sidebar, "Intrusion detection on the cheap: Roll your own honeypot.")
Specialized honeypot software has a number of advantages over that old PC. For one, honeypot software usually does the hard work for you. They set up the services, provide a range of fake functionality, and simplify logging and alerting. Most honeypot software programs come with low- and medium-interaction services and allow easy customization.
Secondly, honeypot software usually excels at data capture, sometimes offering intrusion detection signatures, packet capture and network protocol analysis, and easy filtering and fine-tuning. For example, some GUI-based honeypots allow you to click an event message to create "ignore rules" to filter out legitimate traffic. Compared to configuring an old PC for honeypot duty, a specialized honeypot program squeezes what might be a two-day process into 10 or 15 minutes of actual work.
High-interaction honeypots vs. low-interaction honeypots
When people think of honeypots, they often think of complex, highly realistic "traps" where the hacker encounters a range of fully functional services (a realistic website, an email server with updated emails, and so on) and his every move can be tracked. These types of high-interaction honeypots provide realistic emulation of high-value network assets in return for significant administrator effort. Their sophistication is intended to better determine the hacker's motivations and to better document what the hacker did.
For example, once when I was onsite at a large defense contractor, a newly installed honeypot caught someone probing the SharePoint Web server. We quickly set up three areas of the site designed to help us profile our intruder: a section with computer games, a section hosting "secret" NASA Space Shuttle plans, and a section that purported to have F17 fighter pilot communication codes. The secret Space Shuttle plans were simply page redirects from NASA's public website. The hacker quickly went to the Space Shuttle plans and began using SharePoint's search feature to look for Middle East topics. This was no gamer. The hacker was later found to be a foreign spy working in the company's accounting department as a temp worker.
Because high-interaction honeypots require a lot of work and carry increased risk that an attacker will use the exploited honeypot to do harm (for example, attacking other companies, installing a password sniffer, and more), I encourage most companies to use low- or medium-interaction honeypots. A medium-interaction honeypot fakes common tasks, but doesn't implement a full service. For example, a fake FTP service might allow the prober to attempt to logon, or it might allow them to logon anonymously and offer up fake files to download. A fake email server might even let the attacker read and send emails. KFSensor allows a few emails to be sent on the fake service so that a potential spammer might be tricked into thinking he's found a real email server. The idea is to provide enough functionality to determine whether an intruder poses a threat, but not enough to allow the intruder to take things too far.