Intrusion detection honeypots simplify network security

Low-interaction honeypots are the simplest of all. Honeypots that serve as early-warning systems are usually low interaction, meaning that they monitor one or more network ports and alert when something has tried to connect to a particular port. Low-interaction honeypots don't attempt to look like fully formed, legitimate services. Attackers rarely understand why the remote port isn't responding correctly, and they move on after a few attempts. That's OK, because you've hopefully logged the origination point of the probes and are now exploring it yourself.

While low-interaction honeypots don't do a whole lot to convince an intruder that they're the real thing, they don't have to. Their only job is to alert the computer security or incident response team when something touches them.

Honeypot software features
All honeypots have a few core functions in common. First, they must publish one or more ports and services that will attract intruders. Next, they must capture at least the intruder's origination address (usually IP address), date, time, and data sent in the connection attempt. All connection attempts should be logged (unless instructed to be ignored) and generate alerts so that an incident response team can get involved. Lastly, a great honeypot helps in data analysis, whether it's through detailed packet analysis, password attempt analysis, or aggregating related probes into a single incident. How well each honeypot does this and with what finesse is where the evaluation takes place.

Platforms and installation. Honeypot software should be easy to install and configure. KFSensor leads the pack in this regard with the best GUIs across the board, although it runs only on Windows (XP and later). HoneyPoint and Honeyd run on Windows, Linux, and Mac OS X, and Honeyd supports BSD and Solaris as well. HoneyPoint is fairly simple to install, but requires minor text file manipulation for licensing. Honeyd is the most versatile honeypot of the three; unfortunately, it's also the most difficult to install and configure. Longtime Linux command-line users will find familiarity, but Windows users will usually be daunted by the downloading, compiling, and configuration work, all at the command line. All three honeypots could run as a user-mode program or as a system service or daemon. Running as a system service makes it easier for them to resume operations after a reboot.

Emulation levels and services. Most honeypot programs are low interaction to medium interaction -- or it's more accurate to say that some services are emulated at a low level and others at medium. All three honeypots reviewed fall into the low to medium range of emulation. KFSensor and Honeyd allow routing of probes to external real systems if high interaction is desired for particular services. The forwarded attacker still thinks he is connected to the same target system and IP address, and the honeypot continues to capture data so that the administrator can get a complete picture of what the attacker is doing.

All honeypots must emulate one or more services, and to do so, they must listen on the TCP or UDP (or ICMP) ports for those services. Many honeypots emulate only a limited set of ports. KFSensor, Honeyd, and HoneyPoint all claim to emulate the entire range of TCP and UDP ports (0 through 65,535). I didn't test these claims in this review, but I have verified this on KFSensor and Honeyd in the past. Honeyd did all ports easily with the best performance. Although early versions of KFSensor could not do all ports, the latest enterprise versions can. Again, I have not tested HoneyPoint's claim.