In Depth

All About Honeypots and Honeynets

Honeypots and honeynets can take the sting out of hacker attacks

By Simson Garfinkel

Page 3

Honeypots are primarily a research tool, but they have genuine business applications as well. Put a honeypot on an IP address adjacent to your company's Web or mail server, and you'll get an idea of the attacks to which it is subject. But don't give the adjacent machine a name in your domain name server; after all, most attacks are done by IP address. You'll get even better intelligence if the honeypot uses the same operating system, patch level and application suite as the machine you're trying to protect. In fact, make it an exact copy and then monitor all the traffic in and out of this honeypot machine. If it gets compromised, you'll know what to look for on your production machine.

To be sure, honeypots and honeynets are not "fire and forget" security appliances, a point that Spitzner repeatedly stresses. According to the Honeynet Project, it typically takes between 30 hours and 40 hours of analysis to really understand the damage that an attacker can do in just 30 minutes. The systems also require diligent maintenance and testing. With a honeypot, you constantly match your wits against the bad guys'. You get to choose the battlefield, but your opponent gets to choose the time of the battle. As a result, you must stay alert.

One of the most exciting things happening in the world of honeypots is the development of virtual honeynets: whole networks of virtual computers running on a single machine using a "virtualized computer" system like VMware or User-Mode Linux. A virtualized system lets you run a few (typically four to 10) virtual computers on a single host system. Virtual honeynets dramatically cut costs, machine room space and honeypot management complexities. And since the virtual computer's "disks" are actually files on the host system, it's easy to detect any changes the attacker may have performed and, when necessary, wipe them out. What's more, virtual systems typically support "suspend" and "resume" functionalities, allowing you to freeze a compromised computer and examine the attacker's processes, open TCP/IP connections and anything else that's on the system.
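The change detection that paragraph relies on, as an added example that is not from the article or from the Honeynet Project: because a guest's disk is just files on the host, you can hash a baseline of those files before the honeypot is exposed and diff it afterwards to see exactly what was added, altered or removed. The example stands in for the guest disk with a plain directory tree; every path and file content in it is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    On a real virtual honeynet, root would be a mounted copy of the guest's
    disk image taken from the host, never a listing produced from inside the
    (possibly compromised) guest.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, modified or deleted relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "deleted": deleted}


def _write(root, rel, data):
    """Helper: create a file (and parent directories) under the constructed tree."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Snapshot a constructed guest tree, apply three changes, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "clean" guest disk contents.
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "var/log/auth.log", b"")
        baseline = build_manifest(root)

        # Constructed post-exposure state: one file edited, one new file that
        # was never part of the image, one log file that has disappeared.
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        _write(root, "tmp/.hidden/unexpected", b"not part of the baseline\n")
        (Path(root) / "var/log/auth.log").unlink()
        current = build_manifest(root)

        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline manifest should be stored outside the honeynet (on the host or a separate analysis box), since the attacker can only alter what lives inside the guest. Keeping the diff to added/modified/deleted is deliberate: the list of modified configuration files and missing logs is usually the fastest pointer to what the intruder did, and the added files are what you carry over to the production machine as indicators.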

For the CSO of a large organization, one of the best reasons to run a honeynet is to detect hostile insiders. Any company with more than a few hundred employees is bound to have one or two bad apples behind your firewall and probing for internal weaknesses. What better way to find them than with inside honeynets? Cut off from the outside world and set next to systems used by accounting and payroll, they'll tell you if someone is exploring where he shouldn't. A well-monitored system might even point you back to the perpetrator.
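The monitoring the adjacent-honeypot paragraph and this one both describe comes down to one rule: nothing legitimate ever talks to a honeypot, so every connection aimed at its address is worth an alert, and a source inside your own address space is the insider case. The following is an added example, not code from the article or the Honeynet Project. It parses a constructed firewall connection log, flags every connection to a honeypot address, and aggregates them per source with an internal/external classification based on the RFC 1918 ranges. The honeypot addresses, the log format and every log line are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical layout: 192.0.2.50 is the production mail server with the
# honeypot on the adjacent 192.0.2.51; 10.20.30.51 is an internal honeypot
# sitting next to the accounting systems. Both sets of addresses are constructed.
HONEYPOT_ADDRS = {"192.0.2.51", "10.20.30.51"}

# RFC 1918 space; anything sourced from here is "behind the firewall".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log in a simple "timestamp host ACTION PROTO src -> dst" shape.
SAMPLE_LOG = """\
2003-05-01T02:14:07Z fw ACCEPT TCP 203.0.113.9:41022 -> 192.0.2.50:25
2003-05-01T02:14:09Z fw ACCEPT TCP 203.0.113.9:41023 -> 192.0.2.51:25
2003-05-01T02:14:10Z fw ACCEPT TCP 203.0.113.9:41024 -> 192.0.2.51:22
2003-05-01T02:14:11Z fw DROP TCP 203.0.113.9:41025 -> 192.0.2.51:445
2003-05-01T09:30:00Z fw ACCEPT TCP 10.20.30.77:52110 -> 10.20.30.40:445
2003-05-01T09:30:05Z fw ACCEPT TCP 10.20.30.77:52111 -> 10.20.30.51:445
2003-05-01T09:30:06Z fw ACCEPT TCP 10.20.30.77:52112 -> 10.20.30.51:139
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None so bad lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def honeypot_alerts(log_text, honeypots=HONEYPOT_ADDRS):
    """Aggregate every connection aimed at a honeypot address by source.

    Dropped connections count too: a probe that the firewall blocked is still
    a probe, and the source had no business aiming at that address at all.
    """
    hits = defaultdict(lambda: {"ports": set(), "targets": set(), "count": 0,
                                "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in honeypots:
            continue
        h = hits[rec["src"]]
        h["count"] += 1
        h["ports"].add(rec["dport"])
        h["targets"].add(rec["dst"])
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]

    alerts = []
    for src, h in sorted(hits.items()):
        alerts.append({
            "source": src,
            "internal": is_internal(src),
            "targets": sorted(h["targets"]),
            "ports": sorted(h["ports"]),
            "count": h["count"],
            "first_seen": h["first"],
            "last_seen": h["last"],
        })
    return alerts


if __name__ == "__main__":
    for alert in honeypot_alerts(SAMPLE_LOG):
        where = "INSIDER" if alert["internal"] else "external"
        print(f"{where:8s} {alert['source']} -> {alert['targets']} "
              f"ports={alert['ports']} hits={alert['count']}")
```

The per-source summary is the "better intelligence" the article promises: the external entry shows which services on the mail server's neighbour were tried, which tells you what to look for on the production box, and the internal entry gives you a workstation address and a time window to start an investigation from. The ports list on the honeypot is deliberately left unfiltered, since on a machine with no users every port is a tripwire.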
