In previous articles, I’ve explained how to protect your network through the use of access control lists on your routers and looked at the need for and the cost of an enterprise firewall. By implementing these software and hardware devices, your network will be able to stand up to most (if not all) attacks from the script kiddie community. But what do you do about the black hats? Your data may be the target of a professional, someone who would sell your corporate secrets to your competitors or blackmail you with their disclosure or simply wreck your network because you’re a highly visible and prized target.
Make no mistake about it. Every network with an Internet connection is vulnerable to intrusion. It’s the price you pay to stay wired to the world. Catching elite intruders and tracking their movements throughout your network is tricky business. You could use any of several commercial Intrusion Detection Systems (IDSs). However, they only tell you where intruders went and how they got there. Besides, these elite intruders can often camouflage themselves among your legitimate traffic and alter your system logs to remove any trace of their penetration.
The best intrusion detection
When that top 1 percent makes it through your outer defensive perimeter, your goal should be twofold:
- Track their every movement in a way that allows you to preserve that data for law enforcement officials.
- Provide a target away from your production servers. You need bait. You need an intelligent mousetrap. You need a “honeypot.”
Honeypots are programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honeypot can log every access attempt to those ports, including the attacker's keystrokes, which can give you advance warning of a more concentrated attack.
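The decoy service just described, as an added example that is not from the original article: a listener that presents a constructed banner on a port you choose, records the connecting address and every byte the client types, and keeps the record in a log the decoy never executes. The banner text, the 4 KB cap and the 5-second idle timeout are assumptions chosen for the demonstration; the helper `probe` is only a local client used to exercise the decoy.

```python
import socket
import socketserver
import threading
import time

EVENTS = []  # in-memory log; a real decoy forwards each entry to a remote log host

def record_event(port, peer, payload):
    """Store one interaction: peer, decoy port, and every byte the peer sent."""
    event = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "port": port,
        "src": "%s:%d" % peer,
        "data": payload.decode("ascii", errors="backslashreplace"),  # keep non-ASCII visible
    }
    EVENTS.append(event)
    return event

class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):  # send the fake banner, then record input until the client hangs up
        self.request.sendall(self.server.banner)
        self.request.settimeout(5)  # an idle intruder must not tie up the handler forever
        buf = b""
        try:
            while len(buf) < 4096:  # cap so one session cannot exhaust memory
                chunk = self.request.recv(256)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        record_event(self.server.server_address[1], self.client_address, buf)

def start_decoy(port, banner):
    """Start a decoy listener on 127.0.0.1 in a background thread (port 0 = any free port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), DecoyHandler)
    srv.banner = banner  # constructed banner; a real decoy mimics the service it advertises
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, data, timeout=5.0):
    """Act as a client: read the banner, send data, hang up; return (banner, logged event)."""
    before = len(EVENTS)
    with socket.create_connection(("127.0.0.1", port)) as c:
        banner = c.recv(256)
        c.sendall(data)
    deadline = time.time() + timeout
    while time.time() < deadline and len(EVENTS) <= before:
        time.sleep(0.05)
    return banner, (EVENTS[-1] if len(EVENTS) > before else None)
```

Binding the decoy to a privileged port such as 21 or 23 requires the usual operating-system permissions; the example binds to an ephemeral port so it can be tried without them.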
Honeypots are most successful when run on known servers, such as Web, mail, or DNS servers, because these systems advertise their services and are often the first point of attack. You can construct a system that appears vulnerable to attack but actually offers:
- No access to real data.
- No administrative controls to your network.
- No legitimate users.
- No legitimate network traffic.
- No level of control over other intelligent devices attached to your network.
You’re intentionally putting out bait to be attacked. If this is done properly, you will:
- Be alerted to the attack while it is in progress.
- Leave intruders exposed and isolated from your real network.
- Be provided with real-time monitoring of the attack.
- Be given a valuable lesson on how hackers break into networks.
- Be able to provide a prosecution trail for law enforcement agencies.
Setting up your honeypot
I highly recommend physically isolating the honeypot from your production network. Many firewalls allow you to place a network in the demilitarized zone (DMZ). This is a network added between an internal network and an external network in order to provide an additional layer of security. Sometimes it is also called a perimeter network. The other option is to place it on a separate, dedicated Internet connection. Ideally, all traffic to and from the honeypot should also be routed through its own dedicated firewall.
Any enterprise firewall package will be sufficient. However, when setting up this firewall, you’ll want to reverse your normal rules. The goal is to allow all inbound traffic and restrict outbound traffic to the bare minimum. I would suggest outbound ICMP, DNS, and Telnet/FTP to a noncompromised IP address. If you close all outbound services, intruders will lose interest and attack elsewhere.
Setting up your microscope
The key to an effective honeypot is its ability to monitor intruders. I call it “bait under a microscope.” Skilled intruders will go to extraordinary lengths to cover their tracks. It is imperative that you collect as much data from as many independent sources as possible. Most of this data should match what the honeypot itself records. When the sources start to diverge, you know your honeypot is compromised. In fact, the points at which they disagree are the attackers’ modus operandi.
The first place to collect data is the honeypot's firewall. All enterprise firewalls are capable of logging all traffic they examine. If a firewall serves only your honeypot, any traffic appearing in its logs is evidence of an attack.
The second data collection tool is the honeypot’s system logs. These logs will be the intruders’ first target and are extremely vulnerable to alteration. It is vital that these logs are automatically duplicated to a remote system.
Intrusion detection systems or packet sniffers provide a third and final monitoring tool. These applications monitor traffic passively and don’t advertise their presence. They give you a keystroke-by-keystroke view of what the attacker does and sees.
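The divergence check described under “Setting up your microscope,” as an added example that is not from the original article: the firewall’s log (kept off the honeypot and therefore trusted) is compared against the honeypot’s own log, and any connection the firewall accepted that the host log no longer mentions is flagged as a hidden session. Both log formats and all addresses and timestamps are constructed for the demonstration; adapt the two regular expressions to the formats your firewall and host actually write.

```python
import re

# Constructed sample of the firewall's log, the trusted copy kept off the honeypot.
FIREWALL_LOG = """\
2001-03-04 02:11:07 ACCEPT TCP 203.0.113.9:40112 -> 192.0.2.20:21
2001-03-04 02:11:09 ACCEPT TCP 203.0.113.9:40113 -> 192.0.2.20:23
2001-03-04 02:14:51 ACCEPT TCP 203.0.113.9:40120 -> 192.0.2.20:22
2001-03-04 02:20:03 ACCEPT TCP 198.51.100.7:51002 -> 192.0.2.20:80
"""

# Constructed sample of the honeypot's own log as found on disk: the intruder
# has deleted the line covering the port 22 session that the firewall still shows.
HONEYPOT_LOG = """\
2001-03-04 02:11:07 decoy port=21 src=203.0.113.9:40112 bytes=14
2001-03-04 02:11:09 decoy port=23 src=203.0.113.9:40113 bytes=31
2001-03-04 02:20:03 decoy port=80 src=198.51.100.7:51002 bytes=87
"""

FW_RE = re.compile(r"^(\S+ \S+) ACCEPT TCP (\S+) -> \S+:(\d+)$")
HP_RE = re.compile(r"^(\S+ \S+) decoy port=(\d+) src=(\S+)")

def parse_firewall(text):
    """Map (source ip:port, decoy port) -> timestamp for every accepted connection."""
    out = {}
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        out[(m.group(2), int(m.group(3)))] = m.group(1)
    return out

def parse_honeypot(text):
    """Same key as parse_firewall, taken from the honeypot's local log format."""
    out = {}
    for m in filter(None, map(HP_RE.match, text.splitlines())):
        out[(m.group(3), int(m.group(2)))] = m.group(1)
    return out

def find_divergence(fw_text, hp_text):
    """Connections the firewall saw that the honeypot's own log no longer mentions."""
    fw, hp = parse_firewall(fw_text), parse_honeypot(hp_text)
    return [{"ts": fw[k], "src": k[0], "dport": k[1]}
            for k in sorted(fw) if k not in hp]

def suspect_sources(fw_text, hp_text):
    """Source addresses with at least one hidden session, most hidden first."""
    counts = {}
    for hit in find_divergence(fw_text, hp_text):
        ip = hit["src"].rsplit(":", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts, key=lambda ip: (-counts[ip], ip))
```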
Before you let intruders into your honeypot, you need to define its purpose and set it up accordingly. Here are a few possibilities:
- If you’re just doing research on hackers, you may want to collect data for as many sessions as you can. You’ll collect valuable information on methods and targets. You can use this to harden your production network.
- If you’re interested in prosecution, you’ll want to consult with your local authorities to determine the type and amount of data they will need in order to prosecute.
- If your purpose is only to divert traffic from your production network, collect enough data to discover the holes that were used to compromise the system. Then, advertise a normal shutdown due to maintenance and advertise new services on a nonexistent host.
In my next article, I’ll look at which honeypot you should use. I’ll review some of the more popular systems and discuss the strengths and weaknesses of each.
Do you use honeypots in your enterprise?
We look forward to getting your input and hearing your experiences regarding this important security topic. Join the discussion below or send the editor an e-mail.