Intrusion detection and prevention are important goals of
your IT security plan, and the best intrusion detection strategies employ
multiple elements. In previous columns, I’ve talked about how to choose an
IDS/IPS appliance or software product that can grow with your business. These are
reactive methods of protecting against intruders who find and attempt to breach
your network’s security. Some organizations are taking a more proactive approach
by setting up “honeypots” (a server designed to look
like a real production machine that is really there just to attract
hackers) and even entire networks of such machines (often running as virtual
machines on a single physical box). Let’s look at how you can make a honeypot or honeynet part of your
intrusion detection and prevention strategy and how it can grow as your “real”
network does.

How the honey attracts the flies

A honeypot or honeynet
acts as the foundation of an online “sting” operation: it lures the bad guys
in, where you can track their activities without exposing your production
network to risk. This practice has become so popular that it even has its own
blog site: the honeyblog.

While the honeypot computer
appears to be part of your network, it’s in fact isolated and protected so that
intruders who hack into it can’t reach the rest of the network. A key
attraction of the honeypot is the resources stored on
it, which are designed to look like sensitive or confidential files that
hackers would find of interest. The honeypot is
closely monitored so that intrusions can be detected early and tracked back to
their source.
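The monitoring step described above, as an added example that is not code from the original article or from any product it mentions: a small Python script that reads honeypot log lines, aggregates them per source address, and labels each source so that an intrusion is noticed early and can be traced back. Because nothing legitimate ever talks to a honeypot, every line is a signal; the script only has to organize them. The key=value log format, the sample addresses (from the documentation ranges) and the thresholds are assumptions made for this example.

```python
"""Summarise honeypot log lines per attacking source.

Added example, not code from the original article or from any of the
products it names. The key=value log format, sample lines and thresholds
are constructed for this example.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log: one port sweep, one SSH credential-guessing run,
# one malformed line, one lone probe.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z src=203.0.113.5 dport=22 event=connect
2024-05-01T12:00:02Z src=203.0.113.5 dport=23 event=connect
2024-05-01T12:00:03Z src=203.0.113.5 dport=80 event=connect
2024-05-01T12:00:04Z src=203.0.113.5 dport=445 event=connect
2024-05-01T12:00:05Z src=203.0.113.5 dport=3389 event=connect
2024-05-01T12:05:10Z src=198.51.100.7 dport=22 event=connect
2024-05-01T12:05:11Z src=198.51.100.7 dport=22 event=login_attempt user=root
2024-05-01T12:05:12Z src=198.51.100.7 dport=22 event=login_attempt user=admin
2024-05-01T12:05:13Z src=198.51.100.7 dport=22 event=login_attempt user=root
this line is garbage and must be skipped
2024-05-01T12:09:00Z src=192.0.2.44 dport=80 event=connect
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
KV_RE = re.compile(r"(\w+)=(\S+)")

# Thresholds are assumptions; tune them to the honeypot's exposure.
SCAN_PORTS = 4        # distinct ports touched by one source => port sweep
GUESS_ATTEMPTS = 3    # login attempts from one source => credential guessing


@dataclass
class SourceSummary:
    src: str
    first_seen: datetime
    last_seen: datetime
    ports: set = field(default_factory=set)
    connections: int = 0
    login_attempts: int = 0

    @property
    def tags(self):
        """Coarse labels a responder can act on; 'probe' is the floor, never 'benign'."""
        tags = []
        if len(self.ports) >= SCAN_PORTS:
            tags.append("port-sweep")
        if self.login_attempts >= GUESS_ATTEMPTS:
            tags.append("credential-guessing")
        return tags or ["probe"]


def parse_line(line):
    """Return (timestamp, fields) or None for a line that is not a valid event."""
    ts_text, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.strptime(ts_text, TS_FORMAT)
    except ValueError:
        return None
    fields = dict(KV_RE.findall(rest))
    if "src" not in fields or "event" not in fields:
        return None
    return ts, fields


def summarize(log_text):
    """Aggregate events per source IP, keyed in order of first appearance."""
    sources = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        s = sources.get(fields["src"])
        if s is None:
            s = sources[fields["src"]] = SourceSummary(fields["src"], ts, ts)
        s.last_seen = max(s.last_seen, ts)
        if fields.get("dport", "").isdigit():
            s.ports.add(int(fields["dport"]))
        if fields["event"] == "connect":
            s.connections += 1
        elif fields["event"] == "login_attempt":
            s.login_attempts += 1
    return sources


def report(sources):
    """One line per source, most active first, ready for a ticket or SIEM alert."""
    ranked = sorted(sources.values(), key=lambda s: -(s.connections + s.login_attempts))
    return [
        f"{s.src} first={s.first_seen:%H:%M:%S} last={s.last_seen:%H:%M:%S} "
        f"ports={sorted(s.ports)} logins={s.login_attempts} tags={','.join(s.tags)}"
        for s in ranked
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

The first-seen timestamp and port list per source are what make the "track back" possible: they tell you exactly when and where to start looking in the perimeter firewall logs for the same address.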

Honeypots can serve a secondary
purpose of diverting attention from your production network so that the
attackers leave it alone.

Deploying a honeypot or honeynet

Once you’ve decided to add a little “honey” to your
intrusion detection/prevention strategy, you need to make several decisions,
including:

  • Where on the network to place the honeypot/honeynet
  • Whether to deploy a single honeypot or a multi-computer honeynet
  • Whether to use actual physical machines, virtualization software, or honeypot software designed specifically to emulate multiple machines for honeypot purposes

Honeypot placement

You can place a honeypot on your
internal network, but your normal network defenses would then protect it from
being attacked from the Internet. An internal honeypot,
however, might be useful for detecting attacks that originate inside the LAN.
If the internal honeypot is attacked from the
Internet, that indicates deficiencies in your perimeter security; and if
the honeypot is made attractive enough, it might draw such attackers to itself
before they reach your mission-critical internal servers.

Many organizations connect the honeypot
directly to the Internet. This makes it easily attacked and will usually result
in a huge number of intrusions. However, a honeypot
that’s this inviting may seem a little suspicious to a savvy hacker.

The most common practice is to place the honeypot
on a DMZ or perimeter network, a subnet that sits between the Internet and your
internal LAN and is protected by a firewall.

The honeypot or virtual honeynet machine should be a dedicated system that’s not
used for anything else.
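The isolation requirement from earlier (intruders who break into the honeypot must not be able to reach the rest of the network) and the DMZ placement described in this section are easy to state and easy to get wrong in a firewall rule set. As an added example that is not from the original article, the following Python script models a first-match firewall policy between network zones and checks a small set of containment properties, with a weak policy (honeypot treated like any other DMZ server, with unrestricted egress) beside a contained one. The zone names, rule format, port numbers and the log-collector exception are assumptions made for this example.

```python
"""Check that a honeypot segment is contained before it goes live.

Added example, not from the original article. Rules are (src_zone, dst_zone,
dst_port, action) tuples evaluated first-match with a default deny; "*" is a
wildcard. Zone names, ports and the rule format are assumptions.
"""


def lookup(policy, src, dst, port):
    """Return the action of the first matching rule; deny if nothing matches."""
    for r_src, r_dst, r_port, action in policy:
        if r_src in (src, "*") and r_dst in (dst, "*") and r_port in (port, "*"):
            return action
    return "deny"


# Ports the honeypot advertises as bait (assumed for the example).
LURE_PORTS = (22, 80, 445)
# Ports exposed by typical internal servers; none may be reachable from the honeypot.
LAN_SERVICE_PORTS = (22, 135, 139, 445, 3389)
# Port on which the honeypot ships its logs to the monitoring host (assumed).
LOG_PORT = 514


def containment_checks(policy):
    """Return (src, dst, port, expected, actual) for every property the policy fails."""
    failures = []

    def expect(src, dst, port, expected):
        actual = lookup(policy, src, dst, port)
        if actual != expected:
            failures.append((src, dst, port, expected, actual))

    for p in LURE_PORTS:
        expect("internet", "honeypot", p, "allow")      # bait must be reachable
    for p in LAN_SERVICE_PORTS:
        expect("honeypot", "internal", p, "deny")       # no path into the LAN
        expect("honeypot", "management", p, "deny")     # nor into the admin network
    expect("honeypot", "monitor", LOG_PORT, "allow")    # only logs may leave
    expect("honeypot", "internet", 22, "deny")          # no outbound pivots either
    expect("internal", "honeypot", 22, "deny")          # staff never log in from the LAN
    return failures


# Weak policy: the honeypot is just another DMZ host with open egress.
WEAK_POLICY = [
    ("internet", "honeypot", "*", "allow"),
    ("honeypot", "*", "*", "allow"),
    ("internal", "*", "*", "allow"),
]

# Contained policy: bait ports in, log traffic out, explicit deny for everything else.
CONTAINED_POLICY = [
    ("internet", "honeypot", 22, "allow"),
    ("internet", "honeypot", 80, "allow"),
    ("internet", "honeypot", 445, "allow"),
    ("honeypot", "monitor", LOG_PORT, "allow"),
    ("honeypot", "*", "*", "deny"),
    ("internal", "honeypot", "*", "deny"),
    ("internal", "*", "*", "allow"),
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("contained", CONTAINED_POLICY)):
        fails = containment_checks(policy)
        print(f"{name}: {len(fails)} failed check(s)")
        for f in fails:
            print("  ", f)
```

The point of the "honeypot -> * deny" rule sitting above the internal-LAN rules is that a compromised honeypot is an attacker-controlled machine on your own address space; the only traffic it should ever originate is the log stream to the monitoring host.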

Growing the honeynet

For a small company, a single honeypot
server may suffice. As your company grows larger and/or you become more adept
in the uses of the honeypot to trap intruders, you
can create a network of honeypots, or honeynet. Buying many physical machines for this purpose
can get costly, but instead you can use virtualization software such as VMware or Microsoft’s Virtual PC/Virtual Server to make it
appear that you have dozens of vulnerable servers just waiting to be attacked.
Each virtual machine has its own IP address, and you can run different operating
systems on different VMs. You can create virtual
email servers to lure spammers, and so forth (do note that depending on the
operating system, you may still need to pay for licenses for each virtual
server).

You can even add fake 802.11 wireless access points to your honeynet. Since wireless networks are a favorite target of
“war driving” intruders, a “honeyWAP” can attract and
confuse those looking for open wireless networks. FakeAP
by Black Alchemy Enterprises is an open source program that runs on Linux and
lets you create 53,000 counterfeit access points. You can download it at http://www.blackalchemy.to/project/fakeap/.

Honeypot software

Other honeypot/honeynet software
that you can use to set your trap includes:

  • Honeyd is a daemon that runs on Linux and creates
    virtual hosts that can be configured so they appear to be running
    different operating systems and services. A single machine can emulate
    over 65,000 networked machines, and you can ping and traceroute
    the virtual machines. You can find out more and download it from the
    project’s website. There is also a version of Honeyd for Windows.
  • HoneyBOT is a Windows honeypot
    program that can mimic over 1000 vulnerable services on the network and
    captures and logs information about attempted attacks and intrusions. It
    runs on Windows 2000 or above and is offered by Atomic Software Solutions
    as a free download at http://www.atomicsoftwaresolutions.com/honeybot.php
  • NetBait creates pseudo-networks and diverts intrusion
    attempts from your real network to the fake ones. It is especially
    scalable as it comes in a version for small-to-medium-sized organizations
    as well as an enterprise version. The former is a web-based off-site
    service and the latter works as an in-house solution. You can read more at
    http://www2.netbaitinc.com:5080/products/
  • Honeywall is a CD-ROM that can be used to deploy honeynets and is available from the Honeynet Project at http://www.honeynet.org/tools/cdrom/

As you get more involved in your honeynet
project, you can use specialized software products that emulate particular
types of servers or services. For example:

  • Spampot is a fake SMTP server that emulates an open
    relay. You can download it from http://woozle.org/~neale/src/python/spampot.py
  • ProxyPot emulates an open proxy, also
    designed to intercept spammers.
  • Sandtrap is a wardialer detector that emulates an open modem and
    then logs caller ID and login attempt information.