One of my previous articles, “Enhance intrusion detection with a honeypot,” introduced you to using honeypots to enhance network security. Once you know what a honeypot can do and the value it can provide, it’s just a matter of selecting one that fits your topology and budget. Let’s take a closer look at two commercial honeypot products, as well as two free honeypots.

Commercial honeypot products
Several commercial vendors offer honeypot packages, which simulate entire networks on a single machine. We are going to take a look at Recourse Technologies’ ManTrap and Network Security’s Specter. Both provide an elaborate environment to keep intruders busy.

Recourse Technologies’ ManTrap can create “software cages” and simulate a virtual network on one machine. It does this by emulating a variety of different hosts (FTP, HTTP, SMTP, and ODBC to name a few) on a single ManTrap host. This honeypot is configurable to alert to a variety of different events and can send mail to any e-mail-capable device or SNMP traps to alert system administrators that someone has entered the “cage.”

ManTrap collects evidence necessary for prosecution and makes hackers believe they are attacking vital systems. This maintains network performance by protecting your network and collecting logs without hindering legitimate traffic. ManTrap will log all keystrokes, processes, and files accessed during each attack. The ManTrap host also uses a hardware token to digitally sign and time stamp log files to guarantee nonrepudiation in the event they are needed for prosecution.

One of the most alluring capabilities of the ManTrap software is its administrative interface. ManTrap uses a unique graphical event analysis tool that presents a prioritized view of events. This allows you to quickly drill down to priority events without struggling through a mountain of log files.

Network Security’s Specter 5.01 performs real-time counterintelligence against hackers, capturing details about the source of the attack. Specter is easy to configure. With the Specter Engine running in the background, the GUI-based Specter Control utility will let you get a decoy server running in no time.

The software enables you to emulate one of 11 common operating systems, from Windows 98/NT/2000 to Mac OS. You can tune the type of the server and the complexity of its passwords, simulating anything from a hardened enterprise server to a lame system with simple passwords.

You determine which protocol traps are active (Telnet, DNS, HTTP, etc.) and what happens when a trap is triggered. Although hackers can connect and appear to change directories, they can’t plant Trojans, overflow buffers, or abuse protocols on the Specter box (it doesn’t run any real services). Specter detects DoS attacks and stops accepting connections to avoid resource starvation. It logs each trap and can also send immediate e-mail notifications. Specter will not automatically disable services or close ports. But the Specter Remote utility lets you monitor and reconfigure from a remote PC.

Specter logs all attempted access, including intruders’ IP addresses, a traceroute to their connections, and various protocol banners identifying the OS and versions of the services from which the attack came. The Log Analyzer lets you filter by the type of service or trap, making it easy to drill down to the details of each access attempt and even see the passwords and directories accessed during sessions. Specter is very efficient in directing attacks away from your production servers.

Free honeypots
Fred Cohen’s Deception Toolkit is probably the best-known free honeypot. This is really a suite of applications that listens for inbound traffic used by common servers (FTP, Telnet, HTTP, Back Orifice, etc.) and uses scripted responses mimicking services expected from a standard server. This is not a very complex system, and experienced hackers will soon realize that they’re on a honeypot. However, the Deception Toolkit is free and can provide for some protection and data collection.
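As an added illustration (not code from the Deception Toolkit, Specter, or this article), here is a minimal low-interaction honeypot in Python that does what the two passages above describe: it listens on a port, answers with a scripted banner and canned replies for the emulated service, logs every attempt with the source address and the exact bytes received, and drops connections beyond a fixed cap so a flood cannot exhaust the host, as Specter does. The banners, replies, and port number are constructed for the example.

```python
import socket
import threading
import time
# Constructed decoy banners and scripted replies; no real server sits behind them.
BANNERS = {"ftp": b"220 FTP server ready.\r\n", "smtp": b"220 mail.example.test ESMTP\r\n"}
REPLIES = {"ftp": {b"USER": b"331 Password required.\r\n", b"PASS": b"530 Login incorrect.\r\n"},
           "smtp": {b"QUIT": b"221 Bye\r\n"}}
DEFAULT = {"ftp": b"500 Unknown command.\r\n", "smtp": b"250 OK\r\n"}
MAX_SESSIONS = 50  # beyond this, drop new connections rather than starve the host

def scripted_reply(service, client_line):
    # Match only the command word against the script; the input is never interpreted.
    verb = client_line.split(b" ", 1)[0].strip().upper()
    return REPLIES[service].get(verb, DEFAULT[service])

def log_record(service, peer, data):
    # One entry per attempt: when, which trap, who, and exactly what was sent.
    return {"ts": time.time(), "service": service, "src_ip": peer[0],
            "src_port": peer[1], "data": data.decode("latin-1")}

def handle(conn, peer, service, log, slots):
    # One decoy session: banner, read one line, canned reply, log, close.
    data = b""
    try:
        conn.settimeout(10)
        conn.sendall(BANNERS[service])
        data = conn.recv(1024)
        if data:
            conn.sendall(scripted_reply(service, data))
    except OSError: pass  # timeout or reset: still record whatever arrived
    finally:
        log.append(log_record(service, peer, data))
        conn.close()
        slots.release()

def serve(service, port, log):
    # Accept loop with a hard cap on concurrent sessions (the Specter-style DoS guard).
    slots = threading.Semaphore(MAX_SESSIONS)
    with socket.socket() as srv:
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            if not slots.acquire(blocking=False):
                conn.close()  # over the cap: drop it, keep the host responsive
                continue
            threading.Thread(target=handle, args=(conn, peer, service, log, slots), daemon=True).start()

if __name__ == "__main__":
    serve("ftp", 2121, [])  # assumption: an unprivileged port for the demo
```

Because the script only pattern-matches the first word of each line, there is nothing for an intruder to overflow or exploit on the decoy; the log list is what you review afterwards.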

Another free honeypot is called a “packet box.” This is a fully functional computer running your flavor of server OS. Most of the time, you can take an old machine and put a copy of Linux or Windows NT 4.0 on it. This machine is intentionally left vulnerable so that attackers can gain full administrative access. You simply put a good log tracking program on the machine so you can go back and see what kind of attacks hackers are using and try to fingerprint them. This approach is risky, but a packet box has advantages over simulations.

Unlike commercial honeypots, packet boxes have token hardware requirements and can be implemented very cheaply. Also, because they use standard operating systems and software, they can be exceedingly difficult to distinguish from normal, nonhoneypot machines. Intruders may spend days or even weeks inside without ever realizing they’ve been caught. Since the packet box isn’t limited to predetermined responses, the data collected can be used to examine new or unknown types of attacks on a model of your production system.

Parting thoughts
You have to remember that you are truly playing with dynamite when you deploy a honeypot. There is always somebody smarter than you on the outside of your network. (I hate to admit that one myself.) Essentially, you’re daring them (once they learn they’re on a honeypot) to compromise your network. Hackers are constantly inventing new ways to spoof and hide themselves among legitimate network traffic, and if an expert targets your network, you could be in for a lot of trouble.

Despite that disclaimer, I still advocate the use of honeypots. I consider them a necessary part of any network. Most network security is defensive in nature, but honeypots can be a silent offensive weapon. They are an extremely powerful tool and when properly implemented, they become an offensive weapon that allows you to learn valuable information about hackers. They can even help you identify and prosecute the most malicious attackers.

Does your network security include a honeypot?