In Person: Honeypots
Tracking hack attacks

Honeypots can add much value to your enterprise security architecture by detecting attacks and taking counter-action quickly. However, there are many misconceptions stunting the technology's adoption. Lance Spitzner, Senior Security Architect, Sun Microsystems helps us understand this technology. by Anil Patrick R

What are Honeypots?
Generally speaking, honeypots are computers designed to be probed, attacked or compromised. These are computers meant to get hacked by malicious elements. Basically, honeypots can be used for research purposes (to learn about the bad guys), or to protect your network.

There are two types of honeypots. Research honeypots are usually used to do research about the kind of attacks that usually occur. More often, these honeypots are restricted to security researchers in research organizations and universities.

Production honeypots are used to protect networks in the enterprise environment.

How can honeypots improve an enterprise's security infrastructure?
Honeypots can be used to prevent attacks, detect attacks or help respond to attacks. In general they can help protect enterprise environments by using a concept known as 'Sticky Honeypots.' For example, let's say there's a worm in the organization's network, or if somebody's scanning the internal network and (unknowingly) hits the honeypot. The honeypot communicates to the worm/intruder scanning the network and slows down the scanning action. A variety of TCP methods are used for this so that the scanning is reduced or stopped.

The biggest highlight for honeypots is on the detection side. When people invest in intrusion detection technology, they end up spending a lot of money thinking it would be easy to detect attacks. The problem with detecting attacks is that the security team tends to get overwhelmed with information from various sources like IDSs, firewalls, etc. With so much information it is very hard to figure out which one to prioritize on. In reality, the scenario becomes much more complex because of false alerts. A large percentage of the generated alerts are 'false positives' which are basically false alerts. These alerts say something bad is happening when there are actually no problems.

With honeypots, there are very few false alerts. For example, if an IDS gives 100,000 alerts daily, honeypots will give maybe fifty alerts. There is an absolute guarantee that these are the important alerts. The best part of a honeypot is that it is designed in such a way that no one should be communicating with it. So if someone is communicating with it, security personnel can quickly identify that something wrong is going on.

Honeypots can also help provide fast response to alerts. In many cases, it is not possible to analyze how an attacker got in. This is due to the fact that many a time, computers running critical services might have to be taken offline, which is not possible. With honeypots deployed in the network, if several computers along with the honeypot have been attacked, analysis of the honeypot helps track the attack methods that will help apply protection for the future.

How do honeypots add value to an enterprise's security infrastructure?
For the enterprise, honeypots are very cost-effective for detection. There are several reasons for this. The first reason is that honeypots require fewer resources. When we say resources, we are referring to resources such as hardware, trained personnel for managing it, bandwidth, etc.

The second advantage is the low volumes of data generated. Honeypots do not overwhelm the security administrator with information. Instead, it provides small sets of information which can be easily understood and acted upon.

How easy or how difficult is it for an organization to build and manage a honeypot?
It depends on the type of honeypot that the organization is deploying. Small and simple honeypots, which emulate just a couple of services, can be easily deployed for detection. A good example of this would be the open source one called 'Honeyd' that runs on Unix. Advanced honeypots will be those like Symantec's ManTrap, which create virtual operating systems for the bad guys to attack.

Since a honeypot should have no one talking to it, it doesn't need a lot of resources. The only communication happening to and from it would be the unauthorized kind. A honeypot can be a simple Pentium computer with 64 MB RAM or it can be an (Sun) Ultra 5 workstation with 128 MB RAM since it has to deal only with malicious elements. Bandwidth resources are not a problem. Even if you put it on a Gigabit network, you need to put in only a 10/100 Mbps NIC card since the traffic to it will be very limited.

Another advantage is that you need only one or two people to maintain/ administer the honeypot. Unlike an IDS system or firewall, where your log files go to 100s of megabytes a day, a honeypot should generate only 1 - 2 MB of data a day. Once again, it's more cost effective because of lesser number of people, especially for the simpler honeypots.

In fact, there is a free honeypot for Windows called BOF (Back Officer Friendly) which can be downloaded from www.nfr.com/products/bof/overview.shtml

Are honeypots meant to be replacements for IDSs?
Honeypots don't replace IDS. They complement each other. An IDS has its own pros and cons. A problem with IDSs is that they notify thousands of alerts but they cannot tell you where exactly to focus on in the huge amounts of data generated. This information can be correlated to that in the honeypot to get a better 'view.'

Honeypots tell you where to focus on. You need to have your IDSs and honeypots talk to each other and share information. For example, Symantec's Mantrap and their IDS talk to each other.

Honeypots are put on the internal network. It is not a complete security solution. They have to be used with other solutions mainly for detection.

What are the common misconceptions about honeypots?
The first misconception is that honeypots are just deception devices. i.e., they are used to deceive intruders. Honeypots can do that, but they can do much more than this. The second misconception is that you need to lure the bad guys into your honeypot. The truth is that they don't have to be. Crackers are very aggressive at probing every IP address in your environment. All you need to do is put the honeypot there and the bad guys will come on their own.

Another misconception is that honeypots are 'entrapment' tools. This causes the doubt that there are legal issues associated with them, at least in the US. The truth is that the bad guys don't get entrapped. They initiate, find, and break into these honeypots on their own initiative.

Is it just lack of awareness which prevents people from using honeypots?
There are two things regarding this aspect. One is that honeypots are very new. Second is that as a technology, there are several elements that should take priority over a honeypot. Honeypots should not be the first thing on your network on the security side. You should have your firewalls, IDS, antivirus, patches, etc on the network before the honeypot comes in.

The main reason it has generated a lot of interest recently is that it has unique advantages that solve a lot of detection problems. Another is that there is a lot of interest in the research aspect of honeypots where there is a lot of government and military interest due to reasons like cyber warfare defense.

What is a honeynet?
A Honeynet is a research honeypot, where entire networks are built with the intention that they are hacked into. At least two or three dedicated people are needed to manage a Honeynet. It's not a solution for enterprises who don't want to spend too much of resources. Honeynets are purely research oriented and are intended for universities, military, government and security research organizations.

Lance Spitzner is an acknowledged authority in security and honeypot research. More details about honeypots can be got from www.tracking-hackers.com

Anil Patrick can be reached at anilpatrick@networkmagazineindia.com