can add much value to your enterprise security architecture
by detecting attacks and taking counter-action quickly.
However, there are many misconceptions stunting the
technology's adoption. Lance Spitzner, Senior Security
Architect, Sun Microsystems, helps us understand this
technology.
by Anil Patrick R
What are Honeypots?
Generally speaking, honeypots are computers designed
to be probed, attacked or compromised. These are computers
meant to get hacked by malicious elements. Basically,
honeypots can be used for research purposes (to learn
about the bad guys), or to protect your network.
There are two types of honeypots.
Research honeypots are usually used to research the
kinds of attacks that occur. More often than not,
these honeypots are restricted to security researchers
in research organizations and universities.
Production honeypots are used to
protect networks in the enterprise environment.
How can honeypots improve an enterprise's
Honeypots can be used to prevent attacks, detect attacks
or help respond to attacks. In general they can help
protect enterprise environments by using a concept known
as 'Sticky Honeypots.' For example, let's say there's
a worm in the organization's network, or somebody is
scanning the internal network, and it (unknowingly) hits
the honeypot. The honeypot communicates with the worm/intruder
scanning the network and slows down the scanning action.
A variety of TCP methods are used for this so that the
scanning is reduced or stopped.
The biggest highlight for honeypots
is on the detection side. When people invest in intrusion
detection technology, they end up spending a lot of
money thinking it would be easy to detect attacks. The
problem with detecting attacks is that the security
team tends to get overwhelmed with information from
various sources like IDSs, firewalls, etc. With so much
information it is very hard to figure out which one
to prioritize on. In reality, the scenario becomes much
more complex because of false alerts. A large percentage
of the generated alerts are 'false positives' which
are basically false alerts. These alerts say something
bad is happening when there are actually no problems.
With honeypots, there are very few
false alerts. For example, if an IDS gives 100,000 alerts
daily, honeypots will give maybe fifty alerts. There
is an absolute guarantee that these are the important
alerts. The best part of a honeypot is that it is designed
in such a way that no one should be communicating with
it. So if someone is communicating with it, security
personnel can quickly identify that something wrong
is going on.
Honeypots can also help provide fast
response to alerts. In many cases, it is not possible
to analyze how an attacker got in. This is because, many
a time, the computers running critical services would
have to be taken offline, which is not possible.
With honeypots deployed in the network, if several computers
along with the honeypot have been attacked, analysis
of the honeypot helps track the attack methods that
will help apply protection for the future.
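As an added illustration of the 'sticky honeypot' idea described above (example code written for this article, not Spitzner's code and not any product such as LaBrea): one of the TCP methods for slowing a scanner down is simply to accept its connection and then never read from it or answer it. A tiny receive buffer makes the kernel advertise a zero window after a few KB, so the worm or scanner's send blocks; a scanner with a timeout burns that timeout on every connection it opens to the honeypot. The addresses and port (loopback, an ephemeral port) and the probe payload are assumptions for the demo, and the accepted connections are also recorded as alerts, since nothing legitimate should be talking to the honeypot at all.

```python
import socket
import threading
import time


class StickyHoneypot:
    """Userspace TCP tarpit (illustrative only; not LaBrea or any product).

    Every connection is accepted, logged and then simply held: nothing is
    read and nothing is sent back.  The listening socket gets a tiny receive
    buffer, which accepted sockets inherit, so once the peer has pushed a few
    KB the kernel advertises a zero window and the peer's send() blocks.  A
    worm or scanner with no per-connection timeout is stuck for good; one
    with a timeout spends that timeout on every connection it makes to us.
    """

    def __init__(self, host="127.0.0.1", port=0, rcvbuf=1024):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Small receive buffer -> the window fills quickly.  Linux rounds
        # this up to its minimum, which is still only a few KB.
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
        self._srv.bind((host, port))
        self._srv.listen(128)
        self.port = self._srv.getsockname()[1]   # port 0 -> kernel picks one
        self._lock = threading.Lock()
        self._held = []    # accepted sockets we never read from or close
        self.alerts = []   # (peer_ip, peer_port): every entry is unwanted traffic
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:        # listening socket closed by close()
                return
            with self._lock:
                self._held.append(conn)
                self.alerts.append(peer)

    def held_count(self):
        with self._lock:
            return len(self._held)

    def close(self):
        self._srv.close()
        with self._lock:
            for conn in self._held:
                conn.close()
            self._held.clear()


def probe_is_stuck(port, payload=b"GET / HTTP/1.0\r\n\r\n", wait=0.5):
    """Play the scanner: connect, send a probe (constructed), wait for a reply.

    Returns True when the connection is still open but silent after `wait`
    seconds (the tarpit is holding us), False if the peer answered or closed.
    """
    with socket.create_connection(("127.0.0.1", port), timeout=wait) as c:
        c.sendall(payload)
        try:
            c.recv(1024)
        except socket.timeout:
            return True            # no reply and no EOF: we are being held
        return False               # got data or b"" (EOF) from the peer


def demo():
    """Run the tarpit against one simulated scanner; returns (held, stuck)."""
    hp = StickyHoneypot()
    try:
        stuck = probe_is_stuck(hp.port)
        deadline = time.time() + 2           # let the accept thread catch up
        while hp.held_count() < 1 and time.time() < deadline:
            time.sleep(0.05)
        return hp.held_count(), stuck
    finally:
        hp.close()


if __name__ == "__main__":
    print(demo())   # (1, True): one connection held, scanner got no answer
```

A packet-level tarpit can also answer ARP for unused addresses and hold connections on every port; this userspace version only holds whatever reaches the ports it listens on, which is enough to show the mechanism.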
How do honeypots add value to
an enterprise's security infrastructure?
For the enterprise, honeypots are very cost-effective
for detection. There are several reasons for this. The
first reason is that honeypots require fewer resources.
When we say resources, we are referring to resources
such as hardware, trained personnel for managing it,
The second advantage is the low volume
of data generated. Honeypots do not overwhelm the security
administrator with information. Instead, they provide
small sets of information which can be easily understood
and acted upon.
How easy or how difficult is it
for an organization to build and manage a honeypot?
It depends on the type of honeypot that the organization
is deploying. Small and simple honeypots, which emulate
just a couple of services, can be easily deployed for
detection. A good example of this would be the open
source one called 'Honeyd' that runs on Unix. Advanced
honeypots will be those like Symantec's ManTrap, which
create virtual operating systems for the bad guys to
Since a honeypot should have no one
talking to it, it doesn't need a lot of resources. The
only communication happening to and from it would be
the unauthorized kind. A honeypot can be a simple Pentium
computer with 64 MB RAM or it can be a (Sun) Ultra
5 workstation with 128 MB RAM since it has to deal only
with malicious elements. Bandwidth resources are not
a problem. Even if you put it on a Gigabit network,
you need to put in only a 10/100 Mbps NIC card since
the traffic to it will be very limited.
Another advantage is that you need
only one or two people to maintain/administer the honeypot.
Unlike an IDS or firewall, where your log files
run to hundreds of megabytes a day, a honeypot should generate
only 1 - 2 MB of data a day. Once again, it's more cost
effective because fewer people are needed, especially
for the simpler honeypots.
In fact, there is a free honeypot
for Windows called BOF (Back Officer Friendly) which
can be downloaded from www.nfr.com/products/bof/overview.shtml.
Are honeypots meant to be replacements
Honeypots don't replace IDS. They complement each other.
An IDS has its own pros and cons. A problem with IDSs
is that they generate thousands of alerts but cannot
tell you where exactly to focus in the huge amounts
of data generated. This information can be correlated
with that from the honeypot to get a better 'view.'
Honeypots tell you where to focus.
You need to have your IDSs and honeypots talk to
each other and share information. For example, Symantec's
ManTrap and their IDS talk to each other.
Honeypots are put on the internal
network. They are not a complete security solution. They
have to be used with other solutions, mainly for detection.
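The two points above, that any traffic to a honeypot is by definition an alert and that honeypot hits should be fed back to prioritize IDS output, can be shown as a small triage routine. This is an added example written for this article, not Spitzner's code and not the ManTrap/IDS integration he mentions; the honeypot addresses, the firewall flow log, the IDS alert lines and the signature names are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: addresses, log lines and signature names are
# invented for this example and come from no real deployment.
HONEYPOTS = {"10.0.5.50", "10.0.5.51"}   # hosts no legitimate client ever uses

# Firewall/flow log, one flow per line: timestamp src dst dport proto
FW_LOG = """\
2003-01-14T09:01:02 10.0.1.23 10.0.5.50 445 tcp
2003-01-14T09:01:02 10.0.1.23 10.0.5.51 445 tcp
2003-01-14T09:01:03 10.0.1.23 10.0.5.12 445 tcp
2003-01-14T09:01:03 10.0.1.23 10.0.5.13 445 tcp
2003-01-14T09:02:10 10.0.2.7 10.0.5.12 80 tcp
2003-01-14T09:03:15 10.0.4.40 10.0.5.12 22 tcp
"""

# IDS alert log, one alert per line: timestamp src dst signature
IDS_LOG = """\
2003-01-14T09:00:01 10.0.2.7 10.0.5.12 WEB-MISC robots.txt access
2003-01-14T09:01:05 10.0.1.23 10.0.5.12 NETBIOS SMB IPC$ share access
2003-01-14T09:02:11 10.0.2.7 10.0.5.12 WEB-MISC robots.txt access
2003-01-14T09:03:16 10.0.4.40 10.0.5.12 SSH version string probe
2003-01-14T09:04:00 10.0.3.9 10.0.5.12 ICMP PING
"""


def parse_flows(fw_log):
    """Turn the constructed flow log into dicts; one dict per connection."""
    flows = []
    for line in fw_log.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def honeypot_alerts(flows, honeypots):
    """Every flow whose destination is a honeypot is an alert.  There is no
    'is this malicious?' decision to make, which is why the false-positive
    rate is close to zero."""
    return [f for f in flows if f["dst"] in honeypots]


def scan_suspects(flows, honeypots):
    """Sources that touched a honeypot, with the number of distinct internal
    hosts each one contacted.  A honeypot hit plus many other destinations
    in the same log is the signature of a scanning worm or intruder."""
    touched = defaultdict(set)
    for f in flows:
        touched[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in touched.items() if dsts & honeypots}


def prioritize_ids(ids_log, suspects):
    """Split IDS alerts: those whose source also talked to a honeypot go to
    the front of the queue; the rest keep their normal (noisy) priority."""
    high, normal = [], []
    for line in ids_log.splitlines():
        ts, src, dst, sig = line.split(maxsplit=3)   # signature may contain spaces
        alert = {"ts": ts, "src": src, "dst": dst, "sig": sig}
        (high if src in suspects else normal).append(alert)
    return high, normal


def triage(fw_log=FW_LOG, ids_log=IDS_LOG, honeypots=HONEYPOTS):
    """Run the whole chain: honeypot alerts -> suspect sources -> IDS ordering."""
    flows = parse_flows(fw_log)
    suspects = scan_suspects(flows, honeypots)
    high, normal = prioritize_ids(ids_log, suspects)
    return {"honeypot_alerts": honeypot_alerts(flows, honeypots),
            "suspects": suspects, "ids_high": high, "ids_normal": normal}


if __name__ == "__main__":
    r = triage()
    print(f"{len(r['honeypot_alerts'])} honeypot alerts, "
          f"{len(r['ids_high'])} of {len(r['ids_high']) + len(r['ids_normal'])} "
          f"IDS alerts promoted")
    for src, n in r["suspects"].items():
        print(f"  {src}: hit a honeypot and contacted {n} distinct hosts")
```

In the sample data only 10.0.1.23 ever reaches a honeypot, and it also sweeps two other hosts on port 445, so its single IDS alert is promoted while the four alerts from hosts that never touched the honeypots stay in the normal queue; the same ratio is what makes the "100,000 IDS alerts versus fifty honeypot alerts" argument work in practice.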
What are the common misconceptions
The first misconception is that honeypots are just deception
devices, i.e. that they are used to deceive intruders. Honeypots
can do that, but they can do much more than this. The
second misconception is that you need to lure the bad
guys into your honeypot. The truth is that they don't
have to be lured. Crackers are very aggressive at probing
every IP address in your environment. All you need to
do is put the honeypot there and the bad guys will come
on their own.
Another misconception is that honeypots
are 'entrapment' tools. This causes the doubt that there
are legal issues associated with them, at least in the
US. The truth is that the bad guys don't get entrapped.
They initiate, find, and break into these honeypots
on their own initiative.
Is it just lack of awareness which
prevents people from using honeypots?
There are two things regarding this aspect. One is that
honeypots are very new. Second is that as a technology,
there are several elements that should take priority
over a honeypot. Honeypots should not be the first thing
on your network on the security side. You should have
your firewalls, IDS, antivirus, patches, etc on the
network before the honeypot comes in.
The main reason it has generated
a lot of interest recently is that it has unique advantages
that solve a lot of detection problems. Another is that
there is a lot of interest in the research aspect of
honeypots where there is a lot of government and military
interest due to reasons like cyber warfare defense.
What is a honeynet?
A Honeynet is a research honeypot, where entire networks
are built with the intention that they are hacked into.
At least two or three dedicated people are needed to
manage a Honeynet. It's not a solution for enterprises
that don't want to spend too many resources. Honeynets
are purely research oriented and are intended for universities,
military, government and security research organizations.
Lance Spitzner is an acknowledged
authority in security and honeypot research. More details
about honeypots can be got from www.tracking-hackers.com
Anil Patrick can be reached at firstname.lastname@example.org