Honeypots

Author: Justin Chang
Revised: April 6, 2007

Figure: Potential location of honeypots on a traditional network [2]

A honeypot is a server or system that is intended to be used as a decoy, attracting unauthorized users for the purpose of detecting, preventing and studying their activities [1]. This type of security tool usually takes the form of a workstation, file/web server or any other digital entity that may interest a malicious user [3], and it appears to be part of a network which may potentially contain valuable data or resources [4].

While this tool is intended to attract dangerous users, it is actually isolated from the real network and systems – it is not an actual node accessible or used by any user or other system, nor is it integrated into the functional network of that company or organization. The decoy simply lures malicious users away from the actual systems or resources within a network, thus counteracting the illegitimate attempts to gain access to such systems (while monitoring those activities) [5].

Honeypots depend on hackers or attackers interacting with them, since they are never meant to be used or accessed otherwise. Any interaction with such a system immediately indicates unauthorized activity [3], which can then be counteracted, monitored or stopped. Thus, honeypots are not an application, nor do they provide any real service; instead, simply by being interacted with, they protect the actual systems and provide vital information about attacks or activity through their inadvertent use.

Uses

A honeypot is a versatile tool with uses in many different areas of data, system and network security. One main benefit is the ability to learn about the actions a malicious user is performing and to protect against similar future attacks. Other uses include:

  • Learning about which files or data intruders were attempting to access and improving their security
  • Catching an unauthorized user in the act
  • Learning from the actions of an attacker and how they gained network access, files or user accounts and resolving such vulnerabilities
  • Prevention of real attacks by luring attackers away from actual networks and resources, and catching them before any harm is done
  • Email spam filtering by monitoring messages received by decoy honeypot accounts [4]
  • Prevention or slowing down of viruses (such as a worm virus) by decoy honeypots or honeynet systems [6]

Types

Most honeypots can be broadly categorized in two ways: by their level of interaction (high or low) and by their type of use (production or research):

High-interaction Honeypot Network (honeynet)

A high-interaction honeynet is an actual network of honeypots accessible through a controlled gateway, simulating all aspects of a real network [4]. This type of honeypot is usually permitted to be compromised in such a way as to allow attacks from one system in that cluster to spread to other systems in the honeynet [6]. Such actions can be tolerated because the honeynet is not part of the real network; it is isolated and controlled in some manner.

Low-interaction Honeypot (honeyd)

Unlike a high-interaction honeynet, which consists of several honeypots, a low-interaction system is a single host that pretends to be several hosts, potentially providing different services. This single system fakes the IP addresses of the decoy systems instead of actually having them implemented separately as in a honeynet [4].

Production Honeypot

This type of honeypot is used by companies or organizations and can be found within their networks, as they mimic some sort of node (such as a file server or workstation). A production honeypot is generally used to improve the overall security within the company or organization by protecting those resources [4].

Research Honeypot

Unlike a production honeypot, a research honeypot is used by an institution in order to learn more about the users who perform unauthorized activities or attacks [4]. It does not make that organization's network more secure, but the information it gathers helps other organizations learn about their attackers.

Implementation

In order for honeypots to be truly useful they must appear to be legitimate systems or resources on a network. Also, since this tool is so dynamic and versatile the design and implementation can vary drastically for each honeypot. The following section describes some of the points that should be considered during the implementation process:

  • The honeypot should appear to be as generic as possible, such that the attacker would not suspect that it is a decoy [1]. If the system or resource seems like a trap, the user will not interact with it.
  • It must be isolated on the network or have access to it controlled as to not pose any actual risk to other systems on the network or compromise the security of the network itself.
  • The data or system should appear to be legitimate – it should seem like that system is actually used, contains recently accessed files and is an active node [1]. If the unauthorized user realizes that it is a dummy system they will avoid it.
  • In order to track or learn about unauthorized access, the activities or information on the honeypot should be logged. It is usually not a good idea for the logging to be performed and stored on the honeypot itself, since if the intruder gains root access to that system they might stop the logging processes, delete the data and leave [6].

Advantages and Disadvantages

Advantages:

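As an added illustration of the points above (this is example code, not part of the original page), a minimal low-interaction decoy service in Python: it presents a generic-looking banner, treats every connection as an alert, and ships each event to a remote syslog collector instead of writing it to the honeypot's own disk. The listening port, the banner string and the collector address are assumptions chosen for the example.

```python
import json
import socket
import socketserver
import time

# Assumed values for this example (not from the page): the decoy listens on
# DECOY_PORT and ships events by UDP syslog to COLLECTOR, a documentation address.
DECOY_PORT = 2222
COLLECTOR = ("192.0.2.10", 514)
SYSLOG_PRI = 13                      # facility user (1) * 8 + severity notice (5)
FAKE_BANNER = b"SSH-2.0-OpenSSH_4.3\r\n"   # generic-looking banner, an assumption


def build_event(peer, dst_port, first_bytes, ts=None):
    """Every connection to a decoy is illegitimate by definition, so each one
    becomes an alert record: who connected, where, and what they first sent."""
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": dst_port,
        "first_bytes": first_bytes[:64].hex(),  # hex-encode attacker input, never raw
        "alert": "honeypot-interaction",
    }


def to_syslog(event):
    """Format the event as a single RFC 3164-style syslog line."""
    return f"<{SYSLOG_PRI}>honeypot: {json.dumps(event, sort_keys=True)}"


def ship(event, collector=COLLECTOR):
    """Send the event off-host immediately, so an intruder who later gains
    root on the decoy has no local log file to delete."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(to_syslog(event).encode(), collector)


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(FAKE_BANNER)   # look like an ordinary service
        try:
            data = self.request.recv(256)   # capture the client's opening bytes
        except socket.timeout:
            data = b""
        ship(build_event(self.client_address, self.server.server_address[1], data))


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", DECOY_PORT), DecoyHandler) as srv:
        srv.serve_forever()
```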
  • Any interaction with a honeypot is immediately known to be illegitimate and countermeasures can immediately be deployed
  • Honeypots are highly flexible, dynamic and can be used for many different purposes
  • Implementations of honeypots or networks of honeypots actually require very little resources [3]
  • The data collected by a honeypot is stored in small sets which can be easily organized and interpreted [3]

Disadvantages:

  • Honeypots can only detect and protect against activities or users directly interacting with them
  • Incorrectly implemented honeypots may compromise the actual network and its resources

References

  1. http://www.sans.org/resources/idfaq/honeypot3.php
  2. http://www.sgnec.net/Articledet-f.asp?number=69
  3. http://www.newsforge.com/article.pl?sid=04/09/24/1734245
  4. http://en.wikipedia.org/wiki/Honeypot_%28computing%29
  5. http://www.webopedia.com/TERM/H/honeypot.html
  6. http://www.honeyd.org/background.php
McMaster University - Software Engineering 4C03 - Winter 2007