Virtual honeynet: a scalable element of your intrusion detection/prevention strategy
Takeaway: Ready to go beyond the usual reactive methods of protecting against intruders and take a more proactive role? Instead of waiting for them to come to you, you can lure them in (and in some cases, catch them) by deploying a fake server or entire fake network called a honeypot or honeynet.
Intrusion detection and prevention are important goals of your IT security plan, and the best intrusion detection/prevention strategies employ multiple elements. In previous columns, I've talked about how to choose an IDS/IPS appliance or software product that can grow with your business. Those are reactive methods: they protect against intruders who have already found your network and are attempting to breach its security. Some organizations are taking a more proactive approach by setting up "honeypots"--servers designed to look like real production machines but that exist only to attract attackers--and even entire networks of such machines (often running as virtual machines on a single physical box). Let’s look at how you can make a honeypot or honeynet part of your intrusion detection and prevention strategy, and how it can grow as your "real" network does.
How the honey attracts the flies
A honeypot or honeynet acts as the foundation of an online "sting" operation: it lures the bad guys in, where you can track their activities without exposing your production network to risk. This practice has become so popular that it even has its own blog site: the honeyblog.
While the honeypot computer appears to be part of your network, it’s in fact isolated and protected so that intruders who hack into it can’t reach the rest of the network. A key attraction of the honeypot is the resources stored on it, which are designed to look like sensitive or confidential files that hackers would find of interest. The honeypot is closely monitored so that intrusions can be detected early and tracked back to their source.
Honeypots can serve a secondary purpose of diverting attention from your production network so that the attackers leave it alone.
Deploying a honeypot or honeynet
Once you’ve decided to add a little "honey" to your intrusion detection/prevention strategy, you need to make several decisions, including:
- Where on the network to place the honeypot/honeynet
- Whether to deploy a single honeypot or a multi-computer honeynet
- Whether to use actual physical machines, virtualization software or honeypot software designed specifically to emulate multiple machines for honeypot purposes
Honeypot placement
You can place a honeypot on your internal network, but your normal perimeter defenses would then shield it from attacks coming from the Internet. An internal honeypot is still useful for detecting attacks that originate inside the LAN, whether from a malicious insider or from a workstation that has already been compromised. And if an internal honeypot is ever attacked from the Internet, that is itself a finding: it means your perimeter security has a hole. If the honeypot is made attractive enough, it may even draw an intruder who has found such a hole away from your mission-critical internal servers.
Many organizations connect the honeypot directly to the Internet. This makes it easily attacked and will usually result in a huge number of intrusions. However, a honeypot that’s this inviting may seem a little suspicious to a savvy hacker.
The most common practice is to place the honeypot on a DMZ or perimeter network, a subnet that sits between the Internet and your internal LAN and is protected by a firewall.
The honeypot or virtual honeynet host should be a dedicated system that’s not used for anything else, and it should be isolated from your production systems: anything the honeypot can reach, an intruder who compromises it can reach too, so restrict its outbound connections as carefully as its inbound ones.
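Because a honeypot offers no legitimate service, every connection to it is worth a record, and where the connection comes from tells you something different depending on where the honeypot sits: a LAN source points at an insider or a compromised workstation, and an Internet source reaching an internal honeypot means the perimeter has been bypassed. The following script, added here as an illustration and not taken from any product named in this article, triages a constructed honeypot log along those lines. The one-hit-per-line log format, the sample addresses and the three-port threshold for calling something a port sweep are all assumptions made for the example.

```python
"""Triage of honeypot connection logs by source address (example code).

Groups hits by source, decides whether each source is inside or outside
the LAN, and rates the finding according to where the honeypot is placed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample log: one hit per line, "timestamp src_ip dst_port proto".
# The format is an assumption for this example, not any product's log format.
SAMPLE_LOG = """\
2009-03-02T10:15:01 192.168.1.77 445 tcp
2009-03-02T10:15:02 192.168.1.77 139 tcp
2009-03-02T10:15:02 192.168.1.77 135 tcp
2009-03-02T10:21:44 203.0.113.9 22 tcp
2009-03-02T10:21:45 203.0.113.9 80 tcp
2009-03-02T10:30:00 10.0.0.12 25 tcp
"""

# RFC 1918 ranges define "internal" here. ipaddress.is_private is deliberately
# not used: it also matches documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SWEEP_THRESHOLD = 3  # distinct ports from one source that we call a port sweep (assumption)


@dataclass
class SourceSummary:
    src: str
    internal: bool
    hits: int = 0
    ports: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    ts, src, port, proto = line.split()
    return ts, src, int(port), proto


def triage(log_text: str) -> dict:
    """Group honeypot hits by source address; returns {src: SourceSummary}."""
    summaries = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, port, _proto = parse_line(raw)
        s = summaries.get(src)
        if s is None:
            s = SourceSummary(src=src, internal=is_internal(src), first_seen=ts)
            summaries[src] = s
        s.hits += 1
        s.ports.add(port)
        s.last_seen = ts
    return summaries


def alerts(summaries: dict, placement: str) -> list:
    """Rate each source. placement is "internal" (honeypot on the LAN) or "dmz".

    Returns (severity, src, reason) tuples, most severe first.
    """
    rank = {"critical": 0, "high": 1, "medium": 2}
    out = []
    for s in summaries.values():
        if placement == "internal" and not s.internal:
            sev, why = "critical", "Internet source reached an internal honeypot: perimeter defenses were bypassed"
        elif s.internal:
            sev, why = "high", "LAN host probing the honeypot: insider activity or a compromised machine"
        else:
            sev, why = "medium", "Internet source probing the DMZ honeypot"
        if len(s.ports) >= SWEEP_THRESHOLD:
            why += f"; port sweep across {len(s.ports)} ports ({s.hits} hits)"
        out.append((sev, s.src, why))
    out.sort(key=lambda a: (rank[a[0]], a[1]))
    return out


if __name__ == "__main__":
    summaries = triage(SAMPLE_LOG)
    for sev, src, why in alerts(summaries, placement="internal"):
        print(f"[{sev.upper():8}] {src:15} {why}")
```

Run it against the same log with `placement="dmz"` and the Internet source drops to medium: a DMZ honeypot is expected to be probed from outside, while a LAN host touching it stays a high-severity finding in either placement.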
Growing the honeynet
For a small company, a single honeypot server may suffice. As your company grows larger and/or you become more adept at using the honeypot to trap intruders, you can create a network of honeypots, or honeynet. Buying many physical machines for this purpose can get costly, but you can instead use virtualization software such as VMware or Microsoft’s Virtual PC/Virtual Server to make it appear that you have dozens of vulnerable servers just waiting to be attacked. Each virtual machine has its own IP address, and you can run different operating systems on different VMs. You can create virtual email servers to lure spammers, and so forth (do note that depending on the operating system, you may still need to pay for a license for each virtual server).
You can even add fake 802.11 wireless access points to your honeynet. Since wireless networks are a favorite target of "war driving" intruders, a "honeyWAP" can attract and confuse those looking for open wireless networks. FakeAP by Black Alchemy Enterprises is an open source program that runs on Linux and generates beacon frames for as many as 53,000 counterfeit access points. You can download it at http://www.blackalchemy.to/project/fakeap/.
Honeypot software
Other honeypot/honeynet software that you can use to set your trap includes:
- Honeyd is a daemon that runs on Linux and creates virtual hosts that can be configured so they appear to be running different operating systems and services. A single machine can emulate over 65,000 networked machines, and you can ping and traceroute the virtual hosts. You can find out more and download it from the Honeyd project site. There is also a version of Honeyd for Windows.
- HoneyBOT is a Windows honeypot program that can mimic over 1000 vulnerable services on the network and captures and logs information about attempted attacks and intrusions. It runs on Windows 2000 or above and is offered by Atomic Software Solutions as a free download at http://www.atomicsoftwaresolutions.com/honeybot.php
- NetBait creates pseudo-networks and diverts intrusion attempts from your real network to the fake ones. It is especially scalable as it comes in a version for small to medium sized organizations as well as an enterprise version. The former is a web-based off site service and the latter works as an in-house solution. You can read more at http://www2.netbaitinc.com:5080/products/
- Honeywall is a bootable CD-ROM from the Honeynet Project that sets up the gateway in front of a honeynet, capturing the traffic to and from the honeypots and controlling what the honeypots are allowed to send out. It is available at http://www.honeynet.org/tools/cdrom/
As you get more involved in your honeynet project, you can use specialized software products that emulate particular types of servers or services. For example:
- Spampot is a fake SMTP server that emulates an open relay. You can download it from http://woozle.org/~neale/src/python/spampot.py
- ProxyPot emulates an open proxy, also designed to intercept spammers.
- Sandtrap is a wardialer detector that emulates an open modem and then logs caller ID and login attempt information.
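To show what a service-specific trap like Spampot actually does on the wire, here is a small fake SMTP open relay. It is an added example, written for this article, and is not the code of Spampot, HoneyBOT or any other product named above. Like an open relay it accepts any sender and any recipient, which is exactly what a spammer probing for relays wants to see, but it delivers nothing: every envelope is recorded along with the peer address and flagged when a recipient lies outside the domain the server claims to serve. The listening port, the pretended domain and banner, and the dialogue used in the usage note are assumptions for the example.

```python
"""A fake SMTP open relay for a spam honeypot (example code).

Replies like a relay that accepts everything, delivers nothing, and records
each envelope so the relay attempts can be traced to their source.
"""
import socketserver
from dataclasses import dataclass, field
from typing import Optional

LISTEN_HOST = "0.0.0.0"            # assumption: listen on every interface of the honeypot
LISTEN_PORT = 2525                 # assumption: unprivileged port for testing; a real trap uses 25
LOCAL_DOMAIN = "mail.example.com"  # assumption: the domain the fake relay pretends to serve
BANNER = f"220 {LOCAL_DOMAIN} ESMTP ready"


@dataclass
class Envelope:
    mail_from: Optional[str] = None          # None until MAIL FROM is seen; "" is the null sender
    rcpt_to: list = field(default_factory=list)
    data: list = field(default_factory=list)  # message lines, dot-stuffing removed


@dataclass
class Capture:
    peer: str
    messages: list = field(default_factory=list)


def _addr(arg: str) -> str:
    """'FROM:<a@b.example>' -> 'a@b.example' (the null sender '<>' becomes '')."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>")


def is_relay_attempt(env: Envelope, local_domain: str = LOCAL_DOMAIN) -> bool:
    """True if any recipient is outside the domain this server claims to serve."""
    return any(r.rpartition("@")[2].lower() != local_domain.lower() for r in env.rcpt_to)


class FakeRelaySession:
    """SMTP state machine for one connection: answers like an open relay, never delivers."""

    def __init__(self, capture: Capture):
        self.capture = capture
        self.envelope = Envelope()
        self.in_data = False
        self.closed = False

    def handle(self, line: str):
        """Return the reply for one client line (CRLF stripped), or None while inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.capture.messages.append(self.envelope)
                self.envelope = Envelope()
                return "250 2.0.0 Message accepted for delivery"  # the lie that keeps them talking
            if line.startswith(".."):                        # undo dot-stuffing
                line = line[1:]
            self.envelope.data.append(line)
            return None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN} Hello {arg}"
        if cmd == "MAIL":
            self.envelope = Envelope(mail_from=_addr(arg))
            return "250 2.1.0 Sender ok"
        if cmd == "RCPT":
            if self.envelope.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            self.envelope.rcpt_to.append(_addr(arg))
            return "250 2.1.5 Recipient ok"   # a real MTA would answer 550 5.7.1 Relaying denied
        if cmd == "DATA":
            if not self.envelope.rcpt_to:
                return "503 5.5.1 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if cmd == "RSET":
            self.envelope = Envelope()
            return "250 2.0.0 Reset state"
        if cmd == "NOOP":
            return "250 2.0.0 OK"
        if cmd == "QUIT":
            self.closed = True
            return f"221 2.0.0 {LOCAL_DOMAIN} closing connection"
        return "500 5.5.1 Command unrecognized"


class RelayHandler(socketserver.StreamRequestHandler):
    def handle(self):
        capture = Capture(peer=self.client_address[0])
        session = FakeRelaySession(capture)
        self.wfile.write((BANNER + "\r\n").encode())
        while not session.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = session.handle(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
        for env in capture.messages:   # one log line per captured envelope
            tag = "RELAY-ATTEMPT" if is_relay_attempt(env) else "local"
            print(f"{capture.peer} {tag} from=<{env.mail_from}> "
                  f"rcpt={len(env.rcpt_to)} bytes={sum(len(l) + 2 for l in env.data)}")


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((LISTEN_HOST, LISTEN_PORT), RelayHandler) as srv:
        srv.serve_forever()
```

Point a mail client or `telnet localhost 2525` at it and walk through EHLO, MAIL FROM, RCPT TO, DATA and a terminating "."; the session answers 250 to a recipient in a foreign domain, which is the relay test spammers run, and the log line printed when the connection closes is tagged RELAY-ATTEMPT. The state machine is kept separate from the socket code so that the replies can be checked without a network.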