networksecurity  


 Honeypot
 


What is a Honeypot

A "honeypot" is a tool that can help protect your network from unauthorized access. The honeypot contains no data or applications critical to the company but has enough interesting data to lure a hacker. A honeypot is a computer on your network whose sole purpose is to look and act like a legitimate computer, but which is actually configured to interact with potential hackers in such a way as to capture details of their attacks. Honeypots are also known as a sacrificial lamb, decoy, or booby trap. The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems. The longer the hacker stays on the honeypot, the more will be disclosed about their techniques. This information can be used to identify what they are after, what their skill level is, and what tools they use. All this information is then used to better prepare your network and host defenses.

The honeypot can be used to augment the deployment of an IDR system. Some of the problems with commercial IDR include the inability to detect low-level attacks, techniques or tools that are new or not previously known, and techniques that may appear as legitimate user activity. To a certain extent, the honeypot is also subject to missing new attacks. However, the honeypot is uniquely capable of letting you know that some hacker is in your network doing things they have no business doing. The honeypot may spot them even when, as far as other security measures (including IDR) are concerned, they are legitimate users.

A honeypot is simply a system, program, or file that has absolutely no purpose in production. Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to your organization's purpose.

The workhorse of all honeypots is honeyd. It simulates an entire environment and is available from http://www.honeyd.org/.

Another type of honeypot is called a Proxypot, which is a proxy server with no access control. The open proxy honeypot allows internet clients to connect and make requests to the proxy server for connection to internet hosts, even those that are behind the proxy server. This allows server traffic to be examined to detect various threats, including distributed password account guessing, Nessus web vulnerability scans, and proxy chaining.

Another honeypot program is the Deception Tool Kit, which can be downloaded from http://www.all.net/dtk/index.html. You can configure the responses for each port.
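The idea of a decoy with a configurable response per port, where every contact is worth recording because the system has no production purpose, can be sketched as follows. This is an added example, not code from the Deception Tool Kit or honeyd; the class name, ports, banners and loopback bind address are all assumptions chosen for illustration.

```python
import asyncio, json, time

# Constructed example services (assumption): (port, canned response).
SERVICES = [(2121, b"220 FTP server ready\r\n"), (2323, b"login: ")]

class PortHoneypot:
    """Low-interaction decoy: one canned response per port, every contact logged."""

    def __init__(self, services, host="127.0.0.1", max_bytes=256, timeout=3.0):
        self.services, self.host = services, host
        self.max_bytes, self.timeout = max_bytes, timeout
        self.banners = {}   # bound port -> configured response
        self.servers = []
        self.events = []    # the decoy has no legitimate users, so every entry is suspect

    async def _handle(self, reader, writer):
        src = writer.get_extra_info("peername")
        port = writer.get_extra_info("sockname")[1]
        data = b""
        try:
            writer.write(self.banners[port])
            await writer.drain()
            # Record only the first bytes sent; they are never executed or forwarded.
            data = await asyncio.wait_for(reader.read(self.max_bytes), self.timeout)
        except (asyncio.TimeoutError, ConnectionError):
            pass  # silent or reset clients are still logged below
        event = {"ts": time.time(), "src_ip": src[0], "src_port": src[1],
                 "dst_port": port, "data": data.decode("latin-1")}
        self.events.append(event)
        print(json.dumps(event))  # one JSON line per contact, ready for a log collector
        writer.close()

    async def start(self):
        """Bind every configured port and return the ports actually bound."""
        for port, banner in self.services:
            srv = await asyncio.start_server(self._handle, self.host, port)
            bound = srv.sockets[0].getsockname()[1]
            self.banners[bound] = banner
            self.servers.append(srv)
        return list(self.banners)

async def main():
    pot = PortHoneypot(SERVICES)
    print("listening on", await pot.start())
    await asyncio.Event().wait()  # run until interrupted

if __name__ == "__main__":
    asyncio.run(main())
```

Because the listener only sends a fixed banner and stores what it receives, it cannot be driven to connect to other hosts.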

Honeypots are probably one of the last security tools an organization should implement. This is primarily because of the concern that somebody may use the honeypot to attack other systems.


 




©2005 Network Security
