Fabulous Five Inc.

Formal Report

Alvaro

Cassandra

Chuck

Neil

Olivia

Honeypots are a relatively new tool used to monitor and/or detect intruders on a network.  The name Honeypot comes from the cliché that it is easier to catch flies with honey than with vinegar.  Although they may sound sweet, if properly installed and maintained, they will definitely have a bitter effect on the intruders. The need for a Honeypot depends on the size and type of network that needs to be protected.

A Honeypot is a closely monitored server that is designed to be broken into and acts as a decoy for potential hackers.  Honeypots are set up on the network with no production value.  Since no one in the company has a reason to use any services on these servers, any activity can be considered an attack.  To lure in the intruders, the Honeypots are set up with known vulnerabilities. In addition to acting as a decoy, they can also provide an in-depth examination of hackers during and after the break-in of the Honeypot. This includes auditing the activities of hackers by saving log files and recording started processes, compiles, file changes, and keystrokes. This information gives Honeypot authorities knowledge of new hacking techniques and trends, which helps the IT staff find and implement new defensive measures.

The purpose of installing a Honeypot is network security.  Other network monitoring devices allow you to see increased data flow, but it is nearly impossible to tell whether that increase is real data traffic or intruders hacking the system.  The time gap between realizing that an attack is under way, finding the weak point, and patching the problem gives intruders more time to gather data from the network and possibly install backdoors on the system.  More than 80% of all financial losses are due to attacks coming from inside the network itself.  This means that the intruder is already past the firewall designed to protect the network from outsiders.  A Honeypot is the next layer of defense.

Some questions must be answered before deciding on the placement of a honeypot.  The placement will rely heavily on what type of information is being protected, where the information is currently stored, who is going to have access to the honeypot, who would be interested in the information on the system, and what possible unauthorized users would want with the information.  With these questions in mind, the system engineer will need to determine whether the honeypot should be tightly secured inside the network's firewall, so that any activity would indicate an attack from an inside user, or open to the internet, which will invite outside attacks.  Placing a honeypot in the right place is crucial. To capture a wide spectrum of attacks and to be able to recognize the characteristics of certain attacks based on the kind of network (such as production, educational or military), it is important to have multiple honeypots in different networks.

Physically installing a Honeypot at each location to protect that segment of the network would be incredibly time consuming and tedious.  The best general solution would be to install the servers in a Honeypot farm configuration.  This allows all the servers to be installed in one central location, where the current IT staff can patch, upgrade, and monitor all the systems without having to travel to the remote locations.  A redirector is set up by the IT staff and shipped out to be plugged into the network at the remote facility.  The redirector acts as a relay.  When someone tries to access the redirector on that segment of the network, they are redirected without their knowledge back to the Honeypot farm, where the IT staff is monitoring their every move.  This allows the staff to monitor intrusions into the network in real time and improves their response time for patching and securing the real network.

The installation of a Honeypot or a Honeypot farm will bring a higher level of security to the network, if it is properly maintained.  An unmanaged honeypot is a dangerous device.  Without constant surveillance an attacker can gain control of a honeypot and use it to launch attacks on the host network and possibly as a pass through to attack other networks; this could have legal repercussions for the owning company.  Honeypots are a valuable network security tool, but much like the ocean, you should never turn your back on them.
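The two monitoring rules described above (any activity aimed at a honeypot is treated as an attack, and an unwatched honeypot may be turned against other systems) can be checked against connection logs. The sketch below is an added example, not part of the original report; the honeypot addresses, the internal range, the log format and the sample records are all assumptions constructed for illustration, and each record is assumed to describe one connection attempt with the initiator listed first.

```python
import ipaddress
from collections import defaultdict

# Assumed values for this example: decoy addresses and the internal address range.
HONEYPOTS = {ipaddress.ip_address("10.20.0.50"), ipaddress.ip_address("10.20.0.51")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed records, one per connection attempt: "time initiator sport target dport"
SAMPLE_FLOWS = """\
2024-01-05T10:00:01 10.3.4.17 51544 10.20.0.50 22
2024-01-05T10:00:09 10.3.4.17 51560 10.20.0.50 445
2024-01-05T10:01:30 203.0.113.9 40112 10.20.0.51 80
2024-01-05T10:02:00 10.3.4.18 49822 10.1.1.10 443
2024-01-05T10:05:42 10.20.0.50 33010 198.51.100.7 443
not a flow record
"""

def parse_flow(line):
    """Return (ts, src, sport, dst, dport), or None if the line is malformed."""
    parts = line.split()
    try:
        ts, src, sport, dst, dport = parts  # wrong field count raises ValueError
        return ts, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None

def triage(log_text):
    """Keep only flows that touch a honeypot; production traffic is ignored."""
    inbound = defaultdict(lambda: {"origin": None, "ports": set()})
    outbound = []  # connections opened BY a honeypot: it may be under attacker control
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, _sport, dst, dport = flow
        if src in HONEYPOTS:
            outbound.append((ts, str(src), str(dst), dport))
        elif dst in HONEYPOTS:
            entry = inbound[str(src)]
            entry["origin"] = "inside" if src in INTERNAL_NET else "outside"
            entry["ports"].add(dport)
    return dict(inbound), outbound

if __name__ == "__main__":
    probes, pivots = triage(SAMPLE_FLOWS)
    for src, info in probes.items():
        print(f"ALERT {info['origin']} source {src} touched decoy ports {sorted(info['ports'])}")
    for ts, src, dst, dport in pivots:
        print(f"CRITICAL {ts} honeypot {src} opened a connection to {dst}:{dport}")
```

No allow-list of "normal" clients is needed for the inbound rule because the honeypot has no production users; the outbound rule is the one that catches a honeypot being used as a pass-through.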