A honeypot is a tool commonly used in computer security to learn more about hackers. Honeypots are commonly mistaken for defensive tools, when in reality they are more educational than anything.
The idea behind a honeypot is that you emulate or create a completely functional computing environment that can be monitored and controlled at all times. For example, you may set up a mail server on a controlled part of your network with a vulnerable version of Sendmail (popular Unix-based email server software) installed on it. You can then watch as hackers attack the computer, and gather data about the types of attacks and how they are implemented. The danger with this scenario is the risk that the attackers will be able to use the vulnerable computer to launch attacks on your internal network. This is why there are two ways of implementing honeypots.
The first way is described above. The thinking here is that you want the honeypot to be as realistic as possible. The best way to emulate a real environment is by simply creating one. By using an actual vulnerable system, you are virtually assuring that you will be able to dupe the hacker into believing that they have cracked a "real live" computer. Again, the problem is the risk of actually being attacked. If a hacker discovers that they have stumbled onto a honeypot, they are not likely to be very happy about that. A honeypot implemented in this fashion should be as controlled as possible, and as far from your internal network as you can get it.
The second way of implementing a honeypot is with software. There is plenty of software that will simply listen on an open port of an existing server and emulate a vulnerable system. When a hacker connects to the system over that port, the system looks like it is running a vulnerable application on the port. The problem with this implementation is the realism. You can only make software behave so much like the real thing; at some point the hacker is going to attempt to execute a command or utilize a function of the real software that the honeypot is not prepared for. Then, you'd better hope you have good intrusion detection!
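A minimal emulated-service honeypot of this second kind, as an added example that is not from the original article: it presents a fake Sendmail SMTP banner, answers the handful of commands it knows, and logs anything else as an ALERT, which is exactly the point where the text says realism runs out and intrusion detection has to take over. The host name, Sendmail version string and port 2525 are constructed placeholders.

```python
import socketserver
from datetime import datetime, timezone

# Constructed greeting imitating an old Sendmail banner; host name and version are placeholders.
BANNER = "220 mail.example.test ESMTP Sendmail 8.12.8/8.12.8; ready"
# The only SMTP verbs the emulation understands. Anything else is the "function the
# honeypot is not prepared for" that the text warns about, and is logged as an ALERT.
REPLIES = {
    "HELO": "250 mail.example.test Hello", "EHLO": "250 mail.example.test Hello",
    "MAIL": "250 2.1.0 Sender ok", "RCPT": "250 2.1.5 Recipient ok",
    "RSET": "250 2.0.0 Reset state", "NOOP": "250 2.0.0 OK",
    "DATA": '354 Enter mail, end with "." on a line by itself',
}
LOG = []  # every observed line ends up here; a real deployment would ship this to the IDS/SIEM

def handle_line(line, peer, log, in_data=False):
    """One step of the emulated dialogue. Returns (reply, keep_open, in_data);
    reply is None while a message body is being collected."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = line.rstrip("\r\n")
    if in_data:  # inside DATA: swallow body lines until the lone "." terminator
        log.append(f"{stamp} {peer} BODY {line!r}")
        if line == ".":
            return "250 2.0.0 Message accepted for delivery", True, False
        return None, True, True
    verb = line.split(" ", 1)[0].upper()
    if verb == "QUIT":
        log.append(f"{stamp} {peer} CMD QUIT")
        return "221 2.0.0 mail.example.test closing connection", False, False
    if verb in REPLIES:
        log.append(f"{stamp} {peer} CMD {line!r}")
        return REPLIES[verb], True, verb == "DATA"
    # Unsupported input: the realism limit is reached, so record it loudly for the analyst.
    log.append(f"{stamp} {peer} ALERT unsupported input {line!r}")
    return "500 5.5.1 Command unrecognized", True, False

class Honeypot(socketserver.StreamRequestHandler):
    """One TCP connection: send the banner, then run every client line through handle_line."""
    def handle(self):
        peer = "%s:%d" % self.client_address
        self.wfile.write((BANNER + "\r\n").encode())
        in_data, keep_open = False, True
        while keep_open and (raw := self.rfile.readline()):
            reply, keep_open, in_data = handle_line(raw.decode(errors="replace"), peer, LOG, in_data)
            if reply:
                self.wfile.write((reply + "\r\n").encode())
            print(LOG[-1])  # echo the newest log entry so the analyst sees it live

if __name__ == "__main__":  # unprivileged port so the example runs without root
    socketserver.ThreadingTCPServer(("127.0.0.1", 2525), Honeypot).serve_forever()
```

Connecting with any SMTP client or a plain TCP tool to 127.0.0.1:2525 shows the fake banner; the ALERT lines are the signal that an attacker has stepped past what the emulation can fake.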
Overall, honeypots are a valuable tool for the information security professional, and they're one that I feel is under-utilized. They are not to be misunderstood, however. Honeypots are not a defensive tool similar to intrusion detection or a firewall. They are used almost exclusively for research.