Honeypot: A Decoy To Lure Hackers

Although technically related to intrusion-detection systems and firewalls, honeypots have no real production value as an active sentinel of networks. That is, they aren't set up to actively protect against break-ins. Rather, they act as decoy systems that appear vulnerable to outside attack, and therefore are attractive to hackers. The more a honeypot is targeted by an intruder, the more valuable it becomes.

Any traffic on a honeypot can be assumed to be suspicious because the system wasn't meant for internal use in the first place, and the information collected about these attacks can be used proactively to update vulnerabilities on a company's live network.

Because the only information honeypots collect is "bad" information, there is less for security policy analysts to sift through and it can be much easier to analyze the data they collect and discern patterns, according to security experts.

There are two basic types of honeypots: high interaction, which essentially give hackers a "real" environment to attack, and low interaction, which emulate product environments and therefore provide more limited information. Multiple honeypots can also be networked together to simulate a larger network installation as part of an architecture known as a honeynet.
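
The low-interaction type described above, as an added example (not code from the article or from any vendor it names): a Python listener that emulates only a service greeting and records every connection attempt, since any traffic reaching it is suspect. The class name, banner strings and event fields are assumptions made for the example.

```python
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

# Constructed greeting banners (assumptions, not any real product's output).
BANNERS = {
    "ftp": b"220 FTP server ready\r\n",
    "smtp": b"220 mail ESMTP ready\r\n",
    "pop3": b"+OK POP3 server ready\r\n",
}

class LowInteractionHoneypot:
    """Emulates only a service greeting and records every connection attempt."""

    def __init__(self, service, host="127.0.0.1", port=0):
        self.service, self.events = service, []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))          # port 0: the OS picks a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except OSError:
                return                          # listener was closed
            with conn:
                data = b""
                try:
                    conn.settimeout(2.0)
                    conn.sendall(BANNERS[self.service])
                    data = conn.recv(256)       # kept as evidence, never parsed or executed
                except OSError:
                    pass                        # timeout or reset: still log the attempt
                # No legitimate user has a reason to connect, so every hit is logged.
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "service": self.service, "src_ip": src_ip,
                    "src_port": src_port, "first_bytes": data,
                })

def attempts_per_source(events):
    """Count (source IP, service) pairs to surface repeat visitors."""
    return Counter((e["src_ip"], e["service"]) for e in events)
```

The listener binds to 127.0.0.1 by default; which address and port it should watch on a real network segment is a deployment decision the example does not make.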

"Honeypots and honeynets and any of the deception technologies are really used in specialized cases," said Char Sample, senior network security programmer at Verizon Federal Network Systems, a services arm of the telco with its base in Columbia, Md. Sample said certain users within the military and other government agencies with sites highly targeted by hackers and other cybercriminals are deploying honeypot or honeynet technology to their benefit. These users are on the leading edge of security policy.

On the other hand, many commercial users are still struggling with larger issues, such as how to correlate all the information they glean from their live intrusion-detection systems on a regular basis, Sample said. And that means they might not yet be candidates for a honeypot deployment, she said.

Verizon offers a commercialized honeynet dubbed NetFacade, which runs on Solaris. The software-only edition of the product is priced starting at $19,850, Sample said.

But a honeypot can actually be deployed with a minimal amount of IT resources, such as a single Pentium system, she added.

So far, however, many businesses are still fighting threats reactively and are having a hard time managing the information from those attacks, other security solution providers said.

Gary Morse, president and founder of Razorpoint Security Technologies, a New York security services firm that is paid by companies to test the vulnerability of their networks, said honeypots are being used very little today, but there is growing interest in them. "You can use it for a security that is called misdirection, to try to make a hacker think this [network] segment is more vulnerable than that segment," Morse said.

Pat Grillo, president and CEO of 20-year-old solution provider Atrion Communications Resources, Branchburg, N.J., said, "So far we haven't sold a lot of honeypots yet, but we do have people looking at starting to use it. Anything you can do to make it a little more difficult."

Aside from Verizon, well-known commercial vendors that have dipped into the honeypot space include Symantec, which is taking part in well-established honeypot research projects, and NFR Security, which offers a free product dubbed Back Officer Friendly, which it developed in 1998 to protect against Back Orifice scans.

That software has since been updated to detect attempted connections to Telnet, FTP, SMTP, POP3 and IMAP2, and it can be downloaded for free from the NFR Security Web site.

"It's a great entry point for folks that don't know a lot about honeypots," said Andre Yee, CTO and vice president of product operations at NFR Security, Rockville, Md. "It's our contribution to the broader security community that we continue to offer this."