Hassle-Free Honeypot: KFSensor
Honeypots can be tricky to configure as well as dangerous. Imagine leaving your home unlocked in order to find out who would burglarize it. That's pretty much the scenario with a honeypot.
Honeypots are used mainly for two purposes: in test networks to research the current threats that are in the wild, or as an added layer in a corporate network's security infrastructure. Honeypots are a great way to see what threats are getting past a network's primary defenses like the firewall or any anti-malware solutions in place.
Honeypots are traditionally Linux boxes residing in a firewalled network and containing no critical data. They require a high level of network administration and understanding of protocols and security. Lots of network administrators simply do not have the resources available to dedicate to implementing a honeypot.
For anyone new to honeypot configuration, there are several products available that are aimed at the novice and relatively easy to setup. However, these products are often lacking the robust capabilities of more complex solutions.
London, U.K.- based KeyFocus Ltd.'s KFSensor provides the best of both worlds -- simplicity in configuration and an abundance of information on what or who is trying to attack your network.
How It Works
KFSensor is a software-based solution designed to work on Windows networks. The software simulates common and not-so-common services typically found on a network. Simulated services include: IIS, HTTP, HTTPS, SMTP and Linux services. The ports associated with these services are monitored, and intruders are allowed just enough access for KFSensor to identify them, but not allow them complete entry.
You can choose to let the KFSensor monitor actual running services, by configuring them in native mode as well.
There is a GUI-based management feature that provides detail on intruders, referred to as "visitors" in the interface. The interface is viewable by port or by visitors. The interface provides IP and domain information of visitors, the port that intrusion was carried out on, and associated data and signatures.
So, Who's Out To Get Us?
Test Center reviewers installed KFSensor Professional Edition in a Windows domain environment with minimum security and no firewall. The product was installed on a Server 2003 box, with a running IIS server, Exchange server and a host of files and spreadsheets containing bogus data. A sweetened honeypot, indeed.
KFSensor was installed in no fewer than twenty minutes, before attacks were reported in rapid-fire sucession. Attackers scan the internet looking for vulnerable machines on a daily basis, and can scan thousands of computers at one time. The Test Center's domain was well within their radar. The most persistent attacks reported were attempts to launch a Symantec Anti-Virus vulnerability, SQL server exploits and spamware sent via the MS Messenger Service. Other attacks were made against IIS, Telnet and SMTP ports.
Lines of activity are color coded so an admin can quickly discern the most recent threats (which are displayed in red).
Of course, these attacks were relentless because of the lack of security on the test network. A typical, firewalled network with a solution like KFSensor in place would see significantly less activity, making the activity that did show up much more suspect because these are threats that are getting around established security.
Additional Features
KFSensor can log against an ODBC compliant database. Email alerting is supported. Other features include remote management and a Snort compatible signature engine.
The product comes in three versions, Standard, Professional and Enterprise. Pricing is based on the edition purchased and number of licenses. The vendor works with VARs and resellers to provide competitive pricing.
Bottom line
This is a cost-effective way to either find out more information about the types of threats across the Internet, or to add another sentry to an existing network that may be able to display threat information that UTMs, firewalls or anti-virus software cannot.