Tips on Setting up a Windows Honeypot
Honeypots are valuable surveillance and early warning tools in network security. A honeypot may take the form of a computer, database or network site that appears to be part of a normal network but is actually walled off from other resources and monitored to detect or deflect attacks. It contains dummy servers and data that serve as a decoy, inducing attackers to reveal their intrusion methods and keeping them occupied while system administrators work to contain the threat.
Low Interaction Honeypots
Low interaction Windows honeypots, such as KFSensor and Specter, emulate operating systems and services that are likely to be attacked. Such honeypots are usually plug and play: install the software, select the operating systems and/or services to emulate, change any default settings as required, and the honeypot is live.
KFSensor, a popular low interaction honeypot for Windows, monitors TCP, UDP and ICMP traffic on all ports to detect attacks, and in doing so also identifies the nature of attacks on file shares and Windows administrative services. It has a rule based signature engine to which users may add their own scripts and database queries. To set it up, run the installer, agree to the terms and conditions, select the drive to install to, and choose which of FTP, SMB, POP3, HTTP, Telnet, SMTP and SOCKS to emulate.
Specter, another popular low interaction honeypot for commercial Windows networks, touts ease of installation, configuration and deployment as its key strength. It uses a standard Windows installer, and launching it gives a simple GUI that guides the user through the options. Users can modify settings for the built-in alerting function, set email addresses and cell phone numbers for real time alerts, and fix intervals for "heartbeat" or regular status emails. Specter monitors activity on 14 TCP ports: seven traps and seven services. Traps detect intrusion, while services interact with the attacker by emulating the service. However, it cannot detect ICMP, UDP or any non-standard IP traffic.
Low interaction, emulation based honeypots run in the same network or on the same system as real resources, but give the attacker no access to the actual operating system, which contains the attacker's activity. Being set up within the network, they capture internal threats and reveal whether a computer inside the network is already infected.
These advantages notwithstanding, low interaction honeypots identify only known threats (the services and attack patterns they were built to emulate), which limits their effectiveness. Moreover, determined attackers can detect the presence of such honeypots. Installing one on an insecure or vulnerable operating system, one with file shares open for example, could allow the attacker to compromise the host itself and use it to harm other systems.
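To make the low interaction model concrete, here is an added example (not code from KFSensor, Specter or any product the page mentions) of the core of such a honeypot: a TCP trap that listens on a few decoy ports, sends a plausible banner, records the first thing the client sends, and labels the probe with a handful of simple rules. The banners, the classification rules and the log file name are illustrative assumptions. The handler is written against the socket interface only, so it can be exercised offline with a fake connection before the trap is put on a network.

```python
"""Minimal low-interaction TCP trap: decoy banners, first-bytes capture,
simple probe classification, JSON-lines event log.
Added example, not KFSensor or Specter code; banners, rules and the log
path are assumptions made for illustration."""
import datetime
import json
import socket
import threading

# Assumed decoy banners: illustrative strings, not captured from real
# servers. They only need to look plausible enough that a scanner or an
# attacker sends its first command.
BANNERS = {
    21: b"220 FTP server ready.\r\n",
    23: b"login: ",
    25: b"220 mail ESMTP\r\n",
    110: b"+OK POP3 server ready\r\n",
}

EVENT_LOG = "honeypot-events.jsonl"  # assumed path; one JSON object per line


def classify(port, first_bytes):
    """Label a probe from the decoy port and the first bytes the client sent.
    These rules are deliberately simple stand-ins for a signature engine."""
    head = first_bytes[:64].upper()
    if not first_bytes:
        return "connect-only"      # port scan or banner grab: no request sent
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http-request"      # web probe, whichever port it hit
    if port in (21, 110) and head.startswith(b"USER "):
        return "login-attempt"     # FTP/POP3 credential guessing
    if port == 25 and head.startswith((b"EHLO", b"HELO")):
        return "smtp-session"      # open-relay test or spam run
    if head.startswith(b"\x05"):
        return "socks5-handshake"  # SOCKS5 version byte
    return "unknown"


def build_event(peer, port, first_bytes):
    """Structured record for one connection, ready for central collection."""
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "first_bytes": first_bytes[:256].hex(),
        "label": classify(port, first_bytes),
    }


def handle_client(conn, peer, port, sink=None):
    """Serve one client: send the banner, read once, close, record.
    conn only needs settimeout/sendall/recv/close, so a fake works offline."""
    data = b""
    try:
        conn.settimeout(5)
        conn.sendall(BANNERS.get(port, b""))
        data = conn.recv(1024)
    except OSError:
        pass                       # timeout or reset: still worth logging
    finally:
        conn.close()
    event = build_event(peer, port, data)
    if sink is not None:
        sink.append(event)         # in-memory, e.g. for a central forwarder
    else:
        with open(EVENT_LOG, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event) + "\n")
    return event


def serve(port, bind="0.0.0.0", sink=None):
    """Accept loop for one decoy port; run one thread per port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, peer, port, sink),
                         daemon=True).start()


if __name__ == "__main__":
    # Ports below 1024 need administrator rights on Windows (root elsewhere),
    # and nothing legitimate on the host should be using them.
    for decoy_port in BANNERS:
        threading.Thread(target=serve, args=(decoy_port,), daemon=True).start()
    threading.Event().wait()
```

The trap never executes anything the client sends and closes after one read, which is what keeps the interaction "low" and the host safe; the price is exactly the limitation described above, since a client that expects a real FTP or SMTP dialogue will notice the emulation after the first exchange.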
High Interaction Honeypots
High interaction honeypots, such as Symantec Decoy Server, and honeynets are complex solutions that run on dedicated computers, alongside or in front of real operating systems and applications. They give the attacker a real, open environment and capture all network activity in it. Such honeypots are effective against both known and unknown threats, and provide valuable information on the nature of attacks, which allows building effective safeguards against future threats.
A honeynet is a combination of two or more honeypots behind a gateway that acts as a wall, blocking the attacker from reaching the genuine network resources, and serving as the command and control center for the honeynet.
Setting up a honeynet requires the following considerations:
- Design the architecture, and most importantly decide where to place the gateway. The most popular choice is the perimeter or DMZ of the network, which allows all unsolicited Internet probes to be forwarded to the honeypot. The other choice is inside the internal network, behind the perimeter defenses. This allows integration with internal networks and reveals whether another computer inside the network is already infected or whether an employee or internal intruder is trying to break in.
- Build the gateway to support the architecture. Common options are a layer 2 bridge, which is harder to detect because it has no IP address on the honeynet path and does not decrement the TTL of packets it forwards, or a layer 3 routing gateway. VMware is a popular virtualization product for a Windows environment that allows running multiple operating systems at the same time. Set up VMware on a dedicated computer running Windows XP or another operating system and launch the honeypot gateway in it.
- Install Data Control to prevent attackers from using the honeypot to launch attacks on others. If securing the network is the primary objective, block all outbound traffic from the honeypot; if learning about the nature of threats is the objective, limit outbound activity to the minimum level at which attackers cannot harm other systems. Two mechanisms accomplish this without warning the intruder off: connection counting and a NIPS. Connection counting limits the number of outbound connections a honeypot may start in a given period, which defeats mass scanning and denial of service attacks that need many outbound connections. A Network Intrusion Prevention System (NIPS) recognizes known attacks leaving the honeypot and blocks or disables them.
- Install Data Capture to log all activity. The Honeynet Project captures three critical layers of data: firewall logs, network traffic and system activity. Send the data to a centralized location, off the honeypot itself, so that an attacker who owns the honeypot cannot erase the record and so that analysis can correlate all three layers.
A good honeypot alerts when someone tries to break in. One option is round the clock monitoring of network resources by system administrators, looking for spikes in activity. The alternative is an automated tool such as Swatch, the Simple Watcher, which monitors log files for patterns described in a configuration file. When a pattern matches, it can send email, ring the system bell, make a phone call or run other commands or programs.
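Swatch's model, a table of patterns with an action and a throttle for each, is small enough to show in full. The following is an added example, not Swatch itself, that applies such a table to the firewall and system-activity records a honeynet produces: an outbound connection from a honeypot address alerts immediately, repeated inbound SMB probes from the same source are reported once an hour, and any use of a decoy account is reported every time. The rules, the iptables-style sample log lines, the decoy account name and the action names are all constructed for illustration.

```python
"""Swatch-style log watcher for a honeynet: regex rules, per-source
throttling, pluggable actions.
Added example, not Swatch code; rules, sample lines and actions are
constructed assumptions."""
import re

# Assumed rule table, the equivalent of a swatchrc entry each: a regex
# with a named "key" group (what the throttle is keyed on), an action name
# and a throttle window in seconds (0 = never suppress).
RULES = [
    # A honeypot starting an outbound connection is always news.
    {"name": "outbound-from-honeypot",
     "pattern": re.compile(r"OUT=\S+ SRC=(?P<key>10\.0\.0\.\d+) .*DPT=(?P<dport>\d+)"),
     "action": "mail", "throttle": 600},
    # Inbound SMB probes arrive constantly; report each source once an hour.
    {"name": "inbound-smb",
     "pattern": re.compile(r"IN=\S+ .*SRC=(?P<key>\d+\.\d+\.\d+\.\d+) .*PROTO=TCP .*DPT=445\b"),
     "action": "log", "throttle": 3600},
    # Any use of the decoy account, from the system-activity layer.
    {"name": "decoy-admin-login",
     "pattern": re.compile(r"user=(?P<key>backupadmin) .*result=(FAIL|OK)"),
     "action": "mail", "throttle": 0},
]

# Constructed log excerpt as (seconds since start, line): three inbound
# probes, two decoy-account logins, then the honeypot calling out to IRC.
SAMPLE_LOG = [
    (0,   "IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=445"),
    (5,   "IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=445"),
    (30,  "IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=139"),
    (60,  "host=hp1 user=backupadmin result=FAIL src=203.0.113.7"),
    (61,  "host=hp1 user=backupadmin result=OK src=203.0.113.7"),
    (900, "IN= OUT=eth1 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=1039 DPT=6667"),
    (901, "IN= OUT=eth1 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=1040 DPT=6667"),
]


class Watcher:
    def __init__(self, rules=RULES, dispatch=None):
        self.rules = rules
        self.dispatch = dispatch or self._print_action
        self._last = {}       # (rule name, key) -> time last acted on
        self.fired = []       # (time, rule name, key, action) history
        self.suppressed = 0   # matches dropped by throttling

    @staticmethod
    def _print_action(action, rule_name, key, line):
        # Stand-in for mail/bell/exec: a real deployment dispatches here.
        print(f"[{action}] {rule_name} key={key}: {line}")

    def feed(self, line, now):
        """Run one log line through every rule; return the rules that fired."""
        fired = []
        for rule in self.rules:
            match = rule["pattern"].search(line)
            if not match:
                continue
            key = match.groupdict().get("key", "")
            slot = (rule["name"], key)
            last = self._last.get(slot)
            if last is not None and rule["throttle"] and now - last < rule["throttle"]:
                self.suppressed += 1     # same rule and source, still inside the window
                continue
            self._last[slot] = now
            self.dispatch(rule["action"], rule["name"], key, line)
            self.fired.append((now, rule["name"], key, rule["action"]))
            fired.append(rule["name"])
        return fired


def run(log=SAMPLE_LOG, dispatch=None):
    """Replay a (time, line) log through a fresh Watcher and return it."""
    watcher = Watcher(dispatch=dispatch)
    for now, line in log:
        watcher.feed(line, now)
    return watcher


if __name__ == "__main__":
    w = run()
    print(f"{len(w.fired)} actions, {w.suppressed} suppressed by throttling")
```

Keying the throttle on the source address rather than on the rule alone matters: a second scanner hitting port 445 still gets reported, while a single noisy one does not page anybody 500 times. Throttling is deliberately off for the decoy account and short for outbound connections, because those are the events the honeynet exists to catch.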
- Spitzner, Lance. "Honeypots: Definitions and Value of Honeypots." https://www.tracking-hackers.com/papers/honeypots.html. Retrieved July 12, 2011.
- Spitzner, Lance. "Specter: A Commercial Honeypot Solution for Windows." https://www.symantec.com/connect/articles/specter-commercial-honeypot-solution-windows. Retrieved July 12, 2011.
- Spitzner, Lance. "Open Source Honeypots: Learning with Honeyd." https://www.symantec.com/connect/articles/open-source-honeypots-learning-honeyd. Retrieved July 12, 2011.
- Honeynet Project. "Know Your Enemy: Honeynets." https://old.honeynet.org/papers/honeynet/. Retrieved July 12, 2011.