Honeypots - Analyzing Your Network Attacks

Honeypots are used in network security as a passive means of network defense against attack. Honeypots in general are computers located on a network or in the DMZ (demilitarized zone) of your firewall. These computers are used to give attackers the false impression that they are examining a real production computer. Most honeypots host databases and websites that appear to be authentic, but the files loaded onto them are not genuine.

The information on a honeypot is carefully designed to ’look and feel’ as if the attacker has found legitimate data. System administrators deliberately leave vulnerabilities on the honeypot so the attacker can get in and see the data.

Why use a honeypot?

Why use a honeypot? Because of the honeypot’s design, it serves a purpose and allows for the following:

  • Security analysts can use the information gained from a honeypot to see who is attacking the computer. This in turn allows the attacker’s IP address to be blacklisted at the firewall level to filter out the malicious traffic.
  • Analysts can also use the information gathered to see the attack technique used to gain access to the computer. This information is valuable to security analysts and helps to prevent attacks on real servers.
  • Honeypots can provide an early defense alert: one attack can be a warning of future attacks.
  • Honeypots deflect the attention of the attacker away from ‘real’ servers.
  • Logs provide information on the extent of an attack by users.

Types of Honeypots

The different types of honeypots used in a network environment serve different purposes. The production honeypot is used to examine and analyze information during and after an attack. This information, as stated above, can be used to protect real servers. The research honeypot can be used in your organization’s DMZ to gather information about the web and attacks on the web. This research is often used to provide information on how to protect computers in the future.

Are honeypots legal? It depends on who you ask. You have to consider the following liabilities:

  • Can the attacker use the honeypot to attack other organizations? Will you be responsible if this does happen?
  • If you prosecute the intruder, will the intruder say that you entrapped them?
  • (Training) Do you have the trained personnel to make sure the honeypot is not used as a cyber weapon against organizations?

If you deploy a honeypot, you should get legal advice first. If you are given a green light, you must control the honeypot and monitor it daily. Honeypots can be built on any server operating system that has logging enabled. Triggers should be set when key stages are ‘hacked’ so that key network personnel are notified. Firewalls and logs should be examined as often as possible, and the validity of keeping the honeypot in place should be reviewed often during your operating year.
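As an added illustration (not part of the original article), the following script shows the kind of trigger and log review described above: it parses constructed honeypot log lines, flags the source addresses that reached a ‘key stage’ on the decoy (a successful login or a hit on the fake database dump) or that hammered the login service, and produces the list of addresses an analyst would review for blacklisting at the firewall. The log format, the host name `honeypot`, the sample addresses and the key-stage markers are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of honeypot log lines; the format and addresses are invented
# for this example, not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z honeypot sshd: failed password for root from 203.0.113.7
2024-05-01T10:00:03Z honeypot sshd: failed password for admin from 203.0.113.7
2024-05-01T10:00:09Z honeypot sshd: accepted password for admin from 203.0.113.7
2024-05-01T10:00:15Z honeypot web: GET /admin/backup.sql from 203.0.113.7
2024-05-01T10:01:00Z honeypot sshd: failed password for root from 198.51.100.22
2024-05-01T10:02:00Z honeypot web: GET /index.html from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) honeypot (?P<service>\w+): (?P<msg>.*) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

# "Key stages": events that mean the decoy's bait was actually reached (assumed markers).
KEY_STAGES = {
    "accepted password": "login on decoy host",
    "/admin/backup.sql": "access to decoy database dump",
}

def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def analyze(events, fail_threshold=2):
    """Per source IP: event count, failed logins, key stages reached, and alert flag."""
    summary = defaultdict(lambda: {"events": 0, "failed_logins": 0, "stages": []})
    for ev in events:
        s = summary[ev["ip"]]
        s["events"] += 1
        if "failed password" in ev["msg"]:
            s["failed_logins"] += 1
        for marker, label in KEY_STAGES.items():
            if marker in ev["msg"] and label not in s["stages"]:
                s["stages"].append(label)
    for s in summary.values():
        # Trigger on any key stage, or on repeated login failures against the decoy.
        s["alert"] = bool(s["stages"]) or s["failed_logins"] >= fail_threshold
    return dict(summary)

def blocklist_candidates(summary):
    """Source IPs an analyst should review for a firewall block: those that alerted."""
    return sorted(ip for ip, s in summary.items() if s["alert"])

if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for ip in blocklist_candidates(result):
        print(f"ALERT {ip}: {result[ip]['events']} events, stages={result[ip]['stages']}")
```

Hooking `blocklist_candidates` up to a notification (mail, pager, SIEM) is the ‘trigger’ the text refers to; the firewall block itself should remain a human decision after review.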