Sticky security

  • Mark Hall (Computerworld)
  • 26 January, 2004 15:41

The joy of watching the old Mission: Impossible TV shows was in following the team of super secret agents as they laid a trap for the bad guy. The evil one inevitably succumbed to the lure set by the heroes through his greed or hubris, usually the latter.

That’s the sort of thing that can happen with an increasingly popular network security technology called a honeypot. Although there are many types of honeypots, they all have the same purpose: to attract sophisticated black-hat hackers, malicious script kiddies and, more often than we care to admit, disgruntled internal employees into a highly protected system that emulates a production environment.

Once the bad guy enters a honeypot, his actions can be monitored, letting you know what kind of attack is imminent or under way. A honeypot can even be used to help trace an intruder back to his home base and maybe catch him red-handed, though that’s seldom the goal.

The way a honeypot works is simple. You set up a server inside your firewall with software that can emulate everything from simple e-mail or File Transfer Protocol (FTP) functions to a full-fledged operating system running a production database.

The trick is that none of your internal traffic is linked to the server. The honeypot is isolated from everything else. Absolutely no users are directed to it. So, by definition, anyone pinging, probing or prowling around the honeypot either typed in the IP address by accident or, far more likely, is up to no good.

Intrusion-detection systems, the security cousins of honeypots that defend production servers against digital marauders, generate so much information about potential, real and, annoyingly, false problems that it’s often difficult to sift through everything and see what bad things are actually going on. Augmenting an IDS with a honeypot would give you details about the nature of an attack and the best way to defend against it.

If you go with a high-interaction system and overlook a detail or two in setting it up, you can actually give the intruder too much reality and allow him to slip onto your production network.

That’s why users should set up their systems so that they immediately shut down when an attacker’s activity reaches a certain threshold.

For most users, low-interaction honeypots are the best approach.
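To make the idea concrete, here is a small low-interaction honeypot of the kind the column describes, added as an example and not part of the original article: a decoy FTP banner listener to which no legitimate user is ever directed, so every connection is logged as an alert, and which shuts itself down once one source reaches an activity threshold. The banner text, the threshold of three, and the sample addresses are constructed for illustration.

```python
"""Minimal low-interaction honeypot: a decoy FTP banner listener (constructed example)."""
import socket
from collections import Counter

# Fake service banner; the hostname is a constructed placeholder.
BANNER = b"220 ftp.decoy.example FTP server ready\r\n"
SHUTDOWN_THRESHOLD = 3  # interactions from one source before the decoy stops


class HoneypotMonitor:
    """Tracks activity per source and decides when the decoy should stop."""

    def __init__(self, threshold=SHUTDOWN_THRESHOLD):
        self.threshold = threshold
        self.hits = Counter()   # source IP -> number of interactions
        self.alerts = []        # every contact is suspicious, so every contact is an alert
        self.shutdown = False

    def record(self, src_ip, data):
        """Log one interaction and return True once the shutdown threshold is reached."""
        self.hits[src_ip] += 1
        self.alerts.append(f"ALERT honeypot contact from {src_ip}: {data[:40]!r}")
        if self.hits[src_ip] >= self.threshold:
            self.shutdown = True  # attacker activity crossed the threshold: stop the decoy
        return self.shutdown


def serve(monitor, host="127.0.0.1", port=2121):
    """Listen as a decoy FTP service until the monitor's threshold trips."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while not monitor.shutdown:
            conn, (src_ip, _) = srv.accept()
            with conn:
                conn.sendall(BANNER)          # emulate just enough to look like a real service
                conn.settimeout(2)
                try:
                    data = conn.recv(256)     # capture what the visitor sends, for the alert
                except socket.timeout:
                    data = b""
                conn.sendall(b"530 Login incorrect.\r\n")
            monitor.record(src_ip, data)
    return monitor.alerts


if __name__ == "__main__":
    for line in serve(HoneypotMonitor()):
        print(line)
```

Run it on an otherwise unused host, point nothing at it, and any alert it prints is by definition worth investigating.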