Honeypots
A honeypot is a special computer system set up for the
specific purpose of attracting hackers. Generally, these
servers will be placed inside a firewall (although they might
be outside) and contain specific, known vulnerabilities which
allow hackers to gain access. Once inside, a good honeypot
contains an immense amount of seemingly attractive targets and
information, to try to cause the hacker to spend time on
the system. While the hacker is spending this time, he is
being carefully observed and traced.
There are several reasons for creating honeypots.
- They are often simply a way to get hackers to expend time
and energy on non-production systems. Because it appears to
the hacker that he's on a "real" system, there's a good
likelihood that he may just stop looking around the rest of
the network. In other words, he's already got what he came
for.
- A honeypot is a great way to test security. Let's say you
produced a new security product and you want to see if it's
solid. You could set up a honeypot behind this product, then
"leak" its existence to some hackers. Now sit back and see if
they get through your defenses.
- Another reason for a honeypot is to attempt to get a hacker
to stay long enough so that you can identify him.
- As the hacker works his way through the honeypot system, he
will leave traces and his movements will be tracked. This can
all be saved for use in criminal trials at a later date.
In my experience, a honeypot is an extremely useful part of
security management. What I've seen others do is simple.
Recycle some older computers, not really useful for production
anymore, and install some "cool" applications and documents.
Add some reasonable security with a few known holes, and make
sure the system makes itself known on the network.
If you've got the time and money, I've found it's best to
set up the honeypot in its own DMZ. A DMZ is a way to protect
a network. You set up one firewall, then your web servers,
then another firewall to protect your application servers. You
do this because the web servers need more exposure to the
internet than your application servers. Also, the application
servers are much more expensive and critical and thus deserve
more protection.
So what you do with the honeypots is set up a third DMZ and
add one or more honeypot systems to it. Thus, you might put
a firewall, a honeypot, another firewall, your web servers,
another firewall and then your application servers. You can
also just leave the honeypots right on the internet if you
want, although that tends to make them too easy a target.
And then you just let them sit there and attract hackers.
Oh yes, you have to be sure to keep extensive records of
everything that happens on these systems, just in case you
need it later.
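The extensive record-keeping the article ends on is what makes a honeypot worth running. As an added example (not code from the article), here is a minimal low-interaction honeypot in Python: it advertises a constructed FTP-style banner on a port, captures whatever a visitor sends without ever granting access, and records the timestamp, peer address, destination port and the exact bytes received. The banner text, the in-memory `RECORDS` list and the `probe` test client are assumptions standing in for a real service lure, an off-box audit log and an actual visitor.

```python
import socket
import socketserver
import threading
import time

RECORDS = []  # in-memory audit log; a real deployment ships these off-box (syslog, WORM store)
BANNER = b"220 ftp.example.test FTP server ready\r\n"  # constructed lure; nothing behind it

class HoneypotHandler(socketserver.BaseRequestHandler):
    """Send a service banner, capture whatever arrives, never authenticate anyone."""
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        captured = b""
        try:
            while len(captured) < 4096 and b"\n" not in captured:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                captured += chunk
        except socket.timeout:
            pass  # a silent scanner that only grabs the banner is still worth recording
        record_event(*self.client_address, self.server.server_address[1], captured)

def record_event(src_ip, src_port, dst_port, data):
    """Exact record: timestamp, peer, destination port, raw bytes as hex (replayable later)."""
    rec = {"ts": time.time(), "src": src_ip, "sport": src_port,
           "dport": dst_port, "bytes": len(data), "hex": data.hex()}
    RECORDS.append(rec)
    return rec

def start_honeypot(host="127.0.0.1", port=0):
    """Listen in a background thread; port 0 lets the OS pick a free port."""
    srv = socketserver.ThreadingTCPServer((host, port), HoneypotHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, payload, wait=3.0):
    """Constructed visitor: read the banner, send one line, return (banner, new record)."""
    seen = len(RECORDS)
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    deadline = time.time() + wait
    while len(RECORDS) == seen and time.time() < deadline:
        time.sleep(0.05)
    return banner, (RECORDS[seen] if len(RECORDS) > seen else None)
```

Call `start_honeypot()`, then `probe(srv.server_address[1], b"USER anonymous\r\n")` to see one visit recorded; `srv.shutdown()` stops the listener.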