Honeypots: The sweet spot in network security

Computerworld - The role of decoy-based intrusion-detection technology, or "honeypots," is evolving. Once used primarily by researchers as a way to attract hackers to a network system in order to study their movements and behavior, honeypots are now beginning to play an important part in enterprise security. Indeed, by providing early detection of unauthorized network activity, honeypots are proving more useful to IT security professionals than ever.
This article looks at how honeypots work and how the technology is emerging as a key component in a layered approach to intrusion protection.
Definitions
A honeypot is a system that's put on a network so it can be probed and attacked. Because the honeypot has no production value, there is no "legitimate" use for it. This means that any interaction with the honeypot, such as a probe or a scan, is by definition suspicious.
There are two types of honeypots:

• Research: Most attention to date has focused on research honeypots, which are used to gather information about the actions of intruders. For example, the Honeynet Project is a volunteer, nonprofit security research organization that uses honeypots to collect information on cyberthreats.


• Production: Less attention has been paid to production honeypots, which are actually used to protect organizations. Increasingly, however, production honeypots are being recognized for the detection capabilities they can provide and for the ways they can supplement both network- and host-based intrusion protection.

How honeypots work
Honeypots can also be described as being either low interaction or high interaction, a distinction based on the level of activity that the honeypot allows an attacker. A low-interaction system offers limited activity; in most cases, it works by emulating services and operating systems. The main advantages of low-interaction honeypots are that they are relatively easy to deploy and maintain and they involve minimal risk because an attacker never has access to a real operating system to harm others.
In contrast, high-interaction honeypots involve real operating systems and applications, and nothing is emulated. By giving attackers real systems to interact with, organizations can learn a great deal about an attacker's behavior. High-interaction honeypots make no assumptions about how an attacker will behave, and they provide an environment that tracks all activity. Such conditions allow organizations to learn about behavior they would not otherwise have access to.
High-interaction systems are also flexible, and IT security professionals can implement as much or as little of them as they want. In addition, this type of honeypot provides a more realistic target, capable of detecting a higher caliber of attacker. High-interaction honeypots can be complex to deploy, however, and they require additional technologies to prevent attackers from using the honeypot to launch attacks on other systems.
Advantages of honeypots
Security experts say that honeypots can succeed in a number of areas where traditional intrusion-detection systems (IDS) have been found wanting. In particular, they point to:

• Too much data: One of the common problems with the traditional IDS is that it generates a huge amount of alerts. The sheer volume of this "noise" makes it time-consuming, resource-intensive and costly to review the data. In contrast, honeypots collect data only when someone is interacting with them. Small data sets can make it easier and more cost-effective to identify and act on unauthorized activity.


• False positives: Perhaps the biggest drawback of an IDS is that so many of the alerts generated are false. False positives are a big problem even for organizations that spend a lot of time tuning their systems. If an IDS continually creates false positives, administrators may eventually begin to ignore the system. Honeypots sidestep this problem because any activity with them is, by definition, unauthorized. That allows organizations to reduce, if not eliminate, false alerts.


• False negatives: IDS technologies can also have difficulty identifying unknown attacks or behavior. Again, any activity with a honeypot is anomalous, making new or previously unknown attacks stand out.


• Resources: An IDS requires resource-intensive hardware to keep up with an organization's network traffic. As a network increases in speed and generates more data, the IDS has to get bigger to keep up. Honeypots require minimal resources, even on large networks. According to Lance Spitzner, founder of the Honeynet Project, a single Pentium computer with 128MB of RAM can be used to monitor millions of IP addresses.


• Encryption: More organizations are moving to encrypt all their data, either because of security issues or regulations, such as the Health Insurance Portability and Accountability Act. Not surprisingly, more and more attackers are using encryption as well. That blinds an IDS's ability to monitor the network traffic. With a honeypot, it doesn't matter if an attacker is using encryption; the activity will still be captured.

1 2 3 Next » Recommend Digg Twitter ShareThis Email Print Send Feedback Reprints Jump to comments Security Additional Resources Microsoft DirectAccess and UAG: Better Together Here are some of the key reasons why you would want to run Unified Access Gateway with DirectAccess. Microsoft Case Study: Energy Firm Tightens Protection, Simplifies IT Work Review how one energy firm tightened protection and simplified IT work using business-ready security solutions. Sybase NEXT-GENERATION MOBILITY PLATFORMS In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions. Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase. White Papers & Webcasts Death to PST Files Download Now   Four Ways to Improve Your TSM Environment with a SEPATON VTL Watch Now The Tangled Web: Silent Threats & Invisible Enemies Download Now   Tape Killed the IT Guy Watch Now Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity Download Now   BRM: What You Can Do To Reduce Risk In Challenging Times Watch this webcast now! What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices Download Now   Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise? In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web". eGuide: Enterprise Security Smart Security Strategies for 2010. Read now!   Disaster Recovery 2008: Reduced Costs and Improved Performance How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this... All White Papers | All Webcasts Computerworld Reports 8 Questions To Ask About Your Intrusion-Security Solution Computerworld Technology Briefing: More than Business Value Computerworld Briefing: Staffing for Intelligence All Computerworld Reports Sign up to receive updates on the latest Security resources IT Jobs See All Jobs Post a job for $295 Go Jobs by SimplyHired   White Papers Death to PST Files Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity eGuide: Enterprise Security SEPATON Architecture: Designed for Data-Intensive Enterprises Getting the Job Done - Comparing Approaches for Desktop Software Control Why Email Must Operate 24/7 and How to Make This Happen US Military Command Prevents Zero Day Attack with Application Whitelisting Tripwire Log Center: Next Generation Log and Event Management Leverage the full power of VMware Get More from Your IT Budget The Tangled Web: Silent Threats & Invisible Enemies What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices Rock-Solid Web Protection for Endpoint Devices Foxwoods, the World's Largest Resort Casino Bets on SEPATON Can Heuristic Technology Help Your Company Fight Viruses? Preventing Data Loss When Migrating to Microsoft 2007 Protecting Against Targeted Cyber Attacks with Application Whitelisting The New Mobile Order Employee Web Use and Misuse Email Archiving: A Business-Critical Application Sponsored Links To get a better view of your entire data center, you need a better vantage point. Improve your vision with Hitachi IT Operations Analyzer - Free 30 day trial To get a better view of your entire data center, you need a better vantage point. Improve your vision with Hitachi IT Operations Analyzer - Free 30 day trial Stop malware without grinding performance to a halt with SonicWALL Cisco Unified Computing System: New Levels of Integration Diskeeper prevents fragmentation to boost speed and efficiency. Try Free! Discover the Four Trends Driving the Future of Data Centers Microsoft & Novell Interop-Ability Case Study: VTI Technologies Realizing Cost Savings Through Infrastructure Modernization Turn your desk phone and mobile phone into one with Sprint Mobile Integration. Stay informed with custom newsletters from Tech Dispenser Looking to add Unix/Linux functionality to Windows? Next-generation firewalls control applications and prevent threats. Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show Introducing: Project Icebreaker Improve your Modular Cooling System Now with Alcatel-Lucent and Save CA ARCserve r12.5 is More Than Backup! Download Trial Version Today Take the Netezza TwinFin TestDrive! Enterprise search helps employees get more done. Get the facts from Google. Let Progress Software help your business make progress. How Novell & Microsoft interoperability pays off for MoneyGram Now let 1000's access reports themselves with SAP Crystal Reports Server Northwestern Computer Information Systems Program Streamline IT Costs. Boost Performance with WAN Optimization Tolly Performance Report  "Citrix NetScaler with nCore Outperforms F5 BIG-IP" Are you gambling with your data? It is at risk. Find out and protect it. Link to www.trustlto.com ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience Save up to 61% plus Free Cheesecake About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard Copyright © 1994 - 2010 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.