Sticky Security

The joy of watching the old Mission: Impossible TV shows was in following the team of super secret agents as they laid a trap for the bad guy. The evil one inevitably succumbed to the lure set by the heroes through his greed or hubris, usually the latter.

That's the sort of thing that can happen with an increasingly popular network security technology called a honeypot. Although there are many types of honeypots, they all have the same purpose: to attract sophisticated black-hat hackers, malicious script kiddies and, more often than we care to admit, disgruntled internal employees into a highly protected system that emulates a production environment.

Once the bad guy enters a honeypot, his actions can be monitored, letting you know what kind of attack is imminent or under way. A honeypot can even be used to help trace an intruder back to his home base and maybe catch him red-handed, though that's seldom the goal.

The way a honeypot works is simple. You set up a server inside your firewall with software that can emulate everything from simple e-mail or file transfer protocol functions to a full-fledged operating system running a production database.

The trick is that none of your internal traffic is linked to the server. The honeypot is isolated from everything else. Absolutely no users are directed to it. So, by definition, anyone pinging, probing or prowling around the honeypot either typed in the IP address by accident or, far more likely, is up to no good.

"A honeypot is like a mousetrap," says Ryan Barnett, a senior security engineer at RS Information Systems Inc. in McLean, Va. "Anything you catch in it is a problem."

Intrusion-detection systems, the security cousin to honeypots, which defend production servers against digital marauders, generate so much information about potential, real and, annoyingly, false problems that it's often difficult to sift through everything to see what bad things are going on. Augmenting an IDS with a honeypot would give you details about the nature of an attack and the best way to defend against it.

This is particularly true when a zero-day virus hits your network. Tracking its nasty actions on production systems can be time-consuming, because you need to filter out other activity. But in a honeypot, there's nothing else to track, so you'll know how the virus is wreaking havoc and more quickly learn how to squelch it.

There are drawbacks. First, just because you have a honeypot doesn't mean that a cracker will dip into it. Attacks could be happening elsewhere on your network, leaving your honeypot untouched because its IP address wasn't discovered and hacked. That's why you still need your IDS.

Another problem, of course, is the cost -- not necessarily the price of the software, because some of it is free, or the hardware, which can be a simple Pentium machine, but in the manpower required to set it up. Building a high-interaction honeypot, which can emulate a complete network with multiple operating systems faking elaborate production operations, involves significant overhead.

There's also a bit of risk. If you go with a high-interaction system and overlook a detail or two in setting it up, you can actually give the intruder too much reality and allow him to slip onto your production network.

That's why Symantec's John Harrison, who has written about honeypots for, advises users with high-interaction honeypots to set up their systems so that they immediately shut down when an attacker's activity reaches a certain threshold.

Then there's the legal quagmire. If you're watching an attack that involves moving packets in and out of your honeypot from innocent computers that have been hijacked and you look inside the data or payload of the packets, you might be violating privacy laws. There are no legal precedents here, so it's wise to establish and publish policies that tell the world that it is your standard procedure to sniff packets on the network.

Some critics also suggest that a sophisticated black-hat hacker won't fall prey to a honeypot. They argue that you'll catch only script kiddies and internal malcontents. Perhaps. But thwarting either of those types of invaders is hardly a bad thing.

For the vast majority of users, low-interaction honeypots are the best approach. The investment and the risks involved with high-interaction honeypots are too high, especially since you may not nab the most malicious prey. But the payback for low-interaction systems is well worth it.

As more honeypots get deployed, intruders will have to wonder whether they have actually hacked something useful or are fruitlessly pawing inside a honeypot. That itself can be a deterrent. Like knowing that the Impossible Mission Force is out there, ready to spring its trap.

Mark Hall is a Computerworld editor at large. Contact him at

Special Report

Souped-up Security

Stories in this report:


Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon