Essentials First: Honeypots

“...When having a smackerel of something with a friend, don’t eat so much that you get stuck in the doorway trying to get out....”—Winnie the Pooh, Pooh’s Little Instruction Book

You are probably wondering what Winnie the Pooh and his predilection for honey are doing in a book about network security. It’s less about Pooh and more about the analogy. Pooh was always getting himself into trouble because he was attracted to the honey and then ate too much of it. If my memory serves, the preceding quote is from Pooh after he snuck into Rabbit’s house and found all the honey. He helped himself and, upon trying to leave, found himself stuck in the hole (yes, I have three children). That’s essentially the purpose of a honeypot: It brings in the hacker/black-hat types and holds them there so that you can log their activities.

This portion of the chapter covers honeypots to show that, just as an active device such as an IDS has a role in securing your network, so does a passive device such as a honeypot. A honeypot has limitations of its own, but not the ones an IDS has; in particular, it is largely free of the false-positive problem.

Honeypot Overview

Until this point, this book has not discussed taking the fight to the attackers, so let’s refocus. First, a definition: Honeypots are highly flexible computer system security tools with customizable applications, deployed expressly to lure and “trap” people who attempt to penetrate your organization’s computer systems through probes, scans, and intrusions. This target audience includes the hacker, cracker, and script kiddie, regardless of their location in the world. When I first heard of the honeypot concept, I was confused. Why in the world would you want such a device on your network? It seemed to me that a computer designed to let attackers hack into it would not serve much purpose. As it turns out, if correctly implemented and closely monitored, these network decoys serve a threefold purpose:

• Honeypots distract attackers from more valuable resources on your network. Time an attacker spends on a decoy that he presumes is real is time not spent on your production systems.

• Honeypots provide early warning about new attacks and intrusion attempts. An IDS can generate false positives, but a honeypot has no production function, so no legitimate user has any reason to touch it; nearly any connection to it comes from someone probing or intending harm.

• Honeypots allow an in-depth examination of an attacker’s activities during and after the exploitation of the honeypot. This might seem like something only researchers would do, but think about what you can learn: which services were targeted, which exploits were used, and what the attacker did once inside. You can use that knowledge to verify that the real security resources on your network are correctly configured and patched.


Note

Lance Spitzner, an expert on honeypot systems, documents them in a series of articles titled “Know Your Enemy” as part of the Honeypot Project (www.honeypot.net). In these articles he describes how to track attackers through the system to gain sufficient information about how they operate.


Clearly, the problem of false positives discussed in the IDS section is far less of an issue with honeypots. If a honeypot, a passive but monitored device with no legitimate users, is touched at all, you know something is wrong. That does not make detection a solved problem, however: a honeypot sees only the attackers who happen to hit it, so it complements an IDS rather than replacing one. In the real world, you often see honeypots deployed on a demilitarized zone (DMZ). The honeypot is not listed in DNS or WINS, is not registered anywhere, and is not linked to a production machine in any way, so if it begins to get scanned from hosts within the DMZ, that tells you one of those hosts is probing where it has no business, which usually means it has already been compromised. The same reasoning applies, with more urgency, to a honeypot placed inside the network: if it gets attacked, the attacker is already past your perimeter. These placements are passive in that the honeypot simply waits for someone to attack it.

The design and intent of honeypots fall into two categories:

Production honeypots: Used by organizations concerned with the security of their own networks; we focus on these. A production honeypot is deployed with a specific goal or intent in mind. Production honeypots are easy to use, capture only limited information, and are used primarily by companies and corporations.

Research honeypots: Just the opposite. They are complex to deploy and maintain, capture extensive information about attackers and their tools, and are used primarily by research firms, the military, and government organizations.


Note

There is currently some question as to the legality of honeypots and whether they fall under the banner of wire-tapping devices. As silly as that sounds, the FBI and other law-enforcement agencies are still battling over this question.


In addition, honeypots can be classified by their function, as follows:

Port monitors: The most straightforward type. These honeypots listen on ports that attackers target and, by design, answer port scans, so the port shows as open and the attacker attempts a connection. A port monitor logs each connection attempt on a port: source address, destination port, and time.

Deception systems: Take the next step from merely monitoring a port and deceive attackers by interacting with them as a real system would. Instead of just accepting a connection on TCP port 110, as a port monitor would, a deception honeypot answers the way a real POP3 mail server does: it sends the server greeting and responds to the commands the attacker issues. Deception systems do not implement every aspect of a mail server; they implement just enough to make the target as sweet as honey to an attacker.

Multideception systems: A level up again, these more advanced honeypots not only emulate multiple services at once but can also simulate different operating systems, so that fingerprinting the host returns the answers the attacker expects. One of the most commonly used tools for this purpose is Specter, which you can find at www.specter.com/.
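As an added example (not code from the chapter, and not Specter or any other product named here), the following Python program combines the first two classes above: it listens on a few decoy ports, logs every connection the way a port monitor would, and on TCP 110 speaks just enough POP3 to look like a mail server and to capture the usernames and passwords an attacker tries. The decoy ports, the banner text, and the log file name are assumptions chosen for illustration.

```python
import json
import socketserver
import threading
from datetime import datetime, timezone

# Assumptions for illustration: decoy ports, banner and log path are not from the chapter.
LOG_PATH = "honeypot.jsonl"
LISTEN_PORTS = {110: "pop3", 23: "telnet", 445: "smb"}
_log_lock = threading.Lock()


def log_event(**fields):
    """Append one JSON record to the honeypot log and return it."""
    fields.setdefault("ts", datetime.now(timezone.utc).isoformat())
    with _log_lock, open(LOG_PATH, "a") as fh:
        fh.write(json.dumps(fields, sort_keys=True) + "\n")
    return fields


class Pop3Deception:
    """Enough POP3 (RFC 1939 AUTHORIZATION state) to look real and harvest
    credentials. Every PASS fails, so no session reaches TRANSACTION state."""

    GREETING = "+OK POP3 server ready\r\n"   # assumed banner; mirror a real server's

    def __init__(self):
        self.user = None
        self.attempts = []                   # (user, password) pairs the client tried

    def handle_line(self, line):
        """Reply to one client line; None means the client asked to close."""
        parts = line.strip().split(" ", 1)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "USER":
            self.user = arg
            return "+OK\r\n"
        if cmd == "PASS":
            self.attempts.append((self.user, arg))
            return "-ERR [AUTH] Authentication failed\r\n"   # always fail
        if cmd == "CAPA":
            return "+OK\r\nUSER\r\n.\r\n"
        if cmd == "QUIT":
            return None
        return "-ERR Unknown command\r\n"   # STAT/LIST/RETR are invalid before login


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        src_ip, src_port = self.client_address
        dport = self.server.server_address[1]
        service = LISTEN_PORTS.get(dport, "unknown")
        self.request.settimeout(30)
        log_event(event="connect", src=src_ip, sport=src_port, dport=dport, service=service)
        if service == "pop3":
            self._deceive_pop3(src_ip)
        else:                                # port-monitor mode: record what arrives, close
            try:
                data = self.request.recv(1024)
            except OSError:
                data = b""
            log_event(event="data", src=src_ip, dport=dport, first_bytes=data[:64].hex())

    def _deceive_pop3(self, src_ip):
        session = Pop3Deception()
        self.request.sendall(session.GREETING.encode())
        buf = b""
        try:
            while chunk := self.request.recv(512):
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    reply = session.handle_line(line.decode("latin-1"))
                    if reply is None:
                        self.request.sendall(b"+OK bye\r\n")
                        return
                    self.request.sendall(reply.encode())
        except OSError:
            pass
        finally:                             # the credentials are the prize: log them
            for user, password in session.attempts:
                log_event(event="pop3_login", src=src_ip, user=user, password=password)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(bind="0.0.0.0", ports=LISTEN_PORTS):
    """Start one listener per decoy port, each in its own thread."""
    servers = [DecoyServer((bind, p), HoneypotHandler) for p in ports]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return servers


if __name__ == "__main__":                   # ports below 1024 need root or CAP_NET_BIND_SERVICE
    serve()
    threading.Event().wait()                 # run until killed
```

Run it as root (or with CAP_NET_BIND_SERVICE), then `telnet <host> 110` and try a USER/PASS pair; the attempt lands in honeypot.jsonl with the source address and the credentials tried. The protocol logic is kept in Pop3Deception, separate from the socket code, so the deception can be tested and extended without a network.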


Note

Honeypots can be taken further still: entire systems, rather than emulated services, are dedicated as honeypots, and detection is taken a step further by running an IDS over the honeypot’s traffic. You can find one of the best resources for honeypots at www.honeypots.net/honeypots/links. You can also download a freeware honeypot for Win32 machines called, of all things, “Honey Potter” from http://honeypott4.tripod.com/. It is a basic piece of software (it is free, after all) that provides an introduction to honeypots.


Honeypot Design Strategies

Perhaps the clearest and most present danger is that when your honeypot works correctly, it detects attackers coming after your network and its resources. In practice, that means an attacker is already active in some part of your network, and the honeypot itself is now a machine under hostile control. As a result, you must take care of a few items to ensure the security of the rest of the network.

Use a firewall! Yes, a firewall, even though the honeypot is designed to let attackers in. Its job here is not to keep attackers out but to contain what a compromised honeypot can do, while staying permissive enough that the attacker does not become suspicious. Allow all inbound traffic to reach the honeypot, but restrict what can leave it: experts recommend allowing only FTP (ports 20/21), ICMP, and DNS (port 53) outbound. Be aware that any outbound channel you permit, FTP included, is also a channel the attacker can use to fetch tools or move data out, so log every outbound connection and cap the rate of new ones. A honeypot that can open unlimited outbound connections is a scanner or denial-of-service node waiting to happen.
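The rule set just described, as an added example that is not from the chapter: a Python script that emits the iptables commands for a Linux containment firewall placed between the honeypot and everything else, together with an offline model of the same decisions so the policy can be checked without a firewall. On top of the text’s allow-list it adds two controls a practitioner would insist on: every new outbound connection is logged, and the number of new outbound connections is capped so a compromised honeypot cannot be turned into an attack platform. The honeypot address, the hourly cap, the chain names, and the log prefixes are assumptions.

```python
from collections import defaultdict

# Assumptions for illustration (not from the chapter).
HONEYPOT_IP = "192.0.2.10"          # RFC 5737 documentation address
OUTBOUND_CAP_PER_HOUR = 10          # new outbound connections allowed per hour
ALLOWED_OUTBOUND = {                # (protocol, destination port); None = any port
    ("tcp", 20), ("tcp", 21),       # FTP, as the text recommends
    ("udp", 53), ("tcp", 53),       # DNS
    ("icmp", None),
}


def build_iptables_rules(hp=HONEYPOT_IP, cap=OUTBOUND_CAP_PER_HOUR):
    """iptables commands for a Linux firewall forwarding the honeypot's traffic.

    Inbound: everything reaches the honeypot. Outbound: replies to existing
    connections pass; NEW connections are logged, filtered against the
    allow-list, then pushed through one shared rate limit (HP_LIMIT) so the
    cap applies to all permitted services together."""
    rules = [
        "iptables -N HP_OUT",
        "iptables -N HP_LIMIT",
        f"iptables -A FORWARD -d {hp} -j ACCEPT",
        f"iptables -A FORWARD -s {hp} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {hp} -m conntrack --ctstate NEW -j HP_OUT",
        f"iptables -A FORWARD -s {hp} -j DROP",
        "iptables -A HP_OUT -j LOG --log-prefix 'HP-OUT '",   # log every attempt first
    ]
    for proto, port in sorted(ALLOWED_OUTBOUND, key=str):
        match = f"-p {proto}" + (f" --dport {port}" if port is not None else "")
        rules.append(f"iptables -A HP_OUT {match} -j HP_LIMIT")
    rules += [
        "iptables -A HP_OUT -j LOG --log-prefix 'HP-OUT-DENY '",
        "iptables -A HP_OUT -j DROP",
        f"iptables -A HP_LIMIT -m limit --limit {cap}/hour --limit-burst {cap} -j ACCEPT",
        "iptables -A HP_LIMIT -j LOG --log-prefix 'HP-OUT-CAP '",
        "iptables -A HP_LIMIT -j DROP",
    ]
    return rules


class Policy:
    """Offline model of the rule set above: decide() returns ACCEPT or DROP and
    records what the LOG rules would print. The cap is modelled as a fixed
    per-hour count; the real limit match is a token bucket, so the two differ
    slightly at hour boundaries."""

    def __init__(self, cap=OUTBOUND_CAP_PER_HOUR):
        self.cap = cap
        self.new_outbound = defaultdict(int)   # hour -> new outbound connections
        self.log = []

    def decide(self, direction, proto, dport=None, hour=0):
        if direction == "in":
            return "ACCEPT"                     # anything may reach the honeypot
        self.log.append(("HP-OUT", proto, dport, hour))
        if (proto, dport) not in ALLOWED_OUTBOUND and (proto, None) not in ALLOWED_OUTBOUND:
            self.log.append(("HP-OUT-DENY", proto, dport, hour))
            return "DROP"
        if self.new_outbound[hour] >= self.cap:
            self.log.append(("HP-OUT-CAP", proto, dport, hour))
            return "DROP"
        self.new_outbound[hour] += 1
        return "ACCEPT"

    def denied(self):
        """Blocked outbound attempts: the first sign the honeypot is being used
        as a stepping-stone, and worth an alert on their own."""
        return [e for e in self.log if e[0] != "HP-OUT"]


if __name__ == "__main__":
    print("\n".join(build_iptables_rules()))
```

The HP-OUT-DENY and HP-OUT-CAP log lines deserve their own alert: a honeypot that suddenly tries to reach port 80 or port 445 on other hosts, or that burns through its outbound allowance, has been compromised and is being used as the open door described under the honeypot’s limitations.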

Figure 11-6 includes basic/simplistic honeypot architecture showing you potential locations for honeypots within your organization’s network.

You see an attacker’s activities through logs: those of the firewall and IDS in front of the honeypot and the honeypot’s own logs. Verify that all of them are working before you deploy, and send them to a separate, protected log host; an attacker who gains root on the honeypot can otherwise erase the evidence. Failure to ensure this will make your life difficult and basically nullify your entire motivation for setting up a honeypot.


Note

Some people feel that capturing criminals in this manner should be considered a form of entrapment. This is a misconception, because honeypots are not active lures: they do not advertise themselves, and nobody is induced to attack them. A legitimate user does not stumble into a honeypot, and a good user would never install a rootkit on it.


Honeypot Limitations

Even with all their benefits, honeypots do not fix a single security problem. Instead, they contribute to misdirection, prevention, detection, and information gathering by being closely monitored and designed to look like something they are not, so that attackers hack into them. Conceptually, this means that a honeypot should carry no production workload, because its value lies in being probed, attacked, or compromised. Along with its many benefits, a honeypot has the following limitations:

Open-Door: If the system does indeed get hacked, it can be used as a stepping-stone to further compromise the network or to attack third parties. This is the reason for the outbound firewall restrictions and the close monitoring described earlier.

Complexity: Honeypots add complexity. In security, complexity is bad because it means more to configure, more to get wrong, and more exposure to exploits.

Maintenance: Honeypots must be maintained, just like any other networking equipment/services.
