To Trap A Thief

By Mathew Schwartz, Computerworld |  Operating Systems

If you want to break into a house, why spend time prying open the front door if the back door is wide open? Same goes when breaking into computer networks. Most networks and servers are set up with configuration errors that are well known to hackers, who can download free tools that will scan many different networks looking for those easy-open entry points. No genius-level code manipulation or high IQ is needed.

Your network administrators haven't had time to install the latest Microsoft Windows NT security patch yet? Great. A consultant left obvious root access passwords on the firewall he built for you? Even better.

Things get interesting, however, when a security administrator purposely leaves a back door open but hides a tripwire behind it. Now the security person knows when an intruder trips the wire and, with luck, the perpetrator can be caught or scared away before causing any damage.

That's the theory behind "honeypots," which are servers and network equipment designed to attract hackers into secure lockboxes rather than let them hack at the network proper. When criminals move in to exploit security flaws in a honeypot, silent alarms go off and network managers can block the intrusion, begin amassing evidence for use in court or even launch a counterattack.


Core Elements

*Looks and behaves as if real

*Doesn't disclose its existence at any point

*Is partially disabled so hackers can't still take it over

*Has a dedicated firewall that prevents all outbound traffic, in case honeypot is compromised

*Lives in a network DMZ, untouched by normal traffic

*Sounds silent alarms when any traffic goes to or from it

*Begins logging all intruder activity when it first senses intrusion

There are two types of honeypots. Hardware-based honeypots are servers, switches or routers that have been partially disabled and made attractive with commonly known misconfigurations. They sit on the internal network, serving no purpose but to look real to outsiders. The operating system of each box, however, has been subtly disabled with tweaks that prevent hackers from really taking it over or using it to launch new attacks on other servers. A honeypot is easy enough to build, but if an experienced cracker succeeds in compromising it, he could use it to launch other attacks.A safer option might be to create an entire network of honeypots, such as the HoneyNet Project. Lance Spitzner, a security consultant at Sun Microsystems Inc. in Chicago, runs the project with 30 other security professionals.

Join us:






Answers - Powered by ITworld

Ask a Question