Most honeypot products allow current alerts to be used to fine-tune future alerts, typically to filter out legitimate traffic. Fine-tuning a honeypot can take a few days, but a good honeypot simplifies the process. KFSensor easily provided the most flexibility in refining alerts. Right-clicking any alert opens up a "visitor rule" that can be greatly customized. Both HoneyPoint and Honeyd also had filtering features, but they were not as flexible or easy to implement.
Reporting. Management likes to see reports and pretty pictures, and everyone likes to see favorable trends over time. Unfortunately, I have yet to see a honeypot program with decent built-in reporting or anything near what we've come to expect in most computer security defense programs. HoneyPoint's 10 simple reports are easily enough to win the reporting category in this competition. I would like to see honeypot reporting mature to meet today's expectations.
Strange features. Honeypots can have some strange features, which are generally intended to capture more information about possible attackers. KFSensor has the most features of any honeypot in this review, but HoneyPoint wins the award for the strangest. HoneyPoint Trojans and HoneyBees (see the accompanying review) are awkward attempts to offer false lures -- namely, fake binary programs and fake Web and email traffic -- that MicroSolved hopes will lead to more specific information in tracking hackers. I'm doubtful of their overall usefulness, but at least MicroSolved is not providing tools to break into the remote hacker's computers as some past honeypot manufacturers have. Attacking an attacker is not only unethical, but illegal in most countries. HoneyPoint Trojans and HoneyBees do not cross that line.
The sweetest honeypot. KFSensor has long been the established leader in the honeypot world, and this hasn't changed. KFSensor is still the easiest and most feature-rich honeypot among the competition. Its single glaring weakness is the lack of built-in reports. Many honeypots, especially ones with distributed sensors and enterprise features, expect companies to have their own reporting tools and information needs. Still, a few basic reports would go a long way. HoneyPoint offers 10 basic reports, and Honeyd's open source community has offered simple add-ons to get the essential reporting functionality for some time.
HoneyPoint combines multi-platform support, built-in reports, alert tracking, and some unique features designed to trip up attackers, but it falls short of KFSensor in both functionality and ease. Honeyd is the most flexible and efficient honeypot you'll find, but also the most difficult to install and configure. Linux/Unix shops may be undaunted by the challenging setup, and attracted by the free price tag, but they too will likely be better served by KFSensor. Although KFSensor installs only on Windows, it can emulate the ports and services in a Linux/Unix environment (though not at the network stack level like Honeyd).
You can read the individual, more detailed reviews at the links below. No matter which honeypot product you choose to run, or even if you simply turn an old computer into an early-warning system, your modest investment in time or money will pay off in more reliable security and greater peace of mind. When your firewall, IDS, antivirus software, and other security defenses fail -- and they all fail every now and then -- your honeypot will alert you to the problem. Setting up a simple honeypot is a small price to pay for a second line of defense.
Read the honeypot reviews:
- KFSensor: The sweetest honeypot
- HoneyPoint: A honeypot for Windows, Linux, or Mac OS X
- Honeyd: The open source honeypot
- Honeypots by the features: KFSensor, HoneyPoint, and Honeyd
This story, "Intrusion detection honeypots simplify network security," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.