Intrusion detection honeypots simplify network security

Low-cost, low-fuss honeypots are highly effective early-warning systems against external attacks and insider threats. We review three.

By Roger A. Grimes, InfoWorld | Security, honeypots, intrusion detection

All honeypots must emulate one or more services, and to do so, they must listen on the TCP or UDP (or ICMP) ports for those services. Many honeypots emulate only a limited set of ports. KFSensor, Honeyd, and HoneyPoint all claim to emulate the entire range of TCP and UDP ports (0 through 65,535). I didn't test these claims in this review, but I have verified this on KFSensor and Honeyd in the past. Honeyd did all ports easily with the best performance. Although early versions of KFSensor could not do all ports, the latest enterprise versions can. Again, I have not tested HoneyPoint's claim.

Note: A honeypot cannot bind to a port that the underlying host operating system has already bound to. For example, Windows-based honeypots cannot emulate NetBIOS services unless file and printer sharing have been disabled on the host and SMB/CIFS have been turned off. This is to be expected.
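Added example, not code from the article or from any of the reviewed products: a minimal low-interaction TCP honeypot that tries to bind a list of ports, records (rather than fails on) ports the host OS already owns, as the note above describes, and logs every connection with its source and first bytes. The loopback address and port list are the example's own choices.

```python
import socket
import threading
import time
from collections import namedtuple

# One record per connection attempt: who touched which emulated port, and what they sent first.
HoneypotEvent = namedtuple("HoneypotEvent", "ts src port first_bytes")


class PortHoneypot:
    """Low-interaction honeypot: listen on many TCP ports and record every touch."""

    def __init__(self, host="127.0.0.1"):
        self.host = host
        self.events = []    # every hit is an alert: no legitimate client should connect here
        self.skipped = {}   # port -> reason, for ports the host OS already owns
        self._lock = threading.Lock()

    def bind_ports(self, ports):
        """Try each port; one already bound by a host service is recorded and skipped."""
        bound = []
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                srv.bind((self.host, port))
            except OSError as exc:   # EADDRINUSE (host service), EACCES (unprivileged <1024), ...
                srv.close()
                self.skipped[port] = exc.strerror
                continue
            srv.listen(5)
            threading.Thread(target=self._serve, args=(srv, port), daemon=True).start()
            bound.append(port)
        return bound

    def _serve(self, srv, port):
        while True:
            try:
                conn, (src, _) = srv.accept()
            except OSError:
                return               # listener socket was closed
            conn.settimeout(1.0)
            try:
                data = conn.recv(256)   # request line or banner probe, if the client sends one
            except OSError:
                data = b""              # client connected and left silently
            conn.close()
            with self._lock:
                self.events.append(HoneypotEvent(time.time(), src, port, data))
```

Ports listed in `skipped` are exactly the ones the host's own services (such as file and printer sharing on Windows) keep the honeypot from emulating.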

I have noted in the accompanying honeypot features table whether or not the honeypot came with a particular emulated service built-in, without needing additional software or scripts. For a low-interaction honeypot, the more services you can emulate the better. In a Windows shop, it's almost essential to cover all of the popular Microsoft applications and services -- that's what the attackers will be looking for. KFSensor comes with the most built-in services, followed by HoneyPoint. A broad range of open source emulation scripts are available for Honeyd, but only a few come preinstalled.

Network emulation. KFSensor and HoneyPoint don't have any network emulation features at all, relying completely on the host and host network for all routing. Honeyd has extensive network emulation, faking not only entire routing schemes (including routes, hops, latency, and packet loss) but also the network stack of each emulated OS. It can fool Nmap and Xprobe fingerprinting scans. A single instance of Honeyd can make it appear as if 100 different systems are operating across a wide range of virtualized IP addresses. No other honeypot product can match it.

It bears noting, however, that most attackers don't do network fingerprinting and analysis. They look for a port, find it, and quickly try to see what it's running -- just a little bit of discovery, if that. In a small percentage of cases the attacker will run a detailed fingerprinting tool (such as Nmap or Xprobe2), and in those cases network stack emulation is important. But in the vast majority of attacks, Honeyd's detailed network-level emulation and granular accuracy are overkill. For honeypot purists or honeypot admins trying to hide well, it is an essential feature. For most of the rest of us, it's unnecessary.

Originally published on InfoWorld.