Honeypots
A honeypot is a special computer system set up for the specific
purpose of attracting hackers. Generally, these servers will be
placed inside a firewall (although they might be outside) and
contain specific, known vulnerabilities which allow hackers to
gain access. Once inside, a good honeypot contains an immense
amount of seemingly attractive targets and information to
attempt to cause the hacker to spend time on the system. While
the hacker is spending this time, he is being carefully observed
and traced.
There are several reasons for creating honeypots.
- They are often simply a way to get hackers to expend time and
energy on non-production systems. Because it appears to the
hacker that he's on a "real" system, there's a good likelihood
that he may just stop looking around the rest of the network. In
other words he's already got what he came for.
- A honeypot is a great way to test security. Let's say you
produced a new security product and you want to see if it's
solid. You could set up a honeypot behind this product, the
"leak" it's existence to some hackers. Now sit back and see if
they get through your defenses.
- Another reason for a honeypot is to attempt to get a hacker to
stay long enough so that you can identify him.
- As the hacker works his way through the honeypot system, he
will leave traces and his movements will be tracked. This can
all be saved for use in criminal trials at a later date.
In my experience, a honeypot is an extremely useful part of
security management. What I've seen others do is simple. Recycle
some older computers, not really useful for production anymore,
and install some "cool" applications and documents. Add some
reasonable security with a few known holes, and make sure the
system makes itself known on the network.
If you've got the time and money, I've found it's best to set up
the honeypot in it's own DMZ. A DMZ is a way to protect a
network. You set up one firewall, then your web servers, then
another firewall to protect your application servers. You do
this because the web servers need more exposure to the internet
than your application servers. Also, the application servers are
much more expensive and critical and thus deserve more
protection.
So what you do with the honeypots is set up a third DMZ and add
one or more honeypot systems to them. Thus, you might put a
firewall, a honeypot, another firewall, your web servers,
another firewall and then your application servers. You can also
just leave the honeypots right on the internet if you want,
although that tends to make them too easy of a target.
And then you just let them sit there and attract hackers. Oh
yes, you have to be sure to keep extensive records of everything
that happens on these systems, just in case you need it later.
To see a list of article available for reprint, you can send an
email to:
mailto:article-list@internet-tips.net?subject=send_article_list
or visit http://internet-tips.net/requestarticles.htm