Conventional wisdom has stated for years that you should enable audit logs wherever possible on your networks and review those logs frequently. But audit logs can produce thousands of entries each day, making it easy for a critical alert to get lost in the mix. This is where honeypots come in.
Think of a honeypot as a bait system or network. Nothing on the honeypot is a functional part of your network and, aside from checking logs, no one has a valid reason for accessing the honeypot systems. Any entries logged by the honeypot generally refer to malicious activity being directed at your Windows systems.
Approximately a dozen companies make honeypots, which are available in all different sizes and configurations. Generally speaking, honeypots fall into two categories: real and virtual. Both types have their advantages and disadvantages.
A virtual honeypot is basically an appliance designed to emulate a legitimate system. For example, if a hacker tried to break into the network by using an FTP-based attack, the honeypot could impersonate an FTP server. Real honeypots, on the other hand, run real operating systems (usually Windows or Linux) and real server software.
Virtual honeypot advantages
The advantages to using virtual honeypots are that they are far less expensive and more secure than real honeypots. Cases have been documented where hackers were able to infiltrate and take control of real honeypots -- which are real servers. Any vulnerabilities that would normally exist on a comparable server would also be present in the real honeypot, and the hacker can use it to stage an attack against a network.
Real honeypot advantages
If a virtual honeypot is less expensive and more secure than a real honeypot, why would you ever use a real honeypot? Real honeypots are more convincing. Think about it for a minute. A virtual honeypot is an emulator designed to behave the way a real system would behave. However, if a hacker uses an obscure command in a hack attempt, there is a good chance the virtual honeypot will not know how to respond to the command as a real server would. This could instantly tip off the hacker to your honeypot.
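As an added illustration of the virtual honeypot idea described above (the FTP impersonation example and the obscure-command weakness), here is a minimal FTP-emulating listener. This is example code written for this page, not part of the original article or any vendor's product. It answers the handful of commands a probe usually sends, records every received line as a suspicious event (nothing legitimate should ever connect), and gives everything else a generic 502 reply while logging it as "unknown-command", so the log also shows where the emulation is thin. The port, log format and command set are assumptions.

```python
import logging
import socket
from datetime import datetime, timezone

log = logging.getLogger("ftp_honeypot")

class FtpEmulator:
    """Just enough FTP to hold a probe's attention; every received line is
    logged as suspicious, since nothing legitimate should ever talk to us."""
    BANNER = "220 FTP server ready\r\n"

    def __init__(self, peer="unknown"):
        self.peer, self.user, self.events = peer, None, []

    def _record(self, kind, line):
        # Keep a structured copy for alerting and emit a log line for the SIEM.
        self.events.append((datetime.now(timezone.utc).isoformat(), self.peer, kind, line))
        log.warning("honeypot %s %s %r", self.peer, kind, line)

    def respond(self, raw):
        """Reply to one command line; a 221 reply means close the session."""
        line = raw.rstrip("\r\n")
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            self._record("login-attempt", line)
            return "331 Password required\r\n"
        if cmd == "PASS":  # never accept: record the attempt and stall the probe
            self._record("login-attempt", line)
            return "530 Login incorrect\r\n"
        if cmd == "QUIT":
            self._record("command", line)
            return "221 Goodbye\r\n"
        # Anything else gets a generic error. These entries also show where
        # the emulation is thin, the gap the article says can tip off a hacker.
        self._record("unknown-command", line)
        return "502 Command not implemented\r\n"

def serve(host="0.0.0.0", port=2121):
    # Accept one connection at a time and run each session through the emulator.
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn:
                emu = FtpEmulator(f"{addr[0]}:{addr[1]}")
                conn.sendall(emu.BANNER.encode())
                for raw in conn.makefile("r", encoding="latin-1"):
                    reply = emu.respond(raw)
                    conn.sendall(reply.encode())
                    if reply.startswith("221"):
                        break
```

Calling serve() listens on the assumed port 2121; in practice you would bind the real FTP port on a dedicated bait host and ship the warning-level log lines to your central log collector.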
If you're considering a honeypot, it's important to remember that checking honeypot logs is no substitute for checking all of your other security logs. As I mentioned earlier, any activity logged to the honeypot usually indicates a hack attempt, but that activity would only come from within the boundaries of your network perimeter or from a hacker who managed to penetrate your firewall and other defenses. You've got a serious problem either way. It pays to continually monitor your firewall logs for suspicious activity just in case. Sure, it's a lot of work, but it's better to detect a potential attack early than to have to do forensics later.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This was first published in March 2005