Honeypots

A honeypot is a special computer system set up for the specific
purpose of attracting hackers. Generally, these servers will be
placed inside a firewall (although they might be outside) and
contain specific, known vulnerabilities which allow hackers to
gain access. Once inside, a good honeypot contains an immense
amount of seemingly attractive targets and information to attempt
to cause the hacker to spend time on the system. While the hacker
is spending this time, he is being carefully observed and traced.

There are several reasons for creating honeypots.

- They are often simply a way to get hackers to expend time and
energy on non-production systems. Because it appears to the hacker
that he's on a "real" system, there's a good likelihood that he
may just stop looking around the rest of the network. In other
words he's already got what he came for.

- A honeypot is a great way to test security. Let's say you produced
a new security product and you want to see if it's solid. You
could set up a honeypot behind this product, the "leak" it's
existence to some hackers. Now sit back and see if they get
through your defenses.

- Another reason for a honeypot is to attempt to get a hacker to
stay long enough so that you can identify him.

- As the hacker works his way through the honeypot system, he will
leave traces and his movements will be tracked. This can all be
saved for use in criminal trials at a later date.

In my experience, a honeypot is an extremely useful part of
security management. What I've seen others do is simple. Recycle
some older computers, not really useful for production anymore,
and install some "cool" applications and documents. Add some
reasonable security with a few known holes, and make sure the
system makes itself known on the network.

If you've got the time and money, I've found it's best to set up
the honeypot in it's own DMZ. A DMZ is a way to protect a network.
You set up one firewall, then your web servers, then another
firewall to protect your application servers. You do this because
the web servers need more exposure to the internet than your
application servers. Also, the application servers are much more
expensive and critical and thus deserve more protection.

So what you do with the honeypots is set up a third DMZ and add
one or more honeypot systems to them. Thus, you might put a
firewall, a honeypot, another firewall, your web servers, another
firewall and then your application servers. You can also just
leave the honeypots right on the internet if you want, although
that tends to make them too easy of a target.

And then you just let them sit there and attract hackers. Oh yes,
you have to be sure to keep extensive records of everything that
happens on these systems, just in case you need it later.

To see a list of article available for reprint, you can send an
email to:
mailto:article-list@internet-tips.net?subject=send_article_list
or visit
http://internet-tips.net/requestarticles.htm