How can honeypots protect your network?
Honeypots were the one weakness for beloved children’s character Winnie the Pooh. Could the same be true for network attackers? Perhaps, but not if you’re using the same kind of honeypot. In computing, a honeypot is “a computer, data, or a network site that seems to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers” (in the words of Wikipedia). In other words, a honeypot is a network attacker trap.

Honeypots should not be used for any actual business activity, or for any legitimate traffic at all. This ensures that any activity on the system can be classified as unauthorized. Obviously, it’s important to make sure that the honeypot really is completely isolated from your business’s network.

Honeypots come in a number of different versions. For instance, a honeypot masquerading as an open proxy is referred to as a “sugarcane.” However, most honeypots can be classified in one of two varieties.
- Production honeypots are placed in the production network of companies or corporations. They are easier to deploy, but reveal less information about the actual attackers than research honeypots. The primary goal of a production honeypot is to attract attacks and lower risk in other areas of the organization.
- Research honeypots are most often used by non-profit research organizations or educational institutions to analyze the tactics of the blackhat computing community. Research honeypots do not benefit individual organizations directly, but are used to determine potential threats and develop protection against them. Given the difficulty of maintaining one of these honeypots, they are used primarily by well-funded research, government, or military organizations.
Another type of honeypot masquerades as an open mail relay or open proxy (the “sugarcane” mentioned above) in order to foil spammers. These types of honeypots can determine the IP address of the spammer. Database honeypots run “trap databases” in order to protect against SQL injection attacks.

Honeypots can be linked together to provide even more security. Two honeypots on the same network are known as a “honeynet,” while a “honeyfarm” refers to “a centralized collection of honeypots and analysis tools” (again from Wikipedia).

The idea of the honeypot is simple in nature, but provides a strong defense against malicious use of your company’s networks. Consider integrating one into your network before an attack, rather than as a retaliatory measure after your network has already been compromised.
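To make the idea concrete, here is an added example (not code from the original article) of a minimal low-interaction production honeypot in Python. It listens on a decoy port, presents a fake mail-relay banner, serves no real data, and records every connection as a structured event, because on a system with no legitimate users any activity is unauthorized by definition. The banner, hostname and severity rules are constructed for the example; `probe` is a small test client so the whole thing can be exercised on loopback.

```python
import socket
import threading
import time
from collections import Counter
from datetime import datetime, timezone

# Constructed decoy banner: pretends to be an open mail relay, nothing behind it.
DECOY_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def make_event(peer, decoy_port, data):
    """Turn one connection into an alert record.

    Any hit is unauthorized (the honeypot has no legitimate users); a peer that
    actually sends data is rated higher than one that only completes the handshake.
    Severity labels are an assumption for this example.
    """
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_port": decoy_port,
        "bytes": len(data),
        "sample": data[:64].decode("latin-1"),  # first bytes, for the analyst
        "severity": "high" if data else "medium",
    }


def summarize(events):
    """Aggregate events per source IP: hit count and decoy ports touched."""
    hits = Counter(e["src_ip"] for e in events)
    ports = {}
    for e in events:
        ports.setdefault(e["src_ip"], set()).add(e["decoy_port"])
    return {ip: {"hits": n, "ports": sorted(ports[ip])} for ip, n in hits.items()}


class Honeypot:
    """Low-interaction TCP honeypot: accept, send banner, read once, log, close."""

    def __init__(self, host="127.0.0.1", port=0, banner=DECOY_BANNER):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.5)      # so the accept loop can notice a stop request
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events = []
        self._stop = threading.Event()
        self._thread = None

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(1024)   # b"" if the peer sent nothing
                except OSError:
                    data = b""               # peer dropped early: still an event
                self.events.append(make_event(peer, self.port, data))

    def start(self):
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()
        return self.events


def probe(host, port, payload, timeout=2.0):
    """Test client: connect to the decoy, read its banner, send a payload, hang up."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def wait_for_events(hp, count, timeout=5.0):
    """Block until the honeypot has logged `count` events or the timeout expires."""
    deadline = time.time() + timeout
    while len(hp.events) < count and time.time() < deadline:
        time.sleep(0.05)
    return len(hp.events) >= count


if __name__ == "__main__":
    hp = Honeypot().start()
    print(f"decoy listening on 127.0.0.1:{hp.port}")
    probe("127.0.0.1", hp.port, b"EHLO scanner.test\r\n")  # constructed sample hit
    wait_for_events(hp, 1)
    for ev in hp.stop():
        print(ev)
    print(summarize(hp.events))
```

In a real deployment the `events` list would be shipped to the SIEM rather than kept in memory, the decoy would run on an isolated host with no route back into production, and the summary per source IP is what a detection rule would key on: a single hit on a decoy port is already a confident alert, whereas the same connection on a real service would be noise.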