A honeypot is fictitious, from a security perspective vulnerable system that is purposely set as trap for non-legitimate users and attackers. For example, if one suspects unauthorized access to personal files a honeypot system can be set up. Such systems serve as additional security measures and are used to defend against espionage or to protect critical data.
Monitoring of data access and events using logging mechanisms.
Filtering of data packets.
- Intrusion Detection
Complete monitoring of all system access.
The system itself needs to be supervised to detect any changes to data.
Once illegal access is detected relevant events need to be escalated and appropriate measures should to be taken.
Basic prerequisites for operating a honeypot system:
- No firewall
- Port monitor or HD-hub layer-2 Ethernet to allow monitoring
- Sniffer for packet analysis
- Central control for analysis and event detection
Commercial as well as free honypot packages are available since 1999. Due to their low cost free solutions are useful for testing purposes and possibly also for long-term usage.
Any analysis requires a reliable time scale. Therefore it is necessary to integrate with timekeeping systems that should be tested for their trustworthiness. In practice NTP servers fulfill this task very well.
A honeypot system should not easily be recognized as such or else it looses its purpose. Important considerations include carefully chosen file names, DNS entries and host names.
- Emergency break
There should always be an option to pull an emergency break. In case an attacker is about to access other critical systems within the intranet or threatens to cause major damage to the logging system a shutdown should be possible. This can be achieved by a script or a special IP filtering rule.