Intrusion Detection Honeypots Simplify Network Security

All honeypots must emulate one or more services, and to do so, they must listen on the TCP or UDP (or ICMP) ports for those services. Many honeypots emulate only a limited set of ports. KFSensor, Honeyd, and HoneyPoint all claim to emulate the entire range of TCP and UDP ports (0 through 65,535). I didn't test these claims in this review, but I have verified this on KFSensor and Honeyd in the past. Honeyd did all ports easily with the best performance. Although early versions of KFSensor could not do all ports, the latest enterprise versions can. Again, I have not tested HoneyPoint's claim.

Note: A honeypot cannot bind to a port that the underlying host operating system has already bound to. For example, Windows-based honeypots cannot emulate NetBIOS services unless file and printer sharing have been disabled on the host and SMB/CIFS have been turned off. This is to be expected.

I have noted in the accompanying honeypot features table whether or not the honeypot came with a particular emulated service built-in, without needing additional software or scripts. For a low-interaction honeypot, the more services you can emulate the better. In a Windows shop, it's almost essential to cover all of the popular Microsoft applications and services -- that's what the attackers will be looking for. KFSensor comes with the most built-in services, followed by HoneyPoint. A broad range of open source emulation scripts are available for Honeyd, but only a few come preinstalled.

Network emulation. KFSensor and HoneyPoint don't have any network emulation features at all, relying completely on the host and host network for all routing. Honeyd has extensive network emulation, faking not only entire routing schemes (including routes, hops, latency, and packet loss) but also the network stack of each emulated OS. It can fool Nmap and Xprobe fingerprinting scans. A single instance of Honeyd can make it appear as if 100 different systems are operating across a wide range of virtualized IP addresses. No other honeypot product can match it.

It bears noting, however, that most attackers don't do network fingerprinting and analysis. They look for a port, find it, and quickly try to see what it's running -- just a little bit of discovery, if that. In a small percentage of cases the attacker will run a detailed fingerprinting tool (such as Nmap or Xprobe2), and in those cases network stack emulation is important. But in the vast majority of attacks, Honeyd's detailed network-level emulation and granular accuracy is overkill. For honeypot purists or honeypot admins trying to hide well, it is an essential feature. For most of the rest of us, it's unnecessary.

Alerting and logging. A honeypot is useless without strong alerting and logging. All honeypots display connection attempts as alerts, either on the sensor or on a centralized console. Alerts should allow criticality levels to be set for each sensor, origination IP address, port, and even intrusion signature. All probes to a honeypot should be investigated, though some probes are more suspicious than others. A probe originating from a more secure network might indicate a more serious compromise, for example. For this reason, a defense industry client with a honeypot on a nongovernment network wanted the highest priority set on traffic originating from a distant government network that was classified. The client wanted their incident response team to be alerted immediately if a probe originated from the more sensitive network. KFSensor provided the most versatility in setting criticality levels, followed by Honeyd and then HoneyPoint.

Most honeypots allow alerts to be sent via syslog, email, and Windows Event logs (if hosted on a Windows computer). All alerts should be logged to a local database, and bonus points were given if logs could also be saved to an external database, especially if the database supported was SQL-based. All three products reviewed allow you to throttle alert messages so that one probing event -- say, a port scan -- doesn't trigger thousands of emails to the on-call support person.

Most honeypot products allow current alerts to be used to fine-tune future alerts, typically to filter out legitimate traffic. Fine-tuning a honeypot can take a few days, but a good honeypot simplifies the process. KFSensor easily provided the most flexibility in refining alerts. Right-clicking any alert opens up a "visitor rule" that can be greatly customized. Both HoneyPoint and Honeyd also had filtering features, but they were not as flexible or easy to implement.

Reporting. Management likes to see reports and pretty pictures, and everyone likes to see favorable trends over time. Unfortunately, I have yet to see a honeypot program with decent built-in reporting or anything near what we've come to expect in most computer security defense programs. HoneyPoint's 10 simple reports are easily enough to win the reporting category in this competition. I would like to see honeypot reporting mature to meet today's expectations.

Strange features. Honeypots can have some strange features, which are generally intended to capture more information about possible attackers. KFSensor has the most features of any honeypot in this review, but HoneyPoint wins the award for the strangest. HoneyPoint Trojans and HoneyBees (see the accompanying review) are awkward attempts to offer false lures -- namely, fake binary programs and fake Web and email traffic -- that MicroSolved hopes will lead to more specific information in tracking hackers. I'm doubtful of their overall usefulness, but at least MicroSolved is not providing tools to break into the remote hacker's computers as some past honeypot manufacturers have. Attacking an attacker is not only unethical, but illegal in most countries. HoneyPoint Trojans and HoneyBees do not cross that line.

The sweetest honeypot

KFSensor has long been the established leader in the honeypot world, and this hasn't changed. KFSensor is still the easiest and most feature-rich honeypot among the competition. Its single glaring weakness is the lack of built-in reports. Many honeypots, especially ones with distributed sensors and enterprise features, expect companies to have their own reporting tools and information needs. Still, a few basic reports would go a long way. HoneyPoint offers 10 basic reports, and Honeyd's open source community has offered simple add-ons to get the essential reporting functionality for some time.

HoneyPoint combines multi-platform support, built-in reports, alert tracking, and some unique features designed to trip up attackers, but it falls short of KFSensor in both functionality and ease. Honeyd is the most flexible and efficient honeypot you'll find, but also the most difficult to install and configure. Linux/Unix shops may be undaunted by the challenging setup, and attracted by the free price tag, but they too will likely be better served by KFSensor. Although KFSensor installs only on Windows, it can emulate the ports and services in a Linux/Unix environment (though not at the network stack level like Honeyd). 

You can read the individual, more detailed reviews at the links below. No matter which honeypot product you choose to run, or even if you simply turn an old computer into an early-warning system, your modest investment in time or money will pay off in more reliable security and greater peace of mind. Because when your firewall, IDS, antivirus software, and other security defenses fail -- and they all fail every now and then -- your honeypot will alert you to the problem. Setting up a simple honeypot is a small price to pay for a second line of defense.

Read the honeypot reviews:

  • KFSensor: The sweetest honeypot
  • HoneyPoint: A honeypot for Windows, Linux, or Mac OS X
  • Honeyd: The open source honeypot
  • Honeypots by the features: KFSensor, HoneyPoint, and Honeyd
  • Read the sidebar:

  • Intrusion detection on the cheap: Roll your own honeypot
  • This story, "Intrusion detection honeypots simplify network security," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.

    Read more about security central in InfoWorld's Security Central Channel.

    Subscribe to the Business Brief Newsletter

    Comments