Honeypots are positioned to become a key tool to defend the corporate enterprise from hacker attacks, but some security watchers worry they could bring a new set of security worries with them.

Honeypots, which have been around for about 10 years but now are gaining interest and momentum, are digital decoys, of sorts. They are built to be probed and attacked -- an online come-on to blackhat hackers. Once the honeypot is attacked, security administrators can watch how the hacker moves around the system, and she can see what tools the hacker is using and what information he's going after.

It's a way to spy on your enemy.


And if you're lucky, it might even be a form of camouflage. Hackers could be fooled into thinking they've accessed a corporate network, when actually they're just banging around in a honeypot -- while the real network remains safe and sound.

"It's all about appearing to be something you're not to get the baddies to show their hand," says George Bakos, senior security expert at the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H. "The information we glean from it is fantastic. You can observe details of the compromise -- what technology they use, their intent, motivations and the resources they went after. ...They give us a leading indicator of things to come."

With the information culled from honeypots, Bakos says administrators can refine their network defenses and better secure the company's critical information.

Bakos says honeypots are poised to become the third step in network perimeter security. The security line up will be filtering, detection and deception.

What is a honeypot?

There are a few types of honeypots. Hardware-based honeypots are made up of servers, switches and routers that are set up to mimic an actual productive network. They're usually spiced up with the addition of a few misconfigurations or unpatched security holes. The goal is for them to look real and operational, as well as inviting to a hacker.

There's also a form of a virtual honeypot. Software emulation honeypots are deception programs designed to appear to be a real working network. The honeypot program doesn't offer up any actual hardware for a sophisticated hacker to compromise but it also offers the added challenge of creating a simulation good enough to fool an intruder into thinking he's in a real network. That can be a complicated, and time-consuming task, for the average IT worker.

There also are honeynets, which are a network of honeypots, loaded up with real hardware, like Linux boxes, Cisco switches, Windows NT and Solaris. Lance Spitzner, an engineer at Sun Microsystems Inc., created the Honeynet Project with the help of about 30 other security professionals.

"Honeypots can be used to detect attacks and they can be used to get information about attacks," says Spitzner. "They're better than intrusion detection systems because they can give you a lot of false positives. You get 8,000 to 10,000 alerts a day with IDS. You don't know what to pay attention to. You get overwhelmed and you start ignoring it all. When a honeypot generates an alert, it's a real attack. No one should be connecting to it because it's not an actual production network. So if someone is on it, it's a probe or a scan or an attack."

Keith Rhodes, chief technologist at the U.S. General Accounting Office, says honeypots should be part of a company's defense structure.

"You set them up like fish bowls and watch what they're doing," says Rhodes, whose job is to test networks at government agencies, finding their weaknesses by breaking into them. "You set up a diversionary network and it buys you time while you watch them and see what they're doing. It's not the first line of defense. It's part of your defensive structure."

Rhodes notes that systems can be attacked in the blink of an eye and honeypots buy administrators needed time to find out what's going on.

"Most people who are serious about security are starting to use honeypots in one way or another," says Rhodes. "They're used a lot in the military. They want to pull their opponent in and watch them. The trick is to make it interesting to the person breaking in and to make certain they can't immediately figure out they're in a honeypot."

At the Vermont National Guard, honeypots are used to teach students in the Computer Emergency Response Teams, which teaches network security to military IT workers from all 50 states. They run an experimental network, gathering attack information to show their students what to look for and what to do when it happens.

Retired Sgt. Bill Scherr, a senior instructor with the Guard's Electronic Warfare Associates team, says they've harvested information about attackers from all over the world. And that's offered valuable lessons to the students who may be defending military networks from hacker attacks.

But despite the advantages, Scherr says honeypots are nothing to mess around with.

Sgt. First Class Carl Fortune, a computer specialist and instructor with the Vermont National Guard, says it's a more complicated technology than simply putting up a firewall or an intrusion detection system.

"You can put up a firewall and IDS, but you better know what you're doing if you're playing around with a honeypot," says Fortune. "You've got to be able to contain them and you've got to know if they've gotten out of the honeypot and into your network."

That's good advice, say analysts, since once a hacker realizes he's been duped by a honeypot, he's more apt to be angered and embarrassed enough to want to retaliate with a destructive attack on the real network.

Fortune and Scherr also note that once a hacker is in a honeypot, it's up to the administrator to make sure he can't use the honeypot as a jumping off point to attack another network. The company running the honeypot could be liable for any damage done to another network through their own network.

Ken VanWyk, director of technology in the technical risk management department at TechMark Global Solutions, says honeypots are based on a good concept but he hasn't yet recommended that a customer deploy one. He says he wants to see the honeypots more geared toward deceiving an attacker and he wants to see them optimized for running on internal networks, catching employees or contractors tampering with the system.

"Very few are using them now but I think we'll see an increase," says VanWyk. "The technology is maturing and somewhere along the line, someone will come up with a really useful honeypot that is feasible, manageable and cost-effective to deploy. They're still missing enterprise-level manageability."