A recent technique of fighting network attackers consists of stretching three types of strategies:
1. Baits: creating a unique user account with a simple password (user: guest, password: guest); any attacker who connects to this account is closely monitored.
2. Traps: Install and configure an operating system with the most common security flaws and vulnerabilities, easy to find, to catch intruders.
3. Honeypot (honey jar).
A Honeypot system has the role of attracting and trapping those attackers (hackers, crackers, script kiddies, etc.) who are trying to penetrate networks and computing systems through scans, surveys, and intrusions. It is a soft and/or passive hard drive that has the role of being probed, scanned, attacked, compromised.
The purposes of implementing a Honeypot System in a network are as follows:
1. Distracting attackers from attacking much more valuable network resources.
2. Anticipated warning on scans, intrusion attempts and new attacks.
3. Deep exploration of an attacker’s activities during and after Honeypot operation.
4. Define the attacker’s profile and determine the techniques used by the attacker.
5. Using lessons to fill in real network security breaches.
6. Check the efficiency of the project and network security policy.
We recommend installing Honeypot systems so that:
a. Be sufficiently protected to be attractive to attackers.
b. They are not strongly fortified to allow different types of attacks on them, and not on other network resources.
c. Be installed in DMZ (Demilitarisation Zone) areas of networks and not appear in DNS and/or WINS records.
d. Using firewalls, create a set of rules around the SH that allow all incoming traffic from the Internet to SH, but only allow FTP, ICMP, and DNS output traffic;
e. They are not part of the productive part of the network and installed on single systems to protect the rest of the network.
Based on the fundamental function, Honeypot Systems (SH) are classified as follows:
1. Monitor: SH listens to ports (target targets by attackers), responds to port scans and allows attackers to connect and open sessions;
2. Emulator: interacts with the attacker as a system would actually do; for example: through a limited set of features, SH simulates an email server and responds to all service ports, including TCP110 (POP3)
3. Simulator: SH simultaneously simulates various operating systems and/or more attacked systems (Linux Red Hat, Solaris, Microsoft IIS)
4. Detector: Using a SH coupled with an IDS, as shown at.
Benefits of Honeypot Systems:
1. Flexibility: They can take different forms (emulated network service, database, server of different types, just an operating system component, a simple daemon-honeyd).
2. Low information: collects data only when interacting with unauthorized activities.
3. Do not interact with ordinary users.
4. Generates relatively few false alarms.
By applying the Honeypot technique, a new layer of computer network security is provided. It is recommended to implement Honeypot systems in conjunction with other known security techniques, such as firewalls and proxy systems. Honeypot, Honeyd, and Honeynet systems are viable security techniques, but they are not a universal panacea for network security issues. They constitute only an extra layer to ensure the security of computer networks.