Many virtual honeypots simulate services on well-known ports that would interest an intruder, such as SMTP or FTP. These honeypots go beyond the initial protocol handshake by having the emulated service respond to the intruder. An emulated service that returns only a mimicked banner is called a banner service. For example, an intruder's connection to TCP port 25 (SMTP) might return a simulated Exchange banner and nothing more. An emulated service that responds with minimal output to each input is called a simple or standard service. For example, probes to FTP port 21 might prompt intruders for their logon name and password, which the honeypot records (the logon itself should never succeed). If an intruder supplies a current or former valid logon name rather than a random guess, the intruder might be an insider or might have successfully compromised the system in the past.
Simulated services, especially those trying to mimic IIS or FTP, often offer greater levels of emulation. Some virtual honeypots provide fake subdirectories, files, and responses. Other virtual honeypots allow service-port probes to be relayed to other computers hosting legitimate software but ensure the intruder is still attacking a nonproduction resource. Generally, the better the service emulation, the more interesting the target becomes to intruders. The longer the intruders stay around, the more information you can collect. However, most virtual honeypots are considered low-interaction, which means they don't offer sophisticated levels of emulation.
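To make the banner-service and simple-service distinction concrete, here is a small low-interaction honeypot in Python. It is an added example, not code from any of the honeypots reviewed here. Ports 25 and 110 are banner services that greet the intruder and then only record what is sent; port 21 is a simple FTP service that asks for a logon name and password, records the pair, refuses the logon, and flags whether the name matches a list of current or former real accounts (the insider check described above). The banners approximate those of Exchange 2000 and the IIS 5.0 FTP service; the host name, account list, peer address and log file path are assumptions made for the example.

```python
"""Low-interaction honeypot: banner services on 25/110, a simple FTP service on 21.
Added example, not code from any honeypot reviewed on this page.  Banners
approximate Exchange 2000 and IIS 5.0 FTP; host name, account list, peer
address and log path are constructed for illustration."""
import json
import socketserver
import threading
from datetime import datetime, timezone

HOSTNAME = "mail01.corp.example"                           # assumed host name
KNOWN_ACCOUNTS = {"administrator", "backupsvc", "jsmith"}  # constructed: current/former real accounts

# Banner services: one greeting line, then only record whatever the intruder sends.
BANNERS = {
    25: f"220 {HOSTNAME} Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready\r\n",
    110: f"+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 ({HOSTNAME}) ready.\r\n",
}


class FtpEmulator:
    """Simple service: enough of FTP to collect USER/PASS pairs; a logon never succeeds."""
    banner = "220 Microsoft FTP Service (Version 5.0).\r\n"

    def __init__(self):
        self.user = ""

    def respond(self, line):
        """Return (reply, event); event is a dict once a logon attempt has completed."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return f"331 Password required for {arg}.\r\n", None
        if verb == "PASS":
            event = {"user": self.user, "password": arg,
                     "known_account": self.user.lower() in KNOWN_ACCOUNTS}
            return "530 User cannot log in.\r\n", event
        if verb == "QUIT":
            return "221 Goodbye.\r\n", None
        return "500 Command not understood.\r\n", None


class Session:
    """One intruder connection; protocol logic lives here so it can run without a socket."""

    def __init__(self, port, peer):
        self.port, self.peer, self.events = port, peer, []
        self.ftp = FtpEmulator() if port == 21 else None
        self._log("connect")

    def _log(self, kind, **fields):
        self.events.append({"type": kind, "port": self.port, "peer": self.peer, **fields})

    def greeting(self):
        return self.ftp.banner if self.ftp else BANNERS[self.port]

    def feed(self, line):
        """Return (reply, keep_open) for one client line."""
        self._log("input", data=line)
        if self.ftp is None:
            return "", True                     # banner service: swallow input silently
        reply, event = self.ftp.respond(line)
        if event:
            self._log("login_attempt", **event)
        return reply, not reply.startswith("221")


def simulate_session(port, client_lines, peer="198.51.100.7"):
    """Drive a session offline; returns (everything the server sent, captured events)."""
    session = Session(port, peer)
    output = session.greeting()
    for line in client_lines:
        reply, keep_open = session.feed(line)
        output += reply
        if not keep_open:
            break
    return output, session.events


def write_events(events, path="honeypot.jsonl"):
    """Append one JSON object per event; a database writer would drop in here."""
    stamp = datetime.now(timezone.utc).isoformat()
    with open(path, "a", encoding="utf-8") as fh:
        for ev in events:
            fh.write(json.dumps({"time": stamp, **ev}) + "\n")


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = Session(self.server.server_address[1], self.client_address[0])
        self.wfile.write(session.greeting().encode())
        for raw in self.rfile:
            reply, keep_open = session.feed(raw.decode(errors="replace").rstrip("\r\n"))
            self.wfile.write(reply.encode())
            if not keep_open:
                break
        write_events(session.events)


def serve(bind="0.0.0.0", ports=(21, 25, 110)):
    """Listen on each emulated port in its own thread (ports below 1024 need privileges)."""
    servers = [socketserver.ThreadingTCPServer((bind, p), Handler) for p in ports]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return servers


if __name__ == "__main__":
    serve()
    threading.Event().wait()        # keep the listeners alive until interrupted
```

The FTP emulator always answers 530 after PASS: a honeypot that admits a logon has to emulate a file system next, which is the step from a simple service to the higher-emulation services described in the next paragraph. The `known_account` flag is what turns a recorded credential into the insider signal mentioned above.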
Selection and Evaluation Criteria
Numerous honeypots are available, so I had to narrow the field. To be included in this review, the honeypot had to run natively on Windows platforms and mimic multiple common Windows ports and services. I didn't consider honeypots that specialize in only one facet of defense (e.g., tarpits, antispam) or have minimal features because they tend to arrive and disappear in a few months and offer limited support.
Four honeypots—Honeyd-WIN32 0.5, KeyFocus's KFSensor, Network Security Software's (NETSEC's) SPECTER 7.0, and VMware (an EMC subsidiary) Workstation 4.0—met all the selection criteria. (Table 1 outlines other notable honeypots that can run in a Windows environment but didn't meet the other selection criteria.) To evaluate the four honeypots, I used the following evaluation criteria:
Windows emulation—Emulating a Windows host means offering remote procedure call (RPC) port 135 and NetBIOS ports 137, 138, 139, and 445 at a minimum as well as any other port or service that might be present on a typical Windows computer. For example, a fake Exchange server might offer additional ports 25 (SMTP), 110 (POP3), 119 (Network News Transfer Protocol—NNTP), and 143 (IMAP). An emulated IIS server might offer additional ports 20 and 21 (FTP), 25, 80 (HTTP), and 443 (HTTP Secure—HTTPS). A Windows 2000 Server system might offer additional ports 53 (DNS), 67 (DHCP server), 88 (Kerberos), 1433 and 1434 (Microsoft SQL Server), and 3389 (Win2K Server Terminal Services). Several of these (137, 138, 67, and 1434) are UDP ports, so a honeypot that emulates only TCP listeners will look incomplete to a port scanner. Honeypots should let users emulate the correct services on these ports. For example, an emulated Web server should return an IIS banner, not Apache, and an emulated SMTP server should return an Exchange banner, not sendmail. Historically, most honeypots have done a poor job of emulating the ports and services typically found in a Microsoft environment.
Ease of setup and use—Some honeypots can be installed quickly, whereas others take hours of customization. After you finish the setup process, you want a honeypot that's easy to use yet meets your needs. Items to consider include whether you want a GUI or text-based real-time monitoring interface, whether you need the ability to manage the honeypot remotely, whether the honeypot comes with emulated data or has a mechanism with which to add and update data, and how easily you can recover the honeypot after a compromise.
Data capture—All honeypots capture attack activity in real time, with varying levels of detail. The best honeypots capture everything the intruder does, including full network packet decodes, keystrokes, and system-manipulation activity. Other honeypots require you to add tools if you want to capture such detailed information. Another consideration is where the honeypot stores captured data. Does the honeypot write data to only a local text-based log file, or can the honeypot write data to an external database?
Alerts and reports—No honeypot is complete without offering a way to alert administrators in real time to unauthorized activity. Honeypots offer a range of alert mechanisms, including broadcast messages, email, and Short Message Service (SMS). Another consideration is the types of reports the honeypot offers.
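The Windows-emulation criterion above can be checked mechanically rather than by eye. The following Python script is an added example (not part of the review and not code from any of the four products): it grabs banners from a honeypot's TCP ports, flags any banner that names a non-Windows product (Apache where IIS is expected, sendmail where Exchange is expected), and lists the ports a chosen set of roles requires but the honeypot does not expose. The role-to-port sets, the fingerprint patterns and the sample banners in the test are my own assumptions; the UDP services (NetBIOS 137/138, DHCP 67, SQL Browser 1434) are deliberately left out because they need a UDP probe.

```python
"""Checker for the 'Windows emulation' criterion: grab banners from a honeypot's
TCP ports, flag any that name a non-Windows product, and list required ports it
does not expose.  Added example, not part of the review; role/port sets,
fingerprint patterns and sample banners are assumptions.  UDP services
(NetBIOS 137/138, DHCP 67, SQL Browser 1434) need a separate UDP probe."""
import re
import socket

# TCP ports each emulated role should expose (UDP ports deliberately omitted).
ROLE_PORTS = {
    "windows_base": {135, 139, 445},
    "exchange": {25, 110, 119, 143},
    "iis": {21, 80, 443},
    "win2k_server": {53, 88, 1433, 3389},
}

# port -> (pattern a Windows product shows, pattern that betrays a Unix product)
EXPECTED = {
    21: (r"Microsoft FTP Service", r"vsftpd|ProFTPD|Pure-FTPd|wu-ftpd"),
    25: (r"Microsoft (E)?SMTP", r"Sendmail|Postfix|Exim|qmail"),
    80: (r"Server:\s*Microsoft-IIS", r"Server:\s*(Apache|nginx|lighttpd)"),
    110: (r"Microsoft Exchange", r"Dovecot|Qpopper|Cyrus"),
    143: (r"Microsoft Exchange", r"Dovecot|Courier|Cyrus"),
}

PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n"}   # client-speaks-first protocols need a request


def assess(port, banner):
    """'windows', 'non_windows', 'unknown' (nothing matched) or 'unchecked' (no rule)."""
    if port not in EXPECTED:
        return "unchecked"
    good, bad = EXPECTED[port]
    if re.search(bad, banner, re.I):
        return "non_windows"      # a leaked product name ends the deception immediately
    if re.search(good, banner, re.I):
        return "windows"
    return "unknown"


def missing_ports(open_ports, roles):
    """Ports the selected roles require that the honeypot does not expose."""
    required = set().union(*(ROLE_PORTS[r] for r in roles))
    return sorted(required - set(open_ports))


def grab_banner(host, port, timeout=3.0):
    """None if the port is closed/filtered, '' if open but silent, else the first reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            if port in PROBES:
                sock.sendall(PROBES[port])
            return sock.recv(1024).decode(errors="replace")
        except OSError:
            return ""


def audit(host, roles, ports):
    """Probe each port; report open/closed ports, a verdict per open port, and missing ports."""
    report = {"open": [], "closed": [], "verdicts": {}}
    for port in sorted(ports):
        banner = grab_banner(host, port)
        if banner is None:
            report["closed"].append(port)
            continue
        report["open"].append(port)
        report["verdicts"][port] = assess(port, banner)
    report["missing"] = missing_ports(report["open"], roles)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # honeypot address (assumed)
    roles = ["windows_base", "exchange", "iis"]
    print(audit(target, roles, set().union(*(ROLE_PORTS[r] for r in roles))))
```

Run it against the honeypot's address after setup; any `non_windows` verdict or non-empty `missing` list is a finding against the emulation criterion, and an `unknown` verdict usually means the emulated service answered with a generic banner that a scanner would not attribute to Windows either.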