How to Use Honeypots to Improve Your Network Security

August 25, 2008 – 5:46 AM

Traditionally, the area of information security has been purely defensive. Classic examples of the defensive mechanisms used in order to protect communication networks include firewalls, encryption and IDS (Intrusion Detection Systems). The strategy follows the classical security paradigm of “Protect, Detect and React.” In other words, try to protect the network as best as possible, detect any failures in that defense, and then react to those failures.

The problem with this approach is that the attacker has the initiative, always being one step ahead. For example, traditional, signature-based antivirus solutions have a hard time keeping up with the flood of new malware appearing each day (since the attackers can test new malware samples before releasing them into the wild). In the last few years, it has become more and more clear that these traditional, network-based defense techniques have severe limitations.

Thus, we need new techniques to improve network defenses. One promising approach is the use of honeypots, a closely-monitored computing resource which we want to have probed, attacked or compromised. More precisely, a honeypot is “an information system resource whose value lies in monitoring unauthorized or illicit use of that resource” – this definition coming from the honeypot mailing list at SecurityFocus at

The value of a honeypot

The value of a honeypot is weighed by the information that can be obtained from it. Monitoring the data that enters and leaves a honeypot lets us gather information that is not available to an IDS. For example, we can log the keystrokes of an interactive session even if encryption is used to protect the network traffic. To detect malicious behavior, IDS requires signatures of known attacks and often fails to detect compromises that were unknown at the time it was deployed.

On the other hand, honeypots can detect vulnerabilities that are not yet understood, so-called “zero-day attacks.” For example, we can detect compromises by observing network traffic leaving the honeypot, even if the means of the exploit has never been seen before.

Honeypots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system. A so-called “high-interaction honeypot” provides a real system with which the attacker can interact. In contrast, a “low-interaction honeypot” simulates only some parts; for example, the low-interaction honeypot “Honeyd” simulates the network stack of arbitrary systems.


You must be logged in to post a comment.