In yesterday's tutorial, Marcus Ranum presented the latest data on the cracker population, as gathered by the Honeynet group, and, while talking way too fast for a presentation, made a good case for honeypots as tools for intrusion detection.
Marcus defines a honeypot as "a security resource whose value lies in being probed, attacked, or compromised".
He further distinguishes between production honeypots, which are "low interaction" systems - giving the attacker access to limited resources through some sort of emulation - designed to secure an organization, and research honeypots, which are "high interaction" systems - basically giving the attacker control of a whole server - targeted at counterintelligence and gaining information on the so-called "black hat" community.
Production honeypots are getting easy to set up, thanks to a new breed of tools. I learned about honeyd during the tutorial; it compiles on most flavours of BSD, GNU/Linux and Solaris, and emulates dozens of systems, including several variations of Windows.
The nice thing about a honeypot is that nobody is supposed to access it as long as it's not advertised. Therefore, any traffic directed at the honeypot is probably suspect. Any traffic coming out of the honeypot is definitely suspect and should trigger an alarm.
So a honeypot, coupled with a station running a network sniffer such as Snort, fits nicely as a network-wide intrusion detection system.
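The two-level rule above (inbound traffic to the honeypot is suspect, traffic originating from the honeypot is an alarm) is easy to turn into a small monitor that sits on the sniffer station. The following is an added example, not code from the post, from honeyd or from the Honeynet project. It assumes a constructed one-line-per-packet log format (timestamp, protocol, src:port -> dst:port), and all addresses in it are made up. The one subtlety it handles is that the honeypot does answer the probes it receives, so a packet leaving the honeypot only counts as "outbound" when it is not a reply to a session an outsider opened first.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed: the honeypot address(es) the sniffer watches. Nobody has a
# legitimate reason to talk to these, so every packet involving them is a finding.
HONEYPOTS = [ipaddress.ip_network("10.0.0.5/32")]

# Constructed packet-log format: "<date> <time> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: a scan of the honeypot's web and NetBIOS ports with
# the honeypot's replies, one honeypot-initiated IRC connection, and one
# unrelated DNS lookup between two ordinary hosts.
SAMPLE_LOG = [
    "2003-10-09 12:00:01 TCP 203.0.113.7:4455 -> 10.0.0.5:80",
    "2003-10-09 12:00:01 TCP 10.0.0.5:80 -> 203.0.113.7:4455",
    "2003-10-09 12:00:03 UDP 203.0.113.7:3000 -> 10.0.0.5:137",
    "2003-10-09 12:00:03 UDP 10.0.0.5:137 -> 203.0.113.7:3000",
    "2003-10-09 12:00:10 TCP 10.0.0.5:1033 -> 198.51.100.9:6667",
    "2003-10-09 12:00:11 TCP 10.0.0.20:33000 -> 10.0.0.1:53",
]


@dataclass
class Alert:
    severity: str   # "WARNING" for probes, "CRITICAL" for honeypot-originated traffic
    reason: str
    line: str


def is_honeypot(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HONEYPOTS)


class HoneypotMonitor:
    """Classifies packets by direction relative to the honeypot.

    Inbound packets from outsiders are recorded as open sessions; a packet
    from the honeypot that mirrors one of those sessions is a reply, not an
    outbound connection, and therefore not an alarm.
    """

    def __init__(self) -> None:
        # (proto, outsider_ip, outsider_port, honeypot_ip, honeypot_port)
        self.inbound_sessions: Set[Tuple[str, str, str, str, str]] = set()

    def feed(self, line: str) -> Optional[Alert]:
        m = LINE_RE.match(line)
        if not m:
            return None  # unparseable line; a real deployment would count these
        proto, src, sport, dst, dport = (
            m["proto"], m["src"], m["sport"], m["dst"], m["dport"]
        )
        src_hp, dst_hp = is_honeypot(src), is_honeypot(dst)

        if dst_hp and not src_hp:
            # Unsolicited traffic towards the honeypot: probably a probe.
            self.inbound_sessions.add((proto, src, sport, dst, dport))
            return Alert("WARNING", "unsolicited traffic to honeypot", line)

        if src_hp and not dst_hp:
            if (proto, dst, dport, src, sport) in self.inbound_sessions:
                return None  # the honeypot answering a probe we already flagged
            # The honeypot opened a connection on its own: it is very likely compromised.
            return Alert("CRITICAL", "honeypot initiated outbound traffic", line)

        return None  # traffic between ordinary hosts, or honeypot to honeypot


def scan(lines: List[str]) -> List[Alert]:
    monitor = HoneypotMonitor()
    return [a for a in (monitor.feed(ln) for ln in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.severity:8} {alert.reason}: {alert.line}")
```

Run against the sample log, the two probes come out as warnings, the honeypot's two replies are silently matched to them, and the connection to port 6667 is the one critical alert. Session state here lives only in memory and never expires; a monitor meant to run for weeks would age out entries and, as the post suggests, feed the critical alerts into the sniffer's alerting rather than print them.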