This chapter discusses the basic aspects of Honeypots, how they are implemented in modern computer networks, and their practical uses and implementation in educational environments, providing the reader with the most important points regarding the main characteristics of Honeypots and Honeynets. Honeypots are defined as “closely monitored network decoys” that can be set up by network administrators to deal with a wide variety of attacks and to interact with users at different levels (Provos, 2004). The implementation of Honeypots provides an answer to a common question posed by the field of information security and forensics: how to dissect the elements that make up an attack against a computer system. The chapter summarizes the different features and capabilities of Honeypots once they are set up in a production environment, clarifying the elements that need to be configured for a Honeypot to accomplish its main tasks and to be considered an effective tool. The end of the chapter shifts towards the analysis of virtualization as an important tool that maximizes the practical use of Honeypots in controlled environments focused on the study of attacks, responses and analysis methods.
Honeypots are a relatively new technology that possesses enormous potential for the information technology community. The first references to Honeypots were discussed by notable figures in the Information Security community, such as Cliff Stoll (2002) and Bill Cheswick (1997), particularly in the work of the latter, which included his experiences tracking down attackers on AT&T’s networks and information resources. Since then, those concepts have evolved into a potent security tool (Riebach, Rathgeb & Tödtmann, 2005). Bill Cheswick’s work guides users into the field of intrusion detection systems, offering a solid foundation for people looking to understand the basics of Honeypots. In a stricter sense, a Honeypot possesses the features of both an intrusion detection system (it contains mechanisms that can properly detect when a system intrusion takes place, as long as the Honeypot is set up to detect and repel such an intrusion in real time) and a cyber-forensics study aid (providing users with detailed reports that depict the nature of attacks, including the intruder’s activities inside a breached computer system) (Schneier, 2000). Even though a Honeypot may display the characteristic form of an intrusion detection system, it should not be regarded as one per se, because its main purpose is simply to act as a potential target (despite its considerable complexity in terms of configuration and placement inside a network) for an equally potential rogue user, rather than an integrated system with a centralized reporting console and remotely running agents that report suspicious activity in real time (Dalton, King & Osmanoglu, 2001). Still, Honeypots and intrusion detection systems share common elements, such as reporting capabilities (logs and reports), network placement, monitored events and activity alerts.
Because of these features, Honeypots can also be described as proactive security tools: they record information that is valuable for properly configuring security countermeasures inside a network even before attacks take place, and for analyzing the network in order to prevent future attacks. They can also be reactive security tools: a Honeypot can trigger services that gather information, or disguise itself as a target while the attacker breaches and/or damages the system.
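To make the shared elements concrete (a monitored decoy, logged events, activity alerts and a forensic report), the following added example, which is not code from the chapter or its cited authors, implements a minimal low-interaction Honeypot: a TCP listener on a port no legitimate service uses, where every connection is recorded as an event, turned into an alert, and summarized per source. The decoy address 127.0.0.1:2222 and the field names are assumptions chosen for the example.

```python
import json
import socket
import time
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    """One interaction with the decoy: who connected, when, and what they sent."""
    ts: float
    src: str
    dst_port: int
    data: bytes


def alert_for(ev: Event) -> dict:
    """Any traffic to the decoy is suspect, since nothing legitimate should talk to it.
    A bare connect with no payload is a 'probe'; anything sent is an 'interaction'."""
    kind = "interaction" if ev.data else "probe"
    return {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ev.ts)),
            "src": ev.src, "dst_port": ev.dst_port, "kind": kind,
            "sample": ev.data[:64].decode("ascii", "replace")}


def report(events: list) -> dict:
    """Summary a forensic reviewer wants first: per-source counts and the time span."""
    if not events:
        return {"total": 0, "sources": {}, "first_seen": None, "last_seen": None}
    return {"total": len(events),
            "sources": dict(Counter(ev.src for ev in events)),
            "first_seen": min(ev.ts for ev in events),
            "last_seen": max(ev.ts for ev in events)}


def serve(host: str, port: int, events: list, max_conns: int = 10) -> None:
    """Accept connections, read whatever the peer sends first, log each as an Event."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        for _ in range(max_conns):          # bounded so the demo terminates
            conn, (src, _) = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(1024)   # first bytes only; the decoy never replies
                except socket.timeout:
                    data = b""
            ev = Event(time.time(), src, port, data)
            events.append(ev)
            print(json.dumps(alert_for(ev)))   # alert in real time, one JSON line each


if __name__ == "__main__":
    log = []
    serve("127.0.0.1", 2222, log)   # assumed decoy address and port
    print(json.dumps(report(log)))  # forensic summary once the run ends
```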