Page II: You can avoid information overload from firewall and intrusion detection system reports by running a honeypot on your network. However, there are potential risks that a real honeypot poses to overall security.
Virtual disadvantages
There are two main drawbacks to virtual honeypot systems. First, they'll fool only the less sophisticated hackers. Remember that virtual honeypots don't have an underlying operating system (aside from perhaps a very limited embedded version of Windows or Linux). Because of this, many of the commands that a more experienced hacker might issue simply won't work. This instant tip-off tells hackers that they're accessing a honeypot rather than an actual server.
The other limitation to virtual honeypots is in the type of information the honeypot is capable of logging. For example, if a virtual honeypot is posing as an FTP server, it will obviously capture FTP-related information. It will probably also capture port probes and other common types of attacks. What happens, though, when an attacker tries to send encrypted traffic through an obscure IPv6 port? Chances are that a virtual honeypot will not have anticipated such a move from the hacker and will not know how to log it. To put it simply, virtual honeypots are good at detecting known types of attacks, but they do not fare very well in catching newly devised attacks.
Real honeypot advantages
A real honeypot, on the other hand, is one or more real systems that have been set up as bait systems. Because a real honeypot is a real system with a real operating system, it will respond to hacker requests in the same way a production network would. This has its good and bad points. On the upside, it's almost impossible for hackers to realise that they're accessing a honeypot and not a production network. In fact, about the only thing that could give it away would be if the honeypot network were not updated on a regular basis.
Where a real honeypot really shines is in detection. Remember that any traffic destined for the honeypot is assumed to be malicious. Therefore, it doesn't matter at all what type of attack a hacker might be using; a real honeypot should be able to detect it.
Real honeypot disadvantages
The downside to a real honeypot is that a hacker could potentially take control of a honeypot server and use it as a place from which to attack your production servers. To block this attack, you'll want to set up a firewall between your honeypot network and your production network that blocks all traffic between the two. Some of the more sophisticated Linux honeypots have mechanisms in place to prevent hackers from accessing production machines, but Windows honeypots don't have such a feature at this time.
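The two points above (any traffic destined for the honeypot is treated as suspect, and the honeypot itself must never be allowed to reach production) translate directly into detection logic. The following is an added example, not code from the original article: it runs over a few constructed flow records and raises an alert for any unsolicited traffic to the honeypot segment regardless of protocol or port, and a critical alert if the honeypot ever initiates a connection into production, which would mean the separating firewall has failed or been bypassed. The address ranges, the maintenance host, and the key=value log format are assumptions.

```python
"""Honeypot-centric detection over constructed flow records.

Added example, not from the original article. Network ranges, the
maintenance host and the flow log format are assumptions; the sample
flows are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed addressing: the honeypot segment and production are separate networks.
HONEYPOT_NET = ipaddress.ip_network("10.99.0.0/24")
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")
# Assumed management host allowed to reach the honeypot (patching, log collection).
MAINTENANCE_HOSTS = {ipaddress.ip_address("10.10.0.2")}

# Constructed sample flow records, one per line.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01Z src=203.0.113.7 dst=10.99.0.5 proto=tcp dport=21
2024-03-01T10:00:02Z src=203.0.113.7 dst=10.99.0.5 proto=tcp dport=22
2024-03-01T10:00:05Z src=198.51.100.9 dst=10.99.0.5 proto=udp dport=53
2024-03-01T10:00:06Z src=10.10.0.2 dst=10.99.0.5 proto=tcp dport=22
2024-03-01T10:00:07Z src=10.10.4.20 dst=10.10.4.21 proto=tcp dport=445
2024-03-01T10:01:00Z src=10.99.0.5 dst=10.10.4.21 proto=tcp dport=445
2024-03-01T10:01:01Z src=10.99.0.5 dst=203.0.113.7 proto=tcp dport=4444
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Alert:
    severity: str
    reason: str
    line: str


def parse_flow(line):
    """Parse one record; returns None for lines that do not match the assumed format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])  # handles IPv4 and IPv6 alike
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["dport"] = int(d["dport"])
    return d


def classify(flow, line):
    """Apply the honeypot rules: no attack signature needed, only direction matters."""
    src, dst = flow["src"], flow["dst"]
    if src in HONEYPOT_NET:
        if dst in PRODUCTION_NET:
            # The firewall between the two networks should make this impossible.
            return Alert("critical", "honeypot reached production: containment failure, treat honeypot as compromised", line)
        return Alert("high", "honeypot initiated outbound traffic: possible pivot or callback", line)
    if dst in HONEYPOT_NET and src not in MAINTENANCE_HOSTS:
        # Any unsolicited traffic to the honeypot is suspect, whatever the port or protocol.
        return Alert("medium", f"unsolicited traffic to honeypot ({flow['proto']}/{flow['dport']})", line)
    return None


def analyze(text):
    """Return the list of alerts raised over a block of flow records."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = classify(flow, line)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts per severity."""
    counts = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for a in found:
        print(f"[{a.severity}] {a.reason}: {a.line}")
    print(summarize(found))
```

Over the constructed records this yields three medium alerts (the two FTP/SSH probes and the DNS packet, which is flagged without any DNS-specific rule), one critical alert for the honeypot reaching a production host, and one high alert for the honeypot calling out to an external address; the maintenance host's SSH session and the normal production-to-production flow raise nothing. The maintenance allowlist is the one piece of tuning a real deployment needs, since patching and log collection are legitimate traffic to the honeypot.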
The winner is typically real
In many environments, a real honeypot is far superior to a virtual honeypot. However, before you go out and invest in a real honeypot, you need to consider the costs. You'll need a machine to run it on and software licences for the operating system and any applications that might be running on the honeypot. Finally, you must decide if you're willing to accept the potential risks that a real honeypot poses to overall security.