Beat security thieves at their own game! Trap network intruders by simulating traffic on an isolated system.
Catching a skilled intruder in the act can be a tricky business. Indeed, much of network security is essentially a sophisticated game of hide and seek, in which attackers camouflage themselves among legitimate traffic and doctor system logs to avoid detection. Even after discovering a security breach, administrators often find it difficult or impossible to determine the extent of the compromise or how it was accomplished.
Honeypots as bait
One trick favored by hunters since prehistoric times still proves useful in the world of digital networks: bait. Security specialists often construct systems that appear vulnerable to attack but actually offer no access to valuable data, administrative controls, or other computers. These machines, known as "honeypots," are intended to be attacked and have no legitimate users or traffic, so any connection to them is suspect by definition, leaving a foiled intruder exposed and relatively easy to monitor. Placed strategically within a LAN or alone on a dedicated Internet connection, honeypots can lure attackers away from valuable network hosts, collect data for research or legal action, and alert administrators to attacks in progress.
Several commercial vendors offer high-powered honeypot packages that can simulate entire network segments on a single machine. Applications such as PGP Security's CyberCop Sting and Recourse Technologies' Manhunt typically require a dedicated host with substantial processing power and available memory. In return, they can provide an elaborate environment to keep intruders very busy.
A number of developers and security enthusiasts also offer cheap or free tools that simulate vulnerable server software, such as Fred Cohen's Deception Toolkit and NFR Security Inc.'s BackOfficer Friendly. These applications listen for inbound traffic on TCP ports used by common servers (FTP, telnet, HTTP, Back Orifice, etc.) and answer with scripted responses approximating those expected from a standard server, while recording everything the client sends. These fake responses are relatively easy to spot, but the systems themselves require few resources and can still provide valuable data before an attacker is warned off.
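A minimal scripted-response honeypot of the kind just described, written for this article as an added example and not code from any of the products named. It listens on an assumed unprivileged port (2121), answers with FTP-style replies that never grant access, and appends one JSON record per session to an assumed log file (honeypot.log).

```python
"""Low-interaction honeypot: scripted FTP-style replies plus per-session logging."""
import json
import socketserver
import time

LOG_PATH = "honeypot.log"   # assumed log location for this example
LISTEN_PORT = 2121          # assumed unprivileged port; real FTP would be 21


class FakeFtp:
    """Session state that imitates an FTP server but can never log anyone in."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.commands = []      # every line the client sent, in order

    def banner(self):
        return b"220 FTP server ready.\r\n"

    def respond(self, line):
        """Return the scripted reply for one client command and record it."""
        text = line.decode("latin-1", "replace").rstrip("\r\n")
        self.commands.append(text)
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return b"331 Password required.\r\n"
        if verb == "PASS":
            # Always reject: the bait offers no access, but the attempt is captured.
            return b"530 Login incorrect.\r\n"
        if verb == "QUIT":
            return b"221 Goodbye.\r\n"
        return b"500 Unknown command.\r\n"

    def record(self):
        return {"time": time.time(), "peer": self.peer,
                "user": self.user, "commands": self.commands}


class Handler(socketserver.StreamRequestHandler):
    timeout = 60            # drop idle connections so a scanner cannot tie us up

    def handle(self):
        session = FakeFtp(self.client_address[0])
        self.wfile.write(session.banner())
        for line in self.rfile:
            self.wfile.write(session.respond(line))
            if line.upper().startswith(b"QUIT"):
                break
        with open(LOG_PATH, "a") as fh:
            fh.write(json.dumps(session.record()) + "\n")


def serve(port=LISTEN_PORT):
    """Build the listener; caller runs serve_forever() (nothing binds on import)."""
    return socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler)


if __name__ == "__main__":
    serve().serve_forever()
```

Because the host has no legitimate users, every record in the log is worth reading; a real deployment would also forward it off the box so an intruder cannot doctor it.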