A US Army tank officer-turned-network security expert explains how he sets traps for hackers and watches them play. Not voyeurism, he says, for there are real lessons to be learnt here...some very real lessons
"Will you walk into my parlor?" said the spider to the fly;
"’Tis the prettiest little parlor that ever you may spy.
The way into my parlor is up a winding stair,
And I have many curious things to show when you are there."
The Spider and The Fly, Mary Howitt (1799-1888)

That’s more or less Lance Spitzner’s message to the blackhats, the vile
hackers who probe computer networks and systems. He lures blackhats into hacking
his systems and, unlike the spider, he does not ambush them. Instead, like an
ardent Discovery Channel viewer who watches, without batting an eyelid, a
gazelle being slaughtered by a carnivore, he observes every move that the
hacker makes. He can afford to, because the system the blackhat is hacking into
is a dud, a system of no real worth, popularly known as a honeypot.
Of honey, pots & nets

A honeypot is a system whose value lies in its being probed, attacked, or
compromised, usually for the purpose of detecting or alerting on blackhat
activity. Where traditional security tools like firewalls and Intrusion
Detection Systems (IDS) are designed to ward off blackhats and limit the damage
they cause, a honeypot aims to get a hacker to attack and compromise a
system. Typically, honeypots have been systems that emulate other systems or
known vulnerabilities. Now, why on earth would anyone want to do that? To watch,
says Spitzner, and to learn. A former tank officer with the US Army turned
security expert on the net, Spitzner says the main utility of honeypots lies in
the significant insight they offer into hacker behavior.
Such insights can be used to create strategies and tools to combat
security threats. Based on what he has learned from such voyeurism, for
instance, Spitzner has been able to armor common operating systems like Linux and
Solaris against most hacker attacks. Sometimes, when blackhats look like they are
on the verge of launching a major attack (see box), Spitzner uses the
information either to warn off the hackers themselves or to alert the relevant
security authorities.
The honeypot, however, has a couple of drawbacks. The trap is sometimes too
obvious, and therefore easily detected by a veteran blackhat, who then leaves in
a hurry. In those circumstances the watchers cannot get as much data on hacker
behavior as they would like. So the watchers are trying to evolve almost as
fast as the hackers. Lance, along with several other security professionals, has
developed a more complex version of the honeypot called the honeynet. "It is
different from a traditional honeypot.
One, it is not a single system but a network of multiple systems which sits
behind an access control device where all inbound and outbound data is
controlled and captured," says Spitzner.
The other main difference is that unlike traditional honeypots, which emulate
weaknesses and even whole systems or operating systems, all systems placed within
the honeynet are real standard production systems. "In a honeynet, all the
systems and applications are real. Nothing is emulated nor is anything done to
make the systems less secure," adds Spitzner.
How honeynets work

The greatest problem any security professional faces is information
overload. The challenge for most is determining, from extensive amounts of
information, what is standard production traffic and what is blackhat activity.
Tools and techniques like IDSs, host-based forensics, and system log analysis try
to solve this by using a database of known signatures or algorithms to
differentiate between production traffic and malicious activity.
But the volume of data generated, data pollution, and false positives and
false negatives make such analysis exceedingly painful.
A false positive occurs when the IDS raises an alarm on normal user activity,
such as production traffic. A false negative occurs when the network is
attacked and the IDS fails to raise an alarm even though it should. Like
all honeypots, the honeynet solves this problem of data overload by default.
"A honeynet is a network designed to be compromised, not to be used for
production traffic. By definition, any traffic entering or leaving the network
is suspicious. Any connection initiated from the honeynet to an outside network
indicates that a bad guy is prowling around," says Spitzner.
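The rule Spitzner states above, that anything entering or leaving a honeynet is suspect and anything the honeynet itself initiates is worse, turns directly into detection logic. What follows is an added example written for this page, not code from the article or from the Honeynet Project; the honeynet address range, the flow record format and the sample records are all constructed for the illustration.

```python
"""Added example: the honeynet "everything is suspicious" rule over flow records.

Not from the article or the Honeynet Project. The address range, record
format and sample flows below are assumptions made for the illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed: the honeynet sits behind the access control device on this range.
HONEYNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records, one per line:
# "src_ip src_port dst_ip dst_port proto", where src is the side that
# opened the connection. The last line is ordinary production traffic.
SAMPLE_FLOWS = """\
203.0.113.7 51234 192.0.2.10 22 tcp
203.0.113.7 51235 192.0.2.10 80 tcp
198.51.100.4 40001 192.0.2.11 445 tcp
192.0.2.10 33000 198.51.100.99 6667 tcp
192.0.2.10 33001 203.0.113.7 4444 tcp
10.0.0.5 55000 10.0.0.8 443 tcp
"""


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    dst_port: int
    proto: str
    reason: str


def classify_flow(line):
    """Return an Alert for a flow touching the honeynet, or None otherwise.

    Inbound to the honeynet: suspicious by definition, nobody should be there.
    Outbound from the honeynet: a honeynet host is reaching out, which means
    it has been compromised and is being used, so it is rated higher.
    """
    src_ip, _src_port, dst_ip, dst_port, proto = line.split()
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src in HONEYNET:
        return Alert("high", src_ip, dst_ip, int(dst_port), proto,
                     f"outbound connection from honeynet host {src_ip} to {dst_ip}:{dst_port}/{proto}")
    if dst in HONEYNET:
        return Alert("medium", src_ip, dst_ip, int(dst_port), proto,
                     f"inbound probe of honeynet host {dst_ip}:{dst_port}/{proto} from {src_ip}")
    return None  # production traffic: the honeynet has nothing to say about it


def analyse(flow_text):
    """Classify every non-empty record; there is no signature database to consult."""
    return [a for a in (classify_flow(l) for l in flow_text.splitlines() if l.strip()) if a]


def summarise(alerts):
    """Alert counts per severity."""
    counts = {"high": 0, "medium": 0}
    for a in alerts:
        counts[a.severity] += 1
    return counts


def probes_by_source(alerts):
    """Which outside addresses probed the honeynet, and which ports they touched."""
    probes = {}
    for a in alerts:
        if a.severity == "medium":
            probes.setdefault(a.src, []).append(a.dst_port)
    return probes


if __name__ == "__main__":
    alerts = analyse(SAMPLE_FLOWS)
    for a in alerts:
        print(f"[{a.severity}] {a.reason}")
    print(summarise(alerts))
    print(probes_by_source(alerts))
```

Every record that touches the honeynet produces an alert and the production flow produces nothing, which is the whole point: the data-reduction that an IDS has to earn with signatures comes for free from where the sensor is placed.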
Should I get some honey?

Despite being the driving force behind the honeynet project, Lance is not
quick to recommend honeynets for most organizations.
"I wouldn’t recommend deploying honeynets for commercial
organizations. It really does not protect their resources. On the other hand, it
may consume a lot of their resources. However, some of the lower interaction
honeypots are very secure and help in intrusion detection and organizations
could benefit from them," says Spitzner.
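A low-interaction honeypot of the kind Spitzner recommends here emulates a service instead of running it: it answers with a plausible banner, records who connected and what they sent, and interprets none of it, so there is no real service to exploit. The following is an added example for this page, not Spitzner's or the Honeynet Project's code; the fake SMTP banner, the loopback listener and the probe payloads are assumptions made for the demonstration.

```python
"""Added example: a minimal low-interaction honeypot on one TCP port.

Not from the article or the Honeynet Project. The banner, the loopback
address and the simulated probes are assumptions for the demonstration.
"""
import socket
import threading
import time

FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"  # assumed banner


class LowInteractionHoneypot:
    """Listen on one port, send a fake banner, log what arrives, act on nothing."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick one
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.events = []                      # every entry is an intrusion indicator
        self._lock = threading.Lock()
        self._stopping = False
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stopping:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return                        # listening socket was closed
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            conn.sendall(FAKE_BANNER)
            try:
                data = conn.recv(1024)        # capture the probe, never execute it
            except socket.timeout:
                data = b""
            with self._lock:
                self.events.append({"peer": peer[0], "sent": data.decode("latin-1")})

    def wait_for_events(self, count, timeout=5.0):
        """Block until `count` events have been logged or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        self._stopping = True
        self._thread.join(timeout=2.0)
        self.sock.close()


def simulate_probe(port, payload):
    """Constructed attacker behaviour: connect, read the banner, send one command."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def run_demo():
    """Start a honeypot, hit it with two constructed probes, return what it saw."""
    hp = LowInteractionHoneypot().start()
    try:
        banners = [simulate_probe(hp.port, b"EHLO scanner.example.test\r\n"),
                   simulate_probe(hp.port, b"VRFY root\r\n")]
        hp.wait_for_events(2)
    finally:
        hp.close()
    return banners, hp.events


if __name__ == "__main__":
    banners, events = run_demo()
    for e in events:
        print(f"probe from {e['peer']}: {e['sent'].strip()!r}")
```

Because the listener understands no commands, a VRFY or anything nastier is just bytes in the log, which is why this class of honeypot is safe to put on a production network while a honeynet of real systems is not.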
Honeynets are better suited to "information sensitive"
organizations like the government, the military, and research institutions like
universities, which can afford to invest the resources. For instance, the
United States government deploys a honeynet to monitor malicious attacks on
its sites. Among other things, the operators warn site administrators whose sites are
likely to be attacked, and they often work with the FBI to deal with any legal
issues arising out of the surveillance.
In conclusion

Honeypots, including honeynets, are at the moment fringe technology as far
as the security industry is concerned. Awareness is not very high, the value of
deploying them commercially is not very clear, and they are expensive, requiring
among other things round-the-clock monitoring and maintenance.
"We are right now where firewalls were 8-9 years ago. But as they gain
acceptance, people should not forget that honeypots and honeynets will do very
little to keep out the bad guys. That will have to be taken care of by
procedures like virus scanning, installing patches, and disabling unnecessary
services—the boring stuff. Honeypots are at best complementary to firewalls
and IDSs. I hope people and organizations keep this in mind," says
Spitzner.
Whether honeypots will ever be mainstream security technology is something
only time will tell. But the idea of tracking hackers will continue to excite
many in this world where hats and morality are in two distinct colors—black
and white.