One of the best sources of honeypot information is the Honey Project, led by Lance Spitzner. I'm an alum of that project, and I had a great deal of fun taking part in it. Over the years, I also learned a lot by reading the great research papers at www.honeynet.org.
A honeypot, by definition, is typically a computer that has no actual production use, other than to act as fly paper for attackers. Designed to look unprotected and inviting, its purpose is to lure in malicious hackers to either isolate them or simply learn about their methods. There are a number of variations on the theme beyond full-blown end systems. Honeypot accounts -- that have no production use -- can detect password-guessing attacks; honey tokens, which may include cookies, files, and other data elements, can also be used to track malicious hackers.
Regardless of the honeypot being used, you have to be careful about its compromise and misuse. If a bad guy takes over a honeypot machine and starts using it as a launch point to attack other systems, or worse yet, other enterprises, you have a serious problem. Not only could that spell severe consequences for your career advancement, but you could also be held liable for damages resulting from the honeypot misuse.
Thus, make sure you limit any honeypot's ability to interact with other network systems. The honeypot can be firewalled off, or its connections can be limited by a network-based IPS tool. Monitor your honeypot carefully, using host-based IDS and IPS products. When the detection and prevention systems recognize an attacker, respond quickly before the hacker can cause damage elsewhere in your environment.
Finally, it's important to talk with your lawyers about any legal issues that may arise from enterprise honeypot monitoring and deployment.
This was first published in January 2008