
Honeypots can strengthen reconnaissance and lower intrusion noise

Ira discusses the value, feasibility and ethical/liability issues of employing honeypots.

The concept of a honeypot is fairly simple: Put a supposedly vulnerable computer containing valuable information on your network or perimeter DMZ, then sit back and wait for hits on the system. Since there's no valid business purpose for access, the honeypot system will reliably indicate hacker attempts or suspect activity. Technically astute staffers, system maintenance and a sound policy defense are required investments, yet for some organizations honeypots provide a cost-effective, proactive security layer for sensitive information systems.

Honeypots entice intruders to focus on faux computer systems, while documenting an evidence trail. The systems replicate vulnerable servers and workstations. Depending upon the product and the amount of customization performed, a honeypot can appear to run susceptible applications and contain valuable intellectual property. The assumption is that the hackers will focus their efforts on the information and systems, and allow the security personnel to study their efforts.


The value of a honeypot placed behind a firewall, or in another protected network location, is its ability to filter out which attacks truly need investigating. Unauthorized access attempts, from within and outside an organization, pound networked systems daily. In fact, individual IP addresses are scanned 3-5 times a day given the abundant broadband connections, widely available scanning tools and thousands of script kiddies. All this translates into an inordinate amount of intrusion noise. While intrusion-detection systems can identify suspect traffic patterns, they also create false positive alerts (and, even worse, false negatives). Honeypots, by contrast, are also subject to false positives but incur bogus results less frequently (typically from mistyped IP addresses and system names, or from IT's use of network scanning tools for finding vulnerabilities).

More importantly, the suspect activity identified on a honeypot system can hone an organization's threat reconnaissance. It enables security pros to refine their searches for new attacks, and potentially assess the skill and intent of the attacker. A honeypot system acts as an early warning system -- it identifies an attack in progress, highlights the methods the attacker is using and reveals what the perpetrator is looking for.
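As an added illustration of the two preceding paragraphs (not code from the article or its author), the following script triages honeypot hits from constructed firewall-style connection records: because the decoy has no business purpose, every source that reaches it is reported, except an allowlisted IT vulnerability scanner, and each source is summarized by the ports it probed. The honeypot address, scanner address, log format and the "single internal touch is a possible typo" heuristic are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed for this example: the decoy's address and IT's own vulnerability scanner.
HONEYPOT_HOSTS = {"10.0.5.20"}
KNOWN_SCANNERS = {"10.0.1.9"}

# Constructed firewall-style connection records: timestamp, source, destination, port.
SAMPLE_LOG = """\
2005-01-10T02:14:07 src=10.0.1.9 dst=10.0.5.20 dport=22
2005-01-10T02:14:08 src=10.0.1.9 dst=10.0.5.20 dport=80
2005-01-10T02:31:55 src=203.0.113.45 dst=10.0.5.20 dport=445
2005-01-10T02:31:56 src=203.0.113.45 dst=10.0.5.20 dport=139
2005-01-10T02:31:57 src=203.0.113.45 dst=10.0.5.20 dport=1433
2005-01-10T03:02:11 src=10.0.7.33 dst=10.0.5.20 dport=3389
2005-01-10T03:05:00 src=10.0.7.12 dst=10.0.5.21 dport=443
"""

LINE_RE = re.compile(r"^(\S+) src=([\d.]+) dst=([\d.]+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None


def triage(log_text, honeypots=HONEYPOT_HOSTS, scanners=KNOWN_SCANNERS):
    """Map each non-allowlisted source that touched a honeypot to its probed ports
    and a verdict (multi-port = reconnaissance; one internal touch = possible typo)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        _, src, dst, dport = rec
        if dst in honeypots and src not in scanners:
            hits[src].add(dport)
    report = {}
    for src, ports in hits.items():
        internal = src.startswith("10.")  # assumption: 10/8 is the internal range here
        if len(ports) > 1:
            verdict = "probable reconnaissance"
        elif internal:
            verdict = "review: single internal touch (possible mistyped address)"
        else:
            verdict = "alert: external access to decoy"
        report[src] = {"ports": sorted(ports), "verdict": verdict}
    return report
```

The per-source port list is what gives the early-warning value described above: it shows which services the visitor was looking for, and the allowlist keeps IT's own scans out of the alert stream.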

From a technological perspective, honeypots have little downside. But there's more to consider than technology, such as the technical ability and available time of your administration and security staffs. Giving an overworked staff more tasks to do won't generally improve an organization's security. And if the staff isn't technically competent to understand, implement, maintain and act on the information obtained from the honeypot system, it will have minimal effect on improving security. However, it's a great tool for staffs that adequately maintain their own systems, and for individual departments that work on highly sensitive information or maintain a large number of computer systems. In general, other departments within a company should leave honeypots to the corporate security staff.

There are potential legal arguments as well, which are sometimes used by intruders snagged by honeypots: Some argue that the honeypot was an "attractive nuisance" or its use amounts to entrapment. While such arguments could be ignored, they've been commonly raised as a defense. As long as your company has the appropriate computer usage policies for insiders, and the standard warnings for outsiders, you shouldn't have a problem.

For organizations with valuable intellectual property, knowledgeable security staff, and adequate time for maintaining faux systems and managing detected incidents, honeypots provide a strong value proposition.

About the author
Ira Winkler, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.

This was last published in January 2005
