The Value of a Honeynet
Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this purely defensive approach is that the enemy is offensive and on the attack. Honeynets attempt to change this approach to security by giving organizations the ability to be proactive and take the initiative. The primary purpose of a Honeynet is to gather information about threats that exist. New tools can be discovered, worms can be captured and analyzed before they do extensive damage and attack patterns can be determined. Captured information can also be used as an early warning system, alerting users of attacks before they happen.
Honeynets can also provide an organization with valuable information on its own security risks and vulnerabilities. Honeynets can consist of the same systems and applications that an organization is using for its production environment. Risks and vulnerabilities that exist in a Honeynet (which is far more closely monitored and analyzed) identify risks and vulnerabilities in an organization's production environment. For example, a company may want to implement a new web server interface for credit card use. Both the system and application can first be tested in a Honeynet environment to identify any unknown risks or vulnerabilities.
Additionally, a Honeynet can help an organization develop its Incident Response capabilities. It can vastly improve an organization’s ability to detect, react to, recover from and analyze systems that have been compromised. The advantage of analyzing these compromised systems is that, since most of the answers already exist, these systems can be viewed as a 'challenge', allowing organizations to test their abilities to determine what happened using various forensic techniques. These results can be compared to the data captured from within the Honeynet. This information can also be used to determine if any other systems within an organization’s production network have been compromised.