How Honeynets Work
Conceptually, Honeynets are a simple mechanism. In many ways, a honeynet is similar to a fishbowl - researchers and security professionals can see everything that happens inside it and watch for and monitor attackers in the network. Also, just like a fishbowl, there are many options for adding to and altering a Honeynet.
Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining from vast amounts of information what is production traffic and what is malicious activity. Tools and techniques such as Intrusion Detection Systems, host based forensics, or system log analysis attempt to solve this problem by using a database of known signatures or algorithms to determine what is production traffic and what is malicious activity. However, information overload, data pollution, unknown activity, false positives and false negatives can make analyzing and evaluating activity extremely difficult.
Like all honeypots, the Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Thus, any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack or other type of malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised - an attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept greatly simplifies data capture and analysis.
There are two critical requirements that define every Honeynet: Data Control and Data Capture. If there is a failure in either requirement, then there is a failure within the Honeynet. Honeynets are extremely flexible tools; they can be built and deployed in a variety of different ways. As a result, almost no two Honeynets look the same; however, they must all meet the requirements of Data Control and Data Capture.
Data Control is what mitigates risk. It controls the attacker's activity by limiting what can happen both inbound and outbound. The risk is that once an attacker compromises a system within the Honeynet, they can then use that system to attack other non-Honeynet systems, such as organizations on the Internet. The attacker must be controlled so they cannot compromise non-Honeynet systems.
Data Capture collects all the activity that happens inbound, outbound, or within the Honeynet. It provides valuable insight by capturing attackers’ activities. The trick is to both control and capture attackers’ activity, without them realizing that they are within a Honeynet.
There is a third requirement, Data Collection; however, this is only for organizations that have multiple Honeynets in distributed environments. Many organizations will have only one Honeynet, so all they need to do is control and capture data. However, organizations that have multiple Honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. By doing this, the captured data can be combined, exponentially increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed Honeynets.