Honeynet Care, Feeding and Risk
Honeynets are not a "fire and forget" solution- they are a complex type of honeypot that requires constant maintenance, administration and vigilance. For maximum effectiveness, administrators need to detect and react to incidents as soon as possible. By watching blackhat activities in real-time, one can maximize Data Capture and analysis capabilities. Also, to detect the unknown, suspicious activity must constantly be reviewed. This requires extensive time and analysis capabilities. For example, in just 30 minutes a blackhat can do enough damage to a compromised honeypot to require 30-40 hours in order to fully understand what happened.
Constant maintenance is also required to ensure operability of a Honeynet. If something goes wrong - which is definitely not uncommon - the Honeynet Your alert processes may fail, disks can fill, IDS signatures can become outdated, configuration files can become corrupted, system logs will need to be reviewed and firewalls will need to be updated and patched. This represents just a small portion of the constant care and feeding that is required for a Honeynet to be successful. Your work has only begun when you implement a Honeynet!
Virtual Honeynets eliminate some of the headaches associated with deploying and maintaining a Honeynet by combining all the elements of a Honeynet onto one physical system. Not only are all three requirements of Data Control, Data Capture, and Data Collection met, but the actual honeypots themselves run on the single system. The honeypots are actual operating systems. Nothing is emulated. The advantage here is one of both cost and efficiency. It is much cheaper to use a single system to run all the elements of a Honeynet, and it is much easier to deploy and maintain.
Also, there are risks involved with building and implementing a Honeynet that must be considered. Before deploying a Honeynet, it is important to understand and acknowledge that blackhats will be attacking and compromising these systems. By setting up a network to be compromised, administrators expose both themselves and others to risk. They assume a responsibility to ensure that the Honeynet, once compromised, cannot be used to attack or harm other systems. However, with an Honeynet environment, there is always the potential for something to go wrong. There are a variety of measures that can be implemented to mitigate this risk; however, it is quite possible for a blackhat to develop a method or tool that allows them to bypass these access control methods. Also, one needs to be constantly testing and updating the environment to ensure control measures are working effectively. Never underestimate the creative power of the blackhat community! The use of a firewall, routers and other techniques can help mitigate the risk of a Honeynet being used to damage other systems. However, there is risk associated with any Honeynet regardless.
Finally, Honeynets should not be viewed as a solution for all of an organization’s security problems. LinuxSecurity Founder Dave Wreski cautions: “Organizations should focus on best practices first, such as strong authentication, use of encrypted protocols, reviewing system logs and secure system builds. By prioritizing proper policies and procedures, risk can be greatly reduced. Honeynets do not reduce risk - they most likely increase it. Honeynets are designed to gather information on the enemy - they will not fix unsecured servers, nor will they fix bad processes or procedures.”