Frequently Asked Questions

The purpose of this page is to answer the most commonly asked questions concerning honeypot technologies, including what is a honeypot, what's its value, how do they work, and what are the different types. Most of this information was obtained from the honeypot mailing list. This FAQ is maintained by Shaheem Motlekar

Last Modified: 25 March, 2004


Getting Started

Technical Questions



What is a honeypot?
A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Unlike firewalls or IDS sensors, honeypots are something you want the bad guys to interact with. To learn more about what honeypots are all about, you may want to start with the paper Honeypots: Definitions and Values. You can also learn about all the different OpenSource and Commercial honeypots at Honeypot Solutions.

How do honeypots work?
Conceptually, honeypots are very simple. They are a resource that has no production value and no authorized activity, so whenever there is any interaction with a honeypot, it is most likely malicious. For example, if someone on your internal network is scanning for vulnerable desktops and the attacker scans your internal honeypot, the honeypot will easily detect and log this unauthorized activity, as no one should be interacting with it.

What is the value of a honeypot, what can it do for me?
Honeypots are unique in that they don't solve a specific problem. Instead, they are a highly flexible tool with many different applications to security. It all depends on what you want to achieve: some honeypots can be used to help prevent attacks, others to detect attacks, and others for information gathering and research.

What are the advantages of a honeypot?
Honeypots have several powerful advantages. They include:

What are the disadvantages of a honeypot?
Honeypots also have their disadvantages. This is why they do not replace any existing technologies. Instead they work with and complement your existing infrastructure. Below is just a highlight of two issues. To learn more about the problems with honeypots, review the paper Problems and Challenges with Honeypots.

What are the different types of honeypots?
In general, there are two different types, low-interaction and high-interaction. Level of interaction measures how much activity, or interaction, an attacker can have with a honeypot. Low-interaction honeypots limit the level of interaction by emulating services. The interaction an attacker has with the honeypot is limited by how advanced the emulation of the service is. An example of a low-interaction honeypot is Honeyd. In contrast, high-interaction honeypots do not emulate services; instead they provide real applications for attackers to interact with. An example of a high-interaction honeypot is Honeynets. Neither is better than the other. Low interaction is simpler to deploy and has less risk (as the attacker can do less), but you cannot learn as much. With a high level of interaction you can learn a great deal, as the attacker has a real operating system and applications to interact with. However, this comes at a cost: the more interaction you provide, the more complexity and the greater the risk you take on.

Which one is best?
There really is no single best honeypot. Low- and high-interaction honeypots each have their advantages and disadvantages. In general, if you just want to use honeypots as detection devices or burglar alarms, low-interaction may be what you want. If you are looking to gather extensive information on threats, you may want to first consider high-interaction solutions.

I've never worked with honeypots, where should I start?
If you are new to the world of honeypots and want to learn what they are all about, BackOfficer Friendly is the easiest place to start. This is an extremely simple and basic honeypot that can run on any Windows system. It's very limited in its capabilities, but it's excellent for demonstrating honeypot concepts (and it's FREE!). For more advanced users who prefer Unix, Honeyd is an OpenSource solution for Unix.

What are the legal issues of honeypots?
As honeypots are a new technology, people often ask what their legal issues are. While honeypots are not specifically addressed in federal statutes or regulations, the following issues can be seen as a starting point. For specific information, refer to the paper Honeypots: Are They Illegal?. Last, be sure to review with your own legal counsel.

Where can I learn more about honeypots?
One of the best ways to learn about honeypots is from the security community. It's highly recommended you join the Honeypot mailing list to ask questions and learn about honeypot technologies. It's also highly recommended you first read a series of honeypot whitepapers published by the security community.

Where can I learn more about Honeyd?
Honeyd is one of the most powerful, and most likely the most commonly used OpenSource honeypot. You can learn more at Honeyd Homepage. You can also check out the Honeyd FAQ.

What are Honeynets?
Honeynets are one type of honeypot, specifically a high-interaction honeypot. Honeynets are entire networks of real systems designed to be compromised. You can learn more about honeynets in the paper Know Your Enemy: Honeynets.

What do GenI and GenII mean?
There are currently two different types of Honeynets, GenI and GenII. These are acronyms for 1st Generation and 2nd Generation technologies. GenI (or 1st Generation) Honeynets use basic technologies to capture and control attacker activity, mainly a layer three firewall that counts outbound connections. A GenII (or 2nd Generation) Honeynet uses more advanced technologies, specifically a layer two bridge that can not only count connections, but block or modify outbound attacks. It also uses more advanced tools for capturing attackers' keystrokes. You can learn more about GenI and GenII at Know Your Enemy: Honeynets.

What is a Honeywall?
A Honeywall is the honeynet gateway used to implement data control and data capture. Normally it operates as a layer two bridge between the honeypots in your honeynet and your production network. This is one of the most critical elements of a honeynet. You can learn more about the Honeywall in the paper Know Your Enemy: GenII.

What are virtual honeynets?
Virtual honeynets are one type of honeynet, specifically honeynets that run multiple operating systems on the same physical computer. This is done using virtualization software such as VMware or User-Mode Linux. You can learn more about virtual honeynets, the different types, and how to deploy them, at Know Your Enemy: Virtual Honeynets.

What are Honeytokens?
Honeytoken is a term first published by Augusto Paes de Barros. While the concept is not new, the term is. A Honeytoken is a resource, such as a Word document, Excel spreadsheet, or some other type of data, that has no production value or authorized activity. If someone attempts to access or retrieve this data, they are committing an unauthorized act (intentionally or unintentionally). One example of their use would be to have IDS sensors configured to look for someone accessing or transferring a Honeytoken. To learn more about Honeytokens, refer to the paper Honeytokens: The Other Honeypot.
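The IDS use of a Honeytoken described above, as an added example that is not part of the original FAQ: mint a unique token, seed a decoy document with it, and generate the Snort content rule that alerts when the token crosses the wire. The token format, the decoy document and the rule SID are constructed for illustration.

```python
import secrets

# Constructed example: a honeytoken is just data that has no legitimate reason
# to appear anywhere, so any sighting of it on the network is an alert.

def make_honeytoken(prefix="HT"):
    """Return a unique, high-entropy token (hex only, so it needs no escaping
    in an IDS rule and will not collide with real content)."""
    return f"{prefix}-{secrets.token_hex(8)}"

def make_decoy_document(token):
    """A decoy 'spreadsheet' (CSV stand-in) that carries the token in a cell.
    The file itself has no production value; its only job is to be stolen."""
    return "Account,Balance\n" f"Reserve-{token},1250000\n"

def snort_rule(token, sid):
    """Snort rule alerting on any TCP payload that contains the token.
    Assumes the token never occurs in legitimate traffic (true by construction),
    so every match is an unauthorized access or transfer of the honeytoken."""
    return (f'alert tcp any any -> any any (msg:"Honeytoken {token} observed"; '
            f'content:"{token}"; nocase; sid:{sid}; rev:1;)')

def find_honeytokens(payload, tokens):
    """Offline stand-in for the IDS content match: return the tokens that
    appear in a captured payload (case-insensitive, like the rule's nocase)."""
    low = payload.lower()
    return [t for t in tokens if t.lower() in low]

if __name__ == "__main__":
    tok = make_honeytoken()
    print(snort_rule(tok, 1000001))
    # A constructed outbound mail body that happens to carry the decoy file.
    exfil = "Subject: FYI\n\n" + make_decoy_document(tok)
    print("hits:", find_honeytokens(exfil, [tok]))
```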

Can honeypots monitor unused IP space?
Most definitely. We mentioned that one of the disadvantages of honeypots is that they only capture traffic directed at them. To increase the odds of that happening, some honeypots work by monitoring all of your unused IP space. If anyone (or anything) attempts to interact with an IP address that does not have a computer assigned to it, some honeypots can dynamically take over that IP address, assume the identity of the victim, and then interact with the attacker. Two such examples are LaBrea Tarpit and Honeyd. Both work on the concept of ARP spoofing.

Data Control: How can I control what the bad guy is doing?
A critical element of most honeypots, especially Honeynets, is data control, the ability to contain the activity of a bad guy. The purpose of data control is to allow the attacker to gain access to and control a honeypot, but not allow them to go back outbound and harm any non-honeypot systems. Some honeypots, mainly low-interaction honeypots, do not require data control, as they do not allow attackers full access to the operating system. High-interaction honeypots do require data control. An example of data control would be a firewall allowing attackers inbound access to the honeypots (so they could attack them), while the same firewall blocks all outbound attacks from the honeypot. You can learn more about different data control solutions at the Honeynet Tools Page.

Data Capture: How can I capture what the bad guy is doing?
A critical element of any honeypot is data capture, the ability to log, alert on, and capture everything the bad guy is doing. Most honeypot solutions, such as Honeyd or Specter, have their own logging and alerting capabilities. However, you may want additional data capture mechanisms to enhance the capabilities of these honeypots. Also, some solutions, such as Honeynets, require you to deploy your own data capture capabilities. I highly recommend you deploy Snort with any honeypot deployment. Snort is an OpenSource IDS that will not only detect and alert on any attacks against your honeypot, but can also capture the packets and packet payloads involved in the attack. This information can prove critical in analyzing the attacker's activities. If you require more advanced data capture capabilities (such as with SSH sessions), I recommend you check out the Honeynet Tools Page for a complete listing of different tools used to capture what the bad guys are doing.
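Since no one should be interacting with a honeypot, every connection in its log is worth an alert; the parser below, added here and not taken from the FAQ or from Honeyd, turns a honeypot connection log into alerts and tags sources that touch several ports as scans. The log lines are constructed in a simplified Honeyd-style layout (timestamp, protocol, S for start or E for end, source, source port, destination, destination port); the addresses and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, simplified Honeyd-style connection records.
SAMPLE_LOG = """\
2004-03-25-10:15:01.1200 tcp(6) S 10.0.0.5 3421 192.168.1.10 80
2004-03-25-10:15:01.4400 tcp(6) S 10.0.0.5 3422 192.168.1.10 21
2004-03-25-10:15:01.9000 tcp(6) S 10.0.0.5 3423 192.168.1.10 23
2004-03-25-10:15:02.3000 tcp(6) S 10.0.0.5 3424 192.168.1.10 139
2004-03-25-10:15:09.0100 tcp(6) E 10.0.0.5 3421 192.168.1.10 80: 312 0
2004-03-25-10:16:40.5100 udp(17) S 10.0.0.77 1029 192.168.1.10 161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+)\(\d+\) (?P<ev>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)"
)

def parse(log_text):
    """Yield one record per parsable line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def alerts(log_text, scan_threshold=3):
    """One alert per connection start (any contact is unauthorized); a source
    that opens >= scan_threshold distinct proto/port pairs is tagged 'scan'."""
    starts = [r for r in parse(log_text) if r["ev"] == "S"]
    ports_by_src = defaultdict(set)
    for r in starts:
        ports_by_src[r["src"]].add((r["proto"], r["dport"]))
    out = []
    for r in starts:
        kind = "scan" if len(ports_by_src[r["src"]]) >= scan_threshold else "contact"
        out.append((r["ts"], kind, r["src"], f'{r["proto"]}/{r["dport"]}'))
    return out

if __name__ == "__main__":
    for ts, kind, src, service in alerts(SAMPLE_LOG):
        print(f"{ts} ALERT {kind:7} {src} -> {service}")
```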

Where can I learn more about Dynamic Honeypots?
Dynamic Honeypots are the concept where a honeypot application passively learns your network, then dynamically creates virtual honeypots that mirror and populate your network. The concept was first discussed in the paper Dynamic Honeypots. Concept code has also been developed to demonstrate this.

How do I redirect all hostile traffic headed towards my production environment towards a honeypot?
Bait and Switch is the answer. It works on the principle of redirecting all hostile traffic towards a honeypot that mirrors, to an extent, the production systems. The difference is that the honeypots do not hold actual sensitive information, but the attacker ends up attacking the honeypots instead. In addition to keeping your production environment safe, you also get to learn about the attacker. The system is based on Snort, Linux iproute2, netfilter and custom code.

What is Honeyd? Why does everyone talk about it?
Honeyd is a very powerful and flexible OpenSource honeypot developed and maintained by Niels Provos. As this is an OpenSource solution, it's free to use and easy to customize. Often developers will try out new honeypot features using Honeyd, such as dynamic honeypots or tarpitting. In many ways, Honeyd is not a honeypot but a honeypot toolkit, allowing you to build and customize the solution you want. The reason many people discuss or use Honeyd is that it is arguably one of the most powerful low-interaction OpenSource honeypots.

Is there a Honeyd FAQ?
Yup. If you have a problem with Honeyd, it's HIGHLY recommended you start with the Honeyd FAQ first.
