One of the more interesting systems you will encounter is a honeypot. A honeypot may sound like something out of a Winnie the Pooh book, but it is actually a device or system used to attract and trap attackers who are trying to gain access to a system. However, honeypots are far from being just a booby trap; they have also been used as research tools, as decoys, and simply to gather information. They are not designed to address any specific security problem, and they don't fit into any neat classification or category. Honeypots can fulfill a number of different purposes or roles for an organization, but most agree that a honeypot derives its value from being probed, attacked, or compromised by unauthorized parties, that is, from illicit use. Honeypots are designed to be misused and abused, and in that role they stand alone.
In practice the system can appear as any of the following:
- A dedicated server
- A simulated system of some type
- A service on a host designed to look legitimate
- A virtual server
- A single file
In all these examples the honeypot is configured to look like a real item within the environment, but it is anything but that. While a honeypot looks like a real resource and may behave like one, it is never intended to be used for any legitimate purpose. Any activity observed on a honeypot is therefore almost certainly the result of unauthorized or accidental use, and it may well be malicious.

In some circles a honeypot is viewed as a decoy device, but this is also not entirely correct and can be confusing. It is not unheard of for a honeypot to be described as something you put in your DMZ with the goal of having someone break into it. In terms of research this would be a valid and true statement to make, but it doesn't hold up upon closer inspection. The last thing you want as the owner of a network or the person in charge of security is for someone to break into your environment, which is exactly what a decoy in the DMZ invites. Since a DMZ hosts systems such as web servers, email gateways, and other public-facing services, you would not want to draw an attacker's attention to those items in any way.
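The "service on a host designed to look legitimate" form of a honeypot, and the rule that any activity on it is suspect, can be shown concretely. The following is an added example, not code from the book: a low-interaction honeypot that presents a fake login prompt, never authenticates anyone, and records every attempt as a structured alert. The banner text, the listening port, and the JSON log file name are constructed assumptions; the session logic is kept free of socket code so it can be exercised offline.

```python
"""Low-interaction honeypot: a fake login service that never grants access.

Added example (not from the book). The service shows a plausible-looking
login prompt, rejects every credential, and logs each interaction as an
alert, because a honeypot has no legitimate users and any activity on it
is by definition unauthorized or accidental.
"""
import json
import socket
import threading
from datetime import datetime, timezone

BANNER = b"Ubuntu 20.04.6 LTS\r\nlogin: "   # constructed decoy banner
LISTEN_ADDR = ("0.0.0.0", 2323)              # assumed port; choose one that fits the decoy


class HoneypotSession:
    """Per-client state machine; pure logic so it can be tested without sockets."""

    def __init__(self, peer):
        self.peer = "%s:%d" % peer          # (ip, port) tuple as returned by socket.accept()
        self.state = "login"                # alternates between "login" and "password"
        self.username = None
        self.events = []                    # structured records destined for the SIEM

    def _record(self, event, **fields):
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "peer": self.peer,
            "event": event,
            **fields,
        })

    def handle_line(self, line: bytes) -> bytes:
        """Consume one line from the client and return the bytes to send back."""
        text = line.rstrip(b"\r\n").decode("utf-8", "replace")
        if self.state == "login":
            self.username = text
            self.state = "password"
            self._record("login_attempt", username=text)
            return b"Password: "
        # Password state: always reject, but keep what was tried for analysis.
        self._record("auth_failure", username=self.username, password=text)
        self.state = "login"
        return b"Login incorrect\r\nlogin: "


def alerts_by_peer(events):
    """Count rejected logins per source address; any non-zero count is an alert."""
    counts = {}
    for e in events:
        if e["event"] == "auth_failure":
            counts[e["peer"]] = counts.get(e["peer"], 0) + 1
    return counts


def handle_client(conn, peer, log_path):
    """Drive one TCP client through the fake prompt, then append its events to the log."""
    session = HoneypotSession(peer)
    try:
        conn.sendall(BANNER)
        for line in conn.makefile("rb"):
            conn.sendall(session.handle_line(line))
    except OSError:
        pass
    finally:
        conn.close()
        with open(log_path, "a") as fh:
            for e in session.events:
                fh.write(json.dumps(e) + "\n")


def serve(addr=LISTEN_ADDR, log_path="honeypot.jsonl"):
    """Accept connections forever, one thread per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen()
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, peer, log_path), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the honeypot has no legitimate users, `alerts_by_peer` needs no threshold: a single rejected login from any source is already worth investigating. The JSON-lines log is meant to be shipped to whatever collector the organization uses; the honeypot itself should run on an isolated host with no real data, consistent with the point above that you do not want attackers drawn toward production systems.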