A Sweet Technique for Spotting Attacks

(Sidebar to "Network Security Comes Under Spotlight" from the February 2008 issue of Industrial Ethernet Review)



When factory networks are connected to the outside world, it can be difficult to know whether a virus or intruder has gotten beyond firewalls and other protective technologies. One way to find out if and when intruders are probing a network is to employ a honeypot.

These isolated computers sit unprotected and idle on a network, providing an easy target for intruders. Honeypots serve no function other than to monitor suspect activity, so any time they’re accessed, it’s from an unauthorized source.

Setting up a honeypot requires only an inexpensive Windows personal computer (PC). Set-up and monitoring are the key aspects of getting a honeypot working. In a factory floor network, these PCs should be set up to look like a typical node.

“In manufacturing, you have to mimic a production machine. The principle is always the same—fake the environment and provide a decoy. If someone attacks, you will know about it, and have some knowledge about the level of the attack,” says Thorsten Holz, a German Ph.D. student who wrote the book “Virtual Honeypots: From Botnet Tracking to Intrusion Detection.”

When it’s probed, the PC should respond like a typical machine. That helps assure that intruders won’t realize that it’s a decoy set up to alert operators that incursions are occurring. Ease of use is a key benefit of the technology. “With just a normal Windows system emulating your TCP/IP stack, you can collect statistical information with very little maintenance,” Holz says.

Others agree that the technique can provide valuable information. “Honeypots and honeynets are fantastic tools for people who are security aware and can make them part of their approach. Seeing how people are attacking things lets you see how trends are changing, how people attack different ports,” says Bryan Singer, Vice President of Professional Services at Wurldtech Security Technologies Inc., in Vancouver, British Columbia, Canada.

However, he notes that users shouldn’t derive a false sense of security. “They have a finite domain of relevance. Intrusion detection doesn’t prevent anything, it just counts the number of times someone may have tried to get in,” Singer says.
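The principle described above (an idle decoy serves no legitimate traffic, so every connection to it is suspect, and the decoy only records and counts attempts) can be shown with a small TCP listener. This is an added example, not code from the article or from Holz's book; the class name, the loopback address and the use of port 0 (the operating system picks a free port) are assumptions for the demonstration, and a real decoy would listen on the ports a typical node on that network exposes.

```python
import selectors
import socket
import time
from collections import Counter

class DecoyListener:
    """Listens on otherwise unused TCP ports; every connection is recorded as suspect."""

    def __init__(self, host="127.0.0.1", ports=(0,)):
        self.sel = selectors.DefaultSelector()
        self.events = []           # (timestamp, source_ip, source_port, decoy_port)
        self.per_port = Counter()  # decoy_port -> number of connection attempts
        self.ports = []            # ports actually bound (resolved when 0 was requested)
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.bind((host, port))
            srv.listen()
            srv.setblocking(False)
            self.sel.register(srv, selectors.EVENT_READ)
            self.ports.append(srv.getsockname()[1])

    def poll(self, timeout=1.0):
        """Accept pending connections, record them, and close without serving data."""
        new = []
        for key, _ in self.sel.select(timeout):
            try:
                conn, (src_ip, src_port) = key.fileobj.accept()
            except BlockingIOError:
                continue
            conn.close()  # the decoy offers no service; the attempt itself is the signal
            decoy_port = key.fileobj.getsockname()[1]
            event = (time.time(), src_ip, src_port, decoy_port)
            self.events.append(event)
            self.per_port[decoy_port] += 1
            new.append(event)
        return new

    def close(self):
        for key in list(self.sel.get_map().values()):
            self.sel.unregister(key.fileobj)
            key.fileobj.close()
        self.sel.close()

if __name__ == "__main__":
    decoy = DecoyListener(ports=(0, 0))
    print("decoy listening on ports", decoy.ports)
    while True:
        for ts, ip, sport, dport in decoy.poll():
            print(f"ALERT {time.strftime('%H:%M:%S', time.localtime(ts))} {ip}:{sport} -> decoy port {dport}")
```

The per-port counter is the "count of attempts" Singer describes: it tells an operator that something touched the decoy and where, and nothing in the listener blocks or responds to the traffic.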

There’s no disagreement on that caveat from Holz, who also runs an Internet honeyblog that discusses viruses, intrusions and other related issues. Though honeypots will sound the alarm when a system might be under attack, that’s pretty much where their roles end. “You still need to know what to do to protect yourself,” Holz says.

Though their roles are fairly limited, many observers feel that honeypots can play a key role as part of a security strategy. “It’s a simple, cost-effective thing to do, though you do need someone to monitor the machine who knows how to react when something is detected. We recommend them for people concerned about finding activity that shouldn’t be there,” Staggs says.

 

To see the main story this sidebar was taken from - "Network Security Comes Under Spotlight" - please visit http://www.automationworld.com/view-3915
