Frequently Asked Questions

This page answers some of the most frequently asked questions concerning the Honeynet Project.


  1. What is the difference between a honeypot and a Honeynet?
  2. Aren't honeypots trivial to detect?
  3. What do you do to attract blackhats to your Honeynet?
  4. Just how hostile is the blackhat community?
  5. Once compromised, can't the bad guys use one of your honeypots to attack someone else?
  6. Do you prosecute the people that compromise systems within the Honeynet?
  7. Aren't honeypots a form of entrapment?
  8. Do you have a maillist I can join?
  9. How can I join or become involved with the group?
  10. Can someone from the Honeynet Project speak to our organization?
  11. How do I get started in the security field?



1. What is the difference between a honeypot and a Honeynet?
A honeypot is a system designed to be compromised, usually for the purpose of deception or alerting of blackhat activity. Traditionally, honeypots have been systems that emulate other systems or known vulnerabilities. A Honeynet is different; it is a tool for learning. Its two biggest design differences are as follows:

2. Aren't honeypots trivial to detect?
This is true of classic honeypots that EMULATE an operating system, but only if the attacker is skilled enough to know how to recognize that things are not right. If designed well, the Honeynet is harder to detect because it uses standard operating systems and filters network traffic in a conservative manner. Further research is ongoing that will mix the Honeynet into live production networks, make the filtering even less noticeable, and make it even harder (ideally impossible) to distinguish the Honeynet systems from the real production systems.

3. What do you do to attract blackhats to your Honeynet?
Absolutely nothing; that is the scary part. The Honeynet Project merely puts systems on a dedicated Internet connection and sits back and waits. The blackhat community is extremely aggressive; you would be surprised at what they will find. The only type of 'marketing' the Project has done is, at times, to register one of the systems as a DNS server for a domain name. This was done to determine what threats are faced by DNS servers.

4. Just how hostile is the blackhat community?
The blackhat community is extremely belligerent; they are constantly probing for and exploiting a variety of vulnerabilities. The following finding demonstrates this issue.

"Based on the research of the Honeynet Project, the life expectancy of a default, unsecured installation of Red Hat 6.2 server is less than 72 hours. The last time we attempted to confirm this, the system was compromised in less than 8 hours."

5. Once compromised, can't the bad guys use one of your honeypots to attack someone else?
That risk exists; however, the Honeynet Project has done everything possible to mitigate it. We use several layers of access control devices that limit and control what type of outbound connections are allowed, and how many. To the best of our knowledge, no one has breached the security measures we have put in place. We will release a detailed paper soon on how we build and maintain a Honeynet.

6. Do you prosecute the people that compromise systems within the Honeynet?
No. The prime directive of the Honeynet Project is to learn, and share those lessons learned. However, at times we do forward data we capture to the authorities, CERT, and the SANS GIAC program. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.

7. Aren't honeypots a form of entrapment?
We are not lawyers, so we cannot determine that. However, we believe that the Honeynet Project is not entrapment for the following reasons:

8. Do you have a maillist I can join?
The Honeynet Project does not maintain a public maillist. We just do not have the time or resources to maintain one. Also, our postings are infrequent, which really does not justify the need for one. Instead, we post all announcements to commonly used security lists, such as incidents@securityfocus.com.

9. How can I join or become involved with the group?
The Project is limited to 30 active members, and we are currently at that maximum. We have done this so the group can be easily managed. Remember, the group is spread out around the world, working only in our free time, so having a limited number makes management much easier. However, we want to work with the security community as much as possible. If you have any ideas on how you can help the Honeynet Project, or how the Honeynet Project can help the security community, please drop us an email at project@honeynet.org.

10. Can someone from the Honeynet Project speak to our organization?
The goal of the Honeynet Project is to learn, and share those lessons learned. Whenever possible, we enjoy sharing those lessons by speaking to other organizations. However, this is not always possible, as all of our research is done in our own time. All team members have full-time commitments with other employers, so we may not be able to meet all requests. If you are interested in having a team member speak to your organization, drop us an email at project@honeynet.org. The only other thing we ask is that organizations pay for our travel expenses. As our organization has no income, we cannot pay for such expenses ourselves.

11. How do I get started in the security field?
The security field is relatively new; there really is no set path to certification. Doctors, lawyers, accountants: all these fields have predetermined paths, courses, and certifications defining how you get started within these professions. Security is different in that there is no real defined path that we know of. So, part of the challenge to you is defining it yourself. We recommend that you start by learning as much as you can technically. Your degree is not so much important here as what you can learn on your own (many of the Honeynet members have History or Philosophy degrees, if any). Read books, join security mailing lists, such as the ones sponsored by securityfocus.com, read whitepapers, attend security conferences such as SANS or CanSecWest, and build your own lab. Having access to your own systems is one of the best ways to learn. Reading about technologies is one thing, but playing with and understanding them is another. The more mistakes you make in your lab, the faster you learn. The next step is to take this technical background and use it. Find any place that will utilize these skills. Remember, some of the best security professionals have system administration and networking backgrounds. Learn the basics first. Once you have accomplished these things, opportunities will happen. The more you know and learn, the more opportunities you will find.


The Honeynet Project