Besides the honeypot itself, you need the following components to operate a honeypot:
Network device hardware: The network devices will consist of firewalls, routers, and switches. Figure 1-2 shows an example of a honeypot deployment. We will cover honeypot deployment in Chapter 2.
Figure 1-2: A sample honeypot deployment
Monitoring/logging tools: The whole point of a honeypot is monitoring and logging what the hacker is doing. Every honeypot usually has several monitoring and logging tools reporting to a centralized management workstation.
Management workstation: The management workstation collects the monitoring and logging data from the honeypot or honeynet. When the honeypot sits on the DMZ, the management workstation is usually the only physical link between the honeypot's network segment and your production network, so great care must be taken to keep hackers from discovering it. In practice this isn't difficult if the segment uses an Ethernet switch rather than a hub, because a switch only delivers unicast frames to the port they are addressed to, so the compromised honeypot cannot passively sniff the traffic between the sensors and the management workstation. Keep in mind that a switch is not a security boundary: ARP spoofing can still defeat its isolation, which is why the logging path should be one-way or out-of-band where possible. The management workstation becomes the central place for monitoring, logging, and alerting.
Alerting mechanism: Every honeypot must have an alerting mechanism built in so that the administrator does not need to constantly check the honeypot for activity. Because a honeypot has no legitimate users, almost anything that happens on it is malicious. Whether you want to be awakened in the middle of the night because of a simple port probe is up to you; we will discuss alert thresholds in Chapter 10.
Keystroke logger: A keystroke logger is needed to capture the hacker’s typed commands.
Packet analyzer: A packet analyzer (or sniffer) is essential in capturing everything that goes on between the honeypot and the outside world. Many honeypot administrators use the Snort IDS, in packet sniffing mode, as their analyzer. We will cover packet analyzers in Chapter 9.
Data backup: A tape or disk backup must be used to preserve the hacker's modifications as evidence, and a known-clean backup is also the fastest way to restore the compromised honeypot to an unaltered state between compromises.
Forensic tools: Start downloading and developing your forensic tools now (we will cover some of these tools in Chapters 10 and 11). A crucial requirement is a way to note every change that happens to the honeypot.
Research resources: Every honeypot administrator has stacks of his or her favorite research books, piles of printed information from the Web, and a large list of favorite security sites. These are resources to use in analyzing what the hacker did and why.
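The alerting and keystroke-logging items above describe a policy (don't page for a single port probe, but always escalate a completed session or a typed command) without showing it. The following is an added example, not code from the book or from any named honeypot product: it parses a constructed, syslog-like event feed (the line format and event names `probe`, `connect`, `login`, `cmd` are assumptions, not a real sensor's output) and applies that triage policy, reporting a low-severity alert only when one source probes several ports within a window.

```python
"""Alert triage for a honeypot event feed (added example, constructed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, event type, detail.
# A hypothetical sensor format, chosen for the example; not any real tool's log.
SAMPLE_LOG = """\
2004-05-01T02:10:01 10.0.0.7 probe 135
2004-05-01T02:10:02 10.0.0.7 probe 139
2004-05-01T02:10:02 10.0.0.7 probe 445
2004-05-01T02:10:03 10.0.0.7 probe 1433
2004-05-01T02:10:04 10.0.0.7 probe 3389
2004-05-01T02:11:30 10.0.0.9 probe 80
2004-05-01T02:15:12 10.0.0.7 connect 445
2004-05-01T02:15:40 10.0.0.7 login administrator
2004-05-01T02:16:02 10.0.0.7 cmd net user backdoor P@ss /add
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (probe|connect|login|cmd)(?: (.*))?$")

SCAN_PORT_THRESHOLD = 5            # distinct ports from one source ...
SCAN_WINDOW = timedelta(minutes=5)  # ... within this window counts as a scan
SEVERITY = {"low": 0, "medium": 1, "high": 2}


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, kind, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "kind": kind, "detail": detail or ""})
    return events


def triage(events):
    """Return a list of (severity, source, message) alerts.

    Single probes are swallowed; a burst of distinct ports from one source
    yields one low-severity scan alert; any completed session, login, or
    typed command is escalated because a honeypot has no legitimate users.
    """
    alerts = []
    probes = defaultdict(list)   # src -> [(timestamp, port), ...]
    scan_reported = set()
    for e in events:
        if e["kind"] == "probe":
            probes[e["src"]].append((e["ts"], e["detail"]))
            recent = {p for t, p in probes[e["src"]] if e["ts"] - t <= SCAN_WINDOW}
            if len(recent) >= SCAN_PORT_THRESHOLD and e["src"] not in scan_reported:
                scan_reported.add(e["src"])
                alerts.append(("low", e["src"],
                               "port scan: %d ports within %s" % (len(recent), SCAN_WINDOW)))
        elif e["kind"] == "connect":
            alerts.append(("medium", e["src"], "completed session to port " + e["detail"]))
        elif e["kind"] == "login":
            alerts.append(("high", e["src"], "login as " + e["detail"]))
        elif e["kind"] == "cmd":
            alerts.append(("high", e["src"], "command typed: " + e["detail"]))
    return alerts


def should_page(alerts, min_severity="high"):
    """Decide whether the on-call administrator gets woken up."""
    return any(SEVERITY[s] >= SEVERITY[min_severity] for s, _, _ in alerts)


if __name__ == "__main__":
    for sev, src, msg in triage(parse(SAMPLE_LOG)):
        print("%-6s %-10s %s" % (sev, src, msg))
    print("page on-call:", should_page(triage(parse(SAMPLE_LOG))))
```

The threshold and window are the knobs you tune to taste; the point of the structure is that the decision to page is made from the severity of what happened, not from the raw volume of events.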
Additionally, a honeypot needs an administrator: someone to create it, to monitor it, and to keep it updated as honeypot technology improves. A general rule of thumb, according to The Honeynet Project (http://www.honeynet.org), is that an administrator will spend 30 to 40 hours analyzing honeypot data for every 30 minutes of hacking against a high-interaction honeypot (one that offers all layers of the OSI model, as described in the "Honeypot Interaction Levels" section later in this chapter). Of course, your mileage will vary according to your honeypot objectives. Some honeypots monitor only one port and rarely require modification unless something goes wrong. Most honeypot administrators must be familiar with the OSI network layer reference model in order to properly diagnose hacking attacks. We will cover the OSI model in more detail in Chapter 9.
Each of these components will be covered in significantly more detail throughout this book. This section just gives you a quick picture of what it takes to run a honeypot.
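The forensic-tools item above says the crucial requirement is a way to note every change that happens to the honeypot. The following is an added example of the usual way to meet that requirement, not code from the book or from any named forensic tool: take a baseline snapshot of the filesystem (path, size, permission bits, SHA-256) before the honeypot is exposed, take another after the compromise, and diff the two. The directory layout and file names in `demo()` are constructed for the example. Two practical caveats: store the baseline off the honeypot, and run the snapshot from known-clean media (or against the offline disk image), because an intruder with administrative rights can alter any tool left on the box.

```python
"""Baseline-and-diff change tracking for a honeypot filesystem (added example)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: (size, mode_bits, sha256)} for every regular file under root.

    Symlinks, devices, and other non-regular files are skipped in this example;
    a production baseline would record them too (and directory ownership).
    """
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = (st.st_size, stat.S_IMODE(st.st_mode), hash_file(full))
    return records


def diff(baseline, current):
    """Classify every path as added, removed, or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save(snap, path):
    """Persist a snapshot as JSON (write it somewhere the honeypot cannot reach)."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def demo():
    """Build a constructed tree, baseline it, simulate an intrusion, return the diff."""
    root = tempfile.mkdtemp(prefix="honeypot-")

    def write(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    try:
        # Constructed "clean" honeypot contents.
        write("bin/cmd.exe", b"original binary")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("readme.txt", b"bait document")
        baseline = snapshot(root)

        # Simulated intruder activity: a same-size trojaned binary (size alone
        # would not catch it; the hash does), a deleted file, and a dropped tool.
        write("bin/cmd.exe", b"trojaned binary")
        os.remove(os.path.join(root, "readme.txt"))
        write("bin/nc.exe", b"dropped netcat")
        return diff(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A hash alone will not tell you what changed inside a modified file; keep the backup described above so the pre- and post-compromise versions can be compared side by side.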