This chapter covers designing and deploying a honeypot system. It will help you decide which type of honeypot is best for you, where to place it, and how to configure it to meet your goals.
As you saw in Chapter 1, a honeypot is more than just a single piece of software or hardware. It has several other supporting components, such as tools for alerting, monitoring, logging, and analyzing data. And let’s not forget the most important component: the administrator. For this reason, I will refer to a honeypot or honeynet with its related components as a honeypot system.
Deploying a honeypot system should be a methodical, well-thought-out process. You can just throw one out there and hope for the best, but proper planning will ensure a successful honeypot system deployment. This section lists the steps, in order, for deploying a honeypot system. All of the summarized steps will be covered in more detail in the remainder of this book.
1. Read as much as you can about honeypots to get a thorough understanding of the task ahead. Know basic honeypot theory, especially the concepts of data control and data capture.
2. Confirm that honeypots are allowed in your environment. If you are setting up a honeypot as an employee, make sure to get the appropriate approvals. Adding a honeypot to your environment incurs additional risks—both technical and legal—that the organization may not want to support.
3. Define the goals of your honeypot. Why do you want to run a honeypot? Is it for research or to protect your production environment?
4. Define the human roles in creating and maintaining a honeypot. Do you have the technical expertise to correctly deploy and maintain a honeypot? Do you have the software and hardware necessary to deploy a honeypot? Do you have the extra hours in your workday that it will take to appropriately maintain the honeypot and do data analysis? Discuss the continuing education needed to keep up with the honeypot and new exploits.
5. Figure out what type of honeypot you will deploy: research or production, real or virtual.
6. Define, install, and configure the physical network devices needed to create your honeypot.
7. Plan and configure the other supporting honeypot components and tools (alerting, logging, monitoring, management, and so on).
8. Collect your own set of monitoring, logging, and forensic analysis tools.
9. Develop a recovery plan. How are you going to restore the honeypot system to an unaltered state after the current exploit event is finished?
10. Deploy the honeypot and its supporting components.
11. Test the deployment. Use vulnerability assessment and penetration testing tools against your honeypot system to see how well the system works.
12. Analyze the results and eliminate any deficiencies.
13. Fine-tune the honeypot system based on lessons learned.
14. Repeat steps as necessary.
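As an added illustration of the supporting components the steps above call for (data capture, logging, and alerting), and not code from the book: a minimal low-interaction TCP honeypot in Python that greets each client with a fake service banner, records the source and the first bytes it sends for later analysis, and raises a single alert when one source connects a threshold number of times within a time window. The SMTP-style banner, the threshold and window values, the listening port, and the log record layout are all assumptions chosen for the example.

```python
import socket
import time

class HoneypotCapture:
    """Data capture plus alerting for a low-interaction TCP honeypot (constructed example)."""

    def __init__(self, banner=b"220 mail.example.test ESMTP ready\r\n",
                 alert_threshold=3, alert_window=60.0):
        self.banner = banner                  # fake greeting; assumed value, never a real service
        self.alert_threshold = alert_threshold
        self.alert_window = alert_window      # seconds
        self.events = []                      # every connection attempt, kept for analysis
        self.alerts = []                      # sources that crossed the threshold
        self._seen = {}                       # src address -> recent connection timestamps

    def record(self, src, data, now=None):
        """Log one connection attempt and apply the alert rule (data capture + monitoring)."""
        now = time.time() if now is None else now
        event = {"ts": now, "src": src, "first_bytes": data[:64].hex()}
        self.events.append(event)
        recent = [t for t in self._seen.get(src, []) if now - t < self.alert_window]
        recent.append(now)
        self._seen[src] = recent
        if len(recent) == self.alert_threshold:   # fire once per burst, not on every hit
            self.alerts.append({"ts": now, "src": src, "count": len(recent)})
        return event

    def handle(self, conn, src):
        """Serve one client: send the banner, capture its first request, never act on it."""
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            try:
                data = conn.recv(512)
            except (socket.timeout, OSError):
                data = b""
        return self.record(src, data)

    def serve(self, host="0.0.0.0", port=2525):
        """Blocking accept loop on an unprivileged port (assumed); one client at a time."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.bind((host, port))
            srv.listen(5)
            while True:
                conn, addr = srv.accept()
                self.handle(conn, addr[0])

if __name__ == "__main__":
    HoneypotCapture().serve()
```

The events list is what step 8's analysis tools would consume, and the alerts list is the hook for step 7's alerting component; in a real deployment both would be written to a log on a separate, protected host rather than kept in memory on the honeypot.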
If it’s set up correctly, your honeypot system should be constantly evolving from lessons learned, better tools, and changing goals. A honeypot is rarely a static, unchanging system. It learns and grows with you.