Managed Security Services

The Honeynet Alliance

If you want to get involved in a worldwide project that is setting up systems to track hacker activity, consider these words of wisdom before you dive into the project.

by Alex Goldman ISP-Planet Associate Editor [March 14, 2003]

Want to join the Honeynet Project?

You've read our reviews of the honeynet books, and you want to participate in the search for knowledge about hackers. Where should you start?

Lance Spitzner, author of one book and lead author of the other, told us, "of course, an ISP should focus on security basics first. You need to turn off the services you don't need, making sure that secure and patch the services you do need. The Slammer worm is a great example: It attacked a vulnerability that was six months old."

Spitzner understands that ISPs are already putting a great deal of time into security. "Honeypots require a lot of time and a lot of work," he told ISP-Planet. "If you have the time, that's great, but if you're struggling to keep up with security patches, you should not be doing honeypots."

That said, honeypots are easy to deploy. Spitzner says his first honeypot used a simple ISDN line (partly to limit the damage a hacker could do if she seized control of the machine). Honeypots require neither expensive hardware nor expensive bandwidth.

Honeypots do require knowledge. SecurityFocus has built a honeypot mailing list whose rules of etiquette and procedure can be found here.

If an ISP does have the resources to start working on honeypots, they can join the Honeynet Research Alliance, which is run by The Honeynet Project.

Spitzner says that universities are the institutions that are most likely to have the skills and the resources available to devote to hacker research.

If you are serious about deploying honeypots, buy either or both of Spitzner's books. The chapter in Honeypots: Tracking Hackers about potential legal liabilities is especially important for anyone in the U.S. who is considering deploying a honeypot.

—End