
WORKSHOP
Honey Pots for Sale

August 21, 2000


I researched six honey-pot packages, five of which are commercial. Your choice depends on many aspects, including how realistic you want the emulation to be, what platforms the software will run on and what platforms need to be emulated.

For Microsoft Windows shops, Infinitum's BackOfficer Friendly, Network Associates' CyberCop Sting and Specter are all good choices. Specter can emulate many OSes--including Apple Computer's MacOS, Digital Equipment's Unix, Linux, Microsoft Windows, SGI Irix and Sun Microsystems' Solaris. Sting runs on Microsoft Windows NT, Solaris and Cisco Systems' IOS. BackOfficer Friendly is a personal alarm system that watches for Back Orifice (a Windows Trojan program by the Cult of the Dead Cow) activity rather than a full-blown honey pot, but it also emulates and monitors various services (including ftp, telnet, SMTP, HTTP and POP3). However, BackOfficer Friendly does not emulate other OSes.

On the Unix front, there is the free Deception ToolKit (known as DTK) from Fred Cohen & Associates. DTK is distributed as a learning tool and honey-pot effort, and it emulates more services than any other package (in fact, more than double any commercial package). Since it's programmed in Perl, it should--in theory--run on any Unix system. However, it comes up short in some areas. It's possible to remotely determine that some of the services are emulated, and there is no consistency across the services as to which OS they are trying to represent. Like BackOfficer Friendly, DTK does not do any network-level OS emulation, so an attacker can use an OS identification tool, such as Nmap, to determine the actual platform, which may ruin the facade the honey pot is trying to present and otherwise alert the intruder.

For Solaris-based systems, there's Recourse Technologies' ManTrap and GTE Technology's NetFacade. NetFacade can emulate services found in Cisco IOS, Linux, Solaris, Irix and Windows NT. In addition, it's the only honey pot I sampled that lets you select different versions of the services to run (such as SSH 1.2.26 or 2.0.9; imapd 9.157, 10.205, 10.223 or 10.234). This helps match emulated services to those you offer on your production system. ManTrap is unique. While all the other honey-pot packages try to emulate the services provided by different OSes, ManTrap provides the real thing. It makes a copy of your full Solaris install and runs this copied system in a "jail" configuration. This means all the services offered by the system are the real McCoy--no emulation is used. ManTrap achieves this by making modifications to how the base Solaris system operates, including changes to the proc filesystem and the kernel.

Of course, you do not need a dedicated, elaborate software package to set up your own honey-pot system. In fact, there have been various published papers describing successful honey-pot systems built from base OS installations. You can take a standard OS installation, combine it with a network sniffer and use this combo as a honey pot. The network sniffer lets you log all incoming traffic to the honey pot. However, this method requires expertise in system administration and traffic analysis--two particular aspects the dedicated honey-pot packages help automate.
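Two of the points above can be made concrete in a few dozen lines: the service emulation should tell one consistent story about the platform it pretends to be (the weakness noted for DTK), and a do-it-yourself honey pot is really just listeners plus a traffic log plus some analysis of that log. The following is an added example written for this article, not code from DTK, NetFacade or any other package named here. It emulates banner-driven ftp, SMTP and POP3 services that all claim the same hypothetical host name, refuses every login, records every connection and command, and summarises the records per service and source address. The host name hp-01.example.test, the banners, the reply texts and the log format are all invented for the example; the sample session in the usage note is constructed.

```python
import datetime
import socket
import threading

# Every emulated service claims the same hypothetical host, so a visitor who
# probes several ports sees one consistent story.  Host name, banners and the
# log format below are invented for this example.
FAKE_HOST = "hp-01.example.test"

BANNERS = {
    "ftp":  "220 %s FTP server ready.\r\n" % FAKE_HOST,
    "smtp": "220 %s ESMTP ready\r\n" % FAKE_HOST,
    "pop3": "+OK %s POP3 server ready\r\n" % FAKE_HOST,
}

# Canned reply per (service, command verb).  Every login is refused: the
# emulator grants nothing, it only records what was attempted.
REPLIES = {
    ("ftp", "USER"):  "331 Password required.\r\n",
    ("ftp", "PASS"):  "530 Login incorrect.\r\n",
    ("ftp", "QUIT"):  "221 Goodbye.\r\n",
    ("smtp", "HELO"): "250 %s\r\n" % FAKE_HOST,
    ("smtp", "EHLO"): "250 %s\r\n" % FAKE_HOST,
    ("smtp", "MAIL"): "530 Authentication required\r\n",
    ("smtp", "QUIT"): "221 Bye\r\n",
    ("pop3", "USER"): "+OK\r\n",
    ("pop3", "PASS"): "-ERR authentication failed\r\n",
    ("pop3", "QUIT"): "+OK Bye\r\n",
}


def respond(service, line):
    """Return (reply, close_after_reply) for one client line."""
    verb = line.strip().split(" ", 1)[0].upper()
    unknown = "-ERR unknown command\r\n" if service == "pop3" else "500 Unknown command.\r\n"
    return REPLIES.get((service, verb), unknown), verb == "QUIT"


def log_line(service, peer, text, now=None):
    """One log record: ISO timestamp, service, peer ip:port, quoted text."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return "%s %s %s:%d %r" % (stamp, service, peer[0], peer[1], text.rstrip("\r\n"))


def handle_session(service, peer, lines, now=None):
    """Drive one session from a list of client lines; return (replies, log)."""
    replies = [BANNERS[service]]
    log = [log_line(service, peer, "<connect>", now)]
    for line in lines:
        log.append(log_line(service, peer, line, now))
        reply, close = respond(service, line)
        replies.append(reply)
        if close:
            break
    log.append(log_line(service, peer, "<disconnect>", now))
    return replies, log


def summarize(log):
    """Connections per service and the peer addresses behind them: the
    traffic-analysis step the article says the packaged tools automate."""
    counts, peers = {}, {}
    for record in log:
        _, service, peer, event = record.split(" ", 3)
        if event == repr("<connect>"):
            counts[service] = counts.get(service, 0) + 1
            peers.setdefault(service, set()).add(peer.rsplit(":", 1)[0])
    return counts, peers


def _socket_session(service, conn, peer, sink):
    """Serve one live TCP client, appending log records to sink (a list)."""
    with conn:
        conn.sendall(BANNERS[service].encode())
        sink.append(log_line(service, peer, "<connect>"))
        for line in conn.makefile("r", encoding="latin-1", errors="replace"):
            sink.append(log_line(service, peer, line))
            reply, close = respond(service, line)
            conn.sendall(reply.encode())
            if close:
                break
        sink.append(log_line(service, peer, "<disconnect>"))


def serve(service, port, sink, host="0.0.0.0"):
    """Accept connections on port forever, one thread per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=_socket_session, args=(service, conn, peer, sink),
                         daemon=True).start()


if __name__ == "__main__":
    records = []  # unprivileged ports, so no root is needed to try it
    for svc, port in (("ftp", 2121), ("smtp", 2525), ("pop3", 1110)):
        threading.Thread(target=serve, args=(svc, port, records), daemon=True).start()
    while True:
        threading.Event().wait(30)
        print(summarize(records))
```

Run as a script it listens on 2121, 2525 and 1110 and prints the per-service summary every 30 seconds; `handle_session` accepts the same client lines as a plain list, so a constructed session such as `["USER anonymous\r\n", "PASS guest@\r\n", "QUIT\r\n"]` can be replayed offline. The one design choice worth noting is that every banner and greeting pulls from a single FAKE_HOST, which is the cheapest way to avoid the cross-service inconsistency the article criticises; it does nothing about network-level fingerprinting, so the packaged tools still have an edge there.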
