Imagine Winnie the Pooh struggling to free his big paw from a honey jar. Poor Pooh, very distressed, tries to free himself, but not before Christopher Robin, Eeyore or Piglet catches him in the act. Well, honeypots, in terms of network security, are not much different.
A honeypot is a network server designed to trap would-be attackers before they invade your real servers and services. Take a Linux or Unix workstation, create an environment where you can fool attackers into thinking they have root access when they really don't, and monitor their every move. If the honeypot gets trashed, so what? Better that than your servers, right?
Now I may catch hell for saying this, but installing a honeypot should be close to the bottom of your list of network security priorities. Let's face it: you have better things to do with your time. You must maintain your firewall, monitor your IDS (Intrusion Detection System), recover lost passwords, keep track of the latest security patches and schedule the updates. Why tackle honeypot chores when you have a hundred other tasks that directly affect your network's security?
In fact, honeypots don't add to security in any fundamental way; they complicate it. Now you have one or more servers that must be doubly secured. That is because a honeypot needs to be secured except for one or two well-placed holes so attackers can get in, while the host server itself must be fully secured and constantly monitored so intruders can't break out of the honeypot.
Even if you could jump through all of these hoops, your first and foremost goal in network security should be to allow only authorized users access to network resources. All others should be denied access. This is the "default deny" security stance: all that is not explicitly allowed is denied. The implication is that you must actively grant access to users, and any violation should be clearly visible. Honeypots violate that stance by inviting unknown attackers to access one of your systems. Once an attacker has access to even one system, they are one step closer to your network. Remember, it isn't the known attacks that will put your network in the hands of an intruder.
Now, as network folk are prone to do, let me equivocate. While honeypots should be near the bottom of your priority list, there is really one good reason to have one, and that is to prosecute crackers. But beware that the law is very unclear about the use of honeypots for legal prosecution, and you'll need to check with your lawyer and local FBI office about their use. Education, distraction and obscurity are not good reasons for a honeypot: you can learn more at Packet Storm (an online security site), crackers will leave an uninteresting server, and there isn't much you can hide from a knowledgeable cracker.
Send your comments on this column to Mike Fratto at mfratto@nwc.com.