Internally And Externally Facing Honeypots

Honeypots are great security tools – you install a “decoy”, which attracts malicious traffic. They have certain ports open and they work with certain protocols, mimicking regular interactions, e.g. SSH, RDP, Telnet, HTTP. Usually, at least in introductory materials, honeypots are assumed to be externally-facing (e.g. installed in the DMZ). This means attackers can see it in the open internet and you can collect valuable information.

However, there can be a different mode for honeypots – internally-facing. In normal circumstances, they’d be completely silent. Only in case of a real intruder (doing lateral movement) or during security audits and pentests they will collect data (otherwise nobody has any business poking in that IP address).

It makes sense to have both types of honeypots. Here are the positive sides of an externally facing honeypot:

  • Constantly collects threat information (IPs, attempted passwords, attempted protocols) and apply this knowledge in other tools (e.g. insert IPs in SIEM/Firewall)
  • Distinguish automated probes from human intrusion attempts
  • Visualize trends in malicious activity

And the benefits of internally-facing honeypot:

  • Get alerted in case of lateral movement. Almost every hit on the internal honeypot needs to be investigated immediately
  • No risk for allowing intruders in through 0days in the honeypot software stack
  • Not consuming much resources (the external honeypot has to services potentially many requests; the internal one is serving 0 if everything is fine)

Leave a Reply

Your email address will not be published.