Book Review: "Honeypots for Windows", Roger A. Grimes


"Honeypots for Windows", Roger A. Grimes, 2005, 1-59059-335-9, U$39.99 %A Roger A. Grimes %C 2560 Ninth Street, Suite 219, Berkeley, CA 94710 %D 2005 %G 1-59059-335-9 %I Apress %O U$39.99 510-549-5930 fax 510-549-5939 %O

formatting link
formatting link
formatting link
Audience i+ Tech 2 Writing 1 (see revfaq.htm for explanation) %P 392 p. %T "Honeypots for Windows"

Now, we all know that honeypots can be fun: turning the tables on the blackhats, and watching what they are doing for once. We'll even acknowledge that the information honeypots provide can be useful, teaching us the types of approaches and activities that intruders are likely to undertake. But Grimes, in the introduction, stresses the position that honeypots are important security tools used for protection: that the extensive employment of honeypots will somehow "put an end" to script kiddies and the myriad attacks we see flying around the nets.

Part one is about general honeypot concepts. Chapter one is an introduction to honeypots, looking at different honeypots and some common attack types, and has an extremely terse mention of the fact that there are risks associated with using honeypots. Components and simple topologies for honeypots are listed in chapter two.

Part two moves specifically to Windows honeypots. Chapter two lists the ports that a Windows computer typically has open, and provides some (but not much) information on how the major ones work. A set of questions to ask yourself about how you want to operate and configure your honeypot are in chapter three, along with generic advice about hardening the computer if you use Windows as the native operating system. There is a table of services that you might want to turn off. There is also an inventory of programs you may wish to remove: it contains rather dated entries such as edlin.exe, but doesn't mention items such as tftp.exe. Chapters five to seven are concerned with the honeyd program and its Windows port, first in regard to description and installation, then configuration options, and finally service scripts. Other honeypot programs; Back Officer Friendly (BOF), LaBrea, SPECTER, KFSensor, Patriot Box, and Jackpot; are outlined in chapter eight, with the commercial entries getting the bulk of the space.

Part three deals with the operation of honeypots. Chapter nine has some basic traffic analysis information, mostly documentation for the use of the Ethereal packet sniffer and the Snort intrusion detection system. A number of tools for monitoring your system are listed in chapter ten. Even though the title is "Honeypot Data Analysis," most of chapter eleven records more monitoring tools. Grimes reprises some of his stuff from "Malicious Mobile Code" (cf. BKMLMBCD.RVW), and adds a catalogue of assembly tools, to talk about analysing such code in chapter twelve.

As a compilation of utilities, the book will probably be a handy reference for those who are interested in trying out a honeypot, or possibly just getting more information from their Windows computer. Network administrators who are seriously interested in actually running a honeypot or reviewing the data thus collected should probably look into "Know Your Enemy" (cf. BKKNYREN.RVW) or "Honeypots" (cf. BKHNYPOT.RVW), both by Spitzner.

copyright Robert M. Slade, 2005 BKHNPTWN.RVW 20050614

====================== (quote inserted randomly by Pegasus Mailer) In theory, there is no difference between theory and practice, but, in practice, there is. - Jan L.A. van de Snepscheut

formatting link
formatting link

Reply to
Rob Slade
Loading thread data ... Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.