I'm interested to see if anyone here who administers a large environment (200-500 servers), and has a very large public customer base (100,000+), has set up (or has at least considered setting up) a honeypot? I'm especially interested in those that provide services to nasty/evil/hostile networks.
If you have set one up, can you elaborate on your experience? In fact, please comment if you don't consider your environment to be large, even a small environment that contains some hostile networks is perfect!
I'm planning to set one up where I work, but naturally that will start with a few battles with management. There are risks - the biggest risk would be that things are not set up correctly, and your production servers join your honeypot "cluster", or simply that information about your network leaks out (any information is too much information).
Production Honeypots
A production honeypot is used to assist an organization in protecting its internal IT infrastructure, whereas a research honeypot is used to accumulate evidence and information in order to study hackers' or blackhat criminals' attack patterns and motives.
Production honeypots are valuable to organizations, especially commercial ones, as they help to reduce or mitigate the risk that a specific organization faces. Production honeypots secure the organization by policing its IT environment to identify attacks. These production honeypots are useful in catching hackers with criminal intentions. The implementation and deployment of production honeypots is relatively easier than that of research honeypots.
You want Honeyd - Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
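To make the description above concrete, here is a minimal Honeyd configuration file in the format the daemon reads. It is an added example, not part of the original answer or of the Honeyd distribution; the template name, the addresses, the uid/gid and the script path are assumptions, and the personality string must match an entry in the nmap fingerprint file you point Honeyd at.

```text
# Added example, not from the original post. Addresses and paths are assumed.
# Catch-all template: anything not bound explicitly drops every packet.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A virtual host that looks like a Windows box to an OS fingerprinter.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
# Ports that just complete the handshake, so a scan sees them as open.
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
# A port served by a script: this is the part an attacker actually talks to.
add windows tcp port 80 "sh scripts/web.sh"
# Drop privileges for the service scripts.
set windows uid 32767 gid 32767

# Claim an unused address on the LAN for the virtual host (assumed address).
bind 192.168.1.201 windows
```

The service scripts are the only code an attacker interacts with, so keep them unprivileged (the uid/gid line) and put the Honeyd host on a segment that cannot reach production; the "block" default template also keeps the daemon from answering on addresses you did not mean to claim.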
Honeypots are extremely useful for any environment and they don't need to be anything fancy or crazy.
Examples that we do:
-Create a fake account on our mailserver (say userX) with a few fake links in his mailbox (things like a user directory link, payment link, etc., all pointing to an internal server). Now we monitor any access to these pages via the logs, and we know that if we ever see access to them, it is because someone is reading someone else's email or broke into the system.
-Add a non-published system with an unused IP to our network. Any access to it is probably caused by a scan or maybe a badly configured system (yes, it happens).
And many other things... These little "honeypots" are so easy to set up and the benefits are amazing. We even had a system admin fired for looking at a fake payroll link.
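Both tricks in the answer above come down to one check over the access log of the internal server: alert on any request for a planted path, and on any request that arrives on the unpublished address. The script below is an added example, not code from the original post; the planted paths, the decoy address, the log lines and the log format (Apache combined with the server's local address prepended) are all constructed assumptions.

```python
import re
from typing import Iterable, List, NamedTuple

# Constructed for this example: the fake links planted in the decoy mailbox all
# point at paths under /intranet/ that no real workflow ever touches.
HONEYTOKEN_PATHS = (
    "/intranet/payroll/2023.xls",
    "/intranet/userdir/",
    "/intranet/payment/",
)

# Constructed for this example: an address bound to the web server but published
# nowhere. Any request that arrives on it is a scan or a misconfiguration.
DECOY_ADDRS = frozenset({"10.9.8.250"})

# Assumed log format: Apache combined log with the local (server) address
# prepended, i.e. LogFormat "%A %h %l %u %t \"%r\" %>s %b ..." (an assumption).
LOG_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


class Alert(NamedTuple):
    kind: str      # "honeytoken" or "decoy_addr"
    src: str       # client address that triggered the alert
    detail: str    # planted path that was hit, or decoy address contacted
    ts: str
    status: int


def is_honeytoken(target: str) -> bool:
    """True if the request path (query string ignored) is one of the planted links."""
    path = target.split("?", 1)[0]
    return any(path.startswith(p) for p in HONEYTOKEN_PATHS)


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per suspicious request, in log order."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these too
        status = int(m["status"])
        if m["dst"] in DECOY_ADDRS:
            alerts.append(Alert("decoy_addr", m["src"], m["dst"], m["ts"], status))
        # The response code does not matter: a 404 on a planted path still means
        # somebody followed a link that only exists inside the fake mailbox.
        if is_honeytoken(m["target"]):
            path = m["target"].split("?", 1)[0]
            alerts.append(Alert("honeytoken", m["src"], path, m["ts"], status))
    return alerts


# Constructed sample log: one normal request, one hit on the planted payroll link
# (404, the file never existed), one scanner touching the decoy address, one hit
# on the planted user-directory link, and one line that does not parse.
SAMPLE_LOG = """
10.9.8.10 192.0.2.44 - - [12/Mar/2023:09:14:02 +0000] "GET /intranet/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.9.8.10 192.0.2.44 - - [12/Mar/2023:09:14:31 +0000] "GET /intranet/payroll/2023.xls HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.9.8.250 198.51.100.7 - - [12/Mar/2023:09:15:00 +0000] "GET / HTTP/1.1" 200 44 "-" "masscan/1.0"
10.9.8.10 192.0.2.9 - - [12/Mar/2023:09:16:12 +0000] "GET /intranet/userdir/?q=bob HTTP/1.1" 200 1024 "http://mail.example.internal/" "Mozilla/5.0"
this line is not an access log entry
""".strip().splitlines()


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.kind:<11} from {a.src:<14} -> {a.detail} (HTTP {a.status})")
```

Run it and three alerts come out: the payroll link (even though the server answered 404), the scanner on the decoy address, and the user-directory link. The path check is a prefix match so planted links with query strings or sub-paths still trigger; keep the planted paths unique enough that nothing legitimate shares the prefix.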
I have to be blunt and say if I was your manager I would shut down that idea before it even started. There are too many risks and zero benefits associated with setting up a honeypot within a large IT environment.
Could you elaborate on why you would want to do this? Aren't honeypots largely confined to security researchers? What are you trying to achieve?