Honeypots mailing list archives

RE: Honeypot/net IDS System


From: "Michael" <michael () insulin-pumpers org>
Date: Tue, 24 Feb 2004 16:27:12 -0800

 After a quick thinking on use of honeypots, I have some few things to
wonder.
 - If the applications like SMTP are fully secured using the
antispam, antivirus software before a security patched server, then
what is the role of HoneyPot in the network?

It raises the price that spammers must pay to send their junk. In the 
case of a winduhs based zombie, if there are enough tarpits the 
systems will crash and eventually (hopefully) the user will clean it 
up. I've seen systems stuck in our tarpits do this repeatedly as they 
reach their task limit and die.

 - Using Honeypots will only increase the traffic onto the LAN under
consideration as it attracts hackers to come in

Depends on the type of tarpit. One that simply mimics a slow SMTP 
server will certainly increase overall traffic. A true TCP/IP tarpit 
that you DO NOT ADVERTISE will trap the spammers that attempt to send 
stuff to your site, eliminate the traffic from the spam from your 
network (bandwidth) at the IP stack level as well as all the bounce 
traffic (x3) that rejected messages would have created.

 - honeypots can only trace out the hacker but it can't identify a
possible threat, unless administrator goes through the logs it is
difficult to identify.

yep

  A most helpful solution could be honeypot working in hand with
intrusion protection systems or NIDS. Currently, with the tools
ADMMutate NIDS are being cheated, Honeypot with NIDS can attract the
hacker and we can know his real intentions using enhanced honeypot.
I believe this would be a good combination.

It is necessary to separate the function of a honeypot. One setup 
exclusively to deal with spammers serves one purpose. Worm/hack 
honeypots serve another and the information and usefulness is very 
different. Those are two separate discussions. What you say above is 
true for worm/hack attacks but is not really applicable to spam 
tarpits.
Michael () Insulin-Pumpers org
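
The "slow SMTP server" kind of tarpit mentioned in the reply, as an added example that is not part of Michael's message or any project's code: it drips a multi-line 220 greeting so a connecting sender stays tied up before it can issue a single command. This is the application-level variety, not the TCP/IP stack-level tarpit; the function names, hostname, port 2525 and delay values are assumptions made for illustration.

```python
import socket
import time


def drip_banner(conn, hostname="mail.example.invalid", lines=5,
                delay=2.0, sleep=time.sleep):
    """Send a multi-line SMTP 220 greeting one line at a time.

    Returns (lines_sent, seconds_of_delay_imposed). Stops early if the
    peer hangs up, so the return value shows how long the client stayed.
    """
    sent = 0
    held = 0.0
    try:
        for i in range(lines):
            last = i == lines - 1
            # "220-" marks a continuation line; "220 " ends the reply,
            # so the client must keep waiting until the final line.
            sep = " " if last else "-"
            text = f"{hostname} ESMTP ready" if last else "please wait"
            conn.sendall(f"220{sep}{text}\r\n".encode("ascii"))
            sent += 1
            if not last:
                sleep(delay)
                held += delay
    except OSError:
        # Peer closed or reset the connection: stop dripping.
        pass
    return sent, held


def serve(bind="127.0.0.1", port=2525, **kw):
    """Accept clients one at a time and tarpit each (demo only:
    a real deployment would handle connections concurrently)."""
    with socket.create_server((bind, port)) as srv:
        while True:
            conn, peer = srv.accept()
            with conn:
                sent, held = drip_banner(conn, **kw)
                print(f"{peer[0]} held {held:.0f}s over {sent} lines")


if __name__ == "__main__":
    serve()
```

Because every delay line is still a packet sent to the client, this style adds traffic of its own, which is the trade-off the reply points out.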

