KFSensor
KFSensor appears to be the only virtual honeypot in this review with a clear sense of what it takes to appear to be a Windows host. Like Honeyd-WIN32, KFSensor is a low-interaction honeypot. Unlike Honeyd-WIN32, KFSensor comes with 77 preconfigured ports (58 TCP ports and 19 UDP ports). Most of the ports are found in typical Windows environments, although KeyFocus has thrown in some arbitrary Trojan horse ports to attract intruders scanning for vulnerable hosts. The installation is simple: you just download the software and execute it. Helpful GUI wizards guide the way, letting you input information during each step. Additional wizards and documentation are available with each click of the mouse.
KFSensor offers simple service emulation for IIS, FTP, Telnet, and Exchange. Connections to IIS result in a standard "Under construction" page. Connections to port 25 result in a realistic Exchange text banner reply, and the service emulation accepts a limited number of basic SMTP commands. KeyFocus could have easily done the same for other common Exchange server ports, such as the POP3 and IMAP ports, but for some reason didn't. KFSensor does basic mimicking of Terminal Services for RDP connections, Symantec's pcAnywhere, Citrix MetaFrame, Virtual Network Computing (VNC), WinGate, and more. You can use control codes and scripts to customize each port and service emulation. During testing, the pcAnywhere remote client briefly believed it was connected to a live host before the connection terminated.
KFSensor accurately mimics open NetBIOS and Windows RPC ports, giving the honeypot a realistic Windows response. Unlike the other honeypots in this review, KFSensor is the only honeypot to offer this feature out of the box. This functionality puts KFSensor in the top echelon of Windows honeypots.
KFSensor understands the importance of alerts and logging. KFSensor's GUI tracks security events by several different characteristics, including port, time, attacker, and severity. As Figure 2 shows, you can define which events correlate to what levels of severity, and trigger logs and alerts accordingly. You can have KFSensor send formal alerts by email (in regular or short-message format), write them to the Windows event log, or record them on a syslog server. (UNIX/Linux administrators commonly report and log security events on syslog servers. Although Windows has no native syslog services or reporting tools, several Windows-based syslog services exist to fill the gap, such as Kiwi Enterprises' Kiwi Syslog Daemon, which you can download for free at http://www.kiwisyslog.com.) You can also have KFSensor interact with any external alerting or logging program you choose. KFSensor is sophisticated enough to let you decide how many seconds to wait before sending additional alerts and what severity level an event must reach before it initiates an alert. This feature is especially helpful because it lets you avoid, for example, receiving hundreds of separate alerts at 2:00 a.m. from a simple port scan.
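To show what the severity threshold and the wait-between-alerts setting buy you, here is an added example (not KFSensor's own code) that applies both rules to a constructed batch of honeypot events: the port-to-severity table, the attacker addresses, and the event timestamps are all assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed port-to-severity table (an assumption; KFSensor lets the admin
# choose these mappings in its GUI). Higher number = more severe.
PORT_SEVERITY = {25: 1, 80: 1, 21: 2, 23: 2, 139: 3, 445: 3, 3389: 3, 12345: 3}

@dataclass
class Event:
    ts: float        # seconds since some epoch
    attacker: str    # source address of the connection
    port: int        # honeypot port that was touched

def severity_of(ev: Event) -> int:
    return PORT_SEVERITY.get(ev.port, 1)   # unknown ports count as low severity

def filter_alerts(events: List[Event], min_severity: int = 2,
                  quiet_seconds: int = 60) -> Tuple[List[Tuple], Dict[str, int]]:
    """Decide which events become alerts.

    An event is alertable only if its severity reaches min_severity, and an
    attacker gets at most one alert per quiet_seconds window. Returns the
    alerts as (attacker, port, severity, ts) plus a count of suppressed events
    per attacker, so the next alert can say how much noise it stands for.
    """
    last_alert: Dict[str, float] = {}
    suppressed: Dict[str, int] = {}
    alerts: List[Tuple] = []
    for ev in sorted(events, key=lambda e: e.ts):
        sev = severity_of(ev)
        if sev < min_severity:
            continue                                  # below threshold: log only
        last = last_alert.get(ev.attacker)
        if last is not None and ev.ts - last < quiet_seconds:
            suppressed[ev.attacker] = suppressed.get(ev.attacker, 0) + 1
            continue                                  # still inside the quiet window
        alerts.append((ev.attacker, ev.port, sev, ev.ts))
        last_alert[ev.attacker] = ev.ts
    return alerts, suppressed

# Constructed sample: one host sweeps eight ports in eight seconds (a port
# scan), comes back two minutes later, and a second host probes SMB an hour on.
SAMPLE_EVENTS = [Event(float(i), "10.0.0.5", p)
                 for i, p in enumerate([21, 23, 25, 80, 139, 445, 3389, 12345])]
SAMPLE_EVENTS += [Event(120.0, "10.0.0.5", 445), Event(3600.0, "10.0.0.9", 445)]

def demo():
    return filter_alerts(SAMPLE_EVENTS)

if __name__ == "__main__":
    alerts, suppressed = demo()
    for a in alerts:
        print("ALERT attacker=%s port=%d severity=%d t=%.0f" % a)
    print("suppressed:", suppressed)
```

The eight-port sweep collapses into a single alert (with five suppressed events recorded against the scanner), the scanner's return after the 60-second window produces a fresh alert, and the unrelated SMB probe from the second host is alerted on its own.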
KFSensor excels at nearly everything it does, but it has some weaknesses:
- KFSensor isn't nearly as flexible or scalable as Honeyd-WIN32. For example, because KFSensor operates at the application layer, it can't simulate the IP stack and doesn't contain settings to simulate network routes, system timestamps, latency problems, and so forth (although to be fair, most intruders would miss these details). In addition, KeyFocus doesn't recommend supporting more than 256 ports per host, whereas Honeyd-WIN32 can support thousands of ports and IP addresses per host.
- Like other application-level honeypots, KFSensor can respond to only the IP address assigned to its host. By comparison, Honeyd-WIN32 can emulate a multitude of IP hosts and networks.
- Although KFSensor mimics more default services than any other honeypot in this review, some of Honeyd-WIN32's default scripts offer better service emulation.
- KFSensor doesn't capture network and packet-level information, which is crucial to most honeypot administrators.
- KeyFocus provides only email support. No phone support is available, but the company quickly responds to email messages.
Priced at $990 for a single copy, KFSensor is the most expensive honeypot software in this review. However, if you want a feature-packed Windows honeypot that's easy to install and use, KFSensor is the clear choice for you.