Is there a real advantage to implementing a "honeypot" in the DMZs on a network? The only reason I can think of is to lure would-be intruders to that machine instead of having them compromise production servers...any input is greatly appreciated.
Honeypots are primarily deployed for exactly the reasons you describe -- to distract would-be attackers from the real servers. Using a honeypot may give you the opportunity to detect and respond to an attack (on the bogus system) before the attackers are able to do any real harm.
Whether or not to deploy a honeypot is something you should consider carefully. In order to be effective, a honeypot must appear real enough to attackers to attract their interest, but must (of course) not contain any data or information of real value. This can be a difficult balance to obtain. And the honeypot itself must be specially secured, so that it could not be used to compromise other hosts on your network.
You should consult with your legal department to determine whether there are any legal issues within your organization, state, or country, relating to the use of a honeypot. This may include your own liability if your honeypot is compromised and used to attack others, as well as what you can and can't do. For example, you may be able to passively monitor and record all activity, but may NOT be able to take any direct or retaliatory action against your attackers. You would also need to consider what is and is not acceptable as evidence, should you ever intend to prosecute any attackers.
Given all of the above, you should consider whether your time and security efforts are better spent configuring, monitoring, and maintaining a honeypot, or configuring and deploying additional security and monitoring on your "real" servers. Security is always an equation that balances cost, risk, and business need; the answer for each organization is different.
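To make the detection value described in the answer concrete, here is an added example (not from the original answer or any product) of a minimal low-interaction honeypot: a listener that answers with a canned banner, records whatever the peer sends without ever interpreting it, and a summarizing pass that turns those records into per-source alerts. The event record, the severity labels, the thresholds and the sample events are all assumptions of this example; since no legitimate client has a reason to contact the honeypot, every contact is treated as a lead for the responder.

```python
"""Minimal low-interaction honeypot listener plus an alerting pass over its records.

Added example, not code from the original answer. The event record, the
severity labels and thresholds, and the sample events are assumptions made
here for illustration.
"""
import socket
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    """One contact with the honeypot. Nothing legitimate should ever talk
    to it, so every record is worth a look by the responder."""
    ts: float
    src_ip: str
    dst_port: int
    payload: bytes = b""


def handle_client(conn, peer_ip, dst_port, banner=b"220 mail ready\r\n",
                  read_timeout=2.0, max_bytes=512):
    """Answer one connection with a canned banner, capture the first bytes
    the peer sends, close, and return an event. The input is only recorded,
    never parsed or executed, which is what keeps the honeypot host from
    becoming a stepping stone into the rest of the network."""
    conn.settimeout(read_timeout)
    try:
        conn.sendall(banner)
        data = conn.recv(max_bytes)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    return HoneypotEvent(time.time(), peer_ip, dst_port, data)


# Login-style strings that mark a credential-guessing attempt (assumed list).
CREDENTIAL_MARKERS = (b"USER ", b"PASS ", b"login:", b"AUTH ")


def summarize(events, scan_ports=3):
    """Group events by source and assign one severity per source:
    'touch' for any contact at all, 'scan' when at least `scan_ports`
    distinct ports were probed, 'credential_probe' when login-style
    strings appear in any payload (highest, overrides the others)."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set(), "cred": False})
    for ev in events:
        entry = by_src[ev.src_ip]
        entry["count"] += 1
        entry["ports"].add(ev.dst_port)
        if any(m in ev.payload for m in CREDENTIAL_MARKERS):
            entry["cred"] = True
    for entry in by_src.values():
        if entry["cred"]:
            entry["severity"] = "credential_probe"
        elif len(entry["ports"]) >= scan_ports:
            entry["severity"] = "scan"
        else:
            entry["severity"] = "touch"
    return dict(by_src)


# Constructed sample records (documentation address ranges), not captured data.
SAMPLE_EVENTS = [
    HoneypotEvent(1.0, "192.0.2.10", 21),
    HoneypotEvent(1.1, "192.0.2.10", 22),
    HoneypotEvent(1.2, "192.0.2.10", 23),
    HoneypotEvent(1.3, "192.0.2.10", 80),
    HoneypotEvent(2.0, "198.51.100.7", 21, b"USER admin\r\nPASS admin\r\n"),
    HoneypotEvent(3.0, "203.0.113.5", 25),
]


def serve(bind_ip="127.0.0.1", port=2121, once=False):
    """Listen on one port, record every connection, and print the alert
    state of the peer after each contact. Run the module to try it."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        while True:
            conn, (peer_ip, _) = srv.accept()
            events.append(handle_client(conn, peer_ip, port))
            print(peer_ip, summarize(events)[peer_ip])
            if once:
                return events


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_EVENTS).items():
        print(src, entry["severity"], sorted(entry["ports"]))
    serve(once=True)
```

Two design points follow directly from the answer above: the honeypot holds nothing of value (its only state is the event log), and it cannot be used against other hosts because received bytes are stored, never acted on. Real deployments would ship the events to a log collector off the honeypot host, since an attacker who reaches the box should not be able to erase the record of having done so.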
This was first published in June 2001