A honeypot is primarily an instrument for information gathering and learning. Its purpose is not to serve as an ambush for catching members of the blackhat community in the act and pressing charges against them.
The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself.
All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. This is only the primary purpose of a honeypot; there are many other possible uses, and diverting hackers from production systems or catching a hacker while an attack is in progress are just two examples. Honeypots are not a perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain, and they need operators with good knowledge of operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, inexperienced hands, a honeypot can become just another infiltrated machine and an instrument for the blackhat community.
A honeypot is a kind of intrusion detection system. An Intrusion Detection System (IDS) is a security mechanism whose main function is to detect incorrect, malicious or anomalous activity inside a network.
Such a tool runs constantly in the background and does not cause significant interference with the normal functioning of the network. When it detects a suspicious or illegal action, it can generate a notification to the network administrator. It can also try to interact with hosts, firewalls and routers to prevent or mitigate the actual damage of the incident.
Honeypots are not like firewalls, which are used to limit or control the traffic coming into the network and to deter attacks, nor are they like Intrusion Prevention Systems (IPS), which are used to prevent attacks. However, they can be used alongside both.
Honeypots do not solve a specific problem as such; they can be used to detect attacks, to gather information, to act as an early warning or indication system, and so on. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud.
It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. The basic definition is: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
The main aim of a honeypot is to lure hackers or attackers so as to capture their activities. This information proves very useful, since it can be used to study the vulnerabilities of the system, to study the latest techniques used by attackers, and so on.
For this, the honeypot will contain enough information (not necessarily real) to tempt attackers (hence the name honeypot: a sweet temptation for attackers). Their value lies in the bad guys interacting with them. Conceptually, almost all honeypots work the same way. They are a resource that has no authorized activity; they do not have any production value.
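The defining property just described (a resource with no authorized activity, so every interaction with it is suspect) is what makes honeypot-based detection so simple compared with signature-based IDS. The following added example, which is not code from the original text, shows the idea as a small event processor: it reads constructed connection-log lines, treats any connection to a honeypot address as an alert without needing attack signatures, and builds the kind of per-source summary (first/last seen, ports touched) an operator would want for the "silent collection" of attack patterns. The log format, the honeypot addresses and the sample lines are all assumptions made up for the example.

```python
"""Minimal honeypot event processor (added example, not from the original text).

Assumed log format (constructed for this example):
    "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
The honeypot addresses host no production service, so any connection to
them is unauthorized by definition and needs no signature to be flagged.
"""
import re
from dataclasses import dataclass, field

# Constructed honeypot addresses; in practice these would be the decoy hosts.
HONEYPOT_ADDRS = {"10.0.0.50", "10.0.0.51"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


@dataclass
class SourceSummary:
    """What we learn about one source that touched the honeypot."""
    first_seen: str
    last_seen: str
    hits: int = 0
    ports: set = field(default_factory=set)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def process(lines, honeypots=HONEYPOT_ADDRS):
    """Return (alerts, summaries).

    Every event whose destination is a honeypot becomes an alert: the
    resource has no authorized users, so no pattern matching is required.
    Production traffic is ignored entirely; it is not the honeypot's concern.
    """
    alerts = []
    summaries = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dst"] not in honeypots:
            continue
        alerts.append(ev)
        s = summaries.get(ev["src"])
        if s is None:
            s = summaries[ev["src"]] = SourceSummary(ev["ts"], ev["ts"])
        s.last_seen = ev["ts"]
        s.hits += 1
        s.ports.add(ev["port"])
    return alerts, summaries


def alert_messages(summaries):
    """Render one administrator notification line per suspicious source."""
    return [
        f"honeypot contact from {src}: {s.hits} connection(s), "
        f"ports {sorted(s.ports)}, {s.first_seen} .. {s.last_seen}"
        for src, s in sorted(summaries.items())
    ]


# Constructed sample log: one production connection, several honeypot
# contacts from two sources, and one malformed line.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 192.0.2.10 -> 10.0.0.5:443 tcp",
    "2024-01-01T10:00:05Z 198.51.100.7 -> 10.0.0.50:22 tcp",
    "2024-01-01T10:00:06Z 198.51.100.7 -> 10.0.0.50:23 tcp",
    "2024-01-01T10:00:09Z 198.51.100.7 -> 10.0.0.51:22 tcp",
    "2024-01-01T10:01:00Z 203.0.113.9 -> 10.0.0.51:445 tcp",
    "this line is not a connection record",
]

if __name__ == "__main__":
    _, summ = process(SAMPLE_LOG)
    for msg in alert_messages(summ):
        print(msg)
```

The point of the example is the absence of any attack signature in `process`: the only test is "did this touch the decoy?", which is why honeypot alerts carry so little false-positive noise compared with a network IDS watching production traffic.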