Deception Technologies and Physical Security
Key Takeaways
- A honeypot is a decoy system; a honeynet is a collection of decoys that simulate a broader environment.
- Deception technologies help detect unauthorized activity, study behavior, and slow attackers, but they must be isolated.
- Physical security protects network rooms, cabling, ports, racks, power, cooling, and removable media.
- Controls such as locks, badges, cameras, guards, mantraps, and visitor logs reduce unauthorized physical access.
- Physical access can bypass many logical controls, so network designs should protect both the device and the management path.
Deception and Physical Protection
Not every security control is a firewall rule. Some controls are designed to reveal suspicious behavior. Others protect the physical places where network equipment, cabling, and power exist. Network+ questions often ask which control best detects unauthorized activity or prevents physical access to infrastructure.
Honeypots and Honeynets
| Technology | Meaning | Example |
|---|---|---|
| Honeypot | A decoy system intended to attract or reveal unauthorized activity | Fake SSH server in a monitored network |
| Honeynet | Multiple connected decoy systems | Simulated subnet with fake web, database, and file services |
| Honeytoken | Decoy credential, file, URL, or record | Fake API key that alerts if used |
A honeypot should not hold production data or provide a path into production systems. Its value comes from the fact that legitimate users should rarely interact with it. A connection attempt, login attempt, or file access can be a high-signal event.
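The "fake API key that alerts if used" row above is easy to wire up in practice: register the decoy identifiers in a list that no real user or service ever receives, then treat any log line that carries one as an alert, whether the attempt succeeded or not. The following is an added example (not code from the original page or any particular product); the honeytoken values, the `key=value` log layout and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed honeytoken registry. These identifiers are never issued to real
# users or services, so any log line that carries one is a high-signal event.
# Both the values and the descriptions are made up for this example.
HONEYTOKENS = {
    "AKIAHONEY0000EXAMPLE": "decoy cloud access key planted in a shared notes file",
    "svc_backup_legacy": "decoy service account listed in a file-share ACL",
}

# Constructed sample authentication log lines in a generic key=value layout.
# Two lines are ordinary user activity, three touch honeytokens, one is noise.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z src=10.0.5.23 user=alice result=success",
    "2024-05-01T10:03:40Z src=10.0.5.23 user=alice result=success",
    "2024-05-01T10:07:02Z src=10.0.9.77 user=svc_backup_legacy result=failure",
    "2024-05-01T10:07:05Z src=10.0.9.77 user=AKIAHONEY0000EXAMPLE result=failure",
    "2024-05-01T10:09:30Z src=10.0.9.77 user=svc_backup_legacy result=success",
    "this line is malformed and is skipped by the parser",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    token: str
    result: str
    description: str


def find_honeytoken_use(lines):
    """Return one Alert per log line that references a registered honeytoken.

    Failed and successful uses are both reported: a legitimate user has no
    reason to present the decoy credential at all, so a failure is still a find.
    """
    alerts = []
    for line in lines:
        match = LINE_RE.match(line)
        if match is None:
            continue  # not an auth event in the expected layout
        token = match.group("user")
        if token in HONEYTOKENS:
            alerts.append(Alert(
                timestamp=match.group("ts"),
                source_ip=match.group("src"),
                token=token,
                result=match.group("result"),
                description=HONEYTOKENS[token],
            ))
    return alerts


def sources_by_alert_count(alerts):
    """Group alerts by source address so a responder sees where to look first."""
    return dict(Counter(a.source_ip for a in alerts))


if __name__ == "__main__":
    found = find_honeytoken_use(SAMPLE_LOGS)
    for a in found:
        print(f"{a.timestamp} {a.source_ip} used {a.token} ({a.result}): {a.description}")
    print("by source:", sources_by_alert_count(found))
```

Run against the constructed lines, the detector reports three alerts, all from 10.0.9.77, including the two failed attempts; the `alice` lines produce nothing, which is the point: a honeytoken only fires when someone touches what they were never given.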
Deception Design Choices
| Goal | Design consideration |
|---|---|
| Detect scanning | Place decoys where unauthorized internal scans would find them |
| Study attacker behavior | Capture logs and traffic in an isolated environment |
| Slow attacker movement | Use believable but controlled decoy services and credentials |
| Protect production | Ensure the decoy cannot be used as a pivot into real systems |
| Reduce noise | Avoid placing decoys where normal monitoring or vulnerability scans will constantly trigger alerts |
Deception systems need maintenance. If a fake server has an unrealistic banner, stale operating system details, or no believable services, it may not be useful. If it is too connected, it can become a liability.
Physical Security Controls
| Control | Purpose |
|---|---|
| Locked racks and cabinets | Prevent unauthorized device access, cable moves, or console access |
| Badge access | Restrict entry to network closets, server rooms, and data centers |
| Visitor logs and escorts | Track and supervise non-employees |
| Cameras | Deter and support investigation of physical activity |
| Mantrap | Allows one person through a controlled entry path after authentication |
| Security guard | Human verification, response, and enforcement |
| Cable locks | Protect laptops, small switches, or temporary equipment |
| Port locks or disabled ports | Prevent unauthorized use of wall jacks or switch ports |
Physical access can enable console password recovery, rogue device installation, cable taps, device theft, power interruption, or reset of network gear. A strong network policy can fail if an attacker can walk into a closet and connect directly to a switch.
Environmental and Infrastructure Protection
Network equipment depends on stable power, cooling, and cabling. Physical security includes environmental controls:
- UPS and generator support for power continuity.
- Rack airflow management and temperature monitoring.
- Fire detection and suppression appropriate for electronics.
- Water leak detection in network rooms and data centers.
- Labeling and cable management to reduce accidental disconnects.
- Locked demarcation and telecom spaces.
- Separate paths for redundant circuits where possible.
Scenario Decisions
| Scenario | Best control |
|---|---|
| Unknown devices are plugged into lobby wall ports | Disable unused ports, use NAC, or install port locks |
| Network closet is shared with general storage | Lock and restrict access to the closet |
| Security wants high-signal alerts for lateral movement | Deploy isolated honeypots or honeytokens |
| Data center requires strict single-person entry control | Mantrap with badge or biometric process |
| Switches are frequently unplugged during cleaning | Locked cabinet and cable management |
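The first scenario in the table, unknown devices on lobby wall ports, is usually found after the fact by auditing which switch ports are unused yet still enabled. The following is an added example (not code from the original page or from any switch vendor) that parses a constructed status table in the general shape of a `show interfaces status` listing and flags ports that are not connected but not shut down. The port names, descriptions, VLAN numbers and the site convention that unused ports are parked in VLAN 999 are all assumptions made for the example.

```python
# Constructed output in the style of a switch "show interfaces status" table.
# Port names, descriptions and VLAN numbers are made up for this example.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan
Gi1/0/1   uplink-core        connected    trunk
Gi1/0/2   lobby-kiosk        connected    20
Gi1/0/3   lobby-spare        notconnect   20
Gi1/0/4                      notconnect   999
Gi1/0/5                      disabled     999
Gi1/0/6   conf-room-b        notconnect   1
"""

# Assumed site convention: unused ports are shut down and parked in VLAN 999,
# a VLAN with no gateway and no routed path out.
PARKING_VLAN = "999"


def parse_status(output):
    """Parse the table into dicts with port, name, status and vlan.

    The Name column may be blank, so fields are taken from the two ends of each
    row: the port is the first token, the VLAN the last, the status the one
    before it, and whatever remains in the middle is the description.
    """
    rows = []
    for line in output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated row
        rows.append({
            "port": parts[0],
            "name": " ".join(parts[1:-2]),
            "status": parts[-2],
            "vlan": parts[-1],
        })
    return rows


def audit_unused_ports(output, parking_vlan=PARKING_VLAN):
    """Return (port, reason) for every port that is unused yet still usable.

    An administratively disabled port passes. A port that is merely
    notconnect is flagged, with a stronger reason if it still sits in a
    production VLAN, because anything plugged into it would join that VLAN.
    """
    findings = []
    for row in parse_status(output):
        if row["status"] != "notconnect":
            continue
        if row["vlan"] != parking_vlan:
            findings.append((row["port"], f"enabled, unused, and in production VLAN {row['vlan']}"))
        else:
            findings.append((row["port"], "parked in the quarantine VLAN but not shut down"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_unused_ports(SAMPLE_STATUS):
        print(f"{port}: {reason}")
```

On the constructed table the audit flags Gi1/0/3 (a spare lobby port still in the kiosk VLAN), Gi1/0/4 (parked but not disabled) and Gi1/0/6 (unused, in VLAN 1), while Gi1/0/5 passes because it is administratively disabled. Each finding maps directly to the table's remedies: shut the port down, move it to the parking VLAN, or put NAC or a port lock in front of it.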
Common Traps
- A honeypot is not a backup server or production failover system.
- A honeynet must be isolated from production paths.
- Cameras are detective and deterrent, but they do not physically stop entry by themselves.
- A locked front door does not protect an unlocked network closet in a public hallway.
- Logical controls do not remove the need to secure console ports, racks, and cabling.
A security team wants high-signal alerts when an internal attacker scans for file servers. Which control best fits?
Which controls help protect a network closet? Select three.
What is the main difference between a honeypot and a honeynet?