Deception Technologies and Physical Security
Key Takeaways
- A honeypot is a decoy system; a honeynet is a collection of decoys that simulate a broader environment.
- Deception technologies help detect unauthorized activity, study behavior, and slow attackers, but they must be isolated.
- Physical security protects network rooms, cabling, ports, racks, power, cooling, and removable media.
- Controls such as locks, badges, cameras, guards, access control vestibules, and visitor logs reduce unauthorized physical access.
- Physical access can bypass many logical controls, so designs should protect both the device and the management path.
Deception and Physical Protection
Not every security control is a firewall rule. Some controls reveal suspicious behavior; others protect the physical places where network equipment, cabling, and power live. Network+ asks which control best detects unauthorized activity or prevents physical access to infrastructure.
Honeypots and Honeynets
| Technology | Meaning | Example |
|---|---|---|
| Honeypot | A decoy system meant to attract or reveal unauthorized activity | Fake SSH server in a monitored network |
| Honeynet | Multiple connected decoy systems | Simulated subnet with fake web, database, and file services |
| Honeytoken | A decoy credential, file, URL, or record | Fake API key that alerts when it is used |
A honeypot should not hold production data or provide a path into production systems. Its value comes from the fact that legitimate users should rarely touch it, so a connection attempt, login attempt, or file access is a high-signal event. A honeynet strings several decoys together to look like a believable subnet and observe lateral movement.
Deception Design Choices
| Goal | Design consideration |
|---|---|
| Detect scanning | Place decoys where unauthorized internal scans would find them |
| Study attacker behavior | Capture logs and traffic in an isolated environment |
| Slow attacker movement | Use believable but controlled decoy services and credentials |
| Protect production | Ensure the decoy cannot be used as a pivot into real systems |
| Reduce noise | Avoid placing decoys where normal monitoring or vulnerability scans constantly trigger alerts |
Deception systems need maintenance. A fake server with an unrealistic banner, stale OS details, or no believable services is useless; one that is too well connected becomes a liability and a pivot point. The exam frames deception as a detection control, not a substitute for patching or segmentation.
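The high-signal property described above, together with the "reduce noise" design consideration in the table, can be turned into a small detection rule. The following Python script is an added example, not code from the original page or any product: it assumes a constructed flow-log and API-log format, placeholder decoy addresses, a placeholder honeytoken value, and one authorised vulnerability scanner whose probes against the decoys are expected and therefore suppressed. Any other contact with a decoy host raises an alert, and any use of the honeytoken is critical regardless of source, because a honeytoken has no legitimate use.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of decoy assets (placeholder addresses, not real systems).
# Nothing in production should ever connect to these.
DECOY_HOSTS = {
    "10.20.5.50": "honeypot-ssh",
    "10.20.5.51": "honeypot-smb",
}
# Constructed honeytoken: a fake API key planted on a file share.
HONEYTOKENS = {
    "HONEY-TOKEN-FIN-0001": "honeytoken-api-key-finance-share",
}
# Authorised vulnerability scanner; its probes would only add noise to decoy alerts.
SCANNER_SOURCES = {"10.20.1.9"}


@dataclass
class Alert:
    severity: str
    source: str
    decoy: str
    detail: str


# Constructed log formats: a flow record and an API gateway record.
FLOW_RE = re.compile(r"^FLOW src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
API_RE = re.compile(r"^API src=(?P<src>[\d.]+) key=(?P<key>\S+) path=(?P<path>\S+)$")


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert if the log line shows contact with a decoy, otherwise None."""
    m = FLOW_RE.match(line)
    if m:
        src, dst, dport = m.group("src"), m.group("dst"), m.group("dport")
        if dst not in DECOY_HOSTS:
            return None                      # real asset: not this rule's concern
        if src in SCANNER_SOURCES:
            return None                      # expected scanner traffic: suppressed
        return Alert("high", src, DECOY_HOSTS[dst], f"connection to decoy port {dport}")
    m = API_RE.match(line)
    if m:
        src, key, path = m.group("src"), m.group("key"), m.group("path")
        if key in HONEYTOKENS:
            # Any use of a honeytoken is critical: no legitimate workflow holds it.
            return Alert("critical", src, HONEYTOKENS[key], f"honeytoken used against {path}")
    return None


def scan_logs(lines) -> list:
    """Run every line through the rule and keep only the alerts."""
    return [a for a in (evaluate(line) for line in lines) if a is not None]


# Constructed sample log lines.
SAMPLE_LOGS = [
    "FLOW src=10.20.1.9 dst=10.20.5.50 dport=22",        # scanner probing decoy: suppressed
    "FLOW src=10.20.7.33 dst=10.20.5.50 dport=22",       # workstation touching decoy SSH
    "FLOW src=10.20.7.33 dst=10.20.5.51 dport=445",      # same host moving on to decoy SMB
    "FLOW src=10.20.7.33 dst=10.20.3.10 dport=443",      # real server, ignored here
    "API src=198.51.100.7 key=HONEY-TOKEN-FIN-0001 path=/v1/payroll",  # honeytoken used
    "API src=10.20.7.40 key=REAL-KEY-0001 path=/v1/status",            # ordinary key
]

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.source} -> {a.decoy}: {a.detail}")
```

The two consecutive alerts from the same workstation are exactly the lateral-movement pattern a honeynet is built to expose; in a real deployment the rule would feed a SIEM correlation on the source address rather than just printing.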
Physical Security Controls
Physical access can enable console password recovery, rogue device installation, cable taps, device theft, power interruption, or a factory reset of network gear. A strong network policy fails if an attacker can walk into a closet and connect directly to a switch.
| Control | Category | Purpose |
|---|---|---|
| Locked racks and cabinets | Preventive | Prevent unauthorized device, cable, or console access |
| Badge access | Preventive | Restrict entry to closets, server rooms, data centers |
| Visitor logs and escorts | Detective/administrative | Track and supervise non-employees |
| Cameras (CCTV) | Detective/deterrent | Deter and support investigation |
| Access control vestibule (mantrap) | Preventive | Allow one authenticated person through at a time |
| Security guard | Preventive/detective | Human verification, response, enforcement |
| Cable locks | Preventive | Protect laptops, small switches, temporary gear |
| Port locks / disabled ports | Preventive | Prevent use of wall jacks or switch ports |
| Asset tags and tamper seals | Detective | Reveal theft or unauthorized opening of equipment |
| Biometric reader | Preventive | Strong identity at high-security entries |
Environmental and Infrastructure Protection
Network equipment depends on stable power, cooling, and cabling. Physical security includes environmental controls:
- UPS and generator support for power continuity.
- Rack airflow management (hot-aisle/cold-aisle) and temperature monitoring.
- Fire detection and clean-agent suppression appropriate for electronics, not water-only systems over racks.
- Water leak detection in network rooms and data centers.
- Labeling and cable management to reduce accidental disconnects.
- Locked demarcation and telecom (MDF/IDF) spaces.
- Separate physical paths for redundant circuits where possible.
Scenario Decisions
| Scenario | Best control |
|---|---|
| Unknown devices plugged into lobby wall ports | Disable unused ports, use NAC, or install port locks |
| Network closet shared with general storage | Lock and restrict access to the closet |
| Want high-signal alerts for lateral movement | Deploy isolated honeypots or honeytokens |
| Data center needs strict single-person entry | Access control vestibule with badge or biometric process |
| Switches unplugged during cleaning | Locked cabinet and cable management |
Common Traps
- A honeypot is not a backup server or production failover system.
- A honeynet must be isolated from production paths.
- Cameras are detective and deterrent; they do not physically stop entry by themselves.
- A locked front door does not protect an unlocked network closet in a public hallway.
- Logical controls do not remove the need to secure console ports, racks, and cabling.
Worked Scenario
A branch office reports that a switch in an unlocked utility closet keeps losing power and that an unfamiliar small device appeared plugged into a wall jack in the lobby. Two distinct physical risks are present. First, the unlocked closet allows accidental power loss and unauthorized console access — the fix is a locked rack or cabinet, restricted badge access, and labeled, managed cabling so cleaning staff cannot unplug equipment.
Second, the unknown lobby device is a potential rogue device or packet tap — the fix is to disable unused switch ports, enable NAC so an unprofiled device lands in a quarantine or guest VLAN, and consider port locks on exposed jacks. Notice that neither fix is a firewall rule; both are physical or NAC controls, because the threat is physical proximity to infrastructure. The exam frequently pairs a physical symptom with a tempting but wrong logical answer (for example, 'add a deny ACL') to test whether you recognize that an attacker with console access can reset the device and erase that ACL entirely.
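The lobby-jack half of this scenario combines a preventive check (unused ports should be shut down) with a detective one (an unexpected device appearing on an exposed jack). The Python script below is an added example, not code from the original page or any vendor: it assumes a constructed port inventory that tags each switchport with a location and the device authorised on it, and a constructed MACLEARN log format standing in for whatever the switch actually emits when it learns a new MAC address. Ports that are enabled with no assigned device are reported for shutdown, and any MAC learned on a port it is not authorised for is flagged, with public-area jacks marked for physical inspection as well as NAC quarantine.

```python
import re
from typing import Optional

# Constructed port inventory for one access switch (illustrative only).
# location "public" means the jack sits in an unsupervised area such as the lobby.
PORT_INVENTORY = {
    "Gi1/0/1": {"location": "office", "admin_up": True,  "authorized_macs": {"aa:bb:cc:00:00:01"}},
    "Gi1/0/2": {"location": "office", "admin_up": True,  "authorized_macs": {"aa:bb:cc:00:00:02"}},
    "Gi1/0/3": {"location": "public", "admin_up": True,  "authorized_macs": set()},  # lobby jack, nothing assigned
    "Gi1/0/4": {"location": "public", "admin_up": True,  "authorized_macs": {"aa:bb:cc:00:00:04"}},  # lobby kiosk
    "Gi1/0/5": {"location": "closet", "admin_up": True,  "authorized_macs": set()},  # spare, left enabled
    "Gi1/0/6": {"location": "closet", "admin_up": False, "authorized_macs": set()},  # spare, correctly shut down
}

# Constructed log format for a MAC-address-learned event.
MAC_LEARN_RE = re.compile(r"^MACLEARN port=(?P<port>\S+) mac=(?P<mac>[0-9a-f:]{17}) vlan=(?P<vlan>\d+)$")


def audit_unused_ports(inventory) -> list:
    """Preventive check: a port with no authorised device should not be administratively up."""
    return sorted(p for p, info in inventory.items() if info["admin_up"] and not info["authorized_macs"])


def classify_mac_event(line: str, inventory) -> Optional[dict]:
    """Detective check: flag a MAC learned on a port that was not assigned that device."""
    m = MAC_LEARN_RE.match(line)
    if not m:
        return None
    port, mac, vlan = m.group("port"), m.group("mac"), int(m.group("vlan"))
    info = inventory.get(port)
    if info is None:
        return {"port": port, "mac": mac, "vlan": vlan, "finding": "port missing from inventory",
                "action": "reconcile inventory"}
    if mac in info["authorized_macs"]:
        return None                                      # expected device, nothing to do
    exposed = info["location"] == "public"
    return {
        "port": port, "mac": mac, "vlan": vlan,
        "finding": "rogue device on exposed jack" if exposed else "unexpected device",
        "action": "NAC quarantine and physical inspection of the jack" if exposed else "NAC quarantine",
    }


def run_audit(lines, inventory=PORT_INVENTORY) -> dict:
    """Combine the preventive and detective checks into one report."""
    findings = [f for f in (classify_mac_event(line, inventory) for line in lines) if f is not None]
    return {"ports_to_shutdown": audit_unused_ports(inventory), "findings": findings}


# Constructed sample switch log lines.
SAMPLE_SWITCH_LOGS = [
    "MACLEARN port=Gi1/0/1 mac=aa:bb:cc:00:00:01 vlan=10",  # expected office PC
    "MACLEARN port=Gi1/0/3 mac=de:ad:be:ef:00:01 vlan=10",  # unknown device on the lobby jack
    "MACLEARN port=Gi1/0/4 mac=aa:bb:cc:00:00:04 vlan=20",  # kiosk, authorised
    "MACLEARN port=Gi1/0/5 mac=de:ad:be:ef:00:02 vlan=10",  # unknown device on a spare closet port
]

if __name__ == "__main__":
    report = run_audit(SAMPLE_SWITCH_LOGS)
    print("shut down:", ", ".join(report["ports_to_shutdown"]))
    for f in report["findings"]:
        print(f"{f['port']} {f['mac']}: {f['finding']} -> {f['action']}")
```

The point of separating the two checks is that the preventive one would have removed the lobby finding entirely: had Gi1/0/3 been shut down, the unknown device would never have obtained a link, which is why the scenario lists disabling unused ports before NAC.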
Control Categories
Network+ also groups controls as preventive (stop an event, such as a lock or vestibule), detective (reveal an event, such as cameras or logs), and deterrent (discourage an event, such as signage or visible guards). A single control can span categories — a security guard prevents, detects, and deters.
Practice Questions
- A security team wants high-signal alerts when an internal attacker scans for file servers. Which control best fits?
- Which controls help protect a network closet? Select three.
- What is the main difference between a honeypot and a honeynet?