Know Your Enemy: Building Virtual Honeynets
by Honeynet Project
|Know Your Enemy: Building Virtual Honeynets
by The Honeynet Project
last updated August 20, 2002
This article has been contributed to SecurityFocus by the Honeynet Project. For more information on honeypots and honeynets, please visit the Honeynet Project at http://www.honeynet.org.
Over the past several years, honeynets have demonstrated their value as a security mechanism, primarily to learn about the tools, tactics, and motives of the blackhat community. This information is critical for organizations to better understand and protect against the threats they face. Among the problems with honeynets is that they are resource intensive, difficult to build, and complex to maintain. Honeynets require a variety of both physical systems and security mechanisms to be effectively deployed. However, the Honeynet Project has been researching a new possibility, virtual honeynets. These systems share many of the values of traditional honeynets, but have the advantages of running all the systems on a single system. This makes virtual honeynets cheaper to build, easier to deploy, and simpler to maintain.
What is a Honeynet?
Honeynets are one type of honeypot. A honeypot is a resource who's value is in being probed, attacked or compromised. A honeynet is a high-interaction honeypot, meaning it provides real operating systems for attackers to interact with. This high interaction can teach us a great deal about intruders, everything from how they break into systems to how they communicate and why they attack systems. Honeynets accomplish this by building a network of systems. This network is highly contained, where all inbound and outbound traffic is both controlled and captured. Each system within the network is really a honeypot, a system designed to be attacked. However, these honeypots are fully functional systems, the same found in most organizations today. When these systems are attacked, honeynets capture all of the attacker's activity. This information then teachs a great deal about the threats we face today.
For the technical details on honeynets, you are encouraged to review Know Your Enemy: Honeynets. This paper describes different ways of building virtual honeynets. This is not meant to be a how-to on building virtual honeynets. Detailed how-tos will follow. From this point on, it is assumed you have a understanding of honeynet technologies and their requirements, specifically data control and data capture.
Virtual honeynets take the concept of Honeynet technologies, and implement them into a single system. This article will describe several different ways of building virtual honeynets. This is not meant to be a how-to on building virtual honeynets, such articles will be published at a later date. From this point on, it is assumed that the reader has a understanding of honeynet technologies and their requirements, specifically data control and data capture.
Virtual Honeynets take the concept of honeynet technologies, and implement them into a single system. Virtual honeynets are not a new concept, instead they take the existing concept of Honeynets and implement them in a different fasion. This implementation has its unique advantages and disadvantages over traditional honeynets. The advantages are reduced cost and easier management, as everything is combined on a single system. However, this simplicity comes at a cost. First, you are limited to what types of operating system you can deploy by the hardware and virtualization software. Second, virtual honeynets come with a risk, specifically that an attacker can break out of the virtualization software and take over the Honeynet system, bypassing data control and data capture mechanisms.
There are two types of virtual honeynet: self-contained and hybrid. We will first define these two different types, and then cover the different ways that virtual honeynets can be deployed.
Self-Contained Virtual Honeynet
A self-contained virtual honeynet is an entire honeynet network condensed onto a single computer. The entire network is virtually contained on a single, physical, system. A honeynet network typically consists of a firewall gateway for data control and data capture, and the honeypots within the honeynet. You can see a diagram of such a deployment here. Some advantages of this type of virtual honeynet(s) are:
Virtual honeynets also have several disadvantages, such as:
Hybrid Virtual Honeynets
A hybrid virtual honeynet is a combination of the classic honeynet and virtualization software. Data capture, such as firewalls, and data control, such as IDS sensors and logging, are on a seperate, isolated system. This isolation reduces the risk of compromise. However, all the honeypots are virtually run on a single box. You can see a diagram of such a deployment here. Some advantages to this setup are:
Among the disadvantages of self-contained virtual honeypots is that they are:
Hybrid virtual honeynets can allow you to leverage the flexibility of classic honeynets and let you increase the amount of honeypots by using virtualization software. Now that we have defined the two general categories of virtual honeynets, let's highlight some of the possible ways to implement a virtual honeynet. Here we outline three different technologies will that allow you to deploy your own. Undoubtedly there are other options, such as Bochs; however, the Honeynet Project has used and tested all three methods. No one solution is better then the other. Instead, they each have their own unique advantages and disadvantages, it is up to you to decide which solution works best. The three options we will now cover are VMware Workstation, VMware GSX Server, and User Mode Linux.
VMware Workstation VMware Workstation is made for the more casual user. It is a long-used and well-established virtualization option that is available for Linux and Windows platforms. Some advantages to using VMware Workstation as a virtual honeynet include:
Some disadvantages of VMware Workstation include:
You can learn more about deploying a self-contained virtual honeynet using VMware Workstation at http://online.securityfocus.com/infocus/1506.
VMware products also have some nice features, like the ability to suspend a virtual machine. You are able to pause the VM, and when you take it out of suspension, all the processes go on like nothing happened. In our research, a system was once compromised and the intruder started an ICMP fragment attack. The intruder was also logged into IRC servers. We did not want to cut the connection because we would lose valuable information. So we suspended the VM, adjusted the firewall to block the attack, then brought the VM back up.
An interesting use of VMware, and other virtualization software too, is the ease and speed of bringing up VMs. Once a honeynet is compromised, and we have learned as much as we can from it, we want to start over. With a virtual honeynet, all we have to do is copy files or use the undoable disk or nonpersistent disk feature in VMware Workstation to discard any changes made. Another feature of VMware Workstation is the ability to run several networks behind the HostOS. So if you only have one box, you can have your honeynet and personal computers all on the same box without worrying about data pollution on either side.
If you would like to learn more about VMware and its capabilities for honeypot technology, check out Kurt Seifiried's excellent paper Honeypotting with VMware - The Basics.
VMware GSX Server
The VMware GSX Server is a heavy-duty version of VMware Workstation. It is meant for running many higher-end servers. As we will see, this is perfect for use as a honeynet. GSX runs on Linux and Windows, advantages include:
Some disadvantages of VMware GSX Server include:
VMware also makes an VMware ESX server. Instead of being just a software solution, ESX Server runs in hardware of the interface. ESX Server provides its own virtual machine OS monitor that takes over the host hardware. This allows more granular control of resources allocated to virtual machines, such as CPU shares, network bandwidth shares and disk bandwidth shares, and it allows those resources to be changed dynamically. This product is even higher end then GSX Server. Some of its features are: it can support multiple processors, more concurrent virtual mahcines (up to 64 VMs), more host memory (up to 64GB) and more memory per virtual machine (up to 3.6GB) than GSX Server.
User Mode Linux
User Mode Linux is a special kernel module that allows you to run many virtual versions of linux at the same time. Developed by Jeff Dike, UML gives you the ability to have multiple instances of Linux, running on the same system at the same time. It is a relatively new tool with great amounts of potential. Some advantages to using User Mode Linux are:
Some disadvantages are:
The purpose of this paper was to define what a virtual honeynet is, the different types, and options for deploying them. Virtual honeynets take the technology of a honeynet and combine them on a single system. This makes them cheaper to build, easier to deploy, and simpler to maintain. However, they also share common disadvantages, including a single point of failure and limitation with both the physical hardware and virtual software. It is up to you to decide which solution is best for your environment. In the future, we intend to develop documentation detailing how to deploy these technologies.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.