Understanding Virtual Honeynets
Who is the enemy?
How do you know who your enemy is? A common misconception in many organizations today is that the internal network need only be protected from external intruders attempting intrusion from the internet. Intruders are not only on the internet; they can also be working for the organization itself. Failing to recognize this vital fact can cause the organization to lose critical data. If a user employs a simple ping to plot the path to a server for which that user has no permissions, the action can be considered an intrusion attempt. Many people will argue that this stance is overly paranoid, yet on a multitude of occasions intruders have been identified while using typical TCP/IP troubleshooting utilities to plot the path to the network. Some intruders use this as a vantage point, clarifying which machines are attached to the network and how routing is done. The other reason for this plotting is that each plotted point can then be fingerprinted to identify the operating system running on that machine, so that its vulnerabilities can be identified and leveraged. It cannot be stressed enough that intruders can be both internal and external, and that setting traps only for external intruders will leave a flaw in your intrusion detection strategy. Honeynets give organizations a better understanding of the typical intruders and of the attempts made on their systems. This type of information identifies the intruder and paints a profile of the methods and tactics the intruder may be using. Knowing who the intruder is may help you set criteria and countermeasures that funnel these potential attacks into a dead-end network. This is very important and is an integral part of designing your network with security in mind.
Honeypots and honeynets may consume resources at a considerable rate and tie up usable equipment, but for large organizations that are serious about security this should be a non-issue. The other challenge is the maintenance and complexity of the system. I would recommend a very useful tool called VMware, as it will save on hardware costs. The resource intensiveness causes many organizations to lose focus and undervalue the usefulness of a well-built and maintained honeynet; this factor can even influence whether a honeynet is deemed necessary at all. Creating a virtual honeynet entails loading multiple operating systems onto one hardware system using virtual machine software like VMware. This methodology allows the construction of a fully fledged multi-service system. The cost advantages of running multiple operating systems and services on one machine are great, and you are able to create a DMZ network on only one machine. A hardware-based honeynet is essentially a software-based honeynet partitioned over multiple hardware systems. This methodology increases the cost of the honeynet project considerably and is the main factor that throws many organizations off the honeynet path. Simplicity is of the highest value in any regard and should be viewed favorably when deciding on the deployment of a honeynet. For this reason it is clear why virtual honeynets triumph over hardware-based honeynets. Knowing that a honeynet can be built on a single system with only average software and hardware capabilities opens countless doors in the security environment. Many security professionals have long awaited this now maturing technology.
A virtual honeynet can combine multiple operating systems onto a single system. The value of this technology becomes evident when security administrators find it efficient and cost-effective to deploy multiple operating system instances, aggregated into an entire network, to simulate an enterprise environment seeded with enticing data. This honeynet then starts to attract intruders in droves, and bear in mind that this is meant to happen.
Before we can know what a honeynet is we need to know what a honeypot is. A honeypot is a system on an isolated network that has been designed with the intent of capturing intruders and logging their movements within the attacked isolated network. All traffic entering and leaving the honeypot is logged. A honeypot is one system in the isolated network; a honeynet is many honeypots comprising a network. A virtual honeynet is one machine running multiple instances of an operating system, each providing different services, to simulate a full network. Security administrators now have a use for obsolete hardware.
The diagram depicts a single honeypot system on the left and a virtual honeynet system on the right.
The diagram above depicts honeynet and honeypot positioning.
What are virtual honeynets?
A virtual honeynet is a system that makes it possible for the security professional to run all the services a typical network would run on a single computer system, using a technology like virtual machines or Java operations. An application package like VMware is used to construct a virtual honeynet: the system comprises a machine running a base operating system, VMware running on that base, and multiple operating systems installed within the VMware environment to emulate an entire network on one machine. Creating multiple machines on one computer system leads the intruder to feel that he has stumbled upon an unprotected network on the internet. This configuration should have verbose logging enabled to allow you to decipher what form of attack the intruder is attempting.
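The verbose logging described above is only useful if someone reads it. The following script is an added example, not part of the original white paper or of any VMware product: it groups constructed honeynet traffic log lines by source address and labels the reconnaissance pattern each source exhibits, distinguishing the traceroute-style path plotting and host fingerprinting discussed under "Who is the enemy?" from simple service probing. The log format, the sample addresses and the thresholds are assumptions made for this example.

```python
"""Profile intruder reconnaissance from constructed honeynet traffic logs.

Every connection into a honeynet is suspect by design, so the point is not
to decide whether traffic is hostile but to characterise it: does the source
map the network (many hosts touched), probe services on one host (many
ports), or plot a path with low-TTL ICMP echoes (traceroute behaviour)?
"""
import re
from collections import defaultdict

# Constructed sample log lines (not captured from any real system).
# Assumed line format: "<time> <src_ip> -> <dst_ip> <proto> <detail>"
SAMPLE_LOG = """\
2003-04-01T02:14:01 10.0.9.5 -> 192.0.2.10 ICMP echo ttl=1
2003-04-01T02:14:01 10.0.9.5 -> 192.0.2.10 ICMP echo ttl=2
2003-04-01T02:14:02 10.0.9.5 -> 192.0.2.10 ICMP echo ttl=3
2003-04-01T02:14:09 10.0.9.5 -> 192.0.2.11 ICMP echo ttl=64
2003-04-01T02:14:10 10.0.9.5 -> 192.0.2.12 ICMP echo ttl=64
2003-04-01T02:14:10 10.0.9.5 -> 192.0.2.13 ICMP echo ttl=64
2003-04-01T02:15:30 198.51.100.7 -> 192.0.2.10 TCP dport=21
2003-04-01T02:15:30 198.51.100.7 -> 192.0.2.10 TCP dport=22
2003-04-01T02:15:31 198.51.100.7 -> 192.0.2.10 TCP dport=25
2003-04-01T02:15:31 198.51.100.7 -> 192.0.2.10 TCP dport=80
2003-04-01T02:15:31 198.51.100.7 -> 192.0.2.10 TCP dport=443
2003-04-01T02:16:00 198.51.100.7 -> 192.0.2.10 TCP dport=110
2003-04-01T03:00:00 203.0.113.9 -> 192.0.2.12 TCP dport=80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+) (?P<detail>.*)$"
)

# Thresholds are assumptions for this example; tune them to the honeynet size.
MAPPING_HOSTS = 3        # distinct honeynet hosts touched -> network mapping
PROBE_PORTS = 5          # distinct TCP ports on one host -> service probing
TRACEROUTE_TTL_MAX = 3   # ICMP echo with ttl <= this -> path plotting


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def profile_sources(text):
    """Build {src: {'hosts': set, 'ports': {dst: set}, 'low_ttl': int}}."""
    profiles = defaultdict(
        lambda: {"hosts": set(), "ports": defaultdict(set), "low_ttl": 0}
    )
    for rec in parse_log(text):
        p = profiles[rec["src"]]
        p["hosts"].add(rec["dst"])
        if rec["proto"] == "TCP":
            m = re.search(r"dport=(\d+)", rec["detail"])
            if m:
                p["ports"][rec["dst"]].add(int(m.group(1)))
        elif rec["proto"] == "ICMP":
            m = re.search(r"ttl=(\d+)", rec["detail"])
            if m and int(m.group(1)) <= TRACEROUTE_TTL_MAX:
                p["low_ttl"] += 1
    return profiles


def classify(profiles):
    """Map each source address to the set of reconnaissance labels it earned."""
    labels = {}
    for src, p in profiles.items():
        tags = set()
        if p["low_ttl"] > 0:
            tags.add("path-plotting")
        if len(p["hosts"]) >= MAPPING_HOSTS:
            tags.add("network-mapping")
        if any(len(ports) >= PROBE_PORTS for ports in p["ports"].values()):
            tags.add("service-probing")
        labels[src] = tags or {"single-touch"}
    return labels


if __name__ == "__main__":
    for src, tags in sorted(classify(profile_sources(SAMPLE_LOG)).items()):
        print(f"{src:15} {', '.join(sorted(tags))}")
```

On the constructed sample, 10.0.9.5 is labelled both path-plotting (three low-TTL echoes) and network-mapping (four honeynet hosts touched), 198.51.100.7 is labelled service-probing (six ports on one host), and 203.0.113.9 earns only single-touch. Real honeynet logs would be fed in from the gateway's capture rather than from an embedded string, and the labels would feed the intruder profile the paper describes.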
Virtual honeynet advantages
- Facilitates easier central management.
- Consolidated Honeynet system.
- Low cost, as only one machine is required.
Virtual honeynet disadvantages
- Operating system limitations in accordance with the virtual machine software's capabilities.
- Limited platforms; most virtual machine products support only x86 platforms.
- Centrality: if the intruder knows that the system is a honeynet he will be able to dismantle the whole system with one blow.
Designing a Virtual Honeynet
A virtual honeynet can consist of an entire honeynet consolidated onto a single computer system. This means that your gateway, firewall, mail server, web server, DNS, and miscellaneous services will run on one machine emulating an entire organization's LAN environment. The honeynet can be designed to be portable: portable virtual honeynets are honeynets installed on a portable machine such as a notebook, which can easily be transported to any location. There are many advantages to this, as it comes at a reasonable cost and saves a large amount of space compared to traditional honeynets. The disadvantages are that there is a single point of failure, which can be countered by clustering two machines running identical configurations and by thinking out a comprehensive failover strategy, and that virtual machine software is somewhat expensive and limited to platform-specific environments.
To design a virtual honeynet we need to become familiar with technologies like VMware Workstation, VMware GSX Server, and User Mode Linux.
VMware Workstation
This system is designed for desktop environments and supports both Windows and Linux platforms. It is easy to use and simplifies honeynets on desktop-type machines. The limitation is that a maximum of only four machines can be run using the VMware Workstation version. Fingerprinting has become an issue and seems to make life easier for intruders when probing a virtual honeynet built on virtualization software. The software configuration can be altered within VMware to counter fingerprinting, but this is outside the scope of this document. The whole idea of a honeynet is not to secure it but to make it attractive so that intruders attack it. It then becomes a springboard allowing security professionals to educate themselves about the tactics used by intruders.
VMware GSX Server
VMware GSX Server is an industrial version of VMware and allows many more virtual machines to run on one computer system. It is also the preferred system to use for honeynets, and currently many large corporations run it as their honeynet solution. It provides a higher level of cross-platform support, covering more operating systems than VMware Workstation, including 95, 98, NT, 2000, XP and .NET Server and various Linux flavors. This version also has no X Window overhead and can be managed through a web interface with the capability of stopping and starting the respective operating systems remotely. Remote control is also a feature of this software. This all comes at a cost, but that should not deter the organization, as it is a necessary technology for ensuring the security of your LAN.
User Mode Linux
User Mode Linux can be defined as a kernel module that enables many virtual instances of Linux to run at the same time. In essence a user can have many versions of Linux running on the same computer system simultaneously. This system uses very few resources, as it has a very small footprint and does not use the X Window system like VMware does. All keystrokes are logged in the normal Linux way. There is no commercial support. Remote terminal access is possible, but there is no GUI support for installation and configuration. It is a little buggy at times but nonetheless costs very little to get up and running.
Comparatively speaking, VMware leads in this arena when it comes to virtual machines. However, with open source code such as that found on Linux platforms, there is a rapid move towards using lower-cost software to replace costly mainstream environments. R&D should be a big part of honeynetting, and before implementing a honeynet in any environment it should be thoroughly tested in a lab environment on different technologies.
This white paper serves as a reference and purposely highlights the definitions of virtual honeynets with the intention of enabling the reader. Many organizations take the view that it may not be necessary to know what your typical intruders are doing. Taking this approach is equivalent to pushing a blind person into a shark tank. It is of paramount importance to know the different types of honeynets and to understand the best method of deploying them, customized to the respective organization's needs. Knowing the difference between virtual honeynets and traditional honeynets allows a swift decision to be made about using a honeynet, as it becomes apparent that the capital and resources required to build a state-of-the-art virtual honeynet are very affordable for most organizations.