Honeynet Project: What a Honeynet Is
The concept of honeypots has been around for years. Simply put, honeypots are systems designed to be compromised by an attacker. Once compromised, they can be used for a variety of purposes, such as an alerting mechanism or deception. Honeypots were first discussed in a couple of very good papers by several computer security icons: Cliff Stoll's Cuckoo's Egg 1 , and Steve Bellovin and Bill Cheswick's "An Evening with Berferd." 2 Both instances used jail-type technology to capture an intruder's sessions and to monitor in detail what the intruder was up to. The term honeypot came later, but the same intent applies: setting up one or more systems that seem attractive to network intruders but are also capable of monitoring to a fine degree what is going on. By monitoring activity through a honeypot, you can identify the problem and be reasonably sure that you know how the intruder(s) got in and what they are doing on the compromised system. Traditionally, a honeypot has been a single system connected to an existing production network in order to lure attackers. Figure 2-1 shows a single physical system placed in an internal network. This single system can then emulate various systems or vulnerabilities.
Figure 2-1 A traditional stand-alone honeypot
A variety of products or solutions allow you to create your own honeypot. Such options include:
Fred Cohen's Deception Toolkit ( http://www.all.net/dtk/index.html)
Cybercop Sting ( http://www.pgp.com/products/cybercop-sting/default.asp)
Recourse Mantrap ( http://www.recourse.com/products/mantrap/trap.html)
Each of these applications has its own interpretation of what a honeypot is and how it should be used.
For example, the Deception Toolkit, commonly called DTK, is a collection of scripts that emulate various known vulnerabilities. One such simulated vulnerability in DTK is an old Sendmail vulnerability that hands out a fake password file. These scripts are then run on a host system. The attacker gets suckered into taking this fake password file and spending valuable time cracking passwords that are not real. The purpose of the toolkit is deception. This toolkit is also excellent for alerting and learning about known vulnerabilities.
Although such an approach is useful, keep in mind that one of the main goals of the Honeynet Project is to learn about unknown vulnerabilities. With the Deception Toolkit, you are limited to learning about what is already known.
Cybercop Sting is a honeypot that runs on NT emulating an entire network by replicating the IP (Internet Protocol) stacks of various operating systems. A blackhat could scan an entire network and find 15 systems available, each with a different IP address. However, all 15 virtual systems are contained within the one physical honeypot machine. Both the systems and the IP stacks are emulated. The advantage here is that you can quickly and easily replicate an entire network, allowing you to track trends. However, the problem is that you can emulate only limited functionality, such as a TELNET login or an SMTP (Simple Mail Transfer Protocol) banner. The blackhat community has no real operating system to access and interact with beyond that facade.
We wanted to learn everything possible, such as what happens once a system is compromised. We wanted the keystrokes and the system logs of a compromised system. In other words, we wanted our attackers to be able to fully exploit and take over their targets so we could zoom in afterward and learn as much as possible. Given their limited emulation capabilities, products like Cybercop Sting cannot provide that information.
Recourse Mantrap, a commercial product that comes close to the functionality of a Honeynet, does not replicate an operating system but instead runs an image of an operating system within another one. This so-called "jail" has a great advantage in that a real operating system is running. Unknown vulnerabilities can be learned, and the blackhat has a complete OS (operating system) to interact with once the system is compromised. However, you are limited to operating systems that the vendor can provide. For example, you may want to use HPUX or perhaps a network device, such as an Alteon switch. Also, you, the user, still must solve the problem of how to contain the blackhat once the system is compromised. The Recourse Mantrap does not have the capability to limit blackhat activity. An attacker could use the compromised honeypot as a jumping-off point to attack additional systems. The product has excellent data-capture functionality but lacks the ability for detailed data control.
Most of these solutions share the problem of detectable signatures. It may be possible to identify these products based on signatures they leave, allowing moderate or advanced blackhats to realize the deception and move on to safer targets. All these solutions have excellent potential but only for specific requirements. None of them met all our requirements for the Honeynet Project. We wanted a flexible environment in which nothing was emulated, the systems were the same as those found on the Internet, and we could capture the activity of blackhats from beginning to end. Additionally, we did not want to endanger any other systems on the Internet, so we needed a solution that couldn't be used as a jumping-off point for an attack. We devised our own solution to meet all these requirements.