Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Books Media Book Reviews IT

Virtual Honeypots 50

rsiles writes "Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots. Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review.
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
author Niels Provos and Thorsten Holz
pages 440
publisher Addison-Wesley Professional
rating THE current reference about honeynet technologies and solutions.
reviewer Raul Siles
ISBN 0321336321
summary improve your capabilities with easy to deploy virtual honeypot solutions
The detection of honeypots has always been one of the main concerns in the honeynet community, because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light tips and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.

The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypot types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.

The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.

From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developers/architects for honeyd (chapter 4 and 5) and nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about, and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).

The book includes some extra material covering academic and research hybrid solutions still in their early stages, which can give you and idea of where these technologies are evolving to and the major challenges we are facing now. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.

Finally, one of the main expansion areas we are involved today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.

Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.

If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time.

I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, definitely it has been replaced by this book, written by two project members.

You can purchase Virtual Honeypots: From Botnet Tracking to Intrusion Detection from Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Virtual Honeypots

Comments Filter:
  • by Anonymous Coward on Wednesday July 30, 2008 @03:13PM (#24406833)

    Useful honeypots are patched to the level of the rest of your computers/servers on your network. Then you simply watch traffic running to (and from) them, because by default, they should have no traffic. (minus the broadcasts and regular auto discovery packets) You know that any traffic to and from this box is suspicious on the grounds that it is not actually used for anything.

    Honeypots are NOT unpatched boxes completely exposed to the internet for all to attack. Unless you are into malware/virus research. Even then, patching allows you to keep up with the latest threats. If your patched box got owned, you need to look at it =)

  • O.o (Score:3, Informative)

    by SatanicPuppy ( 611928 ) * <> on Wednesday July 30, 2008 @04:07PM (#24407619) Journal

    I don't think that "Honeypot" means what you think it means. Having a honeypot on a "real" server would be like having a live chemical weapons training course in your house.

    The whole point is study, and possibly early warning. I've got a "honeypot" (I'd call it a "canary") set up on my corporate DMZ which is made to look roughly like one of my second tier financial machines; it's only there to scream bloody murder if someone tries to log into it.

    If someone does log into it, they'll know immediately it's a decoy, because the only thing running on it is a process which listens and responds on a few select ports to make it look like real stuff is running on the machine.

    That's about the sum total usefulness of a honeypot for anyone who is interested in anything besides watching the methods to pwn machines evolve. It has nothing to do with exposing actual useful information to anyone.

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.