Why virtual honeypots are sweet

A honeypot is simply a “closely monitored computing resource that we want to be probed, attacked or compromised,” Niels Provos and Thorsten Holz tell us in their new book, Virtual Honeypots.

Honeypots can capture information about illicit use, attacks and possibly detect vulnerabilities not well understood. The latest models of them, virtual honeypots, are simply those that run in virtualized environments, such as VMware.

In an interview with Network World Senior Editor Ellen Messmer, Provos (a senior staff engineer at Google who’s credited with developing the open-source honeypot Honeyd) and Holz (founder of the German Honeynet Project and graduate student at the University of Mannheim’s Laboratory for Dependable Distributed Systems) discuss the latest in tools for building virtual honeypots.

So what’s a virtual honeypot?

Provos: Honeypot technology can be used for botnet-tracking or malicious code collection, among other things, and the difference with a virtual honeypot is the convenience in remotely administering it. From the network point of view, the virtual honeypot looks exactly like a physical machine. You can have a low-interaction honeypot, which usually only exposes select network services, or a high-interaction honeypot using a complete operating system virtualized in the network layer.

Holz: You can use a honeypot to protect the clients in your network or detect an insider threat.

Do you need special tools for virtual honeypots?

Holz: You can use available tools and they run in the guest operating system.

In your book, you discuss some of the latest honeypot tools. For instance, you mention client honeypots, particularly the HoneyClient virtual machine tool developed by engineer Kathy Wang to detect attacks on Windows clients.

Holz: You’ll find a lot on that at www.honeyclient.org and it’s a Mitre project.

Other tools are Capture, Nepenthes and Honeyd. Nepenthes is a tool for emulation of vulnerabilities in network services that’s used in the German Honeynet Project and we’re working closely with the University of Aachen on this. At Aachen, we run it for protection. It’s a building block for security. Some ISPs use our tools to detect signs of infected users.

The book also mentions Argos, developed at the Vrije Universiteit Amsterdam in the Netherlands. What’s Argos?

Provos: With Argos, you can detect a new attack without a signature. The Argos people did information-flow tracking or ‘tainting’ to figure out if any information sent to the honeypot ends up influencing it inside.

And what’s this tool called Billy Goat?

Holz: The basic idea is to simulate the vulnerable network services. Billy Goat is closed source, developed by IBM, and deployed at IBM.

And what about two other tools you mention, Collapsar and the Potemkin Virtual Honeyfarm?

Provos: With Collapsar, from Purdue, the idea is being able to deploy nodes all over the Internet but the analysis is centralized. The Potemkin Virtual Honeyfarm, developed by researchers at the University of California, offers a lot of addresses on a network and provides high-profile addresses for all of them. It’s a lightweight system of honeypots, of cloned honeypots. I don’t believe it’s open source at this point.