Know Your Enemy:
Defining Virtual Honeynets

Different types of Virtual Honeynets.

Honeynet Project
Last Modified: 27 January, 2003

Over the past several years Honeynets have demonstrated their value as a security mechanism, primarily to learn about the tools, tactics, and motives of the blackhat community. This information is critical for organizations to better understand and protect against the threats they face. One of the problems with Honeynets is they are resource intensive, difficult to build, and complex to maintain. Honeynets require a variety of both physical systems and security mechanisms to effectively deploy. However, the Honeynet Project has been researching a new possibility, virtual Honeynets. These systems share many of the values of traditional Honeynets, but have the advantages of running all the systems on a single system. This makes virtual Honeynets cheaper to build, easier to deploy, and simpler to maintain.

What is a Honeynet
Honeynets are one type of honeypot. A honeypot is a resource who's value is in being probed, attacked or compromised. A Honeynet is a high-interaction honeypot, meaning it provides real operating systems for attackers to interact with. This high interaction can teach us a great deal about intruders, everything from how they break into systems to how they communicate and why they attack systems. Honeynets accomplish this by building a network of systems. This network is highly contained, where all inbound and outbound traffic is both controlled and captured. Each system within the network is really a honeypot, a system designed to be attacked. However, these honeypots are fully functional systems, the same found in most organizations today. When these systems are attacked, Honeynets capture all of the attacker's activity. This information then teachs a great deal about the threats we face to day. For the technical details on Honeynets, you are encouraged to review Know Your Enemy: Honeynets. This paper describes different ways of building Virtual Honeynets. This is not meant to be a HOWTO on building Virtual Honeynets. Detailed HOWTO's will follow. From this point on, it is assumed you have a understanding of Honeynet technologies and their requirements, specifically Data Control and Data Capture.

Virtual Honeynets
So, what is a Virtual Honeynet? Its a solution that allows you to run everything you need on a single computer. We use the term virtual because it all the different operating systems have the 'appearance' to be running on their own, independent computer. These solutions are possible because of virtualization software that allows running multiple operating systems at the same time, on the same hardware. Virtual Honeynets are not a radically new technology, they simply take the concept of Honeynet technologies, and implement them into a single system. This implementation has its unique advantages and disadvantages over traditional Honeynets.

The advantages are reduced cost and easier management, as everything is combined on a single system. Instead of taking 8 computers to deploy a full Honeynet, you can do it with only one. However, this simplicity comes at a cost. First, you are limited to what types of operating system you can deploy by the hardware and virtualization software. For example, most Virtual Honeynets are based on the Intel X86 chip, so you are limited to operating systems based on that architecture. You most likely cannot deploy an Alteon switch, VAX, or Cray computer within a virtual Honeynet. Second, virtual Honeynets come with a risk. Specifically, an attacker may be able to compromise the virtualization software and take over the entire Honeynet, giving them control over all the systems. Last, there is the risk of fingerprinting. Once the badguys have hacked the systems within your virtual Honeynet, they may be able to determine the systems are running in a virtual environment.

We have broken Virtual Honeynets into two categories, Self-Contained and Hybrid. Of the two, Self-Contained are the more common. We will first define these two different types, and then cover the different ways virtual Honeynets can be deployed.

Self-Contained Virtual Honeynet
A Self-Contained Virtual Honeynet is an entire Honeynet network condensed onto a single computer. The entire network is virtually contained on a single, physical, system. A Honeynet network typically consists of a firewall gateway for Data Control and Data Capture, and the honeypots within the Honeynet. You can see a Diagram of such a deployment here. Some advantages of this type of virtual Honeynet(s) are:

There are some disadvantages:

Hybrid Virtual Honeynet
A Hybrid Virtual Honeynet is a combination of the Classic Honeynet and Virtualization software. Data Capture, such as firewalls, and Data Control, such as IDS sensors and logging, are on a seperate, isolated system. This isolation reduces the risk of compromise. However, all the honeypots are virtually run on a single box. You can see a diagram of such a deployment here. The advantages to this setup are:

Some disadvantages are:

Possible Solutions
Now that we have defined the two general categories of virtual Honeynets, let's highlight some of the possible ways to implement a virtual Honeynet. Here we outline three different technologies will that allow you to deploy your own. Undoubtedly there are other options, such as Bochs, however the Honeynet Project has used and tested all three methods. No solution is better then the other. Instead, they each have their own unique advantages and disadvantages, its up to you to decide which solution works best. The three options we will now cover are VMware Workstation, VMware GSX Server, and User Mode Linux.

VMware Workstation
VMware Workstation is a long used and established Virtualization option. Its designed for the desktop user and is available for Linux and Windows platforms. Advantages to using VMware Workstation as a Virtual Honeynet are:

Some disadvantages are:

VMware products also have some nice features, like the ability to suspend a Virtual Machine. You are able to pause the VM, and when you take it out of suspension, all the processes go on like nothing happened. Once a system was compromised and the intruder started an ICMP fragment attack. The intruder was also logged into IRC servers. We did not want to cut the connection because we would lose valuable information. So we suspended the VM, adjusted the firewall to block the attack, then brought the VM back up. An interesting use of VMware, and other virtualization software too, is the ease and speed of bringing up VM's. Once a honeynet is compromised, and we learned as much as we can from it, we want to start over. With a Virtual Honeynet, all we have to do is copy files or use the undoable disk or nonpersisten disk feature in VNware Workstation to discard any changes made. Another feature of Vmware Workstation is the ability to run several networks behind the HostOS. So if you only have 1 box, you can have your honeynet and personal computers all on the one box without worrying about data pollution on either side. If you would like to learn more about VMware and its capabilities for honeypot tecnology, check out Kurt Seifiried's excellent paper Honeypotting with VMware - The Basics. Also, Monitoring VMware Honeypots by Ryan Barnett.

VMware GSX Server
The VMware GSX Server is a heavy-duty version of VMware Workstation. It is meant for running many higher end servers. As we will see, this is perfect for use as a Honeynet. GSX Server currently runs on Linux and Windows as a Host OS. If you would like to learn more about deploying Virtual Honeynets on GSX, check out the paper Know Your Enemy: Learning with VMware. Advantages:

Some disadvantages are: VMware also makes an VMware ESX Server server. Instead of being just a software solution, ESX Server runs in hardware of the interface. ESX Server provides its own virtual machine OS monitor that takes over the host hardware. This allows more granular control of resources allocated to virtual machines, such as CPU shares, network bandwidth shares and disk bandwidth shares and it allows those resources to be changed dynamically. This product is even higher end then GSX Server. Some of its features are: It can support multiple processors, more concurrent virtual mahcines (up to 64 VMs), more host memory (up to 64GB) and more memory per virtual machine (up to 3.6GB) than GSX Server.

User Mode Linux
User Mode linux is a special kernel module that allows you to run many virtual versions of linux at the same time. Developed by Jeff Dike, UML gives you the ability to have multiple instances of Linux, running on the same system at the same time. It is a relatively new tool with great amounts of potential. You can learn in detail how to deploy your own UML Honeynet in the paper Know Your Enemy: Learning with User-Mode Linux. Some advantages to using User Mode Linux are:

Some disadvantages are:


The purpose of this paper was to define what a Virtual Honeynet is, the different types, and options for deploying them. Virtual Honeynet take the technology of a Honeynet and combine them on a single system. This makes them cheaper to build, easier to deploy, and simpler to maintain. However, they also share common disadvantages, including a single point of failure and limitation with both the physical hardware and virtual software. Its up to you to decide which solution is best for your environment. In the future, we intend to develop documentation detailing how to deploy these technologies.

The Honeynet Project