Do-It-Yourself Honeynet

1 April 2005

The Honeynet Project has recently announced the release of a new second generation Honeynet Gateway, or ‘Honeywall’. This new release is a bootable CD running a slimmed down, hardened version of the Linux operating system. It is simple to use and easy to configure. The CD loads and configures all of the tools needed to monitor a hacker attempting to break into a network of honeypots.

Older versions of the software released by the Honeynet Project were designed to run on the host that organisations wanted the hackers to attack. Now, using the Honeywall CD, the software is deployed as a gateway to the target system or a target network of ‘Honeypots’. All traffic destined for the honeynet network must pass through the Honeywall, and as such it is now relatively simple to monitor and understand even the most complex attacks.

What was previously a laborious and complicated task has now been greatly simplified, and we would encourage anyone interested in honeynet technologies to download a copy of the Honeywall gateway and get started. An ISO image can be downloaded from www.honeynet.org/tools/cdrom. The new design brings with it many advantages. Before this latest release it was necessary to download, compile, install and configure each individual piece of software that makes up a Honeynet, not a simple task by anyone’s standards.

Running multiple complex tools simultaneously generally requires long periods of testing in order to guarantee an error-free operating environment, never mind smooth performance. 

The Honeywall CD alleviates these configuration concerns by preloading all of the required software, thus allowing for a faster and easier deployment and for simpler management through a graphical user interface. It is also possible to load a previous Honeywall configuration by loading variables from a floppy disk.

For more advanced users, the Honeywall CD also provides the ability to customise the configuration environment, so it is possible to pre-configure your Honeywall CD image prior to creating the actual CD. This customisation allows an organisation to create a Honeywall that exactly fits its specific needs. As with previous versions, it is possible to limit the number of outgoing connections made from or to a Honeypot using its built-in firewall and intrusion prevention system. This ensures that a compromised honeypot cannot be used as a launch pad to carry out further attacks against a third party.
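As an added illustration of this outbound limit (not part of the original article and not the Honeywall's own firewall script), the script below prints iptables rules that cap new outbound connections per honeypot. The honeypot addresses, hourly limits and log prefix are constructed assumptions, and rules for inbound traffic are outside its scope.

```shell
#!/bin/sh
# Added example, not the Honeywall's own script: print iptables rules that cap
# NEW outbound connections per honeypot. Review the output before applying it
# as root on the gateway. All addresses and limits are constructed assumptions.

HONEYPOTS="10.0.0.11 10.0.0.12"   # constructed honeypot addresses
TCP_PER_HOUR=9                    # assumed limits on new outbound connections
UDP_PER_HOUR=20
ICMP_PER_HOUR=50

# Rules for one honeypot and protocol: accept within the limit, then log and
# drop everything beyond it. Rules are evaluated in order; ACCEPT and DROP end
# evaluation for a packet, LOG records it and continues to the next rule.
emit_limit_rules() {
    ip="$1"; proto="$2"; rate="$3"
    match="-s $ip -p $proto -m state --state NEW"
    echo "iptables -A FORWARD $match -m limit --limit $rate/hour --limit-burst $rate -j ACCEPT"
    echo "iptables -A FORWARD $match -j LOG --log-prefix \"OUTBOUND-LIMIT $proto: \""
    echo "iptables -A FORWARD $match -j DROP"
}

build_ruleset() {
    # Packets on connections that are already established are accepted first,
    # so replies to an attacker's inbound session never count against the
    # limit and the honeypot stays interactive while it is being observed.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $HONEYPOTS; do
        emit_limit_rules "$ip" tcp  "$TCP_PER_HOUR"
        emit_limit_rules "$ip" udp  "$UDP_PER_HOUR"
        emit_limit_rules "$ip" icmp "$ICMP_PER_HOUR"
    done
}

build_ruleset
```

Every connection attempt over the limit is logged before it is dropped, so the gateway's logs show when a compromised honeypot starts trying to reach third parties.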

A simple but highly effective graphical interface is now used to analyse attacks against a honeypot and can also be used to configure alerts that notify an administrator of an impending attack. The Honeywall is now more difficult than ever to detect, as a traceroute to the target system will not reveal the presence of the Honeywall. It can provide a close-up view of what threats lie on your network and what is trying to get into your network. What’s more, it’s free! The versatility of deployment scenarios for the Honeywall is owed to its rich feature set. It is designed to protect an external system from attack while allowing and monitoring incoming attacks on the internal Honeypots.

The first public release of the Honeywall CD-ROM, Eeyore, is meant to provide the tools necessary to quickly configure and deploy a second generation honeynet. Members of the Honeynet Project and Honeynet Research Alliance are actively working on the Honeywall CD-ROM and have several enhancements planned for the next release, including:

* New user interface: The current interface, created using the dialog utility, is limited. A new menu system based on curses is under development.

* Secure kernel: The aim is to add more advanced security to the kernel using SELinux. A strict set of policies will be used to help mitigate any risk of a compromised Honeywall gateway.

* Data analysis: New GUI-based tools will be developed to make the data the Honeywall CD-ROM collects much easier to analyse. We also plan to implement automated reporting tools, such as daily and weekly reports of the activity the honeynet has captured.

* Distributed capabilities: The current Honeywall CD-ROM is designed to create a standalone system. We are looking into distributed features that will make it easier to manage systems created using the CD-ROM and to centralise data from multiple deployments.

Over the coming months, the Irish Honeynet Project plans to roll out several honeynets of different types and in various locations across Ireland. The Irish Honeynet, set up by Espion, Deloitte and Data Electronics and operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.

For information on honeynets and how they operate, you can contact honeynet@espion.ie or honeynet@deloitte.ie

12/07/04

 


TechCentral.ie