Tech Focus – Honeynet: Honey-mole

20 April 2006

The concept of a honeynet was first introduced in 1999 by the Honeynet Project. At that time honeynets were difficult to deploy and maintain, and they required a lot of human interaction and work. These early honeynets were known as Generation One (GEN I) honeynets.

Over time, the technology developed with features and tools being added, most notably the ability to analyse encrypted traffic. These honeynets were called Gen II honeynets. Whereas Gen I honeynets were limited to layer 3 router gateways and primitive packet inspection, Gen II honeynets had optional layer 2 bridging and intrusion prevention technology.


A bootable CD honeynet soon followed (Gen III), greatly simplifying honeynet technology. It contains the core Gen II functionality, but also has added features like GUI administration, data analysis integration, automated updating and much more. The GUI gives you the ability to maintain the honeywall as well as to track and analyse all the network and honey-pot activity. However, as the nature and sophistication of threats change with every new technology and application, honeynets must evolve to remain effective. A major step forward in this development is the emergence of the honey-mole.

Deploying traditional honey-pots and honeynets can be time-consuming and labour intensive. Unfortunately, many organisations and individuals alike have opted out and shied away from the technology, due to the sheer volume of work and analysis involved. In recent months the Portuguese Honeynet Project has developed a novel and simple way to maximise the value that can be taken from a single honeynet deployed anywhere in the world.

The concept of a honey-pot farm has been around for some time, but it is only since the development of a new tool called honey-mole that honey-farms have become an effective tool for collecting and analysing data from multiple locations around the world. A honey-farm is nothing more than a collection of honey-pots located in a single location. Redirectors are then placed anywhere you want in the world. The redirectors are nothing more than ‘virtual honey-pots’ with the sole purpose of redirecting traffic to the central honey-pot farm.


On the farm

An attacker may think that they are interacting with a system (your virtual honey-pot) in Portugal, the United States or Ireland, yet in reality all of their activity is being redirected to a single collection of honey-pots, the ‘Farm’. Ultimately, these redirectors make it very easy to virtually deploy lots of honey-pots all over the place, with the added benefit of only having to maintain a small number of real honey-pots in a single location. A participant network no longer needs to configure and maintain a honey-pot. All it needs is a simple redirector, configured to offload the traffic to some central location, anywhere on the Internet. This is the primary function of the honey-mole.


Mole goal

The main goal of a honey-mole is to act as a completely secure Ethernet bridge over TCP/IP, tunnelling network traffic to a remote location in a transparent, safe and easy way. Honey-mole is based on libpcap, libnet and OpenSSL. It does not require kernel patches or modules and should work on any Unix-based operating system. In time, it is expected that a Windows port will be made available. The secure tunnels are built using SSL for encryption and RSA certificates for authentication, ensuring data privacy.
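To make the bridge-over-TCP/IP idea concrete, here is a small added model of a honey-mole style redirector and farm endpoint. It is not the Portuguese Honeynet Project's honey-mole code; the wire format (a 4-byte big-endian length in front of each raw Ethernet frame), the MAC addresses and the sample frames are all constructed for the example, and real capture and re-injection via libpcap/libnet are left out so that it runs offline over an in-memory socket pair. The two `ssl` context builders show the mutual RSA-certificate authentication the article describes: the farm only accepts redirectors holding a certificate signed by the project CA, and the redirector only talks to a farm whose certificate it can verify.

```python
"""Model of a honey-mole style layer-2 redirector (added example).

A redirector captures frames for its 'virtual honey-pot', wraps each one in a
length-prefixed record and ships it over a mutually-authenticated TLS channel;
the farm side unwraps the records and would re-inject them on the honey-pot
segment. Record format and sample data here are constructed for illustration.
"""
import socket
import ssl
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (14 bytes)
LEN_PREFIX = struct.Struct("!I")    # constructed framing: 4-byte record length
MAX_FRAME = 9216                    # bound before allocating (jumbo frame size)
BROADCAST = b"\xff" * 6


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload), or None if truncated."""
    if len(frame) < ETH_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return dst, src, etype, frame[ETH_HDR.size:]


def wants_frame(frame: bytes, honeypot_mac: bytes) -> bool:
    """Redirector filter: only frames for the virtual honey-pot leave the site.
    Broadcast is kept so ARP requests for the honey-pot's IP reach the farm."""
    parsed = parse_ethernet(frame)
    return parsed is not None and parsed[0] in (honeypot_mac, BROADCAST)


def is_valid_record_length(n: int) -> bool:
    """Reject empty or oversized records before any buffer is allocated."""
    return 0 < n <= MAX_FRAME


def encapsulate(frame: bytes) -> bytes:
    return LEN_PREFIX.pack(len(frame)) + frame


def decapsulate(stream: bytes):
    """Split a byte stream into complete frames; the unfinished tail of a TCP
    read is returned as leftover so the caller can prepend it to the next read."""
    frames = []
    while len(stream) >= LEN_PREFIX.size:
        (n,) = LEN_PREFIX.unpack_from(stream)
        if not is_valid_record_length(n):
            raise ValueError(f"bad record length {n}")
        end = LEN_PREFIX.size + n
        if len(stream) < end:
            break
        frames.append(stream[LEN_PREFIX.size:end])
        stream = stream[end:]
    return frames, stream


def farm_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """Farm side: TLS server that demands a client certificate from the
    project CA, so only enrolled redirectors can feed frames into the farm."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def redirector_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """Redirector side: presents its own certificate and verifies the farm's
    (PROTOCOL_TLS_CLIENT already enables hostname checking and CERT_REQUIRED)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    return ctx


def simulate_redirect(frames, honeypot_mac: bytes):
    """Run both halves over an in-memory socket pair (plain, no TLS, so the
    example is runnable offline). Returns the frames the farm would inject."""
    red, farm = socket.socketpair()
    for f in frames:
        if wants_frame(f, honeypot_mac):
            red.sendall(encapsulate(f))
    red.shutdown(socket.SHUT_WR)
    buf, received = b"", []
    while chunk := farm.recv(4096):
        buf += chunk
        got, buf = decapsulate(buf)
        received.extend(got)
    red.close()
    farm.close()
    return received


# Constructed sample data: locally administered MACs and toy payloads.
HONEYPOT_MAC = bytes.fromhex("020000000001")
OTHER_HOST_MAC = bytes.fromhex("020000000002")
REMOTE_MAC = bytes.fromhex("020000000099")


def make_frame(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return ETH_HDR.pack(dst, src, etype) + payload


SAMPLE_FRAMES = [
    make_frame(HONEYPOT_MAC, REMOTE_MAC, 0x0800, b"IPv4 packet for the honey-pot"),
    make_frame(OTHER_HOST_MAC, REMOTE_MAC, 0x0800, b"traffic for a real host"),
    make_frame(BROADCAST, REMOTE_MAC, 0x0806, b"ARP who-has honey-pot IP"),
    b"\x00\x01",  # truncated junk seen on the wire
]

if __name__ == "__main__":
    for f in simulate_redirect(SAMPLE_FRAMES, HONEYPOT_MAC):
        print(parse_ethernet(f))
```

The filter in `wants_frame` is what keeps a redirector from leaking a participant network's other traffic to the farm, and the length bound in `decapsulate` is the check a farm needs on a channel fed by many remote sites: without it a single corrupt or hostile record would make the farm allocate an arbitrarily large buffer. Certificate and key paths are parameters rather than constants because they are deployment-specific.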

There are, however, disadvantages too. See the inset panel ‘Honey-pot farms for and against’ for details.


Simplification

The bottom line is that a honey-mole simplifies the task of deploying honey-pot farms of distributed honey-pots, transporting network traffic to a central honey-pot architecture where data collection and analysis will be done. Ultimately, the more data collected, the more data to be analysed, the more lessons learnt.

Honey-mole can be downloaded from Portuguese Honeynet Project’s web site. Detailed network diagrams are also available. http://www.honeynet-pt.org/index.php/Honeymole

Honey-pot farms for and against

Advantages

– Honeynets can be deployed within a very short space of time
– Forensic analysis can be done faster
– Honey-pot farms can be used to protect production servers (hot-zoning)
– Participant networks don’t need to configure or monitor the honey-pots

Disadvantages of Honey-pot Farms

– Geographically unrelated positions cause anomalies in network latency
– Honey-pot farms use routing rather than bridging, so they are complex to configure and require good network knowledge to operate properly
– This technology is fairly new, so there are no tools yet to help automate the configuration and operation of the infrastructures

The Irish Honeynet has been in operation since April 2002. It was set up by Espion and is currently used as a research ground by Dublin City University. It is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.


For more information please send an e-mail to honeynet@espion.ie
