A honeypot is simply a "closely monitored computing resource that we want to be probed, attacked or compromised," Niels Provos and Thorsten Holz tell us in their new book, Virtual Honeypots.
Honeypots can capture information about illicit use, attacks and possibly detect vulnerabilities not well understood. The latest models of them, virtual honeypots, are simply those that run in virtualised environments, such as VMware.
Provos (a senior staff engineer at Google who is credited with developing the open-source honeypot Honeyd) and Holz (founder of the German Honeynet Project and graduate student at the University of Mannheim's Laboratory for Dependable Distributed Systems) discuss the latest in tools for building virtual honeypots.
So what's a virtual honeypot?
Provos: Honeypot technology can be used for botnet-tracking or malicious code collection, among other things, and the difference with a virtual honeypot is the convenience in remotely administering it. From the network point of view, the virtual honeypot looks exactly like a physical machine. You can have a low-interaction honeypot, which usually only exposes select network services, or a high-interaction honeypot using a complete operating system virtualised in the network layer.
Holz: You can use a honeypot to protect the clients in your network or detect an insider threat.
Do you need special tools for virtual honeypots?
Holz: You can use available tools and they run in the guest operating system.
In your book, you discuss some of the latest honeypot tools. For instance, you mention client honeypots, particularly the HoneyClient virtual machine tool developed by engineer Kathy Wang to detect attacks on Windows clients.
Holz: You'll find a lot on that at www.honeyclient.org and it's a Mitre project.
Other tools are Capture, Nepenthes and Honeyd. Nepenthes is a tool for emulation of vulnerabilities in network services that's used in the German Honeynet Project and we're working closely with the University of Aachen on this. At Aachen, we run it for protection. It's a building block for security. Some ISPs use our tools to detect signs of infected users.
The book also mentions Argos, developed at the Vrije Universiteit Amsterdam in the Netherlands. What's Argos?
Provos: With Argos, you can detect a new attack without a signature. The Argos people did information-flow tracking or 'tainting' to figure out if any information sent to the honeypot ends up influencing it inside.
And what's this tool called Billy Goat?
Holz: The basic idea is to simulate the vulnerable network services. Billy Goat is closed source, developed by IBM, and deployed at IBM.
And what about two other tools you mention, Collapsar and the Potemkin Virtual Honeyfarm?
Provos: With Collapsar, from Purdue, the idea is being able to deploy nodes all over the Internet but the analysis is centralised. The Potemkin Virtual Honeyfarm, developed by researchers at the University of California, offers a lot of addresses on a network and provides high-profile addresses for all of them. It's a lightweight system of honeypots, of cloned honeypots. I don't believe it is open source at this point.
And what's the Honeywall for?
Holz: With Honeywall, you have a device to mitigate risk. If a cracker compromises your honeypot, you want to contain him within that honeynet. It's a kind of intrusion-prevention system that prevents outgoing attacks.
So does Google use a honeypot to watch for attacks?
Provos: I can't say anything about Google.
As you point out in your book, there may be legal reasons – the legal concept of entrapment is sometime brought up – that may discourage use of honeypots even for protective purposes.
Provos: We're not lawyers so we're suggesting you talk with your legal counsel if you want to use honeypots. But we'd like to see a top-notch lawyer really look at this area.
There don't seem to be a lot of commercial honeypot products and you don't hear people talk about honeypots much.
Provos: Many antivirus companies use honeypots. A lot of the time, people don't want to discuss something they've put out there to catch problems. Even if you don't plan to deploy a honeypot, in our book you'll get insights into botnets and insider attacks.