Why virtual honeypots are sweet

Honeypot technology can be used for botnet-tracking or malicious code collection

A honeypot is simply a "closely monitored computing resource that we want to be probed, attacked or compromised," Niels Provos and Thorsten Holz tell us in their new book, Virtual Honeypots.

Honeypots can capture information about illicit use, attacks and possibly detect vulnerabilities not well understood. The latest models of them, virtual honeypots, are simply those that run in virtualized environments, such as VMware.

In an interview with Ellen Messmer, Provos (a senior staff engineer at Google who's credited with developing the open-source honeypot Honeyd) and Holz (founder of the German Honeynet Project and graduate student at the University of Mannheim's Laboratory for Dependable Distributed Systems) discuss the latest in tools for building virtual honeypots.

So what's a virtual honeypot?

Provos: Honeypot technology can be used for botnet-tracking or malicious code collection, among other things, and the difference with a virtual honeypot is the convenience in remotely administering it. From the network point of view, the virtual honeypot looks exactly like a physical machine. You can have a low-interaction honeypot, which usually only exposes select network services, or a high-interaction honeypot using a complete operating system virtualized in the network layer.

Holz: You can use a honeypot to protect the clients in your network or detect an insider threat.

Do you need special tools for virtual honeypots?

Holz: You can use available tools and they run in the guest operating system.

In your book, you discuss some of the latest honeypot tools. For instance, you mention client honeypots, particularly the HoneyClient virtual machine tool developed by engineer Kathy Wang to detect attacks on Windows clients.

Holz: You'll find a lot on that at www.honeyclient.org and it's a Mitre project.

Other tools are Capture, Nepenthes and Honeyd. Nepenthes is a tool for emulation of vulnerabilities in network services that's used in the German Honeynet Project and we're working closely with the University of Aachen on this. At Aachen, we run it for protection. It's a building block for security. Some ISPs use our tools to detect signs of infected users.

The book also mentions Argos, developed at the Vrije Universiteit Amsterdam in the Netherlands. What's Argos?

Provos: With Argos, you can detect a new attack without a signature. The Argos people did information-flow tracking or 'tainting' to figure out if any information sent to the honeypot ends up influencing it inside.

And what's this tool called Billy Goat?

Holz: The basic idea is to simulate the vulnerable network services. Billy Goat is closed source, developed by IBM, and deployed at IBM.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?