::: Virtual Aleph ::: Virtualization Techniques: Technical Track - Honeypotting with VmWare (Basics)

26 February, 2008

Technical Track - Honeypotting with VmWare (Basics)

Honeypots always attract me ;)
With the help of Deepak Narain and Thomas Huber, now I appreciate them more.

The session began with the definition of a honeypot: a system used to attract bad guys and to collect everything they do; moreover, it can be used to distract them from the real production environment.

How can we forge a honeypot?
  • Decoy system: expose it on the internet, offering services

  • expose vulnerabilities to the bad guys

  • monitor your box, which must look and behave like a normal, well-designed production system

Honeypots can be classified into two types:

  • low interaction (or no interaction), based on emulation of services

  • high interaction, with full access for the bad guys to the OS and full "play around" with the system

Using virtualization to forge a honeypot is better because:

  • you can consolidate many decoy systems on a single, self-contained physical machine

  • VMs are self contained

  • ease of provisioning

  • portability

  • improved response to attack (just unplug the network and you're done!)

  • quickly reconfigurable and redeployable

Unfortunately, the bad guys like those features too.

Why have a honeypot?

  • We can learn from outside attacks and remediate in the real production environment.

  • We can lure attacks away from real production.

  • We quickly detect attacks: normally there shouldn't be any traffic towards the honeypot, so all traffic to it is hostile.

  • We can have evidence: once an attacker is identified, that evidence can be used legally.
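The detection idea above (any traffic towards the decoy is hostile) applied to a few constructed firewall log lines, as an added example that is not part of the session or this post; the decoy addresses, the log format and the regex are assumptions, not from any real device.

```python
import ipaddress
import re
from collections import Counter

# Decoy (honeypot) addresses: constructed for this example, substitute your own.
HONEYPOT_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}

# Constructed firewall log lines in a syslog-like format (not from a real firewall).
SAMPLE_LOG = """\
Feb 26 10:01:02 fw kernel: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Feb 26 10:01:05 fw kernel: ACCEPT SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=80
Feb 26 10:01:09 fw kernel: ACCEPT SRC=203.0.113.4 DST=192.0.2.50 PROTO=TCP SPT=40000 DPT=443
Feb 26 10:01:12 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445
"""

# Assumed field layout: SRC=/DST= are mandatory, ports are optional (ICMP has none).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Extract the flow tuple from one log line; None if it does not match or IPs are malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    try:
        flow["src"] = ipaddress.ip_address(flow["src"])
        flow["dst"] = ipaddress.ip_address(flow["dst"])
    except ValueError:
        return None
    return flow

def honeypot_alerts(log_text, honeypots=HONEYPOT_ADDRS):
    """Every flow whose destination is a decoy address is an alert, ACCEPTed or DROPped alike."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow and flow["dst"] in honeypots:
            alerts.append((str(flow["src"]), str(flow["dst"]), flow["proto"], flow["dpt"]))
    return alerts

def contacts_per_source(alerts):
    """Count how many times each source touched a decoy, to rank who is probing."""
    return Counter(src for src, _, _, _ in alerts)

if __name__ == "__main__":
    found = honeypot_alerts(SAMPLE_LOG)
    for src, dst, proto, dpt in found:
        print(f"ALERT {src} -> {dst} {proto}/{dpt}")
    print(contacts_per_source(found))
```

The traffic to 192.0.2.50 is ignored because it is not a decoy; everything else is reported regardless of the firewall verdict.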

Several projects are sprawling around the world: the honeyd project is one of these.