Honeypots Via VMware?

Loki_1929 asks: "Having just installed a trial of VMware workstation 3.2, I'm left wondering if anyone has used it as part of a security solution on a network. Specifically, has anyone had any experience using a virtual machine as a 'honeypot' on a business network that experiences a sizable volume of attacks? If so, what successes and problems have you run into? I would assume that a virtual machine compromise would pose no security threat to the rest of the network, and an 'undoable' disk would make picking up the pieces of the honeypot quite simple, but what other sorts of pitfalls are there to deal with, if any? As a consultant for many small to medium size businesses, it occurs to me that this may be a reasonably safe, secure, and cost-effective solution, but I thought the Slashdot community might have some experience and insights into the actual feasibility of a system like this."
  • Why? (Score:3, Insightful)

    by GigsVT ( 208848 ) on Monday March 03, 2003 @02:33PM (#5425480) Journal
    Why would you advise corporate customers to install honeypots? Do they have someone just sitting around that is skilled enough to analyze the attack for research purposes?
    • by Anonymous Coward

      [underground insideinfo]

      if you have root on a VMWare machine with Linux, you can break out of the guest machine and take control over the host machine (vmware runs suid root, since it needs direct access to your NIC).

      ptrace()-based exploit coming soon to a kiddie-site near you... /AzK
  • Still a threat... (Score:4, Insightful)

    by program21 ( 469995 ) on Monday March 03, 2003 @02:39PM (#5425529) Homepage Journal
    I would assume that a virtual machine compromise would pose no security threat to the rest of the network

    A virtual machine poses just as much threat to the network as a physical machine if cracked, because it can be used to do the exact same things. For the machine to function as a honeypot, it would need network connectivity, and obviously that's going to be bidirectional, so if the VM becomes compromised it would have the same result as losing a physical box.
    It could be argued that it's actually MORE likely for something to happen with that kind of setup, because it's not a production box that would be upgraded at the front of the line, instead remaining several updates behind with possibly holes left open.
    • It's not as bad as any other machine on your net - you can limit it by the real host. I know a few people (I have considered it myself) running firewalls in VMWare. Then the "host" machine has ipchains rules blocking against the VMWare system. So it adds a second layer of protection. Then, if somebody ever does break it, you simply copy over the last saved hard drive image file, patch what they had cracked in with, and you're on your way. No need to reinstall the OS from scratch if you have a backed up known good. In fact, a friend of mine burns to CD the hard drive image of the firewall, then has a cron job on the host shut down the VM, replaces the hard drive image file, brings it back up. Every night.

      - RR
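The nightly "shut down, swap in the known-good image, bring it back up" routine described above, written out as an added example (this is not RR's friend's cron job). It assumes a golden copy of the disk image file, its SHA-256 recorded when the copy was made, and the GSX/ESX `vmware-cmd` tool for stopping and starting the VM; Workstation users would substitute whatever stops and starts their VM. Two things the one-liner version tends to skip are added: the golden copy is verified before it is deployed (if anyone with access to the host altered it, you do not want to keep re-installing a backdoored image every night), and the old image is moved aside rather than deleted, since it is the evidence you set the honeypot up to collect.

```python
"""Nightly 'pour the honey back in': put a known-good VMware disk image back in place.

Added example, not the poster's script. Assumptions: a golden copy of the image file,
its SHA-256 recorded when it was made, and the GSX/ESX 'vmware-cmd' tool for stopping
and starting the VM (Workstation users substitute their own stop/start)."""
import hashlib
import os
import shutil
import subprocess
import sys
import time
from typing import Callable, Optional

CHUNK = 1 << 20


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def vmware_cmd(vmx_path: str, op: str) -> None:
    # Assumption: 'vmware-cmd <config.vmx> stop|start' exists on the host (GSX/ESX).
    subprocess.run(["vmware-cmd", vmx_path, op], check=True)


def restore_image(known_good: str, live: str, expected_sha256: str, quarantine_dir: str,
                  stop_vm: Callable[[], None], start_vm: Callable[[], None]) -> Optional[str]:
    """Replace `live` with a verified copy of `known_good`.

    The golden copy is hashed first: if someone who broke out of the guest (or into the
    host) tampered with it, we refuse rather than re-deploy a backdoored image. The old
    live image is moved aside with a timestamp, not deleted, so it can be examined later.
    Returns the quarantine path, or None if there was no live image to quarantine."""
    actual = sha256_file(known_good)
    if actual != expected_sha256:
        raise RuntimeError(f"known-good image {known_good} hash mismatch: {actual}")
    stop_vm()
    quarantined = None
    if os.path.exists(live):
        os.makedirs(quarantine_dir, exist_ok=True)
        stamp = time.strftime("%Y%m%d-%H%M%S")
        quarantined = os.path.join(quarantine_dir, f"{os.path.basename(live)}.{stamp}")
        shutil.move(live, quarantined)
    tmp = live + ".tmp"
    shutil.copyfile(known_good, tmp)
    if sha256_file(tmp) != expected_sha256:   # catch a bad copy before the VM boots it
        os.remove(tmp)
        raise RuntimeError("fresh copy of the known-good image does not verify")
    os.replace(tmp, live)                      # atomic on the same filesystem
    start_vm()
    return quarantined


if __name__ == "__main__":
    # usage: restore_honeypot.py <golden.dsk> <live.dsk> <sha256> <quarantine_dir> <vm.vmx>
    golden, live_img, digest, qdir, vmx = sys.argv[1:6]
    moved = restore_image(golden, live_img, digest, qdir,
                          stop_vm=lambda: vmware_cmd(vmx, "stop"),
                          start_vm=lambda: vmware_cmd(vmx, "start"))
    print("restored; previous image kept at", moved)
```

Run it from the host's crontab with the VM's paths filled in. Keep the golden copy and its hash somewhere the guest cannot reach (a read-only mount or, as the post suggests, a CD), and prune the quarantine directory by hand once you have looked at what the intruders left behind.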
  • Conflicts (Score:2, Interesting)

    by Hellraisr ( 305322 )
    I don't know how great of an idea this would be really.

    If you ran multiple VMWare virtual machines at the same time on the same machine, you might have difficulty with each machine having the same ports open (unless you had several network cards, at least one for each virtual machine).

    Also, you may run into a few problems where hacking the honeypot would allow the user to access everything on the computer, including the system that VMware is actually running on. That's probably not a desired result.

    While I think this would be a very implausible thing to happen, I imagine that nothing is impossible.

    It would be worth trying on a machine that you didn't care about, that had limited (Internet-only) connections to the rest of the LAN.
    • Re:Conflicts (Score:4, Informative)

      by Lord Sauron ( 551055 ) on Monday March 03, 2003 @02:50PM (#5425608)
      If you ran multiple VMWare virtual machines at the same time on the same machine, you might have difficulty with each machine having the same ports open (unless you had several network cards, at least one for each virtual machine).

      Wrong. Each virtual machine can have its own IP address, completely different from the host machine.

    • If you have conflicts, then there's no point in running VMWare. The virtualization handles the sharing of physical resources by the virtual computers. In the case of the network cards, they are shared properly.

      On my laptop I have a physical network card that the Linux OS uses. Under VMWare I am running Windows, and that virtual machine appears to have its own network card, which the VMWare software simulates.

      So what happens on the physical hardware is that it responds to two separate IP addresses, and everything meant to go to the Windows machine is routed properly by the virtualization hardware. It works perfectly.
    • Um, it depends on how you set up VMWare. NAT mode does as you suggested, but bridge mode does not. The VM session gets a REAL dedicated IP. Also, unless you explicitly set up vmware to access the underlying partitions (which you would do via samba or windows file sharing unless it's a DEDICATED partition) then it is ISOLATED. Completely. This is one of the whole POINTS of a VM system.

      The bigger problem is that good hackers are going to KNOW that it's a vmware session, just like they can tell if it's a usermode linux session. The Usermode linux pages go into the honeypot issue, and how to help hide the fact that it's a virtual box, but it's not perfect.

      The advantage of a virtual machine honeypot is definitely valid though, as others (and the article) point out.
  • by zulux ( 112259 ) on Monday March 03, 2003 @02:41PM (#5425545) Homepage Journal
    On one of my OpenBSD firewalls, I used to have a samba share that had only one file: Porn-and-Passwords.zip.exe. I was new to Unix - so at the time, I had a small script that would check to see if the file count had gone up (indicating that someone was downloading it) and would schedule a network interface shutdown and restart on our DHCP broadband connection.

    The Porn-and-Passwords.zip.exe was a huge file filled with garbage, that when run on a windows box would write garbage to the hard drive in random areas.

    I figured that 'leet Windows HAX0RS deserved it.

    The funny part: It was my first (and only) GPL violation. I brought in some random number code from a GPL'ed library, and I rudely didn't offer the source on the Samba share.

    So if you downloaded Porn-and-Passwords.zip.exe - send a reply and I'll get the source to you.

    • I'll tell RMS if you don't release the source!
      • I'll tell RMS if you don't release the source!

        I know you're joking, but I'll add this: If you carefully read the GPL - I only have to release the source to people who I gave the original copy to. As a courtesy, most GPL software is released freely with source, but one doesn't have to do it. Only to the original downloaders, and even then, I could charge a reasonable copying fee to cover costs.

  • I would assume that a virtual machine compromise would pose no security threat to the rest of the network

    <sarcasm>
    Sure... It's extremely beneficial to the security of a network to have a hax0red machine inside it.

    If what you want is to help the L33t h4xors, then you'd better replace all your switches for hubs as well as putting r00ted machines in your network.
    </sarcasm>
  • by kylus ( 149953 ) on Monday March 03, 2003 @02:53PM (#5425620) Homepage
    Check out this page [seifried.org] for the basics, this thread [insecure.org] over at insecure.org, and the Honeypot page at sourceforge.net has an interesting article [sourceforge.net] on monitoring such honeypots. Good luck!
    • Actually VMware itself has a "product" which does exactly what you're talking about [vmware.com]. It's "headless", which I found out (after three separate e-mails to VMware sales) means "display-less" (i.e., you don't have to run it in X). It would be interesting to know what independent assessments of effectiveness of their product are out there....

      However, it is ridiculously expensive (as in more than buying actual machines). So much so that ESX escapes VMware's pricing page [vmware.com]. To get the price, you have to call so they can make sure you're sitting down before you hear it (ESX is more expensive than GSX).

      By the way, if any of the information presented here is not correct, I can convincingly shift blame onto some of the ridiculous and confusing marketing speak on VMware's site. That being said, I run VMware 3.2 and like it for running a desktop version of Windoze until the world finishes rejecting it.
  • http://www.honeypots.net

    It should provide some helpful information.
  • by supton ( 90168 ) on Monday March 03, 2003 @02:58PM (#5425653) Homepage
    User-mode Linux specifically has honeypot features designed into it. Haven't done this myself, but there is plenty of info.

    http://user-mode-linux.sourceforge.net/
    http://user-mode-linux.sourceforge.net/slides/ists_rt/ists_rt.htm
  • by mrpull ( 112590 ) on Monday March 03, 2003 @02:59PM (#5425660)
    From: http://www.vmware.com/support/ws4/doc/releasenotes_ws4.html

    New in This Release

    Workstation 4 includes improvements across the board, from the core virtual machine and virtual devices to networking and the user interface. Here's a sampling of what's new.

    Improved core support for x86 architecture PCs

    Support for new host and guest operating systems, including Microsoft Server 2003 beta, Red Hat Linux 8.0 and 8.1 beta, Red Hat Linux Advanced Server 2.1, SuSE Linux 8.0, 8.1 and Enterprise Server 8, and Mandrake Linux 9.0
    Support for DOS EMM386, providing better legacy application compatibility
    Support for PAE host and guest operating systems
    Improved support for debugging within virtual machines
    Updated hardware: ACPI (Advanced Configuration and Power Interface) and APIC (Advanced Programmable Interrupt Controller) to make guest operating installations smooth
    VESA BIOS, providing a better graphics mode before VMware Tools is installed

    Improved multimedia and device support

    Improved sound, with support for a new industry standard sound device that provides better audio input and output performance
    Improved DVD and CD-R/RW support and faster performance, including support for burning CDs from a virtual machine
    Improved parallel port performance with major device compatibility improvements
    DirectDraw support, providing compatibility with applications that require this software interface
    Improved graphics performance when playing various video formats
    Support for USB 2.0 host devices that are becoming standard in newer desktop computers

    New user interface and improved usability

    Completely new Linux user interface -- too much to describe here; you have to see it
    New interface to switch between virtual machines by clicking a tab that acts like a virtual keyboard-video-mouse switch; you no longer need to manage a separate window for each virtual machine
    Snapshots -- take a snapshot of your virtual machine at any time, whether it's powered on, powered off or suspended, and revert to the snapshot anytime
    Improved favorites list lets you manage virtual machines using a browser-like favorites list, with folders to organize all of your virtual machines
    Drag and drop and shared folders provide new, easy ways to share files between guest and host; you no longer need to set up a network to share files

    Improved networking

    Easier network configuration management on Windows hosts, so you can easily manage DHCP, NAT, virtual adapters and other features with a simple form-based interface, replacing the old text-based configuration files
    Support for wireless bridging so you can use a wireless adapter to access a network from a virtual machine, even with a VPN, and with support for all IP protocols
    Simplified installation and improved performance across the board

    mr.
  • by Anonymous Coward on Monday March 03, 2003 @04:00PM (#5426117)
    Could be a duplicate post (I didn't look at the others hard) but here is a direct link for setting up honeypots with VMWare.

    Know Your Enemy: Learning with VMware [honeynet.org]

    Many thanks to the Honeynet team for such a great site!
    • I can't mod you up, but I'll expand on that theme: the book by honeynet.org, "Know Your Enemy" has a lot of good practical experience to share. Some things to think about:
      • Having the attacker on your internal network, or even with one of your ip addresses is a security threat. Best to have the entire 'fake' honeynet walled off with its own router and firewall.
      • There's a chance that if someone breaks into your honeypot, and then uses it to break into someone else's computer, or in a DDOS, you may be liable. The book has a good rule of thumb on this point: Limit the number of outgoing connections to 10. That makes a 'usable' system (necessary for a honeypot) but limits the damage they can really do. Put an excuse in motd, like "The network is acting flaky, we're upgrading our router software" or something like that.
      • One of the advantages to honeypots is that it makes anomaly detection easy: any activity on the honeypot is suspicious by definition.
      So yeah... "Know Your Enemy" is a good book for practical tips, kudos to the Honeynet team.
  • I'm currently doing an irc case study, seeing how long it takes for the "kids" to compromise my virtual vm box. The box itself sits on the same network as all my other machines, except it's set up as a dmz via my router. Installed on the honeypot are known vulnerable pop/smtp/web, open disk services, open anonymous ftp, open telnet server, all old network services installed including chargen, finger etc. The host machine is running a packet sniffer which logs each incoming packet; the entire setup should appear seamless and transparent to the remote attacker.

    The goal of my personal project is a lot different from that of the corporate IT security manager. My personal goal is to gain a better insight into how simple exploits and behaviors are carried out, while the IT security manager would be more interested in reporting their findings to the police.
  • Use Vserver (Score:2, Interesting)

    by EdMcMan ( 70171 )
    There is a package out there much more suited for this kind of thing. It's called vserver. It basically splits off sections of a machine, and allows them to only see what's in a certain section. It would be ideal for honeypots.
  • by Hanashi ( 93356 ) on Monday March 03, 2003 @09:33PM (#5429261) Homepage
    Check this [seifried.org] page out. Someone has already written a very good starter page on VMWare honeypots, including a nice section on how to determine whether or not you've been trapped by a VMWare session.

    I would have to say that VMWare is a pretty heavyweight solution for most needs. If you've got the time to properly make use of a honeypot, maybe you've also got the resources and skills to make VMWare worthwhile. On the other hand, check out Honeyd [umich.edu], a small daemon that can emulate an entire Honeynet easily on one box. This may be a better solution for you, depending on your needs.

  • If you are using Vmware to place honeypots, a hacker who somehow found a way through that VM would know it's a virtual machine from the system drivers used, and from the VMware tools installation on the guest OS.
  • If you're using it as a honeypot, and can set a trigger from the virtual machine to the host machine (just a network blip of some sort with the host listening), you can actually have your honeypot suspend itself - completely preserving state, etc., before an intruder can cover their tracks.

    The intruder, of course, loses their connection to it while it's suspended, but if your intrusion detection is good enough, you may be able to keep some info that you wouldn't otherwise have.

    Another advantage is that if you keep VMWare disk images saved, you have effective backups and can simply restore a previous disk image if they *do* compromise it, whereas restoring a regular machine can take significantly more effort. So fixing the pot and pouring the honey back in is way easier unless you have a restore solution for your machine that involves something less than copying a single file.

    VMWare is so damn cool.
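The "network blip from the guest, host suspends the VM" trick described above, as an added example rather than the poster's own setup. The guest side emits a short UDP datagram when a tripwire fires (say, a canary file is read); the host side only acts on blips that come from the honeypot's address, carry a valid HMAC under a pre-shared key, and are fresh, then suspends the VM exactly once. The addresses, port, key and the GSX/ESX `vmware-cmd suspend` call are assumptions. The key is of course readable by anyone who has root in the guest, so the design relies on the blip firing before the intruder goes looking for it, not on the key staying secret afterwards.

```python
"""Host-side tripwire listener: on a UDP 'blip' from the honeypot guest, suspend the VM so
its memory and disk state are frozen before the intruder can clean up.

Added example; not the poster's code. Assumptions: honeypot at 10.0.0.5, UDP port 9999,
a pre-shared key baked into the guest's tripwire script, and GSX/ESX 'vmware-cmd'."""
import hashlib
import hmac
import socket
import subprocess
import time
from typing import Callable, List, Optional

HONEYPOT_IP = "10.0.0.5"                    # assumption
LISTEN_PORT = 9999                          # assumption
SHARED_KEY = b"replace-me-at-deploy-time"   # assumption; readable by a root intruder, see lead-in
MAX_SKEW = 60                               # seconds a blip stays valid (limits replays)


def make_blip(reason: str, key: bytes = SHARED_KEY, now: Optional[int] = None) -> bytes:
    """Guest side: 'reason|unix_time|hex_hmac'. Shown here so both ends agree on the format."""
    ts = str(int(time.time() if now is None else now))
    body = f"{reason}|{ts}".encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + mac.encode()


def vmware_suspend(vmx_path: str) -> None:
    # Assumption: 'vmware-cmd <config.vmx> suspend' exists on the host (GSX/ESX).
    subprocess.run(["vmware-cmd", vmx_path, "suspend"], check=True)


class TripwireListener:
    def __init__(self, suspend: Callable[[], None], key: bytes = SHARED_KEY,
                 honeypot_ip: str = HONEYPOT_IP):
        self.suspend, self.key, self.honeypot_ip = suspend, key, honeypot_ip
        self.suspended = False
        self.log: List[str] = []

    def handle(self, datagram: bytes, source_ip: str, now: Optional[int] = None) -> str:
        """Decide what to do with one datagram; returns the action taken."""
        if source_ip != self.honeypot_ip:
            return self._note(f"ignored: datagram from {source_ip}, not the honeypot")
        try:
            reason, ts, mac = datagram.decode(errors="replace").rsplit("|", 2)
        except ValueError:
            return self._note("ignored: malformed blip")
        body = f"{reason}|{ts}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return self._note("ignored: bad MAC")
        current = int(time.time() if now is None else now)
        if not ts.isdigit() or abs(current - int(ts)) > MAX_SKEW:
            return self._note("ignored: stale or replayed blip")
        if self.suspended:
            return self._note(f"already suspended; extra blip '{reason}' logged only")
        self.suspend()                      # freeze RAM and disk as they are right now
        self.suspended = True
        return self._note(f"suspended VM on tripwire '{reason}'")

    def _note(self, msg: str) -> str:
        self.log.append(msg)
        return msg


def serve(listener: TripwireListener, port: int = LISTEN_PORT) -> None:
    """Blocking UDP loop for real use (not exercised offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (ip, _) = sock.recvfrom(512)
        print(listener.handle(data, ip))


if __name__ == "__main__":
    # usage: tripwire_host.py <vm.vmx>
    import sys
    serve(TripwireListener(suspend=lambda: vmware_suspend(sys.argv[1])))
```

On the guest, the tripwire can be as simple as a script that calls the equivalent of `make_blip` and sends the bytes to the host address with a UDP socket; because the host only has to see one datagram, the intruder losing their session when the VM freezes is the expected outcome, as the poster notes.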
