What is a Honeynet
A honeypot is a system whose value comes from being probed, attacked, or compromised, usually for the purpose of detecting or alerting on blackhat activity. Typically, honeypots have been systems that emulate other systems or known vulnerabilities, or that create jailed environments. A Honeynet is different from most honeypots in that it is a tool for research. Its purpose is to gather information. Its two biggest design differences are as follows:
- A Honeynet is not a single system but a network. This network sits behind a filter where all inbound and outbound data is contained and captured. This information is then analysed to learn the tools, tactics, and motives of the blackhat community. Within this Honeynet can be placed any type of system to be used as a honeypot, such as Solaris, Linux, Windows NT, Cisco Switch, etc. This creates a network environment that has a more realistic feel to it. Also, by having different systems with different services, such as a Linux DNS server, a Windows NT webserver, or a Solaris FTP server, we can learn about different tools and tactics.
- All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems more insecure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organisations today.
The following points indicate the main differences between a honeynet and other networks:
- The systems in a honeynet are various standard unprotected operating systems and software with the latest known patches.
- It is a non-productive network and therefore any traffic between the Internet and our honeynet is suspect by nature.
- All network traffic is logged and archived so that one can trace back the steps after a system has been compromised.
- Every target operating system (honeypot) is monitored by a host intrusion detection system so that one can trace back which files the cracker had modified, added or removed.
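The last point, tracing which files were modified, added or removed on a honeypot, is easiest to see in code. The following is an added example, not software from honeynet.org or any of the products named on this page: it snapshots the digests of every regular file under a directory, then compares a post-compromise snapshot against the baseline. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Host-side integrity trace for a honeypot (added example, not from
honeynet.org): hash every file once the honeypot is built, hash again
after an intrusion, and report what changed.  The 'honeypot' tree built
in demo() is constructed for this illustration."""
import hashlib
import os
import tempfile

HASH_ALGO = "sha256"
CHUNK = 64 * 1024


def hash_file(path):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its digest.
    Symlinks are skipped: their target may live outside the tree being baselined."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_snapshots(before, after):
    """Classify every path as added, modified or removed relative to the baseline."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline a tiny tree, then apply the kinds of
    change an intrusion leaves behind (an edited account file, a replaced
    binary, a new hidden file, a deleted config) and trace them."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write("etc/inetd.conf", "ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
        write("bin/ls", "original ls binary\n")
        baseline = snapshot(root)

        # post-compromise state (constructed)
        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\nadded_user:x:0:0::/:/bin/sh\n")
        write("bin/ls", "replaced ls binary\n")
        write("tmp/.hidden/unexpected", "new file dropped by the intruder\n")
        os.remove(os.path.join(root, "etc", "inetd.conf"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In a real deployment the baseline must be stored off the honeypot (on the analysis host), since anything kept on the compromised system can itself be altered; a host IDS product does the same comparison continuously and ships its findings over the monitored link.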
The firewall between the honeynet and the Internet is not to protect the honeynet from the Internet but it is to protect the Internet from a compromised system in the honeynet so that no other computers can be attacked.
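The two rules just described, every connection into the honeynet is suspect and every connection a honeypot initiates must be contained, can be expressed as a small gateway policy. The following is an added example and not code from honeynet.org or from any firewall product: it reads constructed connection records, decides per record whether to allow and alert, contain, or merely log, and lists which honeypots have started talking to the outside. The log format, the `192.0.2.0/24` honeynet range and all addresses are constructed for this example.

```python
"""Honeynet gateway policy (added example, not from honeynet.org).
Inbound to the honeynet: allow but alert, because nothing legitimate lives
there.  Outbound from a honeypot: contain, because a production honeypot
never initiates traffic and the gateway exists to protect the rest of the
Internet from a compromised one.  The record format, the honeynet range
and every address below are constructed for this demonstration."""
import ipaddress
import re
from collections import Counter

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # constructed (TEST-NET-1)

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse(line):
    """Extract (src, sport, dst, dport) from one constructed gateway record."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))


def classify(src, dst):
    """Return (verdict, reason) for a connection between src and dst."""
    src_in = ipaddress.ip_address(src) in HONEYNET
    dst_in = ipaddress.ip_address(dst) in HONEYNET
    if src_in and dst_in:
        return "log", "honeypot to honeypot: movement inside the honeynet, record it"
    if dst_in:
        return "allow+alert", "inbound to honeynet: no production service here, every probe is suspect"
    if src_in:
        return "contain", "outbound from a honeypot: it is presumed compromised, do not let it reach others"
    return "ignore", "does not involve the honeynet"


def review(lines):
    """Apply the policy to each record; also count outbound attempts per honeypot."""
    verdicts = []
    outbound_by_honeypot = Counter()
    for line in lines:
        src, _sport, dst, dport = parse(line)
        verdict, _reason = classify(src, dst)
        if verdict == "contain":
            outbound_by_honeypot[src] += 1
        verdicts.append((src, dst, dport, verdict))
    return verdicts, outbound_by_honeypot


def compromised_honeypots(lines):
    """Honeypots that initiated any outbound connection: candidates for
    being taken offline and imaged for analysis."""
    _verdicts, outbound = review(lines)
    return sorted(outbound)


# Constructed records: three probes from the outside, one outbound
# connection from a honeypot, one honeypot-to-honeypot connection, and
# one record that never touches the honeynet.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z proto=tcp src=203.0.113.7:41022 dst=192.0.2.10:80",
    "2024-05-01T10:00:05Z proto=tcp src=203.0.113.7:41023 dst=192.0.2.10:22",
    "2024-05-01T10:00:09Z proto=tcp src=198.51.100.4:50000 dst=192.0.2.20:21",
    "2024-05-01T10:02:30Z proto=tcp src=192.0.2.10:35000 dst=203.0.113.9:6667",
    "2024-05-01T10:02:31Z proto=tcp src=192.0.2.10:35001 dst=192.0.2.20:445",
    "2024-05-01T10:03:00Z proto=tcp src=198.51.100.4:50001 dst=198.51.100.8:443",
]

if __name__ == "__main__":
    verdicts, outbound = review(SAMPLE_LOG)
    for src, dst, dport, verdict in verdicts:
        print(f"{verdict:12s} {src} -> {dst}:{dport}")
    print("compromised:", compromised_honeypots(SAMPLE_LOG))
```

Note that the policy keys purely on direction and membership in the honeynet range, not on port or payload: that is exactly why a honeynet needs no signature database for its alerts, and why the gateway can afford to block outbound connections outright, something a production firewall could never do.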
Task
There is some free and commercial honeynet software available online. Windows-based systems include KFSensor and PatriotBox, and Linux-based software can be freely downloaded from honeynet.org.
Some links to papers include:
Honeynet.org whitepapers
snort.org
EECS Course