The Honeynet Project

I have been following the Honeynet Project (http://project.honeynet.org) for about a year now and find the data they gather on attack techniques valuable and fascinating. Started by Lance Spitzner, the Honeynet Project uses honeynets -- a network of fully operational production systems -- to monitor, analyze, and better understand threats on the Internet.

Traditionally, people have used honeypots -- a single system used to lure attackers away from valuable production systems and into this obvious, easy-to-attack target. Honeynets take a different approach. They are not designed to lure attackers from production systems. Instead, honeynets are production networks designed for research and are used to help security experts better understand the Black Hat community.

And research they provide. The well-known and well-respected "Know Your Enemy" series of papers, available at http://project.honeynet.org/papers, includes topics ranging from honeynet basics to the tools and techniques used by script kiddies to compromise a system. My favorite is the "Statistics" paper that discusses 11 months' worth of data analyzed by the Honeynet Project. For example, based on their analysis, a default Red Hat 6.2 installation will be compromised within 72 hours of being placed on the Internet, although it usually takes a lot less time than that. I can attest to the validity of that: I set up a honeypot running a default installation of Red Hat 7.1 a while back and had the system compromised in six hours.

The Honeynet Project also analyzes data to better predict attack trends and find new tools that are out in the wild. When they do find a new attack method or tool, they alert security alert organizations such as the System Administration, Networking, and Security Institute (SANS) or the Computer Emergency Response Team (CERT).

The Honeynet Project started with what they call Generation I honeynets, which included different systems for data control, capture, and collection. Generation II honeynets, currently in development, will combine these activities into one system, which should make them easier to deploy and maintain.

Developers are also working on virtual honeynets. According to the Honeynet Project, virtual honeynets "combine all elements of a honeynet into one physical system," including the data control, capture, and collection mechanisms, as well as the honeypot systems themselves. VMware is a popular tool for virtual honeynets, and Kurt Seifried and Michael Clark have written excellent papers on the subject, available at http://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.html and http://online.securityfocus.com/infocus/1506, respectively.

Honeypots and honeynets are becoming quite popular, as many people want to learn more about Internet security. If you're interested too, the papers available at http://www.enteract.com/~lspitz/honeypot.html and http://project.honeynet.org/papers/honeynet provide information, tools, and more to help you develop your own honeypot or honeynet.
