VMware Workstation
Although not specifically designed for honeypot use, administrators frequently use VMware Workstation to create realistic-looking honeypots and even networks of honeypots, called honeynets. Figure 4, page 38, shows VMware Workstation's GUI. VMware Workstation can run one or more OSs, each within a virtual machine session. Each session runs real software and can react like a production asset. VMware Workstation supports Windows (i.e., Windows 2003, XP, Win2K, or NT) and Linux as the host OS.
VMware has added features that make VMware Workstation attractive for honeypot use:
- You can reset any modified session back to its original state with a single mouse-click to restart the session. For example, if an intruder installs rogue programs, you can quickly restart the session and remove all traces of the intruder's modifications.
- You can save any modified session in its current state and replay it later or save it for forensic analysis.
- You can network sessions together, which gives an intruder the opportunity to explore other related honeypots within the simulated environment, without fear that the intruder might escape to other production assets.
- The host system is an ideal location for installing packet analyzers and forensic software for monitoring each virtual session.
Unlike the other honeypots in this review, VMware Workstation's honeypots aren't virtual. The honeypots are real systems running real OS software, which means that the honeypots respond fairly accurately to requests from the IP stack to the application layer. In addition, after you've set up a session on a real honeypot, recovering and redeploying after an intruder's attack is easy. However, using real honeypots created with VMware Workstation has some disadvantages:
- In addition to the cost of the software ($299 for the electronic distribution), you need to purchase a license for each OS session. Thus, running several honeypots at once can be quite expensive.
- Because the software on the honeypot is real, the initial setup (which includes setting up the monitoring and data-control mechanisms) of all the sessions can take days.
- VMware Workstation doesn't include native tracking, alerting, and logging capabilities. If you want to add software that provides these capabilities, you need to initiate that software externally because when an intruder compromises a real honeypot, you must consider all software on it hostile and unreliable.
- Although VMware Workstation's software sessions are legitimate, several ways to identify these sessions have been documented. As a result, this type of honeypot is one of the easiest to fingerprint if the intruder is specifically looking for such a session.
- Because each session contains a fully working copy of legitimate OS software, controlling what intruders might do if they compromise the honeypot is difficult. If you don't configure the honeypot correctly, intruders can use the honeypot's OS software to attack and compromise additional internal and external targets.
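The last two points, that monitoring must run outside the untrusted guest and that an intruder may turn the honeypot's real OS against other hosts, can be acted on from the host. The following is an added example, not code from the article or from VMware: it parses tcpdump-style lines captured on the host side of the virtual network and flags any honeypot session that starts fanning out connections to other hosts; the honeypot addresses, the threshold and the capture lines are constructed for illustration.

```python
"""Host-side outbound-connection monitor for VMware honeypot sessions (added
example, not from the article). Parses constructed tcpdump-style lines sniffed on
the HOST, outside the untrusted guest, and flags guests that fan out to other hosts."""
import re
from collections import defaultdict
HONEYPOT_IPS = {"192.168.100.10", "192.168.100.11"}  # constructed guest addresses
MAX_OUTBOUND_PER_WINDOW = 2  # constructed policy: more than this per window is flagged
WINDOW_SECONDS = 60
# "HH:MM:SS.usec IP src.port > dst.port: Flags [..]" as printed by tcpdump -nn
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]*)\]")

SAMPLE_CAPTURE = [  # constructed capture: one inbound probe and its reply, then .10 fanning out
    "12:00:01.000000 IP 10.0.0.5.40000 > 192.168.100.10.80: Flags [S], seq 1",
    "12:00:01.001000 IP 192.168.100.10.80 > 10.0.0.5.40000: Flags [S.], seq 2",
    "12:00:05.000000 IP 192.168.100.10.1025 > 10.0.0.20.22: Flags [S], seq 3",
    "12:00:06.000000 IP 192.168.100.10.1026 > 10.0.0.21.22: Flags [S], seq 4",
    "12:00:07.000000 IP 192.168.100.10.1027 > 10.0.0.22.22: Flags [S], seq 5",
    "12:00:09.000000 IP 192.168.100.11.1025 > 10.0.0.30.25: Flags [S], seq 6",
]

def parse_line(line):
    """Return (seconds, src_ip, dst_ip, dst_port, flags) or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
    return secs, m.group(4), m.group(6), int(m.group(7)), m.group(8)

def outbound_syns(lines):
    """Yield (t, honeypot_ip, 'dst:port') for each bare SYN (no '.'/ACK flag) a guest sends to a non-guest."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, dport, flags = rec
        if src in HONEYPOT_IPS and dst not in HONEYPOT_IPS and "S" in flags and "." not in flags:
            yield t, src, f"{dst}:{dport}"

def find_attacking_sessions(lines):
    """Return {honeypot_ip: [targets]} for guests exceeding the limit within any window."""
    events = defaultdict(list)
    for t, src, target in outbound_syns(lines):
        events[src].append((t, target))
    flagged = {}
    for ip, evs in events.items():
        for i, (t0, _) in enumerate(evs):  # sliding window from each attempt; capture is chronological
            window = [tgt for t, tgt in evs[i:] if t - t0 < WINDOW_SECONDS]
            if len(window) > MAX_OUTBOUND_PER_WINDOW:
                flagged[ip] = window
                break
    return flagged
```

On a real deployment the capture would be read from the host's sniffer rather than the embedded list, and a flagged session is the cue to reset it from its saved state and preserve the capture for analysis.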
Still an Immature Market
Overall, the honeypot market is still maturing, much like the early days of firewalls and IDSs. Although some UNIX-based honeypots have enterprise-level features (e.g., stealthy data control, clandestine kernel-based monitoring), none of the Windows-based honeypots have them. But as is often the case, the best Windows-based honeypots are leading the way in providing user-friendly GUIs.
If you can afford $990, the clear winner in the Windows honeypot market is KFSensor. KFSensor is the only honeypot software to target the Windows environment as its primary audience, and its developer takes an active interest and provides frequent updates. KFSensor also provides user-friendly GUIs, the type of GUI to which Windows users have become accustomed, to install the honeypot and configure its many features. Plus, KFSensor is the only honeypot to natively support NetBIOS and Windows RPC.
Honeyd-WIN32 is a powerful, free honeypot that offers versatility and scalability. Its ability to emulate IP stacks and Windows services is among the strongest in the field. However, Honeyd-WIN32's complicated setup, missing GUI, lack of updates, and lack of NetBIOS emulation make it the best honeypot only in its price range.
SPECTER is a product with a lot of promise and more than a handful of unique features. Its major drawback is its hard-coded limitation of 14 services and limited customization. Whether its developer improves it or lets it languish will determine whether SPECTER becomes a major honeypot player in the future. For now, I can't recommend this honeypot when compared with its more flexible competitors.
VMware Workstation is a great choice for administrators who are looking for a high-emulation honeypot. It provides a very realistic honeypot environment for intruders to explore, but its increased functionality also makes it difficult to control any intruders. It's an ideal virtual environment in which to set up monitoring utilities, and virtual sessions can be reset with a click of the mouse.
Hell March 31, 2004