A honeypot is simply a "closely monitored computing resource that we want to be probed, attacked or compromised," Niels Provos and Thorsten Holz tell us in their new book, Virtual Honeypots.
Honeypots can capture information about illicit use, attacks and possibly detect vulnerabilities not well understood. The latest models of them, virtual honeypots, are simply those that run in virtualized environments, such as VMware.
In an interview with Ellen Messmer, Provos (a senior staff engineer at Google who's credited with developing the open-source honeypot Honeyd) and Holz (founder of the German Honeynet Project and graduate student at the University of Mannheim's Laboratory for Dependable Distributed Systems) discuss the latest in tools for building virtual honeypots.
So what's a virtual honeypot?
Provos: Honeypot technology can be used for botnet-tracking or malicious code collection, among other things, and the difference with a virtual honeypot is the convenience in remotely administering it. From the network point of view, the virtual honeypot looks exactly like a physical machine. You can have a low-interaction honeypot, which usually only exposes select network services, or a high-interaction honeypot using a complete operating system virtualized in the network layer.
Holz: You can use a honeypot to protect the clients in your network or detect an insider threat.
Do you need special tools for virtual honeypots?
Holz: You can use available tools and they run in the guest operating system.
In your book, you discuss some of the latest honeypot tools. For instance, you mention client honeypots, particularly the HoneyClient virtual machine tool developed by engineer Kathy Wang to detect attacks on Windows clients.
Holz: You'll find a lot on that at www.honeyclient.org and it's a Mitre project.
Other tools are Capture, Nepenthes and Honeyd. Nepenthes is a tool for emulation of vulnerabilities in network services that's used in the German Honeynet Project and we're working closely with the University of Aachen on this. At Aachen, we run it for protection. It's a building block for security. Some ISPs use our tools to detect signs of infected users.
The book also mentions Argos, developed at the Vrije Universiteit Amsterdam in the Netherlands. What's Argos?
Provos: With Argos, you can detect a new attack without a signature. The Argos people did information-flow tracking or 'tainting' to figure out if any information sent to the honeypot ends up influencing it inside.
And what's this tool called Billy Goat?
Holz: The basic idea is to simulate the vulnerable network services. Billy Goat is closed source, developed by IBM, and deployed at IBM.