Honeypots mailing list archives
Re: Know Your Enemy: Learning with VMware
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 27 Jan 2003 23:22:57 -0800
--On Monday, January 27, 2003 5:39 PM -0800 Jeremy Bennett <jeremy () deities org> wrote:
> Reality is less important than perception.
Hmm, if this were a debate, I'd use your point to argue victory, as my perception is that my arguments are better <grin>. But, more seriously, I do concur that attacker perceptions are important.
> The fact that some companies are running production hosts on VMWare and UML is a fact. The perception by the attacker community, though, is that this practice is rare and thus any system that can be fingerprinted as VMWare is more likely to be a honeypot than a system that does not fingerprint as a honeypot.
Frankly, I'm somewhat unsure how attacker perceptions run. You, on the other hand, seem relatively confident in your knowledge of the perceptions of the attacker community with respect to VMware. May I ask you to adduce some evidence in support of your conviction? I myself operate several VMware honeynets. The typical opportunistic attacker of the sort that I've often seen does not perform even elementary tests that would disclose a compromised host to be a VM rather than a physical host. Thus ignorant of the true nature of the compromised system, such attackers are indifferent to it. I believe that a more skilled and knowledgeable attacker, focused on a known target rather than a target of opportunity, would not be discouraged by the presence of a VM. But, my honeynets don't yet seem to have been the target of such an attacker, so I concede that my belief is speculative, at least at present.
> The fact of the matter is that none of the current virtualization solutions are designed to be resistant to attack. They are designed to be the best emulation possible. As such they do not provide the same rich set of control capabilities provided in a dedicated honeypot solution. A VMWare (UML, etc) honeypot should be treated like any other sacrificial lamb. Protection should be placed on-host as well as off-host. VMWare and friends, in my opinion, make good platforms for testing and demoing honeypots but today they are not a great solution for live systems.
If we stipulate that the best possible emulation or virtualization is one that replicates the behavior of a physical host, then a VM would seem to be no more vulnerable -- by design -- than a physical host. Moreover, I can't think of any features relevant to honeynet data control that are found in a physical host but lacking in a VM. But, perhaps I'm missing the obvious. Certainly, VMware offers some data control features -- such as non-persistent disks -- that are somewhat complicated to implement in a real host. In any case, I heartily agree that multiple layers of control should be employed whether a honeypot is real or virtual. Our community's relatively limited experience with virtual honeynets does suggest that prudence should be amply indulged. However, our lack of experience with virtual honeynets seems to me to call for additional live deployments. We'll learn more by using and improving virtual honeynets than by avoiding them.

Cheers,

---------------------------------------------------
Bill McCarty