Honeypots mailing list archives

Re: Know Your Enemy: Learning with VMware


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 27 Jan 2003 23:22:57 -0800

--On Monday, January 27, 2003 5:39 PM -0800 Jeremy Bennett
<jeremy () deities org> wrote:

> Reality is less important than perception.

Hmm, if this were a debate, I'd use your point to argue victory, as my
perception is that my arguments are better <grin>. But, more seriously,
I do concur that attacker perceptions are important.

> The fact that some companies are running production hosts on VMWare
> and UML is a fact. The perception by the attacker community, though,
> is that this practice is rare and thus any system that can be
> fingerprinted as VMWare is more likely to be a honeypot than a system
> that does not fingerprint as a honeypot.

Frankly, I'm somewhat unsure how attacker perceptions run. You, on the
other hand, seem relatively confident in your knowledge of the
perceptions of the attacker community with respect to VMware. May I ask
you to adduce some evidence in support of your conviction?

I myself operate several VMware honeynets. The typical opportunistic
attacker of the sort that I've often seen does not perform even
elementary tests that would disclose a compromised host to be a VM
rather than a physical host. Thus ignorant of the true nature of the
compromised system, such attackers are indifferent to it.

I believe that a more skilled and knowledgeable attacker, focused on a
known target rather than a target of opportunity, would not be
discouraged by the presence of a VM. But, my honeynets don't yet seem
to have been the target of such an attacker, so I concede that my
belief is speculative, at least at present.

> The fact of the matter is that none of the current virtualization
> solutions are designed to be resistant to attack. They are designed
> to be the best emulation possible. As such they do not provide the
> same rich set of control capabilities provided in a dedicated
> honeypot solution. A VMWare (UML, etc) honeypot should be treated
> like any other sacrificial lamb. Protection should be placed on-host
> as well as off-host.

> VMWare and friends, in my opinion, make good platforms for testing
> and demoing honeypots but today they are not a great solution for
> live systems.

If we stipulate that the best possible emulation or virtualization is
one that replicates the behavior of a physical host, then a VM would
seem to be no more vulnerable -- by design -- than a physical host.
Moreover, I can't think of any features relevant to honeynet data
control that are found in a physical host but lacking in a VM. But,
perhaps I'm missing the obvious. Certainly, VMware offers some data
control features -- such as non-persistent disks -- that are somewhat
complicated to implement in a real host.

In any case, I heartily agree that multiple layers of control should be
employed whether a honeypot is real or virtual. Our community's
relatively limited experience with virtual honeynets does suggest that
prudence should be amply indulged. However, our lack of experience with
virtual honeynets seems to me to call for additional live deployments.
We'll learn more by using and improving virtual honeynets than by
avoiding them.

Cheers,

---------------------------------------------------
Bill McCarty
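The "elementary tests" Bill refers to, as an added example that is not part of the original post and not code from either author: a small Python script that looks for the public VMware identifiers a guest leaks on Linux, namely VMware's registered MAC OUIs, its PCI vendor ID (15ad) and the DMI system vendor string. The `ip link show` and `lspci -n` samples embedded below are constructed; the sysfs paths used by the live check are assumed to be those of a modern Linux host.

```python
"""Elementary VMware-guest checks of the sort an attacker could run on a
compromised Linux host.  Added example, not from the original post; the
identifiers are VMware's public ones, the sample outputs are constructed."""
import re
from pathlib import Path

# VMware-registered MAC OUIs (first three octets, lower case).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
# VMware's PCI vendor ID, as printed by `lspci -n`.
VMWARE_PCI_VENDOR = "15ad"

# Constructed `ip link show` output from a hypothetical guest.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:0c:29:3a:5b:7c brd ff:ff:ff:ff:ff:ff
"""

# Constructed `lspci -n` output (bus address, class, vendor:device).
SAMPLE_LSPCI = """\
00:00.0 0600: 8086:7190
00:0f.0 0300: 15ad:0405
00:10.0 0100: 1000:0030
00:11.0 0200: 1022:2000
"""


def macs_from_ip_link(text):
    """Extract Ethernet link-layer addresses from `ip link show` output."""
    return [m.lower() for m in re.findall(r"link/ether ([0-9a-f:]{17})", text, re.I)]


def pci_vendors_from_lspci(text):
    """Extract PCI vendor IDs from `lspci -n` output (vendor:device pairs)."""
    return [v.lower() for v in re.findall(r"\b([0-9a-f]{4}):[0-9a-f]{4}\b", text, re.I)]


def vm_indicators(macs, pci_vendors, dmi_vendor=""):
    """Return human-readable reasons the host looks like a VMware guest.

    An empty list means none of these elementary checks fired; it does not
    prove the host is physical."""
    hits = []
    for mac in macs:
        if mac[:8] in VMWARE_OUIS:
            hits.append(f"MAC {mac} uses a VMware OUI")
    if VMWARE_PCI_VENDOR in pci_vendors:
        hits.append("PCI device with VMware vendor ID 15ad present")
    if "vmware" in dmi_vendor.lower():
        hits.append(f"DMI system vendor is {dmi_vendor.strip()!r}")
    return hits


def check_live_host():
    """Gather the same indicators from the running Linux host via sysfs.

    Uses no external commands; on a non-Linux host every glob is empty and
    the result is an empty list."""
    macs = [p.read_text().strip() for p in Path("/sys/class/net").glob("*/address")]
    pci = [p.read_text().strip().replace("0x", "")
           for p in Path("/sys/bus/pci/devices").glob("*/vendor")]
    dmi_path = Path("/sys/class/dmi/id/sys_vendor")
    dmi = dmi_path.read_text() if dmi_path.exists() else ""
    return vm_indicators(macs, pci, dmi)


if __name__ == "__main__":
    # Run against the constructed samples, then against this host.
    sample = vm_indicators(macs_from_ip_link(SAMPLE_IP_LINK),
                           pci_vendors_from_lspci(SAMPLE_LSPCI),
                           "VMware, Inc.")
    print("sample guest:", sample or "no indicators")
    print("this host:   ", check_live_host() or "no indicators")
```

The point of the example is how little effort these checks take: an `ip link`, an `lspci` and a glance at DMI are all an intruder needs, which is why the absence of such checks in captured sessions says something about the attacker rather than about the detectability of the VM.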

