Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: Thomas Jones <thomas.jones () linux-howtos com>
Date: Tue, 2 Sep 2003 12:04:52 -0500

On Tuesday 02 September 2003 11:14, Tom Britten wrote:
<snip>

     Yes, such training and learning is possible. My company has been
working on a product for security that does learning/training and
protection of systems.  Take a check at www.cylant.com and read the white
papers to get an understanding.  I was talking to my boss about using our
systems in honeynets/honeypots.  This will allow learning and control.
Some really great advantages there.

<snip>

     This is a wonderful idea for a number of things, not just control of
 your honeypot.  One of the pieces that gangadhar mentioned was about
 activity.  How about using your other honeypots to help create traffic and
 activity.  You have the ability in either UML or VMware to run multiple
 machines on one physical box.
     Don't forget to not only create servers as honeypots, but simply
clients as well.  For sometimes they are the only uncontrolled factor
that can be used by a blackhat to wedge themselves in.  Let's say you have a
decent box sitting there; run a number of client honeypots and use those to
create traffic and activity on your other honeypots.  This also makes the
server look all the more real.
     Have the design make sense, i.e. don't have clients in your DMZ if
that is where your honeypot is located, for that will flag it as odd and it
will be ignored.  I think you know what I mean. ^_^

 Tom Britten
 Sr. Systems Engineer


'vserver' can also make a valid contribution to the virtual honeynet argument. 

http://www.solucorp.qc.ca/miscprj/s_context.hc

I have been developing a small virtual honeynet of 7 servers and 24 clients on 
one "host" system. It has been two (2) months since I started this 
project... and there is still much more to go.

Virtual systems do have 'cons' as well. If an attacker were to monitor process 
usage they would see that they do in fact have a ceiling. And the fact that a 
'user' can only see the processes within that particular virtual server. 
Yet the system performance can take a noticeable hit if a multitude of 
'servers' and/or 'clients' are generating simultaneous traffic. Hopefully, 
this will be attributed to latency and the such... 

The reality and validity of the systems are key. I've gone as far as spidering 
the internet for 5,000+ names and constructing fake credit card IDs for all 
to give the image of an e-commerce site database on one server, including a 
transaction number. Gnumeric and the rand() function work great in my 
situation.

;)
-- 
Thomas Jones
Linux-Howtos Network Administrator
OpenGPG Key: 0x6A3DF6E9
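The decoy e-commerce database described in the post, as an added example (not the author's Gnumeric sheet): it seeds a small customer table with Luhn-valid but unroutable card-like numbers and transaction ids, exports it as CSV, and, because every decoy value is known in advance, flags any sighting of one outside the honeypot. The name list and the 9999 prefix are constructed placeholders, not values from the post.

```python
import csv
import io
import random
import re

# Constructed stand-in for the 5,000+ spidered names mentioned in the post.
SAMPLE_NAMES = ["Alice Martin", "Bob Chen", "Carla Ortiz", "Dmitri Volkov", "Eve Okafor"]

# Assumed placeholder prefix: no card network begins with 9, so these numbers
# pass a Luhn check (look real to a casual dump reader) but never route anywhere.
DECOY_PREFIX = "9999"


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    # Rightmost digit of the partial sits in a "doubled" position once the
    # check digit is appended, so double at even offsets from the right.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation over a full number including its check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 == 1 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def build_decoy_table(names, seed=2003):
    """One decoy row per name: name, 16-digit card-like number, transaction id."""
    rng = random.Random(seed)  # seeded so the decoy set is reproducible
    rows = []
    for name in names:
        body = DECOY_PREFIX + "".join(str(rng.randrange(10)) for _ in range(11))
        rows.append({"name": name, "card": body + luhn_check_digit(body),
                     "txn": "TX%08d" % rng.randrange(10**8)})
    return rows


def to_csv(rows) -> str:
    """Export for loading into a spreadsheet or a database on the decoy server."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "card", "txn"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def find_leaked_decoys(rows, text):
    """Every decoy value is known, so one appearing in an outbound capture or on
    another host is a high-confidence sign the honeypot database was exfiltrated."""
    tokens = {r["card"] for r in rows} | {r["txn"] for r in rows}
    squashed = re.sub(r"[\s-]", "", text)  # tolerate 4-4-4-4 spacing or dashes
    return sorted(t for t in tokens if t in text or t in squashed)
```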