Honeypots Via VMware?
Loki_1929 asks: "Having just installed a trial of VMware workstation 3.2, I'm left wondering if anyone has used it as part of a security solution on a network. Specifically, has anyone had any experience using a virtual machine as a 'honeypot' on a business network that experiences a sizable volume of attacks? If so, what successes and problems have you run into? I would assume that a virtual machine compromise would pose no security threat to the rest of the network, and an 'undoable' disk would make picking up the pieces of the honeypot quite simple, but what other sorts of pitfalls are there to deal with, if any? As a consultant for many small to medium size businesses, it occurs to me that this may be a reasonably safe, secure, and cost-effective solution, but I thought the Slashdot community might have some experience and insights into the actual feasibility of a system like this."
Why? (Score:3, Insightful)
Re:Why? (Score:1)
[underground inside info]
If you have root on a VMware machine with Linux, you can break out of the guest machine and take control over the host machine (VMware runs suid root, since it needs direct access to your NIC).
ptrace()-based exploit coming soon to a kiddie site near you...
Still a threat... (Score:4, Insightful)
A virtual machine poses just as much threat to the network as a physical machine if cracked, because it can be used to do the exact same things. For the machine to function as a honeypot, it would need network connectivity, and obviously that's going to be bidirectional, so if the VM becomes compromised it would have the same result as losing a physical box.
It could be argued that it's actually MORE likely for something to happen with that kind of setup, because it's not a production box that would be upgraded at the front of the line, instead remaining several updates behind with possibly holes left open.
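The post above is right that a bridged honeypot VM can attack the rest of the network just like a physical box, and the usual answer is egress control: let anything in, but cap how many new connections the honeypot may open outward, and alert when the cap is hit. Below is an added example (not from this thread, and not the Honeynet Project's own tooling) that implements the alerting half in Python over iptables LOG lines. It assumes an inline firewall between the honeypot segment and everything else logs with the prefixes HONEYPOT-IN and HONEYPOT-OUT, that the guest is 192.168.1.100, and a policy of at most 15 new outbound TCP connections per hour; the log lines are constructed, not captured.

```python
"""Egress ('data control') monitor for a honeypot VM.

Added example. Parses iptables LOG lines (kernel syslog format) and flags
every outbound TCP connection attempt from the honeypot that exceeds the
allowed number within a trailing window.
"""
import re
import sys
from collections import deque
from datetime import datetime, timedelta

HONEYPOT_IP = "192.168.1.100"   # assumed address of the honeypot guest
MAX_OUTBOUND = 15                # assumed policy: new outbound TCP connections per window
WINDOW = timedelta(hours=1)

# e.g. "Mar  3 10:15:01 fw kernel: HONEYPOT-OUT IN=eth1 OUT=eth0 SRC=... DST=... PROTO=TCP ... SYN URGP=0"
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ kernel: (\S+) (.*)$")


def parse_log_line(line, year=2003):
    """Return a dict with 'ts', 'prefix', 'flags' and every KEY=VALUE field,
    or None if the line is not an iptables LOG line. Syslog omits the year,
    so it is supplied by the caller (assumption)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    mon, day, hms, prefix, rest = m.groups()
    rec = {"ts": datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"),
           "prefix": prefix, "flags": set()}
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        else:
            rec["flags"].add(tok)     # bare tokens: DF, SYN, ACK, ...
    return rec


def find_violations(lines, honeypot_ip=HONEYPOT_IP, limit=MAX_OUTBOUND, window=WINDOW):
    """Return [(timestamp, dst, dpt), ...] for each outbound SYN from the
    honeypot that pushes the count within `window` above `limit`."""
    recent = deque()
    violations = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec.get("SRC") != honeypot_ip or rec.get("PROTO") != "TCP":
            continue
        # Only pure SYNs are new connections the honeypot initiates; SYN/ACK is
        # a reply to someone scanning or attacking it and must not count.
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue
        while recent and rec["ts"] - recent[0] > window:
            recent.popleft()
        recent.append(rec["ts"])
        if len(recent) > limit:
            violations.append((rec["ts"], rec.get("DST"), rec.get("DPT")))
    return violations


# --- constructed sample log -------------------------------------------------
def _log(ts, src, dst, dpt, tcp_flags, prefix="HONEYPOT-OUT", iface_in="eth1", iface_out="eth0"):
    return (f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S} fw kernel: {prefix} IN={iface_in} OUT={iface_out} "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP "
            f"SPT=3451 DPT={dpt} WINDOW=5840 RES=0x00 {tcp_flags} URGP=0")

_base = datetime(2003, 3, 3, 10, 0, 0)
SAMPLE_LOG = [
    # inbound scan against the honeypot: not counted
    _log(_base, "10.0.0.5", HONEYPOT_IP, 22, "SYN", prefix="HONEYPOT-IN", iface_in="eth0", iface_out="eth1"),
    # the honeypot's SYN/ACK reply: a response, not a new connection
    _log(_base + timedelta(seconds=1), HONEYPOT_IP, "10.0.0.5", 1025, "ACK SYN"),
]
# the intruder's IRC bot opens 17 outbound connections, one every 10 seconds
SAMPLE_LOG += [_log(_base + timedelta(minutes=15, seconds=10 * k), HONEYPOT_IP, "10.0.0.7", 6667, "SYN")
               for k in range(17)]
# hours later a single connection: the window has emptied, so it is within policy
SAMPLE_LOG.append(_log(_base + timedelta(hours=3), HONEYPOT_IP, "10.0.0.9", 80, "SYN"))

if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ts, dst, dpt in find_violations(src):
        print(f"{ts:%b %d %H:%M:%S} honeypot exceeded outbound limit: -> {dst}:{dpt}")
```

Feed it a real log with `grep HONEYPOT /var/log/messages | python3 egress_monitor.py`. The matching enforcement on the firewall side is the `limit` match of iptables on forwarded SYNs from the honeypot; what this script adds is the alert, which is what turns a capped outbound burst into the signal that the pot has been taken.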
Re:Still a threat... (Score:1)
- RR
Conflicts (Score:2, Interesting)
If you ran multiple VMWare virtual machines at the same time on the same machine, you might have difficulty with each machine having the same ports open (unless you had several network cards, at least one for each virtual machine).
Also, you may run into a few problems where hacking the honeypot would allow the user to access everything on the computer, including the system that VMware is actually running on. That's probably not a desired result.
While I think this would be a very implausible thing to happen, I imagine that nothing is impossible.
It would be worth trying on a machine that you didn't care about, that had limited (Internet-only) connections to the rest of the LAN.
Re:Conflicts (Score:4, Informative)
Wrong. Each virtual machine can have its own IP address, completely different from the host machine.
Re:Conflicts (Score:1)
On my laptop I have a physical network card that the Linux OS uses. Under VMWare I am running Windows, and that virtual machine appears to have its own network card, which the VMWare software simulates.
So what happens on the physical hardware is that it responds to two separate IP addresses, and everything meant to go to the Windows machine is routed properly by the virtualization hardware. It works perfectly.
Re:Conflicts (Score:2)
The bigger problem is that good hackers are going to KNOW that it's a vmware session, just like they can tell if it's a usermode linux session. The Usermode linux pages go into the honeypot issue, and how to help hide the fact that it's a virtual box, but it's not perfect.
The advantage of a virtual machine honeypot is definitely valid though, as others (and the article) point out.
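To make the "a good hacker will know it's VMware" point concrete, here is an added example (not from this thread) of the kind of check an intruder can run from an unprivileged shell inside the guest, in Python. It looks at two artefacts: the MAC OUI of the virtual NIC (VMware has IEEE OUIs 00:05:69, 00:0C:29, 00:1C:14 and 00:50:56) and the PCI vendor ID of the emulated devices (VMware's is 0x15AD, used for its SVGA adapter). The `ip link` and `lspci -n` output below is constructed to look like a Workstation guest, not captured from a real machine.

```python
"""Guest-side VMware fingerprint from NIC OUI and PCI vendor ID.

Added example. Run `ip link` and `lspci -n` inside the guest and pass the
output to looks_like_vmware(); the sample texts below are constructed.
"""
import re

VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}   # IEEE OUIs assigned to VMware
VMWARE_PCI_VENDOR = "15ad"                                       # PCI-SIG vendor ID of VMware

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
# `lspci -n` lines look like "00:0f.0 0300: 15ad:0405" (slot, class, vendor:device)
PCI_RE = re.compile(r"^\S+\s+[0-9a-f]{4}:\s+([0-9a-f]{4}):([0-9a-f]{4})", re.I | re.M)


def macs_from_ip_link(text):
    """All MAC-shaped tokens in `ip link` output, lower-cased (includes brd addresses)."""
    return [m.lower() for m in MAC_RE.findall(text)]


def vmware_macs(text):
    return [mac for mac in macs_from_ip_link(text) if mac[:8] in VMWARE_OUIS]


def vmware_pci_devices(text):
    return [f"{v}:{d}".lower() for v, d in PCI_RE.findall(text) if v.lower() == VMWARE_PCI_VENDOR]


def looks_like_vmware(ip_link_text, lspci_text):
    return bool(vmware_macs(ip_link_text) or vmware_pci_devices(lspci_text))


# --- constructed sample output ----------------------------------------------
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:3a:7b:91 brd ff:ff:ff:ff:ff:ff
"""

SAMPLE_LSPCI = """\
00:00.0 0600: 8086:7190 (rev 01)
00:07.1 0101: 8086:7111 (rev 01)
00:0f.0 0300: 15ad:0405
00:10.0 0100: 104b:1040 (rev 01)
00:11.0 0200: 1022:2000 (rev 10)
"""

if __name__ == "__main__":
    print("VMware MACs:", vmware_macs(SAMPLE_IP_LINK))
    print("VMware PCI devices:", vmware_pci_devices(SAMPLE_LSPCI))
    print("looks like VMware:", looks_like_vmware(SAMPLE_IP_LINK, SAMPLE_LSPCI))
```

The MAC is the easy one for an operator to change, since the VM configuration lets you assign a static address; the PCI IDs of the emulated devices are not something you can repaint from the guest's point of view, which is why hiding a VMware honeypot from a careful intruder is the uphill fight the post describes.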
My Honeypot.. (Score:4, Funny)
The Porn-and-Passwords.zip.exe was a huge file filled with garbage that, when run on a Windows box, would write garbage to the hard drive in random areas.
I figured that 'leet Windows HAX0RS deserved it.
The funny part: It was my first (and only) GPL violation. I brought in some random number code from a GPL'ed library, and I rudely didn't offer the source on the Samba share.
So if you downloaded Porn-and-Passwords.zip.exe - send a reply and I'll get the source to you.
Re:My Honeypot.. (Score:1)
Re:My Honeypot.. (Score:2)
I know you're joking, but I'll add this: If you carefully read the GPL - I only have to release the source to people who I gave the original copy to. As a courtesy, most GPL software is released freely with source, but one doesn't have to do it. Only to the original downloaders, and even then, I could charge a reasonable copying fee to cover costs.
Re:My Honeypot.. (Score:2)
I understand your sentiments - that's why I don't do it anymore.
However, I have no sympathy for people who think they are breaking into a system and copying something that isn't theirs. I really don't.
The reason I stopped doing this was that it became possible that some broadband users could accidentally find the honeypot through normal use of Windows networking. I only wanted to hurt the jerks, and not people who were just curious.
Suuure (Score:2)
<sarcasm>
Sure... It's extremely beneficial to the security of a network to have a hax0red machine inside it.
If what you want is to help the L33t h4xors, then you'd better replace all your switches with hubs as well as putting r00ted machines in your network.
</sarcasm>
Lots of 'prior art' (Score:4, Insightful)
Re:Lots of 'prior art' (Score:2)
However, it is ridiculously expensive (as in more than buying actual machines). So much so that ESX escapes VMware's pricing page [vmware.com]. To get the price, you have to call so they can make sure you're sitting down before you hear it (ESX is more expensive than GSX).
By the way, if any of the information presented here is not correct, I can convincingly shift blame onto some of the ridiculous and confusing marketing speak on VMware's site. That being said, I run VMware 3.2 and like it for running a desktop version of Windoze until the world finishes rejecting it.
Try this site for help with honeypots. (Score:2, Interesting)
It should provide some helpful information.
Use User-Mode Linux, not VMWare (Score:4, Informative)
http://user-mode-linux.sourceforge.net/
http:/
Semi OT: VMware 4 Beta Available (Score:3, Informative)
New in This Release
Workstation 4 includes improvements across the board, from the core virtual machine and virtual devices to networking and the user interface. Here's a sampling of what's new.
Improved core support for x86 architecture PCs
Support for new host and guest operating systems, including Microsoft Server 2003 beta, Red Hat Linux 8.0 and 8.1 beta, Red Hat Linux Advanced Server 2.1, SuSE Linux 8.0, 8.1 and Enterprise Server 8, and Mandrake Linux 9.0
Support for DOS EMM386, providing better legacy application compatibility
Support for PAE host and guest operating systems
Improved support for debugging within virtual machines
Updated hardware: ACPI (Advanced Configuration and Power Interface) and APIC (Advanced Programmable Interrupt Controller) to make guest operating system installations smooth
VESA BIOS, providing a better graphics mode before VMware Tools is installed
Improved multimedia and device support
Improved sound, with support for a new industry standard sound device that provides better audio input and output performance
Improved DVD and CD-R/RW support and faster performance, including support for burning CDs from a virtual machine
Improved parallel port performance with major device compatibility improvements
DirectDraw support, providing compatibility with applications that require this software interface
Improved graphics performance when playing various video formats
Support for USB 2.0 host devices that are becoming standard in newer desktop computers
New user interface and improved usability
Completely new Linux user interface -- too much to describe here; you have to see it
New interface to switch between virtual machines by clicking a tab that acts like a virtual keyboard-video-mouse switch; you no longer need to manage a separate window for each virtual machine
Snapshots -- take a snapshot of your virtual machine at any time, whether it's powered on, powered off or suspended, and revert to the snapshot anytime
Improved favorites list lets you manage virtual machines using a browser-like favorites list, with folders to organize all of your virtual machines
Drag and drop and shared folders provide new, easy ways to share files between guest and host; you no longer need to set up a network to share files
Improved networking
Easier network configuration management on Windows hosts, so you can easily manage DHCP, NAT, virtual adapters and other features with a simple form-based interface, replacing the old text-based configuration files
Support for wireless bridging so you can use a wireless adapter to access a network from a virtual machine, even with a VPN, and with support for all IP protocols
Simplified installation and improved performance across the board
mr.
Know Your Enemy: Learning with VMware (Score:3, Informative)
Know Your Enemy: Learning with VMware [honeynet.org]
Many thanks to the Honeynet team for such a great site!
Good book (Score:1)
Vmware is ideal (Score:1)
The goal of my personal project is a lot different from that of the corporate IT security manager. My personal goal is to gain a better insight into how simple exploits and behaviors are carried out, while IT security would be more interested in reporting their findings to the police.
Use Vserver (Score:2, Interesting)
It can be done, but there are usually better ways. (Score:3, Interesting)
I would have to say that VMWare is a pretty heavyweight solution for most needs. If you've got the time to properly make use of a honeypot, maybe you've also got the resources and skills to make VMWare worthwhile. On the other hand, check out Honeyd [umich.edu], a small daemon that can emulate an entire Honeynet easily on one box. This may be a better solution for you, depending on your needs.
A hacker would know.. (Score:1)
A tremendous advantage of using VMWare (Score:2, Interesting)
The intruder, of course, loses their connection to it while it's suspended, but if your intrusion detection is good enough, you may be able to keep some info that you wouldn't otherwise have.
Another advantage is that if you keep VMWare disk images saved, you have effective backups and can simply restore a previous disk image if they *do* compromise it, whereas restoring a regular machine can take significantly more effort. So fixing the pot and pouring the honey back in is way easier unless you have a restore solution for your machine that involves something less than copying a single file.
VMWare is so damn cool.
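Keeping the pristine disk image around does more than make the restore a file copy: before you roll back, a block-wise comparison of the saved image against the compromised one tells you exactly where the intruder wrote, which is the starting point for any forensic look at the pot. The following is an added example in Python (not from this thread, and not a VMware tool) that does that comparison. It assumes both images are flat raw files of equal geometry (a sparse VMware disk would have to be converted or mounted first), uses a 512-byte sector as the unit of comparison, and reports SHA-256 of both images so the pristine copy's integrity can be checked too. The two "disks" below are constructed byte strings, not real images.

```python
"""Block-wise triage of a compromised honeypot disk image against the
pristine copy saved before exposure. Added example; images constructed."""
import hashlib
import sys

BLOCK = 512   # assumed unit of comparison; use the filesystem block size for real images


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_blocks(pristine: bytes, compromised: bytes, block=BLOCK):
    """Yield (block_index, byte_offset, pristine_hash, current_hash) for every
    block that differs. If the images differ in length, everything past the
    shorter one's end counts as changed."""
    n = max(len(pristine), len(compromised))
    for off in range(0, n, block):
        a = pristine[off:off + block]
        b = compromised[off:off + block]
        if a != b:
            yield (off // block, off, sha256(a), sha256(b))


def coalesce(changes):
    """Merge adjacent changed block indices into (first_index, count) runs,
    so a dropped binary shows up as one region rather than many sectors."""
    runs = []
    for idx, *_ in changes:
        if runs and runs[-1][0] + runs[-1][1] == idx:
            runs[-1][1] += 1
        else:
            runs.append([idx, 1])
    return [tuple(r) for r in runs]


def triage(pristine: bytes, compromised: bytes, block=BLOCK):
    changes = list(changed_blocks(pristine, compromised, block))
    return {
        "pristine_sha256": sha256(pristine),
        "current_sha256": sha256(compromised),
        "blocks_changed": len(changes),
        "runs": coalesce(changes),
        "first_changed_offset": changes[0][1] if changes else None,
    }


# --- constructed sample: a 64-sector disk where the intruder edited sector 3
# (think /etc/passwd) and dropped a three-sector binary at sectors 40-42 ----
def build_sample():
    pristine = bytearray(64 * BLOCK)
    pristine[3 * BLOCK:3 * BLOCK + 12] = b"root:x:0:0::"
    compromised = bytearray(pristine)
    compromised[3 * BLOCK:3 * BLOCK + 12] = b"r00t:x:0:0::"           # same length, one sector changed
    for sector in (40, 41, 42):
        compromised[sector * BLOCK:(sector + 1) * BLOCK] = b"\x7fELF" + b"\x90" * (BLOCK - 4)
    return bytes(pristine), bytes(compromised)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            report = triage(f.read(), g.read())
    else:
        report = triage(*build_sample())
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run as `python3 triage.py pristine.img compromised.img`; the runs it prints are the sectors to hand to a filesystem-aware tool to find out which files they belong to. The whole-image read is fine for the disk sizes people give honeypots, and keeping the comparison purely at the block level means the attacker's choice of filesystem tricks inside the guest cannot hide a write from it.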