A Play on Negroponte’s OLPC. I present “OHPC” – One Honeypot per Computer…
I was catching up with an old friend the other day, and in chatting with Lance Spitzner, we got to talking about virtualization and Honeypots. Lance, as you no doubt already know, is one of the ringleaders of the Honeynet Project whose charter is the following:
The Honeynet Project is a non-profit (501c3) volunteer, research organization dedicated to improving
the security of the Internet at no cost to the public. All of our work is released as and we are
firmly committed to the ideals of OpenSource.
Our goal, simply put, is to make a difference. We accomplish this goal in the following three ways.
Awareness
We raise awareness of the threats and vulnerabilities that exist in the Internet
today. Many individuals and organizations do not realize they are a target, nor
understand who is attacking them, how, or why. We provide this information so
people can better understand they are a target, and understand the basic measures
they can take to mitigate these threats.
This information is provided through our Know Your Enemy
series of papers.
Information
For those who are already aware and concerned, we provide
details to better secure and defend your resources. Historically,
information about attackers has been limited to the tools they use. We
provide critical additional information, such as their motives in attacking,
how they communicate, when they attack systems and their actions after compromising
a system. We provide this service through our
Know Your Enemy whitepapers and our Scan of the
Month challenges.
Tools
For organizations interested in continuing their own research about cyber threats,
we provide the tools and techniques we have developed. We provide these through
our Tools Site.
Look for an upcoming Take5 Interview with Lance shortly.
We were chatting about the application of Honeypots within a virtualized environment and how, for detection purposes, one might integrate them into virtual environments. Lance brought up the point that the Honeynet Project already talks about the deployment of virtualized Honeypots and the excellent new book by Provos and Holz titled "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" talks about utilizing virtualization and HN’s.
I clarified that what I meant was actually integrating a HoneyPot running in a VM on a production host as part of a standardized deployment model for virtualized environments. I suggested that this would integrate into the data collection and analysis models the same was as a "regular" physical HoneyPot machine, but could utilize some of the capabilities built into the VMM/HV’s vSwitch to actually make the virtualization of a single HoneyPot across an entire collection of VM’s on a single physical host.
He seemed intrigued by this slightly different perspective.
We’ve seen some pretty interesting discussions both pro and con for production Honeypots in the last couple of weeks. First there was this excellent write up by InfoWorld’s Roger Grimes which prompted an "operational yeah, but…" from LonerVamp’s blog.
So, with the hopes that this will actually turn into a discussion, Lance said he was going to bring this up internally within the HN Project forums, but I wanted to raise it here.
I’d be very interested in discussing how folks perceive the notion of OHPC and whether you’d consider deploying one as a VM on each production virtualized host machine you put into production? If so, why. If not, why?
/Hoff
Performance. If I was looking at a honeypot on each virtualized server, then I need to make sure it's not going to impact the performance of the other guests running on the host machine.
I'm also not sure architecturally that you need a honeypot on each machine. You could probably front end the data center with a honeypot and gather similar information about who is trying to attack what without having to deploy and gather information from hundreds of honeypots.