Virtual Honeynet: Deploying Honeywall using VMware
Faiz Ahmad Shuja
Pakistan Honeynet Project
Last Modified: November, 2004
Virtual Honeynet is a solution that allows you to run a complete Honeynet with multiple operating systems on the same physical computer. As discussed in the paper Know Your Enemy: Virtual Honeynets, these solutions have the advantage of being easier to deploy and simpler to manage. This guide contains information to assist you in deploying a Virtual Honeynet based on Honeywall using VMware. It will walk you through a typical installation of Honeywall step by step. It is assumed that you have read and understand the papers Know Your Enemy: Virtual Honeynets, Know Your Enemy: Learning with VMware, Know Your Enemy: Honeywall CDROM.
The Honeywall CDROM combines all the tools and requirements of a GenII Honeynet gateway. The intent is to make Honeynets easier to deploy and customize. You simply boot off the CDROM, configure it based on your environment, and you should have a Honeywall gateway ready to go. The CDROM supports several configuration methods, including an interactive menu and .iso customization scripts. The CDROM is an appliance, based on a minimized and secured Linux OS.
In this paper our goal is to have a Honeywall based Virtual Honeynet on a single physical computer. We will have all virtual honeypots routed through honeywall using VMware. This guide will assist you in deploying the required Honeynet. It is broken down into three parts. In the first part we will describe how to setup VMware and install your honeypots. In the second part we will describe how to install and configure the Honeywall CDROM. In the third part we will describe how to upgrade the Honeywall setup to the latest version.
Phase 1 - Configuring VMware and Installing your Honeypots
Phase 2 - Installing and Configuring Honeywall CDROM
Phase 3 - Upgrading Honeywall CDROM
For the purpose of this paper, we are going to build our Virtual Honeynet on a server board, comprising a P4 2.4 GHz processor and 1 GB RAM. It is recommended to have a powerful system with at least PIII 800 Mhz processor with 1 GB RAM, so that your virtual honeywall  and honeypots [2 - 5] can run properly. The base operating system is Red Hat 8.0. First, we will install VMware virtualization software. Then we will install different Operating Systems for honeypots [2 - 5]. Once the OSs are installed, we will install and configure the Honeywall . It enables you to deploy, customize, and manage the Honeynet gateway easily. Our Honeywall  will be acting as a layer 2 bridged gateway which will capture and control everything to and from the Honeynet.
Above is a typical network diagram. Our Honeynet will look somewhat shown in above diagram. Components in light brown color will be running in VMware on single physical computer and components in gray color are other devices. We will configure Honeywall  virtual machine to use three network interfaces i.e. two bridge and one host-only. Honeypots [2 - 5] will be configured to use single host-only network interface. Bridge interface lets you connect your virtual machine to the network by your host computer. It connects the virtual network adapter in your virtual machine to the physical Ethernet adapter in your host computer. The host-only virtual adapter is a virtual Ethernet adapter that appears to your host operating system as a VMware Virtual Ethernet Adapter on a Windows host and as a Host-Only Interface on a Linux host. It allows you to communicate between your host computer and the virtual machines on that host computer.
There are certain requirements to make Honeywall run properly. The VMware virtual machine should have at least 256 MB memory, IDE CDROM drive, IDE hard drive, and 2 NICs. Currently Honeywall works on IDE drives only. You can configure IDE drive from Advanced Virtual Disk options in VMware. Make sure that you boot with an IDE hard drive and it has disk space more than 500 MB. Honeywall uses 500 MB disk space for swap and remaining for storing the logs.
You can reference the Honeywall CDROM Frequently Asked Questions for additional information.