Virtual Honeynet: Deploying Honeywall using VMware
Last Modified: November, 2005
Introduction
A Virtual Honeynet is a solution that allows you to run a complete Honeynet with multiple operating systems on the same physical computer. As discussed in the paper Know Your Enemy: Virtual Honeynets, these solutions have the advantage of being easier to deploy and simpler to manage. This guide contains information to assist you in deploying a Virtual Honeynet based on Honeywall using VMware. It will walk you through a typical installation of Honeywall step by step. It is assumed that you have read and understood the papers Know Your Enemy: Virtual Honeynets, Know Your Enemy: Learning with VMware, and Know Your Enemy: Honeywall CDROM.
In 2003, the first Honeywall CDROM, Eeyore, was released. The intent was to make Honeynets easier to deploy and customize. You simply boot off the CDROM, configure it based on your environment, and you should have a Honeywall gateway ready to go. It supported several configuration methods but had several weaknesses as well. In 2005, the new Honeywall CDROM, Roo, was released with radical improvements, combining all the tools and requirements of GenIII Honeynet technology. It contains the core GenII Data Control and Data Capture functionality with newly added remote GUI administration, Data Analysis integration, support for the Sebek 3.x branch, a robust OS base, automated updating, and much more.
Overview
In this paper our goal is to have a Honeywall-based Virtual Honeynet on a single physical computer. All virtual honeypots will be routed through the Honeywall using VMware. This guide will assist you in deploying the required Honeynet. First we will describe how to set up VMware and install your honeypots, and then we will describe how to install and configure the Honeywall CDROM.
Phase 1 - Installing and Configuring VMware and Honeypots
Phase 2 - Installing and Configuring Honeywall CDROM
For the purpose of this paper, we are going to build our Virtual Honeynet on a server machine with a P4 2.4 GHz processor and 1 GB RAM. It is recommended to have a powerful system with at least a P4 1.4 GHz processor and 1 GB RAM, so that your virtual Honeywall [1] and Honeypots [3 & 4] can run properly. The base operating system is Fedora Core 4. First, we will install the VMware virtualization software. Then we will install different operating systems for the Honeypots [3 & 4]. Once the OSs are installed, we will install and configure the Honeywall [1]. It enables you to deploy, customize, and manage the Honeynet gateway easily. Our Honeywall [1] will act as a layer 2 bridged gateway which will capture and control everything to and from the Honeynet. In phase 3, we will install the Attacker [5] virtual machine to test our Honeynet setup.

Above is a typical network diagram; our Honeynet will look similar to it. Components in light brown run in VMware on a single physical computer, and components in gray are other devices. We will configure the Honeywall [1] virtual machine to use three network interfaces: two bridged and one host-only. The Honeypots [3 & 4] will be configured to use a single host-only network interface, and the Attacker [5] will use a bridged interface. A bridged interface lets you connect your virtual machine to the network through your host computer. It connects the virtual network adapter in your virtual machine to the physical Ethernet adapter in your host computer. The host-only virtual adapter is a virtual Ethernet adapter that appears to your host operating system as a VMware Virtual Ethernet Adapter on a Windows host and as a Host-Only Interface on a Linux host. It allows you to communicate between your host computer and the virtual machines on that host computer.
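The adapter layout described above can be checked mechanically before the honeypots are powered on, so that a honeypot left on a bridged adapter (and therefore able to reach the network without passing through the Honeywall) is caught early. The following is an added example, not part of the original guide: the role names, function names and sample .vmx fragments are constructed for illustration, and it only reads the `ethernetN.present` and `ethernetN.connectionType` keys of a VMware .vmx file.

```python
import re
from collections import Counter

# Expected adapter counts per role, taken from the paragraph above.
EXPECTED = {
    "honeywall": Counter(bridged=2, hostonly=1),
    "honeypot": Counter(hostonly=1),
    "attacker": Counter(bridged=1),
}
_LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$', re.I)

def nic_types(vmx_text):
    """Return {adapter_index: connection_type} for every present adapter."""
    nics = {}
    for line in vmx_text.splitlines():
        m = _LINE.match(line)
        if m:
            nics.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(3)
    # Assumption: an adapter with no connectionType is counted as bridged,
    # the conservative reading for a containment check.
    return {i: n.get("connectiontype", "bridged").lower()
            for i, n in sorted(nics.items())
            if n.get("present", "").upper() == "TRUE"}

def check_role(role, vmx_text):
    """Return a list of findings; an empty list means the layout matches."""
    found = Counter(nic_types(vmx_text).values())
    expected = EXPECTED[role]
    return [f"{role}: {found[kind]} {kind} adapter(s), expected {expected[kind]}"
            for kind in sorted(set(found) | set(expected))
            if found[kind] != expected[kind]]

# Constructed sample .vmx fragments (not taken from the guide).
HONEYWALL_VMX = '''
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet2.present = "TRUE"
ethernet2.connectionType = "bridged"
'''
BAD_HONEYPOT_VMX = '''
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
'''

if __name__ == "__main__":
    for role, text in (("honeywall", HONEYWALL_VMX), ("honeypot", BAD_HONEYPOT_VMX)):
        print(role, check_role(role, text) or "OK")
```

Adapters set to `nat` or `custom` are reported as unexpected for every role, which is the intended outcome for this topology.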
You can reference the Honeywall CDROM User's Manual for additional information.