According to the Honeynet Project and Research Alliance, a honeynet is a tool that can be used to learn about the targets, methods and tools used by intruders to attack a system. It is a network of systems that are designed to be compromised.
Conceptually, honeynets are very simple networks. They contain one or more honeypots. Since honeypots are not production systems, the honeynet itself has neither production activity nor authorised services. As a result, any interaction with a honeynet implies malicious or unauthorised activity. Any connection inbound to the honeynet is most likely a probe, scan or attack. Any unauthorised outbound connection from the honeynet implies that someone has compromised the system and initiated outbound activity.
A honeynet is an architecture. This architecture creates a highly controlled network, which can control and monitor all the activity that happens within it (Fig. 1). The system administrator places target systems, or honeypots, within the architecture. In many ways, a honeynet is like a fishbowl. It is an environment where anyone can watch everything happening inside it.
Honeynets are used to build anti-virus signatures, spam signatures and filters, identify compromised systems, assist law-enforcement authorities in tracking criminals, hunt and shut down botnets, collect and analyse malware, and detect zero-day attacks.
To successfully deploy a honeynet, it is necessary to correctly deploy the honeynet architecture. The key to the honeynet architecture is a honeywall. This is a gateway device that separates the honeypots from the rest of the world. Any traffic going to or from a honeypot must go through the honeywall. Gen-III honeynets implement a new data model that is independent of the data source, as described in the paper ‘Towards A Third Generation Data Capture Architecture for Honeynets’ by Edward Balas and Camilo Viecco, presented at the Proceedings of the Sixth IEEE Information Assurance Workshop in June 2005.
Tracking hackers’ activities using honeynets
To monitor and track malicious activities, a system or networked environment is needed in which every activity is gathered at each point, from the network to the host system. Honeynets are used because no other honeypot solution can gather more information about an attacker. As a high-interaction technology, honeynets gather information not only on attacks but on the attackers themselves. Honeynets can gather all information concerning the attackers, from their tools to their keystrokes.
Honeynets are not limited to a single operating system or software solution. Depending on the requirement, any system (software or hardware) can be placed within the honeynet architecture. Administrators can place a Linux Web server, Windows file server or Mac OS X desktop within a honeynet and monitor it. The honeynet architecture has very few limitations. Also, honeynets can form an actual network: a system administrator can place as many systems as required, creating a real networked environment.
Fig. 1 shows where a honeywall is usually placed in the honeynet architecture. The honeywall can be considered as the main point of entry and exit for all the network traffic for all honeypots. It allows complete control and analysis of all the network traffic to and from a honeynet system.
A honeywall does not have any IP address; hence it remains hidden from the Internet. Most hackers want to know as much as possible about a network, mainly to figure out whether any firewall or intrusion detection system is detecting their movements. If the honeywall had an IP address, the hacker would know that there is a firewall, intrusion detection system or honeywall in front of the bait systems. In the third-generation honeynet architecture, the honeywall works in a bridged environment, so a remote hacker has no indication that traffic is passing through a honeywall.
Fig. 2 shows the various components of a honeywall.
Data control. Its main purpose is to ensure that the honeywall goes unnoticed and to protect the rest of the Internet from compromised honeynet ‘bait’ systems. The challenge is implementing data control while minimising the chance of it being detected by an attacker or malicious code.
Various mechanisms can be implemented to protect against a single point of failure, especially when dealing with new or unknown attacks. Also, data control should operate in a fail-closed manner. This means, if there is a failure in the administrator’s mechanisms (process dying, hard drive full, misconfigured rules), the honeynet architecture should block all the outbound activity.
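The two rules above (any inbound connection is a probe, any outbound connection from the honeynet means compromise) and the fail-closed data-control policy can be expressed in a small flow classifier. This is an added example, not code from the article or from the Honeynet Project's honeywall; the honeynet range is the RFC 5737 documentation prefix, and the per-honeypot outbound connection budget is an assumed containment mechanism used here for illustration.

```python
# Added example (not from the original article): classify flows relative to a
# honeynet range and apply a fail-closed outbound data-control policy.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed honeynet range (RFC 5737 documentation prefix, not a real deployment).
HONEYNET = ip_network("192.0.2.0/24")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def classify(flow: Flow) -> str:
    """Direction relative to the honeynet decides the alert type: anything
    inbound is a probe/scan/attack, anything outbound means compromise."""
    src_in = ip_address(flow.src) in HONEYNET
    dst_in = ip_address(flow.dst) in HONEYNET
    if src_in and dst_in:
        return "honeypot-to-honeypot"    # lateral movement inside the honeynet
    if dst_in:
        return "inbound-probe"
    if src_in:
        return "outbound-compromise"
    return "unrelated"


@dataclass
class DataControl:
    """Honeywall outbound policy. The per-honeypot connection budget is an
    assumed mechanism; the fail-closed behaviour is what the article requires."""
    outbound_budget: int = 5
    rules_loaded: bool = True            # False models a broken control mechanism
    _used: dict = field(default_factory=dict)

    def decide(self, flow: Flow) -> str:
        if classify(flow) != "outbound-compromise":
            return "allow"               # inbound traffic is admitted so it can be captured
        if not self.rules_loaded:
            return "drop"                # fail closed: block all outbound when control fails
        used = self._used.get(flow.src, 0)
        if used >= self.outbound_budget:
            return "drop"                # budget exhausted: contain the compromised honeypot
        self._used[flow.src] = used + 1
        return "allow"


def process(flows, control: DataControl):
    """Return (classification, verdict) per flow, in order."""
    return [(classify(f), control.decide(f)) for f in flows]
```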
Bridging. As discussed earlier, the honeynet has to be as anonymous as possible to the remote hacker. To achieve this, the honeywall is kept hidden by not assigning any IP address to it.
Data capture. It is the monitoring and logging of all of the attacker’s activities within the honeynet. The captured data is then analysed to learn the tools, tactics and motives of attackers. The challenge is to capture as much data as possible without the attacker’s knowledge. It is critical to use multiple mechanisms for capturing the data.