I was catching up with an old friend the other day, and in chatting with Lance Spitzner, we got to talking about virtualization and Honeypots. Lance, as you no doubt already know, is one of the ringleaders of the Honeynet Project whose charter is the following:
The Honeynet Project is a non-profit (501c3) volunteer, research organization dedicated to improving the security of the Internet at no cost to the public. All of our work is released as OpenSource and we are firmly committed to the ideals of OpenSource. Our goal, simply put, is to make a difference. We accomplish this goal in the following three ways.
We raise awareness of the threats and vulnerabilities that exist in the Internet today. Many individuals and organizations do not realize they are a target, nor understand who is attacking them, how, or why. We provide this information so people can better understand they are a target, and understand the basic measures they can take to mitigate these threats. This information is provided through our Know Your Enemy series of papers.
For those who are already aware and concerned, we provide details to better secure and defend your resources. Historically, information about attackers has been limited to the tools they use. We provide critical additional information, such as their motives in attacking, how they communicate, when they attack systems and their actions after compromising a system. We provide this service through our Know Your Enemy whitepapers and our Scan of the Month challenges.
For organizations interested in continuing their own research about cyber threats, we provide the tools and techniques we have developed. We provide these through our Tools Site.
Look for an upcoming Take5 Interview with Lance shortly.
We were chatting about the application of Honeypots within a virtualized environment and how, for detection purposes, one might integrate them into virtual environments. Lance brought up the point that the Honeynet Project already talks about the deployment of virtualized Honeypots and the excellent new book by Provos and Holz titled "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" talks about utilizing virtualization and HN's.
I clarified that what I meant was actually integrating a HoneyPot running in a VM on a production host as part of a standardized deployment model for virtualized environments. I suggested that this would integrate into the data collection and analysis models the same way as a "regular" physical HoneyPot machine, but could utilize some of the capabilities built into the VMM/HV's vSwitch to actually make the virtualization of a single HoneyPot across an entire collection of VM's on a single physical host.
He seemed intrigued by this slightly different perspective.
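To make the per-host idea concrete, here is an added example (written for this post, not code from the Honeynet Project, the book, or any vSwitch vendor) of the analysis side: the honeypot VM has no legitimate clients on the host, so any flow from a production guest to the honeypot's address is an alert on its own, and grouping those flows by source guest tells the analyst which VM on that host to look at first. The honeypot address, the allowed collector address, the CSV column layout and the flow records themselves are all constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Hypothetical address of the honeypot VM sitting on the host's vSwitch.
HONEYPOT_IP = "10.0.5.250"
# Hypothetical addresses that may legitimately reach it (the log collector).
ALLOWED_SOURCES = {"10.0.5.1"}

# Constructed sample of flow records as a vSwitch might export them; the
# column layout is invented for this example and is not a vendor format.
SAMPLE_FLOW_RECORDS = """\
ts,src_vm,src_ip,dst_ip,dst_port,proto
2008-04-02T10:00:01,web01,10.0.5.11,10.0.5.20,3306,tcp
2008-04-02T10:00:05,collector,10.0.5.1,10.0.5.250,22,tcp
2008-04-02T10:01:12,web01,10.0.5.11,10.0.5.250,445,tcp
2008-04-02T10:01:13,web01,10.0.5.11,10.0.5.250,139,tcp
2008-04-02T10:02:40,db01,10.0.5.20,10.0.5.250,22,tcp
2008-04-02T10:03:00,app02,10.0.5.12,10.0.5.20,3306,tcp
"""


def parse_flows(text):
    """Parse the constructed CSV flow export into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def honeypot_contacts(flows, honeypot_ip=HONEYPOT_IP, allowed=ALLOWED_SOURCES):
    """Return every flow that reached the honeypot from a non-allowed source.

    Production guests have no business talking to the honeypot, so each
    such flow is worth an alert by itself; no thresholding is needed.
    """
    return [
        f for f in flows
        if f["dst_ip"] == honeypot_ip and f["src_ip"] not in allowed
    ]


def suspects_by_vm(contacts):
    """Group honeypot contacts by the guest that produced them, listing the
    destination ports touched, so the analyst sees which VM to examine."""
    by_vm = defaultdict(set)
    for f in contacts:
        by_vm[f["src_vm"]].add(int(f["dst_port"]))
    return {vm: sorted(ports) for vm, ports in by_vm.items()}


if __name__ == "__main__":
    hits = honeypot_contacts(parse_flows(SAMPLE_FLOW_RECORDS))
    for vm, ports in suspects_by_vm(hits).items():
        print(f"ALERT host-local honeypot contacted by {vm}: ports {ports}")
```

Because the honeypot and the production guests share one vSwitch, the flow export is the only data source this needs; a real deployment would feed the same alerts into whatever collection and analysis pipeline the physical honeypots already report to.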
We've seen some pretty interesting discussions both pro and con for production Honeypots in the last couple of weeks. First there was this excellent write-up by InfoWorld's Roger Grimes which prompted an "operational yeah, but..." from LonerVamp's blog.
So, with the hopes that this will actually turn into a discussion, Lance said he was going to bring this up internally within the HN Project forums, but I wanted to raise it here.
I'd be very interested in discussing how folks perceive the notion of OHPC and whether you'd consider deploying one as a VM on each production virtualized host machine you put into production. If so, why? If not, why not?