The Honeynet.BR Project
As part of its ongoing research in Information Systems Security, the Brazilian National Institute for Space Research (INPE), together with CERT.br, has implemented a research honeynet (Honeynet.BR) to contribute to the international effort to gather intelligence on the activities of the blackhat community.
Honeynet.BR has been a member of the Honeynet Research Alliance since June 2002.
Honeynet.BR is an active honeytrap. It was set up as a teaching and research laboratory for the Information Systems Security track of INPE's graduate course in Applied Computer Science.
The Honeynet.BR network architecture is shown here. It is essentially a GenII Honeynet with some modifications. The network is composed of an administrative network and the honeynet itself; a short description of each part is given below.
The administrative network is comprised of three main components: the firewall, the IDS and the forensics machine.
The firewall runs the pf packet filter. A program called sessionlimit was developed to limit intruder activity by interacting with pf to change the firewall rules dynamically: it monitors outgoing traffic in order to detect and stop malicious activity, such as port scans, originating from the honeynet.
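As an added example (not the Honeynet.BR sessionlimit program, whose internals the page does not describe), the following Python script shows the idea behind such an outbound limiter: it reads flow records leaving the honeynet, flags a honeypot that touches many ports on one host or many hosts on one port within a short window, and emits the pfctl commands that would put that honeypot into a pf table referenced by a block rule. The honeynet prefix, the thresholds, the flow-record format, the table name and the pf.conf lines quoted in the docstring are all assumptions, and the flow records are constructed for the demonstration.

```python
"""Outbound port-scan limiter for a honeynet firewall running pf.

Added example, not the Honeynet.BR sessionlimit program. Assumptions (not from
the page): the honeynet lives in 192.0.2.0/24, flows arrive as
(unix_time, src_ip, dst_ip, dst_port) tuples, and pf.conf contains

    table <scanners> persist
    block out quick on $honey_if from <scanners> to any

so that adding an address to the table cuts off its further outbound sessions.
"""
import ipaddress
import subprocess
import sys
from collections import defaultdict, deque

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # assumed honeynet prefix
WINDOW = 60            # seconds of history kept per honeypot
PORT_THRESHOLD = 15    # distinct ports on one destination -> vertical scan
HOST_THRESHOLD = 15    # distinct destinations on one port -> horizontal scan

# Constructed flow records for the demonstration: (unix_time, src, dst, dport).
FLOWS = (
    # 192.0.2.10 walks ports 1..20 of one host in 20 seconds (vertical scan)
    [(1000 + i, "192.0.2.10", "198.51.100.7", 1 + i) for i in range(20)]
    # 192.0.2.11 fetches three web pages (ordinary traffic, must not trip)
    + [(1100 + 5 * i, "192.0.2.11", f"198.51.100.{20 + i}", 80) for i in range(3)]
    # an outside host scans SSH across the honeynet: inbound, not ours to limit
    + [(1200 + i, "203.0.113.5", f"192.0.2.{2 + i}", 22) for i in range(20)]
    # 192.0.2.12 probes port 445 on 20 different hosts (horizontal scan)
    + [(1300 + i, "192.0.2.12", f"198.51.100.{50 + i}", 445) for i in range(20)]
)


def outbound(flows):
    """Keep only flows that leave the honeynet; inbound scans are the IDS's job."""
    for t, src, dst, dport in flows:
        if ipaddress.ip_address(src) in HONEYNET and ipaddress.ip_address(dst) not in HONEYNET:
            yield t, src, dst, dport


def detect_scans(flows, window=WINDOW):
    """Return {honeypot_ip: reason} for sources whose outbound connections in
    any `window`-second span hit PORT_THRESHOLD ports on one host or
    HOST_THRESHOLD hosts on one port."""
    offenders = {}
    recent = defaultdict(deque)  # src -> (t, dst, dport) seen within the window
    for t, src, dst, dport in sorted(outbound(flows)):
        if src in offenders:
            continue  # already limited; nothing more to decide
        q = recent[src]
        q.append((t, dst, dport))
        while t - q[0][0] > window:  # q is never empty: the newest entry has age 0
            q.popleft()
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        for d, ports in ports_per_host.items():
            if len(ports) >= PORT_THRESHOLD:
                offenders[src] = f"vertical scan of {d}: {len(ports)} ports within {window}s"
                break
        else:
            for p, hosts in hosts_per_port.items():
                if len(hosts) >= HOST_THRESHOLD:
                    offenders[src] = f"horizontal scan on port {p}: {len(hosts)} hosts within {window}s"
                    break
    return offenders


def pf_commands(offenders, table="scanners"):
    """pfctl invocations that add each offender to the assumed <scanners> table."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(offenders)]


if __name__ == "__main__":
    found = detect_scans(FLOWS)
    for src, why in sorted(found.items()):
        print(f"{src}: {why}", file=sys.stderr)
    for cmd in pf_commands(found):
        print(cmd)
        if "--apply" in sys.argv:  # only on the firewall itself, as root
            subprocess.run(cmd.split(), check=True)
```

Run as is, the script reports the two scanning honeypots and prints the pfctl lines; `--apply` executes them, which only makes sense on the firewall with a pf.conf that defines the table. A production limiter would also cap the total number of outbound connections per hour, as GenII honeynets typically do, and log every decision so the forensics machine can later correlate it with the captured traffic; thresholds must be tuned so that a honeypot doing ordinary browsing, as 192.0.2.11 does here, never trips.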
The IDS has two network interfaces, one connected to the administrative network and the other to the honeynet. The latter captures all traffic and has no IP address, so the sensor cannot be addressed from the honeynet. This machine also generates alerts and mails daily summaries to all members.
The computational forensics machine is used to store and analyse partition images from the honeynet machines and the tools left behind by intruders.
The honeynet itself is composed of several machines running different operating systems and services. It has remote logging facilities, and all traffic internal to the honeynet is captured by the IDS.
Generally, honeytraps are divided into two categories: passive and active.
Passive honeytraps are low-interaction systems that allow only very limited interaction and no access to the system. Examples of this type of honeytrap are NFR's Back Officer Friendly, the Deception Toolkit, Specter and, more recently, Honeyd.
This type of honeytrap is very useful for detecting attack trends, compiling scan statistics, serving as an early warning or alarm system and detecting unauthorized insider activity in a production environment.
Active honeytraps usually allow full interaction between the attacker and the hosts. The hosts can be real machines connected to a LAN, which is the case of honeynets, or they can be emulated on a single system (virtual honeynets). In the latter case, one can use applications such as VMware, UML (User-Mode Linux) or Decoy Server (formerly ManTrap).
Honeynets allow us to observe the actions and techniques of attackers and to capture the tools used by the blackhat community. As an added bonus, in some circumstances they allow us to monitor chats, which helps us better understand the attackers' motivation and psychological profiles.