Virtual honeynets revisited

A new user-mode Linux based virtual honeynet architecture is presented in this paper. The new architecture has improved functionality that is difficult to realize in the GenII honeynet. Two new honeynet capabilities in particular are introduced. Honeypot controller is a new virtual honeynet component that assists in data control. The honeywall promises to have finer control over the honeypots through signal and system call redirections. The second new capability is the disk imager. The disk imager is capable of making forensic images of the virtual machine's file systems for further analysis. Since security for virtual honeynets is a big concern, the new virtual honeynet architecture utilizes security enhanced Linux to isolate the untrusted honeypots from the completely trusted honeywall. SELinux and other research work done in this field made the new honeynet architecture a viable alternative to GenII honeynets. A file system logging mechanism, FSLog, has been developed for the UML based virtual honeynet. In conjunction with the built-in tty logger, UML based honeynets have logging capabilities that are equivalent to their GenII honeynet counterparts. The current version of FSLog successfully logs eighteen virtual file systems system calls including the common, read(), write(), open() and close() functions. Its current functionality and how it pieces into the new architecture is also discussed. This work provides researchers with an alternative honeynet platform. The new virtual honeynet architecture is more portable, easier to setup, more cost effective and as secure as the GenII honeynet. The addition of the honeypot controller and disk imager components also makes the new virtual honeynet architecture more capable.