Secure Ethernet Bridge over TCP/IP
The main goal of this tool is to act as a completely secure Ethernet bridge over TCP/IP, tunneling network traffic to a remote location in a transparent, safe and easy way, without the need for any kernel patches or modules, or even the need to hide routing in the honeypots.
It can be used to easily deploy honeypot farms of distributed honeypots, transporting network traffic to a central honeypot architecture where data collection and analysis will be done. It can also be used as a very simple and efficient VPN (Virtual Private Network) for any other purposes.
- What is HoneyMole's value to me?
Deploying traditional honeypots and honeynets can be a problem if you bear in mind that every honeypot you deploy means more work and resources required to maintain and analyze everything it collects. On the other hand, the more honeypots you deploy, the more valid information you can collect.
Honeypot Farms are one way to solve this problem. A honeypot farm is nothing more than several honeypots located in a single location. You then place redirectors anywhere you want in the world. The redirectors are nothing more than 'virtual honeypots' that redirect traffic to the honeypot farm.
People attacking one of those systems think they are interacting with a system (your virtual honeypot) in Portugal, the United States or the United Kingdom, yet in reality all of their activity is being redirected to your single collection of honeypots. The redirectors make it very easy to virtually deploy lots of honeypots all over the place, but you only have to maintain a small number of real honeypots in a single location.
As presented by Edward Balas in chapter 7 of “Know Your Enemy, 2nd Edition”, Honeypot Farms are used as a way of virtually distributing honeypots, transporting IP packets from remote locations to the physical honeypots. It aims to reduce cost, deployment time and analysis time.
Advantages of Honeypot Farms
- Honeynets can be deployed within a very short amount of time;
- Forensic analysis can be done faster;
- Honeypot farms can be used to protect production servers (hot-zoning);
- Participant networks don’t need to configure or monitor the honeypots.
Disadvantages of Honeypot Farms
- Geographically unrelated positions cause anomalies in network latency;
- Honeypot farms use routing rather than bridging, so they are complex to configure and require good network knowledge to operate properly;
- This technology is fairly new, and there are no tools to help automate the configuration and operation of the infrastructures.
HoneyMole is the result of our work on simplifying the Honeypot Farm concept and the necessary traffic tunneling.
Our aim was to use bridging rather than routing for transporting the traffic from remote locations to our honeypots on the farm, and at the same time to reduce all the previously identified disadvantages except the network latency.
- What technologies does it use?
HoneyMole is developed in C using the Libpcap, Libnet and OpenSSL libraries.
- What about performance?
Performance is fairly good. It has been used for some months in production environments without any problems. Since libpcap uses BPF (Berkeley Packet Filter), it is possible to apply filter rules in both directions in order to reduce the traffic in the tunnel to the operational needs.
- What about security?
HoneyMole authentication and encryption use OpenSSL. Some scripts are available to generate all the necessary certificates for the CA (Certificate Authority) used in the communication between the server and client.
- What operating systems are supported?
At the moment HoneyMole works fine on Linux, OpenBSD, FreeBSD, NetBSD, Solaris and Mac OS X. Since it is based on Libpcap, Libnet and OpenSSL, it should also be easy to port it to Microsoft Windows.
Comments
test
I don't really agree with the costs given. I think the ceremony described is too lavish, and a lot of trivial things are described. For me, I don't mind setting the price at just RM3K as the hantaran (wedding gift money), or even having no hantaran at all... because the most important thing is happiness after the wedding. I lean more toward how to deal with the in-laws, everyday life with a husband, and then how to be a great mom to my children. If you set a price in the thousands and then end up broke after the wedding, what is the point? That pampers outsiders at the wedding feast rather than ourselves. If the hantaran is set at RM3K and the honeymoon is then in the UK or Mauritius, I think that is even better. This is just my humble opinion. :)
IMHO .. when fuel prices go up, costs go up. muahahahha.... it's normal, there are just too many customs. After all, as the saying supposedly goes, let the child die but never the custom. So very Malay..
:P