
Data control in virtual honeynets based on operating system-level virtualization

Article

Authors: Pavol Sokol, Ján Host, Michal Vasko

Abstract

A virtual honeynet plays a very important role in modern network security. Data control within it should ensure that the honeypots cannot be used to attack other systems and computer networks. Data control should also be invisible to the attacker. In this paper we propose such a framework. It is based on a set of legal and technical requirements and represents a new approach to data control.

Introduction

To protect and secure communication between network services, administrators rely on a limited set of tools. In recent years these tools have become less effective than they used to be because of advanced security threats, so it is crucial for those responsible to improve the methods used to protect networks from attackers. This is where the honeypot and the honeynet step in: they represent a modern approach that can defend the given systems more adequately.

One definition states that a honeypot is a "security resource whose value lies in being probed, attacked, or compromised" [1]. Honeypots are primarily categorized by level of interaction, purpose, role and deployment. In this paper we consider only categorization by level of interaction, namely low-interaction and high-interaction honeypots. A low-interaction honeypot uses software emulation of network services and operating systems on the host operating system to detect an attacker. A high-interaction honeypot works differently: it gives the attacker all services of the given operating system and platform, with nothing restricted. In the approach discussed in the following text, only UNIX-like operating systems can be used. According to W3Techs' survey of operating systems used for hosting websites [2], UNIX-like operating systems run 67.7% of all websites whose operating system is known.

A honeynet is a high-interaction honeypot. It shares the same problems and takes the same risks that are characteristic of many networks in organizations today. It is "not a single system but a network of multiple systems" [3]. The primary value of a honeynet lies in the analysis of data on existing threats and on zero-day threats. The honeypots are modified only to the extent that the attacker does not notice it; this gives him or her a full range of operating systems, applications and functionality to use [4].

There are several definitions of a virtual honeynet. One of them states that a virtual honeynet is "a complete honeynet, running on a single computer in a virtual environment" [4]. A virtual honeynet can also be defined as "a technology that virtually implements many different operating systems in one hardware computer, and hence instead of having a honeynet of different physically separate honeypots, all the honeypots will be virtually set in one machine and still appear to the attacker as different separate machines" [5]. Virtual honeynets combine all the elements of a honeynet into a single physical system: not only are the three requirements of data control, data capture and data collection met, but the honeypots themselves run on that single system [6].

There are different approaches to virtualization, namely full virtualization, paravirtualization and operating-system-level virtualization. In this paper we focus on the last of these. The kernel of the operating system allows multiple isolated userspace instances (containers). The advantage of this method lies mainly in performance, since there is little or no overhead. Its disadvantage is that host and guests share one kernel: a guest based on the Windows kernel cannot run on a host based on a UNIX kernel, and if the kernel crashes or is compromised, all containers crash or are compromised as well. In the design of the proposed system we use the Linux Containers (LXC) implementation [7]. LXC is a lightweight virtualization mechanism that builds on the chroot system call to create a full-featured, reliable and secure mechanism for separating processes.

A successful deployment of a virtual honeynet is a successful deployment of its architecture. The core elements of the virtual honeynet's architecture are [3]: data control, whose purpose is to control and contain the activity of the attacker; data capture, which monitors and logs all of the attacker's activities within the honeynet; data collection, which, when an organization has more than one honeynet, gathers all captured data in one central location; and data analysis, the ability to analyse the data collected from the honeynet.

The single most important purpose of data control is to deploy a secure and safe honeynet, so that the attacker cannot compromise other, production networks. This is the most important function and it always has to be given the highest priority when implementing a honeynet [4]. Data control cannot prevent all attacks, but it tries to mitigate the risk of the honeypot being misused. There are many data control techniques, such as counting the outgoing connections of the honeypot. The honeynet and its data control should be configurable remotely by a skilled administrator at any time, so that if a problem occurs he or she can intervene immediately. The honeynet also has to have an automatic alerting system. Misuse of the honeynet is the main problem of deploying one. For example, if the attacker takes over a honeypot, he or she may attempt to launch exploits against a non-honeypot system (e.g. a web server). After several successful outbound attempts, all further activity, including any exploits, is blocked, and the attack is not carried out. The concept of data control is therefore an essential issue.

The first contribution of this paper is the proposed data control in a virtual honeynet. The concept of data control is not new, but our design is based on a set of both technical and legal requirements. Joshi [6] outlines technical requirements for the deployment and use of data control in honeynets; based on his paper we show how the proposed system takes into account the eight requirements that data control needs in order to function properly and to reduce the risk to a minimum. Sokol [8] discusses the liability of honeynet administrators and outlines a honeynet data control that meets the requirements of EU law (legal requirements). According to him, data control should contain five components: a firewall with a restrictive white list, a dynamic connection redirection mechanism, an emulated private virtual network, honeypots and a control centre. This control allows a trained honeynet administrator to monitor connections and respond quickly to incidents. The proposed system includes all of these parts. The second contribution is that the proposed data control takes into account all types of honeypots according to their level of interaction.

This paper is organized as follows. Section II discusses related work in the field of data control. Section III focuses on the proposed system and its design, discusses the specific parts of this system and shows how it meets the technical and legal requirements. Section IV focuses on the decision algorithm, which is a sequence of control steps. Section V outlines the implementation of the four modules of the proposed system. The last section contains conclusions and the authors' vision of future research.
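The outbound-connection-counting technique mentioned above, together with the restrictive white list and automatic alerting that the introduction lists as data-control components, can be made concrete in a few dozen lines. The following is an added worked example written for this page; it is not code from the paper or from the authors' system. It assumes a honeynet on 10.0.0.0/24, an external DNS resolver at 192.0.2.53 that is white-listed, and a small per-honeypot budget of new outbound connections per sliding window; all addresses, limits and connection events are constructed sample data.

```python
"""Outbound-connection data control for a virtual honeynet (added example).

Models the data-control policy described in the text: traffic from a
honeypot to the outside world passes a restrictive white list, is counted
per honeypot within a sliding time window, is dropped once the per-window
limit is reached, and raises an alert for the administrator when the
budget is exhausted. All addresses, limits and connection events below are
constructed sample data for illustration, not captures from a real honeynet.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Connection:
    ts: float      # seconds since the honeynet was started
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"


@dataclass
class Decision:
    action: str    # "allow" or "drop"
    reason: str    # human-readable explanation for the log


@dataclass
class DataControl:
    honeynet: str                 # network containing the honeypots, e.g. "10.0.0.0/24"
    whitelist: list               # (network, port-or-None) pairs always allowed outbound
    limit: int = 10               # new outbound connections allowed per window
    window: float = 3600.0        # window length in seconds
    alerts: list = field(default_factory=list)
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def _whitelisted(self, conn: Connection) -> bool:
        dst = ip_address(conn.dst)
        return any(dst in ip_network(net) and (port is None or port == conn.dport)
                   for net, port in self.whitelist)

    def decide(self, conn: Connection) -> Decision:
        """Return the data-control decision for one new connection attempt."""
        net = ip_network(self.honeynet)
        if ip_address(conn.src) not in net:
            # inbound traffic toward the honeypots is exactly what we want to attract
            return Decision("allow", "inbound: not subject to outbound control")
        if ip_address(conn.dst) in net:
            return Decision("allow", "traffic stays inside the honeynet")
        if self._whitelisted(conn):
            return Decision("allow", "white-listed destination")

        # slide the window: forget connections older than `window` seconds
        hist = self._history[conn.src]
        while hist and conn.ts - hist[0] >= self.window:
            hist.popleft()

        if len(hist) >= self.limit:
            # budget exhausted: the honeypot may not reach any further outside host
            return Decision("drop", f"outbound limit {self.limit} per {self.window:.0f}s exceeded")

        hist.append(conn.ts)
        if len(hist) == self.limit:
            # this connection used the last slot; notify the administrator
            self.alerts.append((conn.ts, conn.src, f"outbound limit {self.limit} reached"))
        return Decision("allow", f"outbound {len(hist)}/{self.limit} in window")


def run_demo():
    """Feed a constructed sequence of connection attempts through the policy."""
    dc = DataControl(honeynet="10.0.0.0/24",
                     whitelist=[("192.0.2.53/32", 53)],   # assumed external DNS resolver
                     limit=3, window=60.0)
    events = [
        Connection(0.0, "10.0.0.5", "10.0.0.6", 22, "tcp"),        # honeypot to honeypot
        Connection(1.0, "203.0.113.7", "10.0.0.5", 22, "tcp"),     # attacker logs in
        Connection(2.0, "10.0.0.5", "192.0.2.53", 53, "udp"),      # white-listed DNS
        Connection(3.0, "10.0.0.5", "198.51.100.1", 80, "tcp"),    # 1/3
        Connection(4.0, "10.0.0.5", "198.51.100.2", 80, "tcp"),    # 2/3
        Connection(5.0, "10.0.0.5", "198.51.100.3", 445, "tcp"),   # 3/3, alert raised
        Connection(6.0, "10.0.0.5", "198.51.100.4", 445, "tcp"),   # dropped
        Connection(70.0, "10.0.0.5", "198.51.100.5", 445, "tcp"),  # window slid, allowed again
    ]
    actions = [dc.decide(c).action for c in events]
    return actions, dc.alerts


if __name__ == "__main__":
    actions, alerts = run_demo()
    for a in actions:
        print(a)
    for ts, src, msg in alerts:
        print(f"ALERT t={ts:.0f}s {src}: {msg}")
```

Dropped attempts are deliberately not counted toward the budget, so a honeypot that keeps hammering the limit stays blocked only until its earlier allowed connections age out of the window; in a real deployment the same logic would be enforced at the bridge or firewall in front of the containers rather than in a Python process, and the limit would be tuned per honeypot type.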