Know Your Enemy - Learning with User-Mode Linux

Source: HoneyNet Project

Honeynets can be difficult to configure and resource intensive to deploy, requiring a variety of technologies and systems. Many users or organization that want to research Honeynets may not have the resources for deployments. Therefore, this paper will focus on building a Honeynet using a single computer and free, OpenSource software. This will be accomplished by building a Virtual Honeynet, using the OpenSource solutions User-Mode Linux (often called UML) and IPTables. The format of this is paper is a HOWTO, it will describe step by step how to build a Honeynet on a single computer and then discuss one method of deploying Honeynet Data Control and Data Capture. This paper assumes you have already read and understand the concepts in KYE: Honeynets and the paper KYE: Virtual Honeynets. This paper will not go into detail on how to deploy advance Honeynet technologies. That will come later in the futue paper Know Your Enemy: GenII Honeynet. Instead, this paper will cover in detail how to build a Honeynet testing environment using basic Honeynet technologies. If this is the first time you have ever built or deployed a Honeynet, we HIGHLY recommend that you first deploy this in a lab or test environment. You have been warned.
This paper is broken down into five parts. In the first part we will describe what UML is, how it works, and how to install and configure it. In the second part, we describe how to create a network of multiple systems on your single computer, including all network issues. In the third part we describe how to implement Data Control on your UML Honeynet using IPTables. In the fourth part we describe how to implement Data Capture using Snort. Finally, in the fifth part, we describe how to test your setup.