Book review: Virtual Honeypots: From Botnet Tracking to Intrusion Detection by <i>Niels Provos, Thorsten Holz</i>

Book review: Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos, Thorsten Holz


Honeypots look like victim systems waiting or searching for malware and other nefarious attacks, registering the enemy's practices in high-resolution gory, blood-ridden detail. Virtualization allows one system to act as a network of disparate victim OS’s and services. Security experts can observe attacks live or stored for detailed analysis, learn the methodology of Dr Evil and generate statistics for internet wide attacks. Virtual Honeypots: From Botnet Tracking to Intrusion Detection written by Niles Provos and Thorsten Holz and published by Addison Wesley describes, in full, the detailed aspects of this high-tech, obscure subject area.

The book’s coverThe book’s cover

A jolly interesting read. Honeypots, especially highly interactive virtual ones, are the state of the art gizmos for the security-enhancing professional. Niels Provos and Thorsten Holz have managed to deliver, within 480 pages, a wide breadth of related information over the current state of play in the armed battle against the dark side.

A wide breadth of related information over the current state of play in the armed battle against the dark side

The contents

Honeypots pretend to be victim machines or sets of services just waiting to be plucked by various attack vectors. Honeypots come in a multitude of types and flavors: virtual honeypots, client honeypots, high interaction honeypots, low interaction etc, etc. Within 12 chapters and 480 pages, Niels Provos and Thorsten Holz’s book successfully navigates the tricky waters of this truly stealthy area of technologies.

This well thought out book covers a wide range of interconnected topics from high and low interaction honeypots to specific technologies such as VMware, User Mode Linux (UML), the free software project Honeyd, Nepenthesm Colapsar and my favorite tool (due to its learning capabilities), RolePlayer. The list of tools detailed is great and needs to be as the basis of a security expert’s effective honeynet (a network of honeypots) toolset.

Chapter 9 detecting Honeypots most clearly indicates the potential dual use of this book both by hackers and sadly also by crackers. Emulators such as VMware and low interaction tools leave clues to their existence and knowing that you are logging into a hosted OS or a tar pit potentially warn Dr Evils of their entrapment.

The most enlightening moments were the thorough description of specific attacks, the chronology and list of commands fired off, and software downloaded through such events. You really get the impression that honeypots are worth the effort to setup. However, I should warn you that doing so, especially for high interaction systems leave you open to attacks on the rest of the internet. Ethical and legal questions may arise.

The most enlightening moments were the thorough description of specific attacks

Who’s this book for?

This book is for anyone interested in defending their network or who likes to solve IT related puzzles with the most modern of technologies. Further, IT students should have a glancing knowledge of this research area.

Relevance to free software

Security is of generic importance for all good Net citizens including those involved in the free software biosphere.

Virtual Honeypots describes, where it can, numerous free software projects active in the field. Of course, the description of the use of virtualization software such as VMWare player as well as User Mode Linux is necessary and unavoidable for an honest author.

Pros

If you wish to know the current state of play and use of honeypots in their various disguises and/or the use of basic security forensics in action, this is a solid foundation.

Cons

The velocity of change in the IT security field is high. What is true today and is good practice has the potential to be incorrect in the near future. This book represents a solid framework of understanding that you will need to update regularly. Therefore, if you are a security specialist you will need to buy promptly a second and third edition as soon as the authors have published them.

Title Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Author(s) Niels Provos, Thorsten Holz
Publisher Addison Wesley Professional
ISBN 0321336323
Year 2007
Pages 480
CD included No
FS Oriented 8
Over all score 9

In short

Category: 
License: 

Author information

Alan Berg's picture

Biography

Alan Berg Bsc. MSc. PGCE, has been a lead developer at the Central Computer Services at the University of Amsterdam since 1998. In his spare time, he writes articles, book reviews and has authored three books. He has a degree, two masters and a teaching qualification. In previous incarnations, he was a technical writer, an Internet/Linux course writer, and a science teacher. He likes to get his hands dirty with the building and gluing of systems. He remains agile by playing computer games with his sons who (sadly) consistently beat him physically, mentally and morally at least twice in any given day.

You may contact him at reply.to.berg At chello.nl