Overview of Honeynet Technology Based on SDN

The development of cloud computing and virtualization technology has made it possible for the honeynet system to evolve from a traditional hardware honeynet to a dynamic and flexible virtualized honeynet. The SDN (Software Defined Networking) architecture separates the control plane of the network from the data plane, and can flexibly implement traffic scheduling through a logically centralized network controller. Combining virtualization and SDN to design and implement honeynets has played a significant role in promoting attack deception and protection forensics for business systems, especially business systems in virtualized environments.

This article first starts with the concepts of traditional honeypots, honeynets, distributed honeypots, distributed honeynets, honeyfields, etc., and then introduces how to implement virtualized honeynets based on virtualization and SDN. Finally, it analyzes and explains some of the current work done by academia and industry on virtualized honeynets.

1. Background

Information security is ultimately a contest between attackers and defenders, and in that contest the defender is usually in a passive and disadvantaged position. As the saying goes, "it is not the thief stealing that you fear, but the thief who keeps thinking about you." The defender must ensure that the system has no weakness an attacker can exploit and must keep a round-the-clock monitoring and defense mechanism in place, whereas the attacker can strike the target system at any time and under any circumstances, as soon as an exploitable condition is found.

Faced with such an attack and defense game, the typical and most common defensive measure is to patch the affected components only after a threat or vulnerability has been discovered. This is a "mend the fold after the sheep are lost", after-the-fact remediation mechanism.

A honeypot is an active defense technology proposed by defenders to reverse this asymmetric situation. A honeypot is defined as a type of security resource that has no business use; its value lies in being illegally used by an attacker. Honeypot technology is essentially a technique for deceiving the attacker: hosts, network services or information are placed as bait to lure the attacker into attacking them, so that the attack behavior can be captured and analyzed. The defender thereby gains a clear understanding of the security threats faced, and can strengthen the protection of the real system through technical and management means.

A honeynet is a newer concept that grew out of honeypot technology, sometimes also called a trapping network. When multiple honeypots are connected together over a network, they form a large fake business system, with some of the hosts used to attract attackers to intrude. By monitoring the intrusion process, the attacker's behavior is collected on the one hand, and the corresponding security protection strategy can be updated on the other. This simulated network composed of multiple honeypots is called a honeynet.

A honeynet is mainly a research-oriented, high-interaction honeypot technology. Because a honeynet involves designing the network architecture between multiple honeypots, and carries some real business logic to achieve high interactivity, designing a honeynet is much more complicated than designing a honeypot. Honeynet design has three core requirements: network control, behavior capture and behavior analysis. Network control ensures that attackers cannot use the honeynet to endanger the security of normal business systems, reducing the risk of deploying a honeynet; behavior capture detects and audits all of the attacker's behavioral data; and behavior analysis helps security researchers reconstruct the attacker's specific activities from the captured data.

In order to overcome the weakness of the limited monitoring range of traditional honeypot technology, the concepts of distributed honeypot and distributed honeynet appeared around 2003. The distributed honeynet system can summarize and analyze the data captured by honeynets deployed in different locations. Distributed honeypots/honeynets can be deployed at multiple locations on the Internet, effectively improving the coverage of security threat monitoring and overcoming the shortcomings of the narrow monitoring range of traditional honeypots. Therefore, it has become a common deployment mode for the security industry to use honeypot technology to build an Internet security threat monitoring system.

In the current security attack and defense field, the development of honeypot and honeynet technology has enabled us to deploy a honeynet and analyze the attacker's attack events. However, the honeynet infrastructure that is widely accepted and deployed at this stage is mainly deployed in the form of hardware servers. On the one hand, it is difficult to dynamically adjust the honeynet structure according to the attack behavior. On the other hand, a large amount of physical infrastructure is used to deploy and operate the honeynet system, and the security protection cost is high.

With the continuous development of virtualization technology, especially the continuous maturity of SDN/NFV technology in recent years, can virtualization technology be used to implement the honeynet system? Can security protection be achieved through the honeynet system in the SDN/NFV environment? The answer is of course yes.

2. Overview of SDN Honeynet

SDN honeynet mainly refers to protecting business systems in SDN networks through honeypot/honeynet technology. As is well known, an SDN network can be understood as a centrally controlled network: through the logically centralized control plane, global network information can be obtained on the one hand, and specific traffic can be flexibly scheduled on the other. Combined with virtualization technology, this means that once a threat is discovered, the corresponding honeynet system can be generated dynamically, and the SDN controller can then steer the abnormal traffic to the virtualized honeynet to complete the tracking, evidence collection and protection of the abnormal behavior. The figure below is a simple logical diagram of a virtualized honeynet protection system based on an SDN network. The advantage of such an SDN honeynet is that it effectively solves the problems mentioned above, namely the inflexible deployment structure and high infrastructure cost of the traditional honeynet.


Logical diagram of virtualized honeynet based on SDN

At present, the virtualized honeynet system based on SDN usually includes the following parts: intrusion detection module, honeynet management module and traffic scheduling module. The intrusion detection module performs mirror detection on all traffic accessing the business system to find abnormal traffic with security threats and then determine the information of suspected attackers. When abnormal traffic is found, the honeynet management module will dynamically generate the corresponding honeynet system based on the information of abnormal access and complete the configuration of the honeynet network. Next, the traffic scheduling module will schedule the abnormal traffic to the honeynet system to complete the corresponding attack detection, evidence collection, protection and other tasks.

Next, this article will combine some technical solutions from academia and industry to analyze in detail how to design and build a virtualized honeynet system based on SDN.

3. Implementation schemes

In recent years, the dynamic honeynet system based on SDN and virtualization technology has been widely recognized in academia and industry due to its flexible implementation. This section will analyze and compare several typical implementation schemes in detail.

Reference [2] proposed a honeynet security protection system for SDN networks. The system mainly includes a network intrusion detection module, a honeynet management module, and an SDN controller cluster management module. The network intrusion detection module performs intrusion detection on traffic entering the organization; the honeynet management module is responsible for the creation of the honeynet, traffic forwarding rules, and honeynet database maintenance. The SDN controller cluster coordinates and manages the communication of multiple SDN controllers in the entire system. The following figure shows a simple architecture diagram of the entire system.

The main workflow is: first, configure traffic mirroring on the edge SDN switch of the entire business system network, and transmit all traffic accessing the business system to the intrusion detection system through port mirroring. If the intrusion detection system determines that there is no abnormality in the traffic, it will be forwarded normally; if an abnormality is found, it will be classified according to the security threat level, and the attack type will be identified, and the attack type, characteristics, and security threat level will be notified to the honeynet management module.

Based on this information, the honeynet management module refers to the honeynet model database, calculates the corresponding honeynet network architecture, and then creates a virtualized honeynet; at the same time, it transmits the corresponding traffic scheduling strategy to the SDN controller, and the controller sends the traffic matching rules to the SDN switch to complete the entire abnormal traffic scheduling work.

This approach cleverly combines the advantages of virtualization and SDN, and is a typical SDN-based virtualized honeynet protection design idea.

Reference [3] also combines computing virtualization and network virtualization technologies to implement a fully virtualized honeypot host and a dynamically adjustable and scalable dynamic virtual honeynet system, and proposes the concept of superimposed virtual honeynet.

Its overall architecture mainly includes the business network, the honeywall based on an OpenFlow switch, and the virtual honeypot system. The intrusion detection and traffic analysis system is deployed in the business network and notifies the controller when attack traffic is detected. After receiving the traffic forwarding request, the Floodlight controller generates a traffic control command and sends it to the OpenFlow switch. The OpenFlow switch parses the command and forwards the attack traffic to the virtual honeypot system according to the request content. The virtual honeypot system performs transmission control according to the current system load and imports different service traffic into different service clusters. Finally, the honeynet system collects and analyzes the attack traffic and records information such as attack behavior, attack source and attack logs to complete the honeynet's work. In its overall idea, this work is very similar to reference [2]. Let's take a look at its detailed workflow.

The specific workflow is shown in the figure below. When an external request enters the OpenFlow switch, the switch identifies and parses the flow through flow information (protocol, port, etc.). The forwarding policy control module creates forwarding rules based on the current service deployment (such as the flow of HTTP requests entering the HTTP service system), modifies the destination MAC address and destination IP address of the data packet in the flow while forwarding, and pushes these rules to the OpenFlow switch. The service flow enters the corresponding service system for corresponding processing. After the data packet responded by the service system arrives at the OpenFlow switch, the source MAC and source IP are modified according to the flow table rules, and finally merged and returned to the attacker. This completes the implementation process of the virtual honeypot.

The author also introduces the concept of a superimposed virtual honeynet. A superimposed honeynet uses rules set on the OpenFlow switches to segment the network, so that several different honeynet systems are presented on the same infrastructure, one per segment. In this way the honeynet systems of different segments are isolated from each other.

Compared with reference [2], this implementation method has the following differences: (1) When processing abnormal traffic and dispatching it to the honeynet system, this solution adopts the method of modifying the destination IP and destination MAC of the data packet, while reference [2] directly implements it by setting the output port of the flow table. From the attacker's perspective, the honeynet system of this solution is more concealed; (2) When generating the virtual honeynet system of this solution, only the application protocol is considered. For example, if the abnormal traffic is an HTTP request, it will be dispatched to a virtual HTTP honeypot service; it does not take into account the interaction logic of the real business system, while reference [2] considers this aspect relatively comprehensively.
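The two redirection styles compared above, modelled in Python as the flow rules a controller would push to an OpenFlow/OVS switch. This is an added example, not code from the article or from references [2] and [3]; the addresses, switch ports and honeypot cluster mapping are constructed, and the `switch()` function is a minimal stand-in for the switch's flow table so the rewrite can be checked offline.

```python
"""Flow rules for steering one attack flow into a virtual honeypot: output-port
steering (reference [2] style) versus destination rewrite plus reverse source
rewrite (reference [3] style).  Topology and addresses are constructed."""
from dataclasses import dataclass

UPLINK_PORT = 1                                   # switch port facing the attacker (assumed)
BUSINESS = {"ip": "10.0.1.10", "mac": "02:00:00:00:01:10", "port": 2}
HONEYPOTS = {                                     # honeypot service cluster per protocol/port (assumed)
    ("tcp", 80): {"ip": "10.0.9.10", "mac": "02:00:00:00:09:10", "port": 3},
    ("tcp", 22): {"ip": "10.0.9.11", "mac": "02:00:00:00:09:11", "port": 4},
}

@dataclass
class FlowRule:
    priority: int
    match: dict      # ovs-ofctl style match: {"tcp": True, "nw_src": "...", ...}
    actions: list    # ordered (action, argument) pairs

def redirect_by_port(attacker_ip, proto, dport):
    """Reference [2] style: only the output port changes, so the packet still
    carries the business host's IP/MAC and the honeypot must answer for them."""
    hp = HONEYPOTS[(proto, dport)]
    m = {proto: True, "nw_src": attacker_ip, "nw_dst": BUSINESS["ip"], "tp_dst": dport}
    return [FlowRule(100, m, [("output", hp["port"])])]

def redirect_by_rewrite(attacker_ip, proto, dport):
    """Reference [3] style: rewrite dst MAC/IP on the way in and src MAC/IP on
    the way back, so the attacker keeps seeing the business host's address."""
    hp = HONEYPOTS[(proto, dport)]
    fwd = FlowRule(100, {proto: True, "nw_src": attacker_ip, "nw_dst": BUSINESS["ip"], "tp_dst": dport},
                   [("mod_dl_dst", hp["mac"]), ("mod_nw_dst", hp["ip"]), ("output", hp["port"])])
    rev = FlowRule(100, {proto: True, "nw_src": hp["ip"], "nw_dst": attacker_ip, "tp_src": dport},
                   [("mod_dl_src", BUSINESS["mac"]), ("mod_nw_src", BUSINESS["ip"]), ("output", UPLINK_PORT)])
    return [fwd, rev]

def to_ovs_ofctl(rule, bridge="br0"):
    """Render a rule as the ovs-ofctl command the controller would issue."""
    m = ",".join(k if v is True else f"{k}={v}" for k, v in rule.match.items())
    a = ",".join(f"{n}:{v}" for n, v in rule.actions)
    return f'ovs-ofctl add-flow {bridge} "priority={rule.priority},{m},actions={a}"'

_ACTION_FIELD = {"mod_dl_dst": "dl_dst", "mod_nw_dst": "nw_dst",
                 "mod_dl_src": "dl_src", "mod_nw_src": "nw_src", "output": "out_port"}

def switch(rules, pkt):
    """Minimal flow-table model: apply the highest-priority matching rule."""
    for rule in sorted(rules, key=lambda r: -r.priority):
        hit = all(pkt.get("proto") == k if v is True else pkt.get(k) == v
                  for k, v in rule.match.items())
        if hit:
            out = dict(pkt)
            for name, arg in rule.actions:
                out[_ACTION_FIELD[name]] = arg
            return out
    return None                                   # table miss: a real switch raises packet_in
```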

Reference [4] proposes a virtual machine-based elastic attack prevention method, which is mainly used in the network security field of cloud computing systems. Usually, the hosts of cloud computing systems are mounted on a virtual switching device, such as OVS (Open vSwitch). The forwarding rules of this OVS are formulated by the SDN controller based on a pre-set whitelist.

When the attacker's data packet passes through the OVS switch, it will send a packet_in event request to the SDN controller. The controller queries the access control whitelist to confirm whether the access is legal; at the same time, it will perform an exception analysis on the data packet that meets the whitelist to determine whether it is attack traffic. If so, it will delete the corresponding rule in its whitelist and clone a pre-configured honeynet virtual machine. Finally, the controller generates a flow table that directs the attack traffic to the newly generated virtual machine and sends it to the corresponding OVS switch.

This solution differs from the previous two in design and implementation. First, it starts from the premise that a cloud computing system differs from a traditional data center in network architecture and traffic characteristics. Based on that premise, it does not use an independent intrusion detection system to perform anomaly detection on all access traffic; instead, this function is implemented in the SDN controller, and anomaly detection is performed only on flows that match its preset whitelist. Finally, once traffic anomalies are found, the corresponding whitelist rules are deleted at the same time as the traffic is dispatched to the honeynet system. In other words, subsequent flow establishment requests from the abnormal source host are ignored, which isolates the abnormal host.
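The controller-side logic of reference [4], as an added example that is not the paper's or the article's own code: packet_in events are checked against a whitelist, a flow judged anomalous has its source's whitelist entries revoked and is steered into a freshly cloned honeypot VM, and later flow setup requests from that source are ignored. The whitelist, the port-count detector (the article does not specify the analysis used), the clone naming and the honeynet switch port are all constructed assumptions.

```python
"""Model of the packet_in handling described for reference [4]: whitelist check,
anomaly check, whitelist revocation plus redirection to a cloned honeypot VM.
Whitelist, detector, addresses and ports are constructed."""
from collections import defaultdict
from itertools import count

HONEYNET_PORT = 3            # assumed OVS port leading to the honeynet segment

class HoneynetController:
    def __init__(self, whitelist, max_ports=3, template_vm="hp-template"):
        # whitelist entries: (src_ip, dst_ip, proto, dst_port)
        self.whitelist = set(whitelist)
        self.max_ports = max_ports          # detector knob, see _is_anomalous
        self.template_vm = template_vm
        self.ports_seen = defaultdict(set)
        self.clone_seq = count(1)
        self.flow_mods = []                 # rules the controller pushed to OVS
        self.isolated = set()

    def _is_anomalous(self, src, dport):
        """Stand-in detector (assumed): a source touching more than max_ports
        distinct destination ports is treated as scanning."""
        self.ports_seen[src].add(dport)
        return len(self.ports_seen[src]) > self.max_ports

    def _clone_honeypot(self):
        """Clone the pre-configured honeypot VM; returns its assumed name/address."""
        n = next(self.clone_seq)
        return {"vm": f"{self.template_vm}-clone-{n}", "ip": f"10.0.9.{n}"}

    def on_packet_in(self, pkt):
        """Return the controller's decision for one table-miss packet."""
        src = pkt["nw_src"]
        key = (src, pkt["nw_dst"], pkt["proto"], pkt["tp_dst"])
        if key not in self.whitelist:
            return "ignore"                 # not permitted: no flow is set up
        if not self._is_anomalous(src, pkt["tp_dst"]):
            return "forward"                # permitted and benign
        # Anomalous: revoke the source's whitelist entries so that later flow
        # setup requests from it are ignored (host isolation) ...
        self.whitelist = {w for w in self.whitelist if w[0] != src}
        self.isolated.add(src)
        clone = self._clone_honeypot()
        # ... and push a flow that steers this source into the cloned VM.
        self.flow_mods.append({
            "match": {"nw_src": src},
            "actions": [("mod_nw_dst", clone["ip"]), ("output", HONEYNET_PORT)],
            "vm": clone["vm"],
        })
        return "honeynet"
```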

Reference [5] proposed a cloud platform information security attack and defense architecture using virtualized honeynet technology. Reference [6] also implemented a cloud computing system security control method by combining an intrusion detection system with a virtual honeypot system.

From the above solutions, it can be seen that the overall design concept of the SDN-based virtualized honeynet system does not differ much between them. Different solutions are simply aimed at different application scenarios, with slight differences in implementation details.

4. Conclusion

This article starts with the traditional concepts of honeypot, honeynet, distributed honeypot, and distributed honeynet, and introduces a way of thinking about how to achieve active security defense in the case of asymmetric attack and defense games using honeypot and honeynet technologies. It then introduces how to implement an SDN honeynet system based on SDN networks and combined with virtualization technology, and introduces several typical SDN honeynet system implementation solutions, comparing the similarities and differences of several implementation methods.

In recent years, cloud computing has gradually been accepted by people, and the security issues of cloud services have also attracted more and more attention. From the above implementation solutions, it can be seen that the SDN-based virtualized honeynet system can be perfectly deployed in the cloud computing system, which is of great significance for the detection, evidence collection and protection of abnormal attacks.
