Use of VNUML in Virtual Honeynets Deployment

Fermín Galán Márquez ¹ and David Fernández Cambronero ²

¹ Centre Tecnològic de Telecomunicacions de Catalunya (CTTC), Parc Mediterrani de la Tecnologia, Av. Canal Olímpic s/n, 08860 Castelldefels, Spain. fermin.galan@cttc.es
² Departamento de Ingeniería de Sistemas Telemáticos (DIT), Universidad Politécnica de Madrid (UPM), Escuela Técnica Superior de Ingenieros de Telecomunicación, Av. Complutense s/n, 28040 Madrid, Spain. david@dit.upm.es

Abstract

A honeynet is a security tool whose purpose is to study the techniques and motivations of attackers when breaking into secured systems. It implements an exposed network of computers (composed of servers, clients, switches, etc.) so that it can be scanned, attacked and compromised by crackers worldwide on the Internet. It records and monitors the behaviours of the intruders for later analysis and study. Several deployment alternatives are based on virtualization software, configuring a “virtual honeynet”, with significant advantages in infrastructure and management cost compared with an implementation using real equipment. After a brief introduction to honeynet concepts, architectures and related tools, this paper focuses on the use of VNUML (Virtual User Mode Linux) for honeynet deployment. VNUML is a free-software, general-purpose tool for network scenario emulation, highly flexible and configurable. The advantages of this approach are discussed, showing a practical example of a virtual honeynet architecture and VNUML configuration.

1. Introduction

Nowadays, the Internet has become a potentially insecure environment. It was designed in the 60s as an open network of networks with little or no security consideration in mind. This openness and freedom have allowed an impressive exponential growth in the number of connected systems during the past two decades.
However, companies and organizations with a presence on the Internet currently have to face several risks (for example, deletion or corruption of data, theft of sensitive information or damage to the corporate image) coming from crackers connected to the Net worldwide. Although security mechanisms (like cryptographic techniques or firewalls) have been developed during the past years in order to avoid or reduce these risks, the techniques and motivations of attackers are continuously evolving. Formerly,