
Honeypot question

I have been looking into setting up a honeynet or darknet in a DMZ network and I have some questions...

A hacker would effectively have to be inside the DMZ to mess with this honeypot host, correct? Otherwise I don't see how anyone could communicate with it, as the firewall only permits a port to a web server. So, do I forward all my unused public IPs to the honeypot? Or is it supposed to be an in-line device?
2 Solutions
How is your network set up? Have you a router and a firewall set up? Anyways, no connections from inside hosts should be allowed to the DMZ, and as you said, only the ports needed should be opened.
jaysonfranklin (Author) commented:
The network is set up like this:


We are going to be getting an edge router soon... The DMZ is not allowed to access the inside. The inside can access the DMZ, and there is only 1 port open from the outside, which is only allowed / forwarded to the DMZ server.
No matter which port you forward, if there is even one, the hackers will find a way to exploit it. There are many standard known exploits for a Windows IIS server that any hacker can use to take over the server.

jaysonfranklin (Author) commented:
I understand that... so what's the best practice for a honeypot? I mean, the one port is forwarded to the web server, but I was going to forward the rest of the unused public IPs to the honeypot. I'm just confused about how the honeypot would help if I didn't do that.
Here's a bunch of honeypot tools you can use: http://www.networkintrusion.co.uk/honeypots.htm
jaysonfranklin (Author) commented:
A bunch of those on that site I have been testing... all the Windows stuff, anyway.

So, Lrmoore, or any other expert: hypothetically, if a person had a web port open for a web server in a DMZ, and a honeypot in the DMZ... the only way the honeypot can help you is if the web server is already compromised? I thought the purpose of it was to distract them from the 'actual' web server. So I was just wondering how to do that, so that they find the honeypot first, before they find the real server. It seems that if you were only permitting one port to go to one place, that is the first place the hacker is going to try to exploit, so if they found the honeypot first and they 'played' with it, it would act as an early warning system that someone is trying to poke their head into the network. That's why I ask; it seems that the only way to do that is to permit some stuff to go to the honeypot too.

I don't know, I've never set one up, so I'm just wondering how it works. The documentation on all the different kinds of honeypots is great, but none really give any insight into topology configuration. That's all I'm wondering about... it almost seems that you would need an external and an internal DMZ, and keep your web server on the internal DMZ and the honeypot on the external DMZ, such as right behind your edge router. Thanks again for all the help.
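The "forward the unused public IPs to the honeypot" layout discussed in this thread, as an added example that is not from any participant: a small Python classifier over constructed firewall log lines that treats every packet to an unused address in the block as a probe, alerts on non-forwarded ports at the real web server, and reports which sources touched the darknet addresses before reaching the live host. The /28, the web-server address and the log-line format are assumptions.

```python
import ipaddress

# Constructed topology (all addresses hypothetical): one public /28, the web
# server on .10 with only TCP/80 forwarded, every other unused address in the
# block NATed to the honeypot.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/28")
WEB_SERVER = ipaddress.ip_address("203.0.113.10")
ALLOWED_WEB_PORTS = {80}

def classify(line):
    """Parse one log line shaped like 'src=A dst=B proto=tcp dport=N' (constructed
    format) and return (src, dst, dport, zone, alert)."""
    f = dict(tok.split("=", 1) for tok in line.split())
    dst, dport = ipaddress.ip_address(f["dst"]), int(f["dport"])
    if dst == WEB_SERVER:
        # The live server only alerts on a port the firewall never forwards.
        return f["src"], str(dst), dport, "web", dport not in ALLOWED_WEB_PORTS
    if dst in PUBLIC_BLOCK:
        # Nothing legitimate is addressed to an unused public IP: every packet is a probe.
        return f["src"], str(dst), dport, "honeypot", True
    return f["src"], str(dst), dport, "other", False

def early_warnings(lines):
    """Map each alerting source to the (dst, port, zone) tuples it hit."""
    hits = {}
    for src, dst, dport, zone, alert in map(classify, lines):
        if alert:
            hits.setdefault(src, []).append((dst, dport, zone))
    return hits

def swept_before_web(lines):
    """Sources that hit the honeypot block before their first packet to the web
    server: the sweep raised the warning ahead of the request to the live host."""
    seen, flagged = set(), set()
    for src, _, _, zone, _ in map(classify, lines):
        if zone == "honeypot":
            seen.add(src)
        elif zone == "web" and src in seen:
            flagged.add(src)
    return flagged

# Constructed sample: a normal visitor, a scanner sweeping the block before
# reaching the web server, and a host poking SMB at the web server directly.
SAMPLE_LOG = [
    "src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=80",
    "src=192.0.2.44 dst=203.0.113.3 proto=tcp dport=22",
    "src=192.0.2.44 dst=203.0.113.4 proto=tcp dport=22",
    "src=192.0.2.44 dst=203.0.113.10 proto=tcp dport=80",
    "src=192.0.2.99 dst=203.0.113.10 proto=tcp dport=445",
]
```

Run `early_warnings(SAMPLE_LOG)` and `swept_before_web(SAMPLE_LOG)` to see the sweeping source flagged by its darknet hits before its otherwise ordinary port-80 request reaches the web server.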
jaysonfranklin (Author) commented:
Okay, okay.... I guess that's all the info I'm getting on this one...
