jaysonfranklin

asked on

Honeypot question

I have been looking into setting up a honeynet or darknet in a DMZ network and I have some questions...

A hacker would effectively have to be inside the DMZ to mess with this honeypot host, correct? Otherwise I don't see how anyone could communicate with it, as the firewall only permits a port to a web server... So, do I forward all my unused public IPs at the honeypot? Or is it supposed to be an in-line device?
ASKER CERTIFIED SOLUTION
poweruser32
jaysonfranklin

ASKER

The network is set up like this:

            DMZ
              ^
outside>Pix>Inside

We are going to be getting an edge router soon... DMZ is not allowed to access the inside. Inside can access the DMZ, and there is only 1 port open from the outside, which is only allowed / forwarded to the DMZ svr.
SOLUTION
Les Moore
I understand that... so what's the best practice for a honeypot? I mean, the one port is forwarded at the websvr, but I was gonna forward the rest of the unused public IPs to the honeypot. I'm just confused on how the honeypot would help if I didn't do that.
Here's a bunch of honeypot tools you can use: http://www.networkintrusion.co.uk/honeypots.htm
A bunch of those on that site I have been testing... all the Windows stuff anyway.

So, Lrmoore, or any other expert, hypothetically, if a person had a web port open for a web server to a DMZ, and a honeypot in the DMZ... the only way the honeypot can help you is if the web server is already compromised? I thought the purpose of it was to distract it from the 'actual' web server. So I was just wondering how to do that, so that they find the honeypot first before they find the real server.

It seems if you were only permitting one port to go to one place, that is the first place the hacker is going to try to exploit, so if they found the honeypot first, and they 'played' with it, it would act as an early warning system that someone is trying to poke their head into the network. That's why I ask; it seems that the only way to do that is to permit some stuff to go to the honeypot too.

I don't know, I've never set one up so I'm just wondering how it works. The documentation on all the different kinds of honeypots is great, but none really give any insight into topology configuration. That's all I'm wondering about... it almost seems that you would need an external and internal DMZ and keep your web server on the internal DMZ, and the honeypot on the external DMZ, such as right behind your edge router. Thanks again for all the help.
Okay okay... I guess that's all the info I'm getting on this one...
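As an added illustration (not from this thread or any of its posters), here is a small Python model of the topology jaysonfranklin describes: one public port forwarded to the DMZ web server, with the remaining unused public IPs optionally forwarded to the honeypot. The public block, the web server's NAT address, the host names and the sample traffic are all constructed assumptions; the model shows which host a sweep of the block reaches first with and without the honeypot forwarding, which is the early-warning effect the question is about.

```python
"""Model of the thread's topology (outside > PIX > DMZ): one public port is
forwarded to the DMZ web server, and optionally every other unused public IP
is forwarded to a honeypot. All addresses, ports and traffic are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network

PUBLIC_BLOCK = ip_network("203.0.113.0/29")  # assumed public range, hosts .1-.6
WEB_PUBLIC_IP = ip_address("203.0.113.2")    # assumed NAT address of the web server
WEB_PORT = 80                                 # the single forwarded port
UNUSED_IPS = set(PUBLIC_BLOCK.hosts()) - {WEB_PUBLIC_IP}
WEBSERVER, HONEYPOT, DROPPED = "dmz-webserver", "dmz-honeypot", "dropped"

def classify(dst_ip: str, dst_port: int, honeypot_catches_unused: bool) -> str:
    """Host an outside packet reaches: only WEB_PUBLIC_IP:WEB_PORT goes to the
    web server; with the option on, any port on an unused IP lands on the
    honeypot; everything else is dropped at the firewall."""
    ip = ip_address(dst_ip)
    if ip == WEB_PUBLIC_IP:
        return WEBSERVER if dst_port == WEB_PORT else DROPPED
    if honeypot_catches_unused and ip in UNUSED_IPS:
        return HONEYPOT
    return DROPPED

def route_all(packets, honeypot_catches_unused):
    """Route (src, dst, port) tuples; return per-host counts plus the sources
    that touched the honeypot, i.e. the early-warning alerts a defender gets."""
    hits, alerted = Counter(), set()
    for src, dst, port in packets:
        where = classify(dst, port, honeypot_catches_unused)
        hits[where] += 1
        if where == HONEYPOT:
            alerted.add(src)
    return hits, sorted(alerted)

def first_contact(packets, src, honeypot_catches_unused):
    """First host a given source actually reaches (dropped packets ignored)."""
    for s, dst, port in packets:
        where = classify(dst, port, honeypot_catches_unused) if s == src else DROPPED
        if where != DROPPED:
            return where
    return DROPPED

# Constructed traffic: one legitimate client, plus a host sweeping the whole
# block on a few ports in address order (so the lowest unused IP comes first).
SAMPLE_PACKETS = [("198.51.100.7", str(WEB_PUBLIC_IP), 80)] + [
    ("192.0.2.99", str(h), p) for h in PUBLIC_BLOCK.hosts() for p in (22, 80, 443)
]
```

With forwarding off, the sweeping host's first successful contact is the real web server and nothing alerts; with forwarding on, the same sweep lands on the honeypot at the first unused address, before the web server is ever touched.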