Honeypots mailing list archives

RE: Dmz single Ip


From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 3 Mar 2003 22:30:59 -0500

A suggestion would be to implement the Bait N Switch System which was just
released last Monday.

With the Bait N Switch System you can direct "hostile" traffic to your
honeypots. All other valid traffic will go where it is intended to go. So a
VALID SSH session (i.e. nothing looking suspicious) will go where intended
(to reach your firewall, for example). Bait N Switch works great in 1-IP
networks. So you have


Traffic -> Bad? --> YES --> Honeypot
               |
           --> NO -> Production Machine (your firewall).

Current setup requires iproute2, snort-1.9.0, and the bait n switch package.

[1] - http://www.snort.org/dl/snort-1.9.0.tar.gz
[2] - http://baitnswitch.sf.net &&
http://www.violating.us/projects/baitnswitch

PS: We will be upgrading Bait N Switch to work with the newly released
snort 1.9.1

Cheers!

--- 
Alberto Gonzalez, Intrusion Detection Engineer
EDS - Global Security Operations Center
Security and Privacy Professional Services
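As an added illustration of the decision path in the diagram above (this is example code written for this archive page, not the Bait N Switch project's code): it parses a few constructed Snort fast-alert lines, picks out the source addresses worth switching, and builds the iproute2 source-based policy routing commands that would steer only those sources onto a honeypot interface while everything else keeps reaching the production machine. The alert lines, signature IDs, addresses, the interface name eth2 and routing table number 100 are all assumptions for the example; the real Bait N Switch mechanism and thresholds may differ.

```python
import ipaddress
import re

# Constructed Snort "alert_fast" style lines for this example; the signature
# IDs, classifications and addresses are made up, not real traffic.
SAMPLE_ALERTS = """\
03/03-22:31:02.118832  [**] [1:1000001:1] EXAMPLE SSH version probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:40112 -> 192.0.2.10:22
03/03-22:31:09.004511  [**] [1:1000002:1] EXAMPLE SSH brute-force login [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:40120 -> 192.0.2.10:22
03/03-22:32:40.771200  [**] [1:1000003:1] EXAMPLE SSH banner seen [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22
03/03-22:33:15.302114  [**] [1:1000002:1] EXAMPLE SSH brute-force login [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.50:52210 -> 192.0.2.10:22
"""

# Only the fields the switch decision needs: priority, protocol, src/dst.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def hostile_sources(alert_text, max_priority=2, trusted=()):
    """Return the set of source IPs that should be switched to the honeypot.

    Alerts with a Snort priority number above max_priority (i.e. less severe)
    are ignored, and sources inside any of the 'trusted' networks are never
    switched, so a false positive cannot lock the administrator out of port 22.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    hostile = set()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        if int(m.group("prio")) > max_priority:
            continue  # informational alert: stays on the production path
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in trusted_nets):
            continue  # our own management addresses are never switched
        hostile.add(str(src))
    return hostile


def route_for(src_ip, hostile):
    """The per-source decision from the diagram: honeypot or production."""
    return "honeypot" if src_ip in hostile else "production"


def iproute2_commands(hostile, protected_ip, honeypot_dev, table=100):
    """Build the iproute2 commands for source-based policy routing.

    Packets from a switched source are looked up in a separate routing table
    whose only entry sends the protected address out of the honeypot interface
    (assumed: a honeypot answering as that same IP sits behind it). All other
    sources keep using the main table and reach the production machine.
    """
    cmds = [f"ip route replace {protected_ip}/32 dev {honeypot_dev} table {table}"]
    for ip in sorted(hostile, key=ipaddress.ip_address):
        cmds.append(f"ip rule add from {ip} table {table}")
    return cmds


def release_commands(hostile, table=100):
    """Commands that put a source back on the production path; run them after
    a timeout so a single false positive is not a permanent redirect."""
    return [f"ip rule del from {ip} table {table}"
            for ip in sorted(hostile, key=ipaddress.ip_address)]


if __name__ == "__main__":
    switched = hostile_sources(SAMPLE_ALERTS, max_priority=2,
                               trusted=("192.0.2.0/24",))
    for src in ("198.51.100.23", "203.0.113.7", "192.0.2.50"):
        print(f"{src:>15} -> {route_for(src, switched)}")
    print("\n".join(iproute2_commands(switched, "192.0.2.10", "eth2")))
```

Run as a script it prints one decision per sample source and the commands for the switched one; nothing is executed on the host. The trusted-network exclusion and the release commands are the two things worth keeping in any real deployment of this idea: with only one IP and port 22 shared between firewall and honeypot, a false positive against your own workstation would otherwise silently redirect your admin session into the honeypot.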

-----Original Message-----
From: faysspv () bellsouth net [mailto:faysspv () bellsouth net]
Sent: Monday, March 03, 2003 2:39 PM
To: honeypots () securityfocus com
Subject: Dmz single Ip


I've been kicking around the idea to set up a honeypot for some time.
The only problem is I'm not sure how to keep my current test network
running and implement a honeypot.  The problem is I have only one
IP address and I need to be able to access my firewall and honeypot
from the same port 22.  Any suggestions would be appreciated.

