Honeypots mailing list archives
Re: Planning question
From: Richard Stevens <mail () richardstevens de>
Date: Tue, 3 Jun 2003 15:33:20 +0200
Hi,
I'm going to set up a honeynet with a few operating systems (Unix, Solaris, 2000, Redhat) and two types of IDSes - Snort and RealSecure. How can I prevent an intruder from attacking other hosts from my honeypots after compromising them? Should I set some ACLs on the router or firewall?
Have you read the papers published by The Honeynet Project on www.honeynet.org? Especially those two:

http://www.honeynet.org/papers/honeynet/
http://www.honeynet.org/papers/gen2/

probably answer some of your questions regarding data control and attacker containment.

In short (correct me if I'm wrong) the first generation limited the number of possible connections, the second generation adds blocking of known attacks via an inline version of snort (snort_inline).

Additional ACLs on your router or firewall are of course possible, too, in case you want to prevent access to certain systems completely or as a failover for your containment device.

If you meant to ask for different information, I misunderstood your question. Sorry for that.

Regards,
Richard
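The connection-limiting idea mentioned in the reply above, as an added sketch that is not part of the original post and not the Honeynet Project's code: a gateway-side policy that lets attackers in but caps how many new outbound connections each honeypot may open per time window. The address ranges, the limit of 3 and the one-hour window are assumed values, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque

HONEYNET = ipaddress.ip_network("192.0.2.0/24")  # assumed honeynet range (RFC 5737)


class OutboundLimiter:
    """Cap new outbound connections per honeypot within a sliding time window."""

    def __init__(self, limit=3, window=3600):  # assumed values, tune per deployment
        self.limit = limit
        self.window = window
        self.allowed = defaultdict(deque)  # honeypot IP -> timestamps of allowed connections

    def decide(self, ts, src, dst):
        src_in = ipaddress.ip_address(src) in HONEYNET
        dst_in = ipaddress.ip_address(dst) in HONEYNET
        # Inbound and intra-honeynet traffic is never limited: attackers must get in.
        if not src_in or dst_in:
            return "ALLOW"
        q = self.allowed[src]
        while q and ts - q[0] >= self.window:  # expire entries older than the window
            q.popleft()
        if len(q) >= self.limit:
            return "DROP"  # honeypot used up its outbound budget: contain and alert
        q.append(ts)
        return "ALLOW"


def replay(events, limit=3, window=3600):
    """Run (timestamp, src, dst) connection attempts through the limiter."""
    limiter = OutboundLimiter(limit, window)
    return [limiter.decide(ts, src, dst) for ts, src, dst in events]


# Constructed sample: new-connection attempts seen at the honeynet gateway.
EVENTS = [
    (0, "198.51.100.7", "192.0.2.10"),    # attacker connects in
    (10, "192.0.2.10", "203.0.113.5"),    # compromised honeypot connects out
    (20, "192.0.2.10", "203.0.113.6"),
    (30, "192.0.2.10", "203.0.113.7"),
    (40, "192.0.2.10", "203.0.113.8"),    # fourth within the hour
    (50, "192.0.2.11", "203.0.113.5"),    # different honeypot, own budget
    (3700, "192.0.2.10", "203.0.113.9"),  # window has expired
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(verdict, *event)
```

Only allowed connections consume the budget, so a honeypot that keeps retrying after being blocked does not extend its own lockout.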