Honeypots mailing list archives

Re: Planning question


From: Richard Stevens <mail () richardstevens de>
Date: Tue, 3 Jun 2003 15:33:20 +0200

Hi,

> I'm going to set up a honeynet with few operating systems (Unix, Solaris,
> 2000, Redhat) and two types of IDSes - Snort and RealSecure. How can I
> prevent an intruder from attacking other hosts from my honeypots after
> compromising them? Should I set some ACLs on router or firewall?

Have you read the papers published by The Honeynet Project on 
www.honeynet.org?


Especially those two:

http://www.honeynet.org/papers/honeynet/
http://www.honeynet.org/papers/gen2/

probably answer some of your questions regarding data control and attacker 
containment. 

In short (correct me if I'm wrong) the first generation limited the number of 
possible connections, the second generation adds blocking of known attacks 
via an inline version of snort (snort_inline). 

Additional ACLs on your router or firewall are of course possible, too, in 
case you want to prevent access to certain systems completely or as a 
failover for your containment device. 

If you meant to ask for different information, I misunderstood your question. 
Sorry for that.

Regards,

Richard
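The data-control scheme the reply sketches (a per-honeypot budget of outbound connections, Gen I, plus handing the permitted packets to snort_inline, Gen II) can be expressed as an iptables script. The script below is an added example written for this archive page; it is not the Honeynet Project's rc.firewall and not code from the thread. Everything concrete in it is assumed rather than taken from the posts: a routed honeynet on eth1 as 10.1.1.0/24, four honeypot addresses, and a budget of 15 TCP, 20 UDP and 50 ICMP new outbound connections per honeypot per hour. Because `-m limit` is one token bucket per rule, the budget is made per honeypot by giving each honeypot its own chain per protocol. With DRY_RUN=yes (the default) it only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's rc.firewall: Gen I style data
# control for a routed honeynet, with the Gen II hook for snort_inline.
# Assumed values (not from the thread): interface, subnet, honeypot addresses
# and the per-hour outbound budgets below.
HONEYNET_IF="${HONEYNET_IF:-eth1}"
HONEYNET_NET="${HONEYNET_NET:-10.1.1.0/24}"
HONEYPOTS="${HONEYPOTS:-10.1.1.10 10.1.1.11 10.1.1.12 10.1.1.13}"
TCP_LIMIT="${TCP_LIMIT:-15}"    # new outbound TCP connections per honeypot per hour
UDP_LIMIT="${UDP_LIMIT:-20}"    # same for UDP
ICMP_LIMIT="${ICMP_LIMIT:-50}"  # same for ICMP
# Gen II: set to yes to hand permitted outbound packets to snort_inline via the
# QUEUE target (ip_queue), so known attacks can be dropped in flight.
SNORT_INLINE="${SNORT_INLINE:-no}"
# DRY_RUN=yes prints the rules instead of loading them; run as root with DRY_RUN=no.
DRY_RUN="${DRY_RUN:-yes}"

run() {
    if [ "$DRY_RUN" = yes ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

outbound_target() {
    # Packets the limiter lets through go straight out (Gen I) or to snort_inline (Gen II).
    if [ "$SNORT_INLINE" = yes ]; then echo QUEUE; else echo ACCEPT; fi
}

limit_chain() {
    # $1 = chain name, $2 = protocol label, $3 = new connections allowed per hour.
    # -m limit is a single token bucket, so one chain per honeypot and protocol
    # gives each honeypot its own budget. Over budget is logged, then dropped.
    run -N "$1"
    run -A "$1" -m limit --limit "$3/hour" --limit-burst "$3" -j "$(outbound_target)"
    run -A "$1" -j LOG --log-prefix "HONEYNET $2 limit exceeded: "
    run -A "$1" -j DROP
}

data_control_rules() {
    run -P FORWARD DROP
    # Packets belonging to connections that were already allowed, in either direction.
    run -A FORWARD -o "$HONEYNET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$HONEYNET_IF" -m state --state ESTABLISHED,RELATED -j "$(outbound_target)"
    # Inbound: anyone may reach the honeypots; that is the point of the exercise.
    run -A FORWARD -o "$HONEYNET_IF" -d "$HONEYNET_NET" -m state --state NEW -j ACCEPT
    # Outbound: each honeypot gets its own budget per protocol.
    for hp in $HONEYPOTS; do
        tag=$(echo "$hp" | tr . _)
        limit_chain "tcp_$tag" tcp "$TCP_LIMIT"
        limit_chain "udp_$tag" udp "$UDP_LIMIT"
        limit_chain "icmp_$tag" icmp "$ICMP_LIMIT"
        run -A FORWARD -i "$HONEYNET_IF" -s "$hp" -p tcp -m state --state NEW -j "tcp_$tag"
        run -A FORWARD -i "$HONEYNET_IF" -s "$hp" -p udp -m state --state NEW -j "udp_$tag"
        run -A FORWARD -i "$HONEYNET_IF" -s "$hp" -p icmp -m state --state NEW -j "icmp_$tag"
    done
    # Anything else leaving the honeynet (unknown source, other protocol) is logged and dropped.
    run -A FORWARD -i "$HONEYNET_IF" -j LOG --log-prefix "HONEYNET unexpected outbound: "
    run -A FORWARD -i "$HONEYNET_IF" -j DROP
}

data_control_rules
```

Two caveats a practitioner should keep in mind: the ESTABLISHED rule lets a compromised honeypot push unlimited data through a connection that was already permitted (an attacker's reverse shell, for instance), which is exactly the gap the Gen II inline inspection is meant to narrow; and the limit chains do not restrict honeypot-to-honeypot traffic on the same segment, which is where the router or firewall ACLs mentioned above come in.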


