Honeypots mailing list archives

Re: Planning question


From: "Davide Del Vecchio" <dante () alighieri org>
Date: Tue, 03 Jun 2003 16:04:33 +0200

The honeynet should be placed in a different network
from other boxes or in another DMZ.
You could use the AngeL Linux kernel module too, in order
to prevent some kinds of attacks from that host.
See http://www.sikurezza.org:8000/angel/ for more information.
Consider that if the "attacker" notices that he is in a honeypot/net,
the data that you will get will be "compromised".
So the less you modify the host to be compromised, the greater
the chances of getting good results.
So my advice is surely to set up ACLs and special rules JUST on the routers
and firewalls that limit your honeynet; in this way you will have
a honeynet with "clean" hosts, really more difficult to result as.

Davide Del Vecchio, Dante Alighieri ~ www.alighieri.org ~ dante () alighieri org

Piotr.Linke () nokia com writes:

Hi all!

I'm going to set up a honeynet with a few operating systems (Unix, Solaris, 2000, Redhat) and two types of IDSes - Snort and RealSecure. How can I prevent an intruder from attacking other hosts from my honeypots after compromising them? Should I set some ACLs on the router or firewall?

Please advise,
Piotr.


