Honeypots mailing list archives

Re: New Paper - Redirection and Production Honeypots


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 28 Apr 2004 00:30:29 +0200

On Tue 27/04/2004 at 18:56, Bob wrote:
The paper can be viewed at:
http://www.eruditeaegis.net/papers.php
The paper focuses on how redirection technology can be used to create
a production honeypot solution that has many benefits over the current
solutions offered. The proposed solution attempts to employ more than
just the deception methodology to protect critical systems. Feedback
is welcome and appreciated. As a side note, I am looking to get this
paper published in a technical journal so any suggestions for such a
forum would also be much appreciated. Thanks.

Hi.

        I've just had a quick overview of your paper. Very interesting. Franck
Veysset (France Télécom R&D) and I, both from French Honeynet
Project[1], are working on honeypot farms, and particularly on
redirection techniques for diverting traffic from production networks to a
specific, multipurpose and isolated honeynet.

        We investigated and experimented with a tunneling approach, with GRE links, in
order to redirect arbitrary publicly accessible IPs to an arbitrary
honeynet (i.e. honeypot farm) within the network or elsewhere on the
Internet. We presented this work at Eurosec2004. If our goal was to
allow a better honeypot technology integration within production
networks for warning and deception, we had a different approach from
yours that is clearly interesting. We worked on full IP redirection or
port redirection, using policy routing, for high interaction honeypots.
I find your approach very interesting (different goal than ours) and I
already see how we could implement it within our system using Linux
gateways using Netfilter, but in a slightly different way for we do not
want to alter packets in any way (so, no NAT) before they reach
honeypots.

        I think we could have a very valuable exchange. BTW, I have to wake up
early tomorrow morning and it's quite late in France, so I'll read your
paper with great attention and send you comments.


[1] http://www.frenchhoneynet.org/


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
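
A sketch of the NAT-free redirection described in the message above (GRE link, policy routing, full IP or port redirection on a Linux/Netfilter gateway), added here as an example; it is not code from the post or from the French Honeynet Project system. The addresses are constructed documentation values, and the tunnel name, table id and marks are hypothetical. The script only prints the commands it would use.

```shell
#!/bin/sh
# Added example: emits (does not run) the commands for a NAT-free redirect.
# All addresses are constructed documentation values (RFC 5737).
GW_IP=192.0.2.1        # production gateway, local GRE endpoint (assumed)
FARM_IP=198.51.100.10  # honeypot farm gateway, remote GRE endpoint (assumed)
TUN=gre-farm           # hypothetical tunnel name
TABLE=100              # hypothetical routing table id

# tunnel_cmds: GRE link plus a routing table whose only route is the tunnel.
tunnel_cmds() {
    echo "ip tunnel add $TUN mode gre local $GW_IP remote $FARM_IP ttl 64"
    echo "ip link set $TUN up"
    echo "ip route add default dev $TUN table $TABLE"
}

# redirect_cmds DECOY_IP MARK [PROTO PORT]
# Full IP redirection when PROTO/PORT are omitted, port redirection otherwise.
redirect_cmds() {
    decoy=$1 mark=$2 proto=${3:-} port=${4:-}
    match="-d $decoy"
    if [ -n "$proto" ] && [ -n "$port" ]; then
        match="$match -p $proto --dport $port"
    fi
    # MARK sets kernel-side metadata only; headers and payload are untouched.
    echo "iptables -t mangle -A PREROUTING $match -j MARK --set-mark $mark"
    echo "ip rule add fwmark $mark table $TABLE"
}

# plan: one full-IP redirect and one port redirect, both through the tunnel.
plan() {
    tunnel_cmds
    redirect_cmds 192.0.2.50 0x1          # whole unused address -> farm
    redirect_cmds 192.0.2.20 0x2 tcp 23   # one unused port on a live host -> farm
}

plan
```

Because no address is rewritten, the honeypots at the far end of the tunnel have to hold the decoy addresses themselves and send their replies back through the same tunnel.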