Honeypots mailing list archives

Re: Honeynet Requirements


From: Richard Stevens <mail () richardstevens de>
Date: Sun, 16 May 2004 12:59:09 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Chuck,


On Sunday 16 May 2004 01:14, Chuck Fullerton wrote:
> I am in the planning stages of a Honeynet project for my company.  I have a
> question that, so far, I haven't been able to find an answer.
>
> Using the diagram from the Honeynet Paper from www.honeynet.org, when you
> add honeypots to your honeynet, how closely must they mirror the
> production machines?
>
> Any advice is appreciated.

This highly depends on your goals. If you simply want to use your honeynet to
see what's out there and what might hit your production systems, a fair 
resemblance might be enough. If your goal is to lure people to your honeypots 
and have them believe they hit the real thing, much more deception, read 
similarity, is needed. 

You won't fool experienced hackers for long with a honeypot that is obviously 
not a production system. Once a pot gets hacked, the more experienced types 
will notice the lack of traffic or other oddities and probably leave. 

In short, there is no simple answer to your question. If you are not yet 
experienced in setting up honeypots/honeynets I'd suggest you start with a 
simple setup and get used to it. Really simulating production systems is not 
only very difficult but also quite a bit of work.

Hope that helped a little even though I couldn't really answer your question.

Regards,

Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAp0mACfA4EwqVdIQRAuFRAJ9D1JZgjh9m/YmM6LmMhaPDzfLrIQCgzZOa
AJA1mI6uLNSdzRLwtvPFFrE=
=j64f
-----END PGP SIGNATURE-----

