Honeypots mailing list archives

The honey virtual validation victim.


From: "Gentile, Rob" <RGentile () ChristianaCare org>
Date: Fri, 22 Apr 2005 09:16:43 -0400

Hi, Niels.

I want to recognize your efforts, and perhaps to mention a way to use honeyd
that others may not have considered: a deliberately fully open 'virtual
validation victim' pc to validate a firewall's performance for audit
purposes.


As an IT auditor, I can't assume that the firewall works as advertised.
Rules are 'goals', but the proof is in what gets through, and what does not.
I need proof. Honeyd made obtaining that proof (with appropriate management
approval) possible.


I had a particular use of honeyd in mind: I wanted to use honeyd to validate
our firewall rule set and the firewall software.


First, I set up what I called a "virtual validation victim" pc, with all
ports open. It was a honeyd simulated host.
Second, Swatch was set up to email me upon any 'connect' attempts seen by
honeyd.
Finally, I nmap probed all the ports of the virtual victim pc from external to
the firewall.

Results: I could see what traffic made it through. I did not have to 'trust'
that the firewall actually behaved as the rules said it SHOULD. 


I just want to thank you for writing honeyd, and most of all, maintaining
this program.
Honeyd (combined with nmap and swatch) made it easy, but more importantly,
it enabled verification that the firewall code worked.

Thanks. Thanks.

Oh, and Thanks.


Rob

Rob Gentile, Senior IT Auditor and Security Specialist
(302) 623-7468

"Happiness equals reality minus expectations" - Tom Magliozzi
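The three-step check Rob describes (all-ports-open honeyd host, swatch alert on each connect, nmap from outside the firewall) ends with a comparison: which ports reached the victim versus which ports the rule set says should be reachable. The script below is an added example, not Rob's or the honeyd project's code. It emits a honeyd template and a swatch rule in the shape of those tools' config files (the personality string, the mail address and the exact swatch action syntax are assumptions), and then does the comparison over constructed log lines laid out like honeyd's connection log, since no real capture is on the page. The victim address 10.0.0.7, the scanner address 203.0.113.10 and the allow-list are made up for the example.

```shell
#!/bin/sh
# Added example: firewall rule-set validation against a honeyd "virtual victim".
# Nothing here is from the original post; addresses, ports and log lines are constructed.

VICTIM=10.0.0.7                      # address bound to the honeyd template (assumed)
EXPECTED_TCP='80 443 25'             # tcp ports the firewall rules SAY the outside may reach

# honeyd template: every tcp/udp/icmp port answers as open, so anything the
# firewall lets through produces a connection record. "create/set/bind" is
# honeyd's own syntax; the personality string is just a plausible choice.
honeyd_conf() {
    cat <<EOF
create victim
set victim personality "Microsoft Windows XP Professional SP1"
set victim default tcp action open
set victim default udp action open
set victim default icmp action open
bind $VICTIM victim
EOF
}

# swatch rule: mail on every new-connection ('S') record honeyd logs.
# Action syntax follows swatch's "mail addresses=...,subject=..." form (assumed);
# the address is a placeholder.
swatch_conf() {
    cat <<'EOF'
watchfor /(tcp\(6\)|udp\(17\)) S /
    mail addresses=auditor\@example.org,subject=honeyd-connect
EOF
}

# The outside-in probe that generates the evidence (run from beyond the firewall):
#   nmap -sS -Pn -p- 10.0.0.7        # full tcp sweep of the victim
# honeyd itself is started with "-l honeyd.log" so that connects are recorded.

# Constructed log in honeyd's connection-log shape:
#   timestamp proto(num) S|E src sport dst dport [fingerprint]
# 'S' = new connection, 'E' = end of connection (port carries a trailing colon).
HONEYD_LOG='2005-04-22-09:16:43.1027 tcp(6) S 203.0.113.10 40001 10.0.0.7 80 [Windows XP SP1]
2005-04-22-09:16:43.1031 tcp(6) S 203.0.113.10 40002 10.0.0.7 443 [Windows XP SP1]
2005-04-22-09:16:43.1044 tcp(6) S 203.0.113.10 40003 10.0.0.7 23 [Windows XP SP1]
2005-04-22-09:16:43.1052 tcp(6) S 203.0.113.10 40004 10.0.0.7 135 [Windows XP SP1]
2005-04-22-09:16:43.1060 tcp(6) E 203.0.113.10 40001 10.0.0.7 80: 120 340
2005-04-22-09:16:43.1070 udp(17) S 203.0.113.10 40005 10.0.0.7 53'

# Distinct tcp destination ports on the victim for which honeyd saw a SYN.
# Only 'S' records count, so the 'E' record (with "80:") is not double-counted.
observed_tcp_ports() {
    printf '%s\n' "$HONEYD_LOG" |
        awk -v v="$VICTIM" '$2 == "tcp(6)" && $3 == "S" && $6 == v { print $7 }' |
        sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Ports that reached the victim although the rule set does not allow them:
# the firewall is passing more than its rules claim.
leaked_tcp_ports() {
    for p in $(observed_tcp_ports); do
        case " $EXPECTED_TCP " in *" $p "*) ;; *) printf '%s ' "$p" ;; esac
    done | sed 's/ $//'
}

# Allowed ports that honeyd never saw: either the firewall blocks more than the
# rule says, or the nmap run did not actually cover the port. Both need a look.
missing_tcp_ports() {
    obs=" $(observed_tcp_ports) "
    for p in $EXPECTED_TCP; do
        case "$obs" in *" $p "*) ;; *) printf '%s ' "$p" ;; esac
    done | sed 's/ $//'
}

# Report for the audit file.
echo "rules allow   : $EXPECTED_TCP"
echo "honeyd saw    : $(observed_tcp_ports)"
echo "LEAKED (bad)  : $(leaked_tcp_ports)"
echo "MISSING       : $(missing_tcp_ports)"
```

With the constructed log the report shows ports 23 and 135 leaking past a rule set that only allows 80, 443 and 25, and port 25 as allowed-but-unseen. The first list is the audit finding; the second is the cue to check whether the scan covered the port before blaming the firewall.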

