Honeypots mailing list archives
The honey virtual validation victim.
From: "Gentile, Rob" <RGentile () ChristianaCare org>
Date: Fri, 22 Apr 2005 09:16:43 -0400
Hi, Niels.

I want to recognize your efforts, and perhaps to mention a way to use honeyd that others may not have considered: a deliberately fully open 'virtual validation victim' pc to validate a firewall's performance for audit purposes.

As an IT auditor, I can't assume that the firewall works as advertised. Rules are 'goals', but the proof is in what gets through, and what does not. I need proof. Honeyd made obtaining that proof (with appropriate management approval) possible.

I had a particular use of honeyd in mind: I wanted to use honeyd to validate our firewall rule set and the firewall software.

First, I set up what I called a "virtual validation victim" pc, with all ports open. It was a honeyd simulated host. Second, Swatch was set up to email me upon any 'connect' attempts seen by honeyd. Finally, I nmap probed all the ports of the virtual victim pc external to the firewall.

Results: I could see what traffic made it through. I did not have to 'trust' that the firewall actually behaved as the rules said it SHOULD.

I just want to thank you for writing honeyd, and most of all, maintaining this program. Honeyd (combined with nmap and swatch) made it easy, but more importantly, it enabled verification that the firewall code worked.

Thanks. Thanks. Oh, and Thanks.

Rob

Rob Gentile, Senior IT Auditor and Security Specialist
(302) 623-7468
"Happiness equals reality minus expectations" - Tom Magliozzi
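One way to turn the honeyd log from the procedure described in this message into an audit finding, as an added example that is not part of the original post or of honeyd: it compares the ports that reached the fully open virtual host against the ports the rule set is meant to allow. The log lines are constructed in the layout of honeyd's packet log (assumed here), and the IP addresses, the `ALLOWED` rule set and the function names are hypothetical.

```python
import re

# Constructed sample, assumed to follow honeyd's packet log layout:
# timestamp proto(num) S|E|- src sport dst dport[: extra]
SAMPLE_LOG = """\
2005-04-22-09:10:01.1000 tcp(6) S 198.51.100.7 40112 192.0.2.50 25 [Linux 2.6]
2005-04-22-09:10:01.2000 tcp(6) - 198.51.100.7 40113 192.0.2.50 80: 60 S
2005-04-22-09:10:01.3000 tcp(6) S 198.51.100.7 40114 192.0.2.50 3389
2005-04-22-09:10:01.3500 tcp(6) E 198.51.100.7 40112 192.0.2.50 25: 0 0
2005-04-22-09:10:02.0000 udp(17) - 198.51.100.7 40200 192.0.2.50 53: 40
2005-04-22-09:10:03.0000 tcp(6) S 203.0.113.9 5555 192.0.2.50 22
"""

# Hypothetical rule set: what the firewall is SUPPOSED to let through.
ALLOWED = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53)}

LINE = re.compile(
    r"^\S+ (?P<proto>tcp|udp)\(\d+\) [SE-] "
    r"(?P<src>\S+) \d+ (?P<dst>\S+) (?P<dport>\d+)\b"
)

def ports_seen(log_text, scanner_ip, victim_ip):
    """(proto, port) pairs on the victim that received traffic from the scanner."""
    seen = set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        # Ignore background noise: only the audit scanner's probes count.
        if m and m["src"] == scanner_ip and m["dst"] == victim_ip:
            seen.add((m["proto"], int(m["dport"])))
    return seen

def audit(log_text, scanner_ip, victim_ip, allowed):
    """Compare observed traffic with the rule set, assuming every port was probed."""
    seen = ports_seen(log_text, scanner_ip, victim_ip)
    return {
        "leaked": sorted(seen - allowed),      # got through, but no rule permits it
        "not_seen": sorted(allowed - seen),    # rule permits it, yet nothing arrived
        "confirmed": sorted(seen & allowed),   # rule and observation agree
    }

if __name__ == "__main__":
    for finding, ports in audit(SAMPLE_LOG, "198.51.100.7", "192.0.2.50", ALLOWED).items():
        print(finding, ports)
```

A non-empty `leaked` list is the audit finding: traffic the rules say should be dropped still reached the host behind the firewall.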