[Snort-users] IDS and HoneyPot placement in LAN

Matt Olney molney at ...1935...
Wed Jun 16 11:40:04 EDT 2010


er...

you need that HoneyPot completely, utterly separated from any other
portion of your network.  Use more specific routes to make it >look<
like its in a certain place, but you need to ensure that there is no
chance that box will either act as a platform to further attacks
within your network or act as a platform for attacks out to other
organizations.  From the Snort side, either span only the VLAN with
the honeypot on it or use a BPF to restrict capture to just the IP of
the honey pot.

On Wed, Jun 16, 2010 at 11:26 AM, Quentin Ducas <quentin.h4c at ...11827...> wrote:
> I apologize for the newbie question, but what is the best placement for the
> IDS and the HoneyPot in the LAN?
>
> I want to monitor a HoneyPot with the IDS (snort) [u]without[/u] monitoring
> the complete LAN. Want to monitor just one machine.
> What should be the best placement for HoneyPot and IDS for this situation.
> The HoneyPot is a so called 'research-honeypot' so it is not used for
> security-reasons.
>
> Do I have to place the HoneyPot and the IDS in a DMZ?
> Or is it better to place the IDS between modem and router, and the HoneyPot
> in a DMZ?
> Or is it not necessary to have a DMZ and can I place the HoneyPot between
> modem and Router and the IDS in the LAN?
> Do I need a switch to make a separate network for this?
> Or maybe something else?
>
> ergo: What is the best placement for both systems?
>
> Thanks in advance,
> Quentin
>
>
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
> lucky parental unit.  See the prize list and enter to win:
> http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list