Snort mailing list archives

Re: IDS and HoneyPot placement in LAN

From: Matt Olney <molney () sourcefire com>
Date: Wed, 16 Jun 2010 11:40:04 -0400

er...

you need that HoneyPot completely, utterly separated from any other
portion of your network.  Use more specific routes to make it >look<
like its in a certain place, but you need to ensure that there is no
chance that box will either act as a platform to further attacks
within your network or act as a platform for attacks out to other
organizations.  From the Snort side, either span only the VLAN with
the honeypot on it or use a BPF to restrict capture to just the IP of
the honey pot.

On Wed, Jun 16, 2010 at 11:26 AM, Quentin Ducas <quentin.h4c () gmail com> wrote:

I apologize for the newbie question, but what is the best placement for the
IDS and the HoneyPot in the LAN?

I want to monitor a HoneyPot with the IDS (snort) [u]without[/u] monitoring
the complete LAN. Want to monitor just one machine.
What should be the best placement for HoneyPot and IDS for this situation.
The HoneyPot is a so called 'research-honeypot' so it is not used for
security-reasons.

Do I have to place the HoneyPot and the IDS in a DMZ?
Or is it better to place the IDS between modem and router, and the HoneyPot
in a DMZ?
Or is it not necessary to have a DMZ and can I place the HoneyPot between
modem and Router and the IDS in the LAN?
Do I need a switch to make a separate network for this?
Or maybe something else?

ergo: What is the best placement for both systems?

Thanks in advance,
Quentin


------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

IDS and HoneyPot placement in LAN Quentin Ducas (Jun 16)
- Re: IDS and HoneyPot placement in LAN Matt Olney (Jun 16)
- Re: IDS and HoneyPot placement in LAN Joe Pampel (Jun 16)