Snort mailing list archives
Re: IDS and HoneyPot placement in LAN
From: Matt Olney <molney () sourcefire com>
Date: Wed, 16 Jun 2010 11:40:04 -0400
er... you need that HoneyPot completely, utterly separated from any other portion of your network. Use more specific routes to make it >look< like it's in a certain place, but you need to ensure that there is no chance that box will either act as a platform to further attacks within your network or act as a platform for attacks out to other organizations.

From the Snort side, either span only the VLAN with the honeypot on it or use a BPF to restrict capture to just the IP of the honey pot.

On Wed, Jun 16, 2010 at 11:26 AM, Quentin Ducas <quentin.h4c () gmail com> wrote:
I apologize for the newbie question, but what is the best placement for the IDS and the HoneyPot in the LAN?

I want to monitor a HoneyPot with the IDS (snort) *without* monitoring the complete LAN. Want to monitor just one machine. What should be the best placement for HoneyPot and IDS for this situation? The HoneyPot is a so called 'research-honeypot' so it is not used for security-reasons.

Do I have to place the HoneyPot and the IDS in a DMZ? Or is it better to place the IDS between modem and router, and the HoneyPot in a DMZ? Or is it not necessary to have a DMZ and can I place the HoneyPot between modem and Router and the IDS in the LAN? Do I need a switch to make a separate network for this? Or maybe something else?

ergo: What is the best placement for both systems?

Thanks in advance,
Quentin

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
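
The BPF restriction suggested in the reply above, as an added example that is not part of the original messages: a shell helper that validates the honeypot address, builds the capture filter and prints a Snort command that loads it with -F. The address 192.0.2.10, the interface eth1, the config path and all function names are assumptions; the "tagged" form goes beyond the single-IP case in the thread to cover a span port that delivers 802.1Q-tagged frames, which a plain "host" filter does not match.

```shell
#!/bin/sh
# Added example: restrict Snort capture to one honeypot host with a BPF.
# All addresses, paths and function names here are assumptions.

# Return 0 only for a dotted-quad IPv4 address (each octet 0..255), so
# nothing else can be smuggled into the filter expression.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a BPF expression matching only traffic to or from the honeypot.
# Pass "tagged" as the second argument when the mirrored traffic still
# carries 802.1Q VLAN tags.
honeypot_bpf() {
    is_ipv4 "$1" || { echo "invalid honeypot IP: $1" >&2; return 1; }
    if [ "${2:-}" = "tagged" ]; then
        printf 'host %s or (vlan and host %s)\n' "$1" "$1"
    else
        printf 'host %s\n' "$1"
    fi
}

# Write the filter to a file and print the Snort command that loads it.
# Arguments: interface, honeypot IP, filter file, optional "tagged".
snort_honeypot_cmd() {
    filter=$(honeypot_bpf "$2" "${4:-}") || return 1
    printf '%s\n' "$filter" > "$3" || return 1
    printf 'snort -i %s -c /etc/snort/snort.conf -F %s\n' "$1" "$3"
}

# Constructed sample address from the documentation range 192.0.2.0/24.
honeypot_bpf 192.0.2.10 tagged
```

The filter only narrows what the sensor sees; it does nothing to contain the honeypot itself, which still needs the separation described in the reply.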
Current thread:
- IDS and HoneyPot placement in LAN Quentin Ducas (Jun 16)
- Re: IDS and HoneyPot placement in LAN Matt Olney (Jun 16)
- Re: IDS and HoneyPot placement in LAN Joe Pampel (Jun 16)