I was rather bored this morning, so I decided to put together something I had thought about a while ago to do with honeynets.
If you want a run down on honeynets check out:
http://www.honeynet.org/
The basic idea behind honeynets is that you provide network resources such as servers, databases and network hardware which are tempting for would-be intruders to compromise. These resources have no business purpose other than to catch people trying to compromise parts of your network, thus alerting you.
My little setup is a WiFi honeynet that presents a completely open access point with default manufacturer's settings (including passwords) that is connected to an internet connection.
See the below diagram:
The access point is connected to a Cisco Catalyst 2950 series switch. The switch has been configured to turn off as many features as possible that may warn would-be intruders that this supposedly simple home network has a £1000 enterprise switch running it.
STP, VTP and CDP were all turned off to limit broadcasts identifying the hardware; this was also useful for another reason: reducing clutter in the capture logs.
The switch then had the port that the access point was connected to added to a monitored session that mirrored incoming and outgoing traffic to my computer on the motherboard's second NIC. This NIC has no IP address and cannot transmit traffic to and from the network because it only receives the mirrored data; it can only sniff it. Running on my computer is Ethereal in promiscuous mode, collecting all packets seen on the wire.
To give the intruder something interesting to play with he would need internet access. I did not want an open AP on my home network, so to mimic an internet connection and control what it was used for I set up IPCOP as a gateway and transparent proxy with all logging turned on. By default IPCOP is designed to protect the inside from the outside, but by using a modification called Block All Traffic you can make it default deny all outgoing traffic.
With Block All Traffic (BOT) set up, the gateway now only allowed web and chat client access to the outside world.
Internet connection to my computer and to the IPCOP box is provided by my internal network through a switch and router as shown.
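As an added example (not part of the original post), this is what the "thus alerting you" part can look like over the frames the sniffing NIC sees: on this segment only the AP's wired interface and the IPCOP gateway have any business talking, so every other sender is an alert. The MAC addresses, IP addresses and frames are constructed, and it assumes the AP bridges wireless clients onto the wire rather than hiding them behind NAT.

```python
import struct

# Constructed values: the only two MACs expected on the mirrored segment, the honeypot AP's
# wired interface and the IPCOP gateway. Anything else on the wire came in over the open AP.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Decode one Ethernet II frame into (src_mac, summary); ARP and IPv4/TCP get detail."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    p = frame[14:]
    if etype == 0x0806 and len(p) >= 28:                      # ARP: sender IP -> target IP
        summary = f"ARP {'request' if p[7] == 1 else 'reply'} {_ip(p[14:18])} -> {_ip(p[24:28])}"
    elif etype == 0x0800 and len(p) >= 20 and p[9] == 6 and len(p) >= (p[0] & 0x0F) * 4 + 4:
        ihl = (p[0] & 0x0F) * 4                               # IPv4 carrying TCP: show the ports
        sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
        summary = f"TCP {_ip(p[12:16])}:{sport} -> {_ip(p[16:20])}:{dport}"
    else:
        summary = f"ethertype 0x{etype:04x}"
    return _mac(src), summary

def honeynet_alerts(frames):
    """The honeynet has no legitimate clients, so every frame from an unknown MAC is an alert."""
    seen, alerts = set(), []
    for frame in frames:
        src, summary = parse_frame(frame)
        if src in KNOWN_MACS:
            continue
        if src not in seen:                                   # first sighting of a wireless client
            seen.add(src)
            alerts.append(f"NEW CLIENT {src}")
        alerts.append(f"{src}: {summary}")
    return alerts

# Constructed sample frames standing in for a capture taken off the mirrored switch port.
def _eth(dst, src, etype, payload):
    return bytes.fromhex(dst.replace(":", "") + src.replace(":", "")) + struct.pack("!H", etype) + payload
def _arp(src_mac, src_ip, target_ip, op=1):
    return _eth("ff:ff:ff:ff:ff:ff", src_mac, 0x0806, struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
                + bytes.fromhex(src_mac.replace(":", "")) + bytes(map(int, src_ip.split(".")))
                + bytes(6) + bytes(map(int, target_ip.split("."))))
def _tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return _eth(dst_mac, src_mac, 0x0800, ip + struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 2, 8192, 0, 0))
SAMPLE = [
    _arp("aa:bb:cc:dd:ee:01", "192.168.1.50", "192.168.1.1"),          # wireless client looks for the gateway
    _arp("00:11:22:33:44:66", "192.168.1.1", "192.168.1.50", op=2),    # IPCOP answers (known, not alerted)
    _tcp_syn("aa:bb:cc:dd:ee:01", "00:11:22:33:44:66", "192.168.1.50", "203.0.113.10", 40000, 80),
]
```

Running `honeynet_alerts(SAMPLE)` gives one NEW CLIENT line followed by one line per frame from that client; frames from the gateway are silently dropped.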
I have given it all a whirl with my laptop and it seems to be running as expected, so it is time to see who's wardriving in my neighbourhood!
Comments/Advice/Questions please post.