[Honeywall] 4-5 Computers Honeynet Setup

JT tyra0002 at umn.edu
Fri Jun 26 13:10:47 EDT 2009


On Thu, 2009-06-25 at 21:06 -1000, r00t wrote:
> James,
> 
> That makes more sense, thank you.  
> However, I still have a few questions about the network in this
> diagram above the honeywall:
> 
> http://files.getdropbox.com/u/12240/Screenshot.png
> 
> Could you describe where eth2 and eth0 go? And how this generally
> works with the switch?
eth2 is the remote administration interface. Not required for Roo
functionality, but obviously handy if you don't have physical access to
the Roo computer. 

Our eth2 is also hooked up with a public IP to the internet. It is
behind a larger firewall system that I have no control over. 

In our setup, eth0 and eth2 are hooked to the same switch (beefy Cisco
hardware, serves half our building), they are just on different VLANs.
So eth0 gets set up to the public, unfirewalled VLAN IP range and eth2
goes to the firewalled VLAN IP.
I told our network admin what I wanted, and she just set it up, I have
no idea how to actually configure the VLAN stuff.
 

> 
> I am creating my own model of how the network will work, any advice is
> appreciated:
> 
> http://files.getdropbox.com/u/12240/AbsHoneynet.jpeg
In your diagram there, the router/switch between Internet and eth0 will
probably need to be some type of managed thing that supports VLANs. I did
not set this part up, our network admin did.

But in our setup, the switch on eth1 is just a plain-jane Best Buy 5-port
switch. The kind you can get for $10-30 bucks.  No management, just
plug and go. A hub would even work here.

> 
> I'm not quite sure I understand where eth2 is going.
> Since the honeywall is a remote location, I will be accessing it via
> its IP (of course restricted to a certain IP).  
> 
> As I can tell, this is the only way in the honeywall, and thus the
> only way to connect to Walleye (correct me if I am wrong). 
Yes, this and physical console access. SSH and Walleye all go through
eth2. 


-James
> 
> Thanks
> 
> 
> 2009/6/25 JT <tyra0002 at umn.edu>
>         Well, without knowing more info I would install roo to the most
>         powerful machine (must have 3 network cards) and place Windows
>         on the rest. Then infect the Windows machines with malware of your
>         choice. VMs add unneeded complexity in my opinion.
>         
>         Each Windows machine has a separate public IP, but the
>         connections are physically routed through the roo computer,
>         via a switch.
>         
>         The big managed switch that hooks us to the net has been
>         configured to forward multiple IPs to 1 physical port (one
>         hooked to roo). Roo has bridging set up by default so all
>         traffic flows correctly.
>         
>         So roo is inserted in series (EE term) to both ends of the
>         connection. It can snort-inline data and rate limit via tc.
>         
>         
>         This is the exact setup we are running.
>         (I skipped some details, if you want more info just ask. Roo
>         has a very very steep learning curve.)
>         
>         -James
>         
>         -----Original Message-----
>         From: r00t <r00t at ellicit.org>
>         
>         Date: Thu, 25 Jun 2009 13:15:31
>         To: Mailing list for users and developers of the
>         Honeywall<honeywall at public.honeynet.org>
>         Subject: [Honeywall] 4-5 Computers Honeynet Setup
>         
>         
>         _______________________________________________
>         Honeywall mailing list
>         Honeywall at public.honeynet.org
>         https://public.honeynet.org/mailman/listinfo/honeywall
>         
> 
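The layout described in this message (eth0 and eth1 bridged in series, eth2 kept apart for SSH and Walleye) can be sanity-checked from the bridge membership list. The script below is an added example, not part of the original message or of Roo itself; it assumes the `brctl show` output format from bridge-utils, and the bridge name `br0`, the bridge id and both sample outputs are constructed.

```shell
#!/bin/sh
# Constructed `brctl show` output for the layout in the message: eth0 (public
# VLAN) and eth1 (honeypot switch) bridged, eth2 left out for management.
# The bridge name br0 and the bridge id are made-up sample values.
SAMPLE_OK='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              eth0
                                                        eth1'

# Constructed misconfiguration: the management NIC has been added to the bridge.
SAMPLE_BAD="$SAMPLE_OK
                                                        eth2"

# Print every bridge member interface, one per line.
# A bridge's first member is column 4; further members sit on lines of their own.
bridge_members() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 { print $4 }
                              NR > 1 && NF == 1 { print $1 }'
}

# check_layout BRCTL_OUTPUT MGMT_IFACE INLINE_IFACE...
# Returns 0 only if every inline interface is bridged and the management
# interface is not; prints the reason either way.
check_layout() {
    members=$(bridge_members "$1"); mgmt=$2; shift 2
    for want in "$@"; do
        if ! printf '%s\n' "$members" | grep -qx -- "$want"; then
            echo "FAIL: $want is not a bridge member"
            return 1
        fi
    done
    if printf '%s\n' "$members" | grep -qx -- "$mgmt"; then
        echo "FAIL: $mgmt is a bridge member, management shares the honeynet path"
        return 1
    fi
    echo "OK: $* bridged, $mgmt isolated"
}

# On a live box: check_layout "$(brctl show)" eth2 eth0 eth1
check_layout "$SAMPLE_OK" eth2 eth0 eth1
```
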