Honeypot System Placement

		Chapter 2 - A Honeypot Deployment Plan Honeypots for Windows by Roger A. Grimes Apress 2005

There are three main locations to place your honeypot system:

• External facing the Internet

• Internal behind the firewall

• On the DMZ

Honeypot placement is usually discussed in its relationship to the perimeter-protecting firewall. Each location has its advantages and disadvantages, depending on your honeypot goals.

External Placement

If you want to get the most malicious hacks for your dollar, place your honeypot outside your network perimeter. It is not uncommon to see honeypots connected directly to the Internet, where they can be freely compromised and probed, as shown in Figure 2-9. This is the easiest setup for single personal, home-based and research honeypots.

Figure 2-9: External placement of a honeypot

With external placement, there is no firewall in front of the honeypot. The honeypot and production network share the same public IP address subnet. You will need one or more public IP addresses. If you have only one public IP address and you are working with a hub, you can give the public IP address to the honeypot and set up the monitoring station without an IP address.

In promiscuous mode with a non-Windows IP stack, the management workstation should be able to capture traffic headed to and from the honeypot. If you have a managed switch, set up the monitoring workstation in port mirroring mode. The use of a switch offers some protection over a hub, but without a firewall or some other sort of defense, this type of honeynet represents the largest risk to the production network.

The lack of a secondary router, firewall, or some other inline device means you’ve effectively made data control very difficult. Many people start out with this method because it is the easiest to set up. They have good intentions: they plan to plug in the honeypot only while they are actively monitoring it, or they create some sort of alert system that will page them when the honeypot is compromised. In either case, they intend to physically watch the hacker’s activity, and then pull the honeypot off the network if the hacker begins to attack other targets. This sounds great, but the devil is in the details.

If you plug in your honeypot only while you are actively watching it, you effectively limit its exposure. You’ll probably see some worm attacks in progress, but being right at the honeypot during an interesting manual hack attack session is more miss than hit.

If you’re using the alert method, what happens if you’re traveling in another city or at the doctor’s office when the honeypot is compromised? In the time it takes you to travel from where you are to the honeypot, the hacker could have used it to compromise other hosts. Data control is not very sexy, but lack of it is the highest legal risk to a honeypot administrator.

Internal Placement

Another common honeypot system location is inside the network, with the firewall between it and the outside world, as shown in Figure 2-10. This placement is the best way to create an early-warning system to alert you to any external exploits that have made it past your other network defenses and catch internal threats at the same time. For example, during the Blaster worm attacks, any companies that had their firewall configured to block port 135 were essentially safe from the worm. But the worm was able to sneak past the firewall on trusted VPN links and infected mobile laptop computers. Once past the firewall, the worm was able to infect unpatched internal machines. A honeypot would at least be an early-warning system that the worm had made it past the firewall.

Figure 2-10: Internal honeypot placement

On the downside, if an internal honeypot is compromised, data control within the local network is difficult. A hacker or worm could use the exploited honeypot to look for additional internal hosts to compromise. You can minimize that threat by placing yet another firewall (or other inline mechanism) on the honeypot/honeynet to limit outgoing activity, or use a low-interaction honeypot.

Because the honeypot system is placed behind the firewall, administrators will need to decide what Internet traffic is directed to the honeypot versus production assets. Will they allow any port traffic to the honeypot, or just redirect specific ports? For example, if the production network does not have a web server, the honeypot administrator might redirect any incoming HTTP requests to the honeypot instead. Or if a RPC worm is loose, any incoming probes to port 135 can be redirected to a tarpit. The use of the tarpit (as described in Chapter 1) slows down the worm’s progress and benefits the local network and the Internet. It is important to decide which ports you will allow past your firewall and where the traffic should head.

In this scenario, utilizing a port mirroring switch will decrease the chance that a hacker would detect your monitoring efforts. Note that the logging computer does not need a second network interface card, because the honeynet and the production network are one and the same.

DMZ Placement

Placing a honeypot on the firewall DMZ, as shown in Figure 2-11, is often the best choice for a company. It can be placed alongside your other legitimate DMZ servers and provide early warning of threats located there. A router is placed between the firewall’s DMZ as an added layer for data control. The honeynet and production DMZ servers share the same logical subnet and IP address scheme. The DMZ can have public or private IP addresses. The IDS/packet capturing computer uses the switch’s port mirroring abilities in order to remain hidden.

Figure 2-11: Honeypot DMZ placement

The placement of the honeynet within the DMZ is an ideal location for many entities, but it’s also the most complex placement model. Additionally, because it is located on the DMZ, it is not the best early-warning indicator for an internal network compromise.

Honeypot Placement Summary

Where you place your honeypot system depends on your objectives. Most administrators place honeypots externally or on the DMZ, but installing them internally as an early-warning system to back up other network security defenses is becoming more popular. Table 2-1 summarizes the advantages and disadvantages of each honeypot system location.