Honeypot Farms Using Ethernet Bridging over a TCP Connection
                       Bruno Morisson <bruno.morisson@honeynet-pt.org>
                           Marco Vaz <marco.vaz@honeynet-pt.org>
                         Pedro Inácio <Pedro.inacio@honeynet-pt.org>


                          The Honeynet Project - Portugal
                               http://www.honeynet-pt.org
                                       March 2005



                                         Abstract

This paper describes a methodology and a prototype tool based on libpcap, libnet, mini-lzo and openssl, with the main objective of mitigating honeypot farm deployment complexity. Ethernet bridging over a TCP connection and VLAN tagging are used as the way to simplify the deployment of the remote honeypots and achieve better overall results.



                                        Keywords

               Honeypot, honeynet, ethernet bridging, vlan, snort-inline, TCP
Introduction

As already presented by Edward Balas in chapter 7 of “Know Your Enemy, 2nd Edition”, honeypot farms are used as a way of virtually distributing honeypots, transporting IP packets from remote locations to the physical honeypots. The aim is to reduce cost, deployment time and analysis time.

We decided to embrace and simplify this concept of traffic tunneling because it gives us the ability to optimize our methodology of analysis. Our aim was to use bridging rather than routing for transporting the traffic from remote locations to our honeypots on the farm. Bridging keeps traffic transportation simple.

This approach enables:

    • Quick access to the compromised equipment.
    • Reduced physical space required in ISP housing.
    • Fewer control devices (bridge, firewall and database).
    • Transparency.

As Edward Balas puts it:

Advantages of honeypot farms

    • Honeynets can be deployed within a very short amount of time.
    • Forensic analysis can be done faster.
    • Honeypot farms can be used to protect production servers (hot-zoning).
    • Participant networks don’t need to configure or monitor the honeypots.

Disadvantages of honeypot farms

    • Geographically unrelated positions cause anomalies in network latency.
    • Honeypot farms use routing rather than bridging, so they are complex to configure and require good network knowledge to operate properly.
    • This technology is fairly new; there are no tools to help automate the configuration and operation of the infrastructures.

The Portugal Honeynet Project developed its own prototype tool, Kangaroo, to help us with those tasks. With this tool, it is possible to tunnel Ethernet traffic from remote locations to the farm over a TCP connection, injecting it into the physical honeypot's Ethernet card/switch. Since Kangaroo relies on libpcap and libnet for capturing and injecting packets, it doesn't require any kernel patches/modules, and it should be simple to port to most modern operating systems.

Architecture

The topology deployed is based on a Gen II honeynet. The big difference is that we isolate the honeypots using 802.1q, creating virtual interfaces on our bridge server. The bridge server has one virtual interface per network segment.

All traffic to and from the honeypots will be bridged by the central server and the remote servers. The remote servers will create TCP connections to the central server, through which interesting traffic will be tunneled both ways.
Traffic to the honeypot:

The remote client captures the Ethernet frames sent to the honeypot's IP address (as well as relevant ARP requests/answers), and sends the frames through the TCP connection to the central server. The central server receives the frames from the TCP connection and injects them into the desired interface.

Traffic from the honeypot:

The central server captures the Ethernet frames sent from the honeypot's IP address (as well as relevant ARP requests/answers), and sends the frames through the TCP connection to the remote client. The remote client receives the frames from the TCP connection and injects them on the local network.

BPF – BSD Packet Filter

Using libpcap to capture the packets makes it possible to create a set of powerful filtering rules that reduce the transported traffic to the minimal operational needs. Filtering rules can also be applied via BPF on both ends of the tunnel. Another important advantage is that libpcap makes Kangaroo a truly platform-independent application.

Transparency

This approach to traffic tunneling can be described as medium-independent and inherently protocol-independent. Any LAN medium that can be captured with libpcap and injected with libnet can be tunneled with Kangaroo. Contrary to routing, with bridging there is no way for an attacker to detect that the machine is not physically located next to the others on the same subnet, except for the added latency.

Performance

Latency: There is, obviously, added latency to the connection. To reduce it, Kangaroo offers the ability to compress the packets.

Scalability: For now, one instance of Kangaroo is required for each tunnel created, so for now scalability is an issue at that level. It is also an issue with the bridge, since there is only one snort_inline instance, which must process every packet for every honeypot.

Example Setup

In the example setup there are two remote sensors with Kangaroo that will forward and receive the traffic to and from the honeynet firewall.

The firewall will encapsulate each stream into dot1q and send the trunk back to the bridge.

The SnortInline bridge has several virtual bridges, each composed of a pair of dot1q interfaces. One SnortInline process is enough to process all bridges.
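A model of the tunnel path described in the Traffic, BPF and Example Setup sections, as an added example (not Kangaroo's own code): the sensor's 'dst host' filter, a length-prefixed record format carrying each captured frame over the TCP stream with optional compression, and the firewall's 802.1Q tagging of each honeypot's stream for the trunk to the bridge. The record layout, zlib standing in for mini-lzo, the honeypot-to-VLAN table and all addresses are this example's own assumptions; Kangaroo's real wire format is not documented on the page.

```python
# Added example, not part of Kangaroo: models the sensor -> TCP -> firewall path.
import ipaddress
import struct
import zlib

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
# Assumed tunnel record layout: 1 byte flags (bit 0 = compressed), 2 bytes length.
REC_HDR = struct.Struct("!BH")

# Constructed sample values: 99.0.0.1 / 100.0.0.1 stand in for the paper's
# 99.x.y.z / 100.x.y.z; the VLAN numbers follow the example setup.
HONEYPOT_VLAN = {"99.0.0.1": 2, "100.0.0.1": 3}
HP_MAC = bytes.fromhex("02000000aa01")   # locally administered, constructed
RT_MAC = bytes.fromhex("02000000bb01")

def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Constructed Ethernet + minimal IPv4 header (checksum left at 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 6, 0, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip_hdr + payload

def tag(frame, vid):
    """Insert an 802.1Q tag (PCP 0, DEI 0, given VID) after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) + frame[12:]

def untag(frame):
    """Return (vlan_id or None, frame with the 802.1Q tag removed)."""
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_VLAN:
        return None, frame
    tci, = struct.unpack_from("!H", frame, ETH_HDR.size)
    return tci & 0x0FFF, frame[:12] + frame[16:]

def matches_host(frame, direction, host):
    """BPF-style 'dst host X' / 'src host X' test on an IPv4 frame (tag tolerated)."""
    _, f = untag(frame)
    if ETH_HDR.unpack_from(f)[2] != ETHERTYPE_IPV4 or len(f) < ETH_HDR.size + 20:
        return False
    off = ETH_HDR.size + (12 if direction == "src" else 16)
    return f[off:off + 4] == ipaddress.IPv4Address(host).packed

def encode_record(frame, compress=True):
    """Wrap one captured frame for the TCP stream; skip compression if it does not help."""
    body = zlib.compress(frame) if compress else frame
    if len(body) >= len(frame):
        body, compress = frame, False
    return REC_HDR.pack(1 if compress else 0, len(body)) + body

def decode_records(buf):
    """Pull complete records out of a TCP receive buffer; return (frames, leftover).

    TCP has no message boundaries, so a record may arrive split across reads;
    the unfinished tail is handed back to be prepended to the next read.
    """
    frames, off = [], 0
    while len(buf) - off >= REC_HDR.size:
        flags, n = REC_HDR.unpack_from(buf, off)
        start, end = off + REC_HDR.size, off + REC_HDR.size + n
        if end > len(buf):
            break
        frames.append(zlib.decompress(buf[start:end]) if flags & 1 else buf[start:end])
        off = end
    return frames, buf[off:]

def sensor_to_trunk(captured, honeypot_ip):
    """Sensor filter -> tunnel records -> central decode -> 802.1Q-tagged frames.

    Mirrors 'kangaroo -c ... -f "dst host <honeypot>"' on the sensor and the
    firewall injecting into eth1.<vlan>; the reverse path uses 'src host'.
    """
    stream = b"".join(encode_record(f) for f in captured
                      if matches_host(f, "dst", honeypot_ip))
    frames, leftover = decode_records(stream)
    if leftover:
        raise ValueError("truncated record in tunnel stream")
    return [tag(f, HONEYPOT_VLAN[honeypot_ip]) for f in frames]

if __name__ == "__main__":
    probe = build_ipv4_frame(HP_MAC, RT_MAC, "203.0.113.9", "99.0.0.1", b"SYN")
    other = build_ipv4_frame(HP_MAC, RT_MAC, "203.0.113.9", "100.0.0.1", b"SYN")
    for tagged in sensor_to_trunk([probe, other], "99.0.0.1"):
        vid, plain = untag(tagged)
        print("VLAN", vid, "frame of", len(plain), "bytes for honeypot1")
```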
The switch located behind the SnortInline bridge will split the trunk traffic, putting each VLAN in a separate port.

There are two honeypots, one on VLAN 2 and the other on VLAN 3.

Honeypot1 will have the (public) IP address 99.x.y.z and honeypot2 will have the (also public) IP address 100.x.y.z. The IP address for the firewall’s outside interface (public) will be 80.x.y.z.

Configuration on the remote sensors

    • ./kangaroo -C -u user -g group -p 4791 -c 80.x.y.z -i eth0 -f 'dst host 99.x.y.z'
      Kangaroo will capture and inject traffic from and to RemoteSensor1.
    • ./kangaroo -C -u user -g group -p 4792 -c 80.x.y.z -i eth0 -f 'dst host 100.x.y.z'
      Kangaroo will capture and inject traffic from and to RemoteSensor2.

Configuration on the Firewall

    • vconfig add eth1 2
      Creation of the VLAN 2 interface on the inside Ethernet NIC.
    • vconfig add eth1 3
      Creation of the VLAN 3 interface on the inside Ethernet NIC.
    • ./kangaroo -C -u user -g group -p 4791 -l 80.x.y.z -i eth1.2 -f 'src host 100.x.y.z'
      Kangaroo will inject traffic coming from RemoteSensor to the VLAN 2 interface on the firewall.
    • ./kangaroo -C -u user -g group -p 4792 -l 80.x.y.z -i eth1.3 -f 'src host 99.x.y.z'
      Kangaroo will inject traffic coming from RemoteSensor to the VLAN 3 interface on the firewall.

Configuration on the SnortInline Bridge

    • vconfig add eth0 2
      Creation of the VLAN 2 interface on the inside Ethernet NIC.
    • vconfig add eth1 2
      Creation of the VLAN 2 interface on the outside Ethernet NIC.
    • vconfig add eth0 3
      Creation of the VLAN 3 interface on the inside Ethernet NIC.
    • vconfig add eth1 3
      Creation of the VLAN 3 interface on the outside Ethernet NIC.
    • brctl addbr br2
      Creation of the virtual bridge br2 (needed before interfaces can be added to it).
    • brctl addif br2 eth0.2
      Adds the inside VLAN 2 interface (eth0.2) to bridge br2.
    • brctl addif br2 eth1.2
      Adds the outside VLAN 2 interface (eth1.2) to bridge br2.
    • brctl addbr br3
      Creation of the virtual bridge br3.
    • brctl addif br3 eth0.3
      Adds the inside VLAN 3 interface (eth0.3) to bridge br3.
    • brctl addif br3 eth1.3
      Adds the outside VLAN 3 interface (eth1.3) to bridge br3.
    • iptables -A FORWARD -s 99.x.y.z -j ACCEPT
      Firewall rule to permit inbound traffic to honeypot1.
    • iptables -A FORWARD -d 99.x.y.z -j QUEUE
      Firewall rule to queue outbound traffic from honeypot1.
    • iptables -A FORWARD -s 100.x.y.z -j ACCEPT
      Firewall rule to permit inbound traffic to honeypot2.
    • iptables -A FORWARD -d 100.x.y.z -j QUEUE
      Firewall rule to queue outbound traffic from honeypot2.


TODO

    • The prototype code is being completely re-written.
    • Multiplexing: one central Kangaroo daemon for several remote servers.
    • Direct integration with snort-inline.
    • Performance enhancements.
    • SSL enhancements (certificates for authentication, stream encryption for performance).


Conclusions

Using the methods described, with the aid of Kangaroo, Linux bridging, VLAN tagging and snort_inline, it is possible to truly decentralize honeynets, deploying honeypots remotely while keeping all the hardware centralized at a single location. This also reduces hardware costs: there is no need to replicate honeynets in every participating network. We can use the same firewall, bridge, log server, etc., for every honeypot deployed. With Kangaroo, routing configuration troubles can be avoided and network transparency obtained. Since Kangaroo was designed specifically for this application, its configuration is also simple and straightforward.


References

Kangaroo
http://www.honeynet-pt.org/research/kangaroo-0.5.0a.tar.gz

Libpcap
http://www.tcpdump.org

Libnet
http://www.packetfactory.net

Mini-LZO
http://www.oberhumer.com

OpenSSL
http://www.openssl.org

The Honeynet Project
http://www.honeynet.org

Book – Know Your Enemy, 2nd Edition
http://www.honeynet.org/book