I am using a Linux box as a firewall and router. I would install a system running honeypots like Kippo, Dionaea or Glastopf behind it. My honeypot is on a private IP, and all required ports are redirected (via iptables) from the public IP of the firewall to the private IP of the honeypot machine.

Is this a good approach for deploying a honeypot? I noticed that behind the firewall, Dionaea captures less malware compared to on a public IP.

Hendrik Brummermann
Goforseeking
    Welcome to the security stack! You have a lot of questions packed into one here, you might get a better response if you clear up the language and separate the questions. Also, some of your questions are not security related, they are more basic networking questions. You *may* get a little guff for this. – INV3NT3D Oct 19 '16 at 17:03
  • Welcome to Security Stack Exchange! I agree with @INV3NT3D. It is often best to ask questions one at a time so they can be answered individually. Multiple questions are encouraged, but I would suggest pacing them out as well. – 700 Software Oct 19 '16 at 17:16
  • Thanks for the suggestions. Actually, these are parts of one main question and are tightly bound. Please answer these basic networking questions if they are. – Goforseeking Oct 19 '16 at 17:59
  • Is your goal to catch attacks from outside or from inside your network? – d1str0 Oct 19 '16 at 19:02
  • My sensor running multiple honeypots is deployed in DMZ along with production server. So, I am interested in both but from outside preferably. – Goforseeking Oct 20 '16 at 07:32
  • This [question](http://security.stackexchange.com/questions/3978/honeypot-on-home-network-to-help-me-learn?rq=1) might be helpful for you. – furusiyya Oct 20 '16 at 07:40

1 Answer

The architecture that you're suggesting would allow you to capture potentially malicious traffic directed at services running on the ports that you forward from the public IP address.

If that's your goal then it seems a reasonable approach. One suggestion, depending on how much you trust the honeypot software, would be to isolate the honeypot machines in their own logical network, such that if an attacker breaks out of them, they have more difficulty in attacking other systems in your environment.

The primary difference I can see between that approach and placing the honeypots "outside" the firewall is that you wouldn't need to maintain firewall rules to allow traffic to them, and also, if they're compromised, there is likely less risk to the other areas of your network.

Rory McCune
  • Thanks Rory McCune. Yes, you are right. One thing which I suggested is to deploy honeypots in the DMZ zone in isolation (PVLAN) mode, in the Cisco world. If isolation is not possible, then iptables is a good option to drop all communication between the honeypots and the production server. – Goforseeking Oct 20 '16 at 17:52
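The setup described in the question (port redirection from the firewall's public IP to a honeypot on a private address) and the isolation the answer and the last comment recommend can be expressed as a single iptables ruleset. The following POSIX shell script is an added example, not code from the question, the answer, or any of the honeypot projects. Interface names (eth0/eth1), the public address (203.0.113.10, from the TEST-NET-3 documentation range), the honeypot and production subnets, and the port list (public 22 to Kippo on 2222; 445, 1433 and 80 to Dionaea/Glastopf on the same ports) are all assumptions chosen for illustration; adjust them to the real environment.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a Linux
# firewall/router that DNATs selected public ports to a honeypot host on
# its own private segment and blocks all traffic between that segment and
# the production LAN. Every address, interface and port below is an
# assumption for illustration, overridable through the environment.

WAN_IF="${WAN_IF:-eth0}"                    # public-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"                    # interface toward honeypot segment (assumed)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # router's public IP (TEST-NET-3, assumed)
HONEYPOT_IP="${HONEYPOT_IP:-10.10.10.5}"    # honeypot host (assumed)
HONEYPOT_NET="${HONEYPOT_NET:-10.10.10.0/24}"
PROD_NET="${PROD_NET:-192.168.1.0/24}"      # production LAN to keep isolated (assumed)

# Port map, "<public_port>:<honeypot_port>/<proto>". Kippo usually listens
# on 2222, so public 22 is redirected there; the rest map 1:1 (assumed).
FORWARDS="${FORWARDS:-22:2222/tcp 445:445/tcp 1433:1433/tcp 80:80/tcp}"

# Print one complete iptables-restore ruleset (nat + filter tables).
gen_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for fw in $FORWARDS; do
        pub=${fw%%:*}; rest=${fw#*:}; hp=${rest%%/*}; proto=${rest#*/}
        # Only the destination is rewritten, so the honeypot still logs the
        # attacker's real source address.
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p $proto --dport $pub -j DNAT --to-destination $HONEYPOT_IP:$hp"
    done
    # Outbound traffic from the honeypot segment (e.g. Dionaea fetching a
    # payload a shellcode points at) leaves via the public IP.
    printf '%s\n' "-A POSTROUTING -s $HONEYPOT_NET -o $WAN_IF -j MASQUERADE" 'COMMIT'

    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    # Isolation first: no traffic in either direction between honeypot
    # segment and production LAN, regardless of port or state.
    printf '%s\n' "-A FORWARD -s $HONEYPOT_NET -d $PROD_NET -j DROP"
    printf '%s\n' "-A FORWARD -s $PROD_NET -d $HONEYPOT_NET -j DROP"
    # Replies for flows that were already permitted.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Inbound: only flows that the nat table actually DNATed to the honeypot.
    for fw in $FORWARDS; do
        rest=${fw#*:}; hp=${rest%%/*}; proto=${rest#*/}
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $HONEYPOT_IP -p $proto --dport $hp -m conntrack --ctstate DNAT -j ACCEPT"
    done
    # Outbound from the honeypot to the Internet is allowed but logged:
    # captured malware phoning home is exactly what you want to notice.
    printf '%s\n' "-A FORWARD -s $HONEYPOT_NET -o $WAN_IF -j LOG --log-prefix \"HONEYPOT-OUT: \""
    printf '%s\n' "-A FORWARD -s $HONEYPOT_NET -o $WAN_IF -j ACCEPT" 'COMMIT'
}

# Load the ruleset atomically; needs root and replaces the nat/filter tables.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

# "sh script.sh" prints the rules for review; "sh script.sh apply" loads them.
case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it without arguments first and read the output; only the forwarded ports ever reach the honeypot, which is also why a honeypot behind the firewall sees less than one on a bare public IP: everything Dionaea would have caught on ports you did not forward never arrives. The script does not touch the router's own INPUT chain, so lock that down separately.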