I'm a pretty decent (IMO) web app penetration tester, but I'm eager to expand my knowledge of other areas of security. Given that I've just taken on something of an enhanced sysadmin role at my work, I figured it would be a pretty good opportunity to try to learn more about network and operating system security.
In general, I'd say that I have a decent understanding of broad security concepts, but networking is a major, major blind spot for me.
Now, the question: I was thinking that it might be a good idea ("good idea") to leave a vulnerable machine exposed on my home network, with the full intention of having it breached. My plan is to install the various auditing tools (tripwire, logwatch, samhain, etc.) to give me real-world experience performing post-mortems on compromised systems, because I've got very little experience there.
I'm obviously hesitant to do that, though, because I'm not 100% confident that I can confine the will-be attackers to the honeypot machine only. So - how can I do that?
To the best of my understanding (which is again, quite poor, when it comes to networking) this will involve placing my honeypot system in the DMZ on my network. I've never done this before.
I was thinking, initially, that I could enforce the DMZ in two ways:
- statically map the IP at the router, designating the DMZ machine
- likewise, block out the MAC address from the rest of the LAN
When I thought about it some more, though, I began to doubt that plan. Could not a rogue user with root access 1) change his static IP and 2) flash the MAC? Would that get him out of the DMZ and onto my home network?
The above may be a bunch of nonsense. Again, this is a blind spot for me. Please forgive me if I've wasted your time with a very dumb question :)
Thanks, everyone.
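As an added illustration for the isolation question above (example configuration, not from the post or any reply to it), this is how a Linux router with a dedicated honeypot port or VLAN can enforce the DMZ in nftables; the interface names, subnets and honeypot address are assumptions.

```nftables
# Added example, not from the question: an nftables ruleset for a Linux router
# with three interfaces. Interface names and subnets are assumptions:
#   wan0 - upstream / internet
#   lan0 - trusted home LAN, 192.168.1.0/24
#   dmz0 - dedicated switch port or VLAN holding only the honeypot (192.168.99.10)
# Policy is keyed on the ingress interface, not on IP or MAC, so a root user on
# the honeypot who changes either still cannot reach lan0: whatever address the
# box uses, its packets still arrive on dmz0.
flush ruleset
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed to start.
        ct state established,related accept
        # Trusted LAN: out to the internet, and into the DMZ (e.g. to pull
        # honeypot logs for a post-mortem). Never the reverse.
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "dmz0" accept
        # Honeypot: internet only. Inbound exposure arrives via the DNAT below.
        iifname "dmz0" oifname "wan0" accept
        iifname "wan0" oifname "dmz0" accept
        # Any attempt to cross from the DMZ into the LAN is logged and dropped,
        # regardless of the source IP or MAC the honeypot presents.
        iifname "dmz0" oifname "lan0" log prefix "dmz-escape-attempt: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The router itself accepts new connections (management) only from lan0.
        iifname "lan0" accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Expose the honeypot's services to the internet (port list assumed).
        iifname "wan0" tcp dport { 22, 80 } dnat to 192.168.99.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

This only holds if the honeypot really sits on its own switch port or VLAN: on a shared segment it can reach LAN hosts at layer 2 without ever passing through these rules. The lan0-to-dmz0 allowance is also a channel back into the LAN once established, so keep it to the minimum needed for log collection.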