Thursday 14 February 2013

Debian Honeywall howto

Abstract

This howto describes how to set up a honeywall acting as a hidden gateway, typically used to separate a honeynet environment from a production environment. The operating system used in this article is Debian 6.0 installed as a VM guest.

Introduction

Honeynets are designed to give a better understanding of how an attacker exploits vulnerabilities on a network device and to build better knowledge of the latest security threats.

Vulnerable devices in a honeynet, commonly called honeypots, are either intentionally set up to be vulnerable to many different attacks, or are a clean install of an OS left waiting for an attacker to probe it and, hopefully, perform previously unknown attacks on the system. The latter is often referred to as a High Interaction Honeypot, while emulating services is often called a Low Interaction Honeypot.

A honeywall is a hidden device acting as a bridge between different networks. It is commonly used to separate a honeypot from a production environment, with the ability to control data sent in and out as well as to monitor network traffic. It can also be used to analyse traffic during live malware analysis, to mention a few of its uses. The honeywall is a crucial device in a honeynet for gathering as much information as possible about malicious activity, both before and during an actual attack.

In order to secure a honeynet, the Honeynet Project has developed several standards and requirements for honeynets, covering data control, data capture and data collection, to lower the risk of the production environment being exploited.

You can read more about honeynets here; to meet the requirements I followed “Honeynet Definitions, Requirements, and Standards”.

Environment

To meet the requirements of a honeynet there are several things to keep in mind.
First, the honeywall itself needs three Network Interface Controllers (NICs): one connected to the external network (router -> internet) and one connected to the internal network (honeynet).
These two NICs are set up as a hidden bridge, so no IP addresses are assigned to them.

Therefore, to remotely control the honeywall we need a third NIC for remote management, so we can easily administer it and retrieve the information gathered from the honeynet.

NICs
  • eth0 - Bridged - External network (internet)
  • eth1 - Vboxnet1 - Internal network (honeypots)
  • eth2 - Vboxnet0 - Remote management (safe network)

Data Control

Once the attacker has gained access to your honeypot, one needs to prevent attacks on unwanted targets, such as your production network and devices outside your own network (e.g. the internet). To prevent this we use at least two layers of protection, as described in the "Definitions, Requirements & Standards" link above.

To control the network flow we will use:

  • IPTables as a firewall with a connection limit.
  • Snort as Intrusion Prevention System (IPS) to drop malicious packets.

Data Capture

To capture probes, malicious activity and other information from the honeynet we need to set up logging capabilities:

  • TCPDump to capture all network traffic.
  • IPTables logging to log packets that match firewall rules.
  • Snort as Intrusion Detection System (IDS) to log malicious network traffic.
  • P0f to passively identify host information, such as applications and OS, from network packets.
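The three-NIC layout from the Environment section together with the Data Control and Data Capture lists above, as one added shell script (not from the howto, and not the Honeynet Project's own rc.firewall): it builds the IP-less bridge, restricts the honeywall itself to SSH on the management NIC, logs new connections in both directions and rate-limits new outbound connections per protocol before handing the survivors to an inline Snort. The honeypot subnet 192.168.56.0/24, the per-hour rates, the NFQUEUE number and the log prefixes are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not the howto's own script): data control and data capture
# rules for the three-NIC honeywall described above. Subnet, rates, queue
# number and log prefixes are assumptions, not values from the page.
# Pass "dry" (or set RUN=echo IPT=echo) to print commands instead of running them.
set -u
RUN="${RUN:-}"                 # prefix for bridge/sysctl commands
IPT="${IPT:-iptables}"         # prefix for firewall commands
EXT_IF=eth0; INT_IF=eth1; MGMT_IF=eth2; BR=br0
HONEYNET="${HONEYNET:-192.168.56.0/24}"   # constructed honeypot subnet

# Hidden bridge: eth0 and eth1 joined in br0, deliberately given no IP address.
honeywall_bridge() {
  $RUN brctl addbr "$BR"
  $RUN brctl addif "$BR" "$EXT_IF"
  $RUN brctl addif "$BR" "$INT_IF"
  for i in "$EXT_IF" "$INT_IF" "$BR"; do $RUN ip link set "$i" up; done
  # Make bridged frames traverse the iptables FORWARD chain.
  $RUN sysctl -w net.bridge.bridge-nf-call-iptables=1
}

honeywall_rules() {
  $IPT -F; $IPT -X
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
  # The honeywall itself answers only SSH, and only on the management NIC.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -i "$MGMT_IF" -p tcp --dport 22 -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Inbound to the honeypots: log each new connection (data capture), then allow.
  $IPT -A FORWARD -d "$HONEYNET" -m state --state NEW -j LOG --log-prefix "HW_IN: "
  $IPT -A FORWARD -d "$HONEYNET" -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Outbound from the honeypots (data control): log every new connection,
  # cap new connections per protocol per hour (layer 1), and hand what survives
  # to Snort inline on NFQUEUE 0 (layer 2, assumed wiring); everything else drops.
  $IPT -A FORWARD -s "$HONEYNET" -m state --state NEW -j LOG --log-prefix "HW_OUT: "
  for spec in "tcp 20" "udp 20" "icmp 50"; do
    set -- $spec
    $IPT -A FORWARD -s "$HONEYNET" -p "$1" -m state --state NEW \
      -m limit --limit "$2/hour" --limit-burst "$2" -j NFQUEUE --queue-num 0
  done
  $IPT -A FORWARD -s "$HONEYNET" -m state --state NEW -j LOG --log-prefix "HW_OUT_DROP: "
  $IPT -A FORWARD -s "$HONEYNET" -j DROP
}

case "${1:-}" in
  apply) honeywall_bridge && honeywall_rules ;;
  dry)   RUN=echo IPT=echo; honeywall_bridge; honeywall_rules ;;
esac
```

Connections that exceed the hourly cap fall through to the HW_OUT_DROP log rule and the final DROP, so the kernel log shows both what the honeypots tried to reach and what the honeywall refused.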

Download the howto from Google Drive.
