Further, the bridge served as a kind of reverse firewall (called a "honeywall") that offered
basic data collection and data control capabilities.
Gen III Honeynets
In 2005, Gen III Honeynets were developed by honeynet.org. The honeywall evolved
into a product called roo and greatly enhanced the data collection and data control
capabilities while providing a whole new level of data analysis through an interactive
web interface called Walleye.
Architecture
The Gen III honeywall (roo) serves as the invisible front door of the honeynet. Because
the honeywall bridges traffic rather than routing it, data control and data collection
take place on the honeywall itself, and the honeynet can now be placed right next to
production systems, on the same network segment, as shown here:
Data Control
The honeywall provides data control by restricting outbound network traffic from the
honeypots. Again, this is vital to mitigate risk posed by compromised honeypots attacking
other systems. The purpose of data control is to balance the need for the compromised
system to communicate with outside systems (to download additional tools or
participate in a command-and-control IRC session) against the potential of the system
to attack others. To accomplish data control, iptables (firewall) rate-limiting rules are
used in conjunction with snort-inline (intrusion prevention system) to actively modify
or block outgoing traffic.
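The following script is an added illustration of that data-control layer and is not the book's or the Honeynet Project's own roo rc.firewall; it assumes the honeypots sit behind bridge port eth1 on 10.0.0.0/24 and that the inline IPS reads from NFQUEUE 0 (the modern replacement for the ip_queue/QUEUE target roo used). It prints the rules so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Honeywall outbound data control: rate-limit NEW connections leaving the honeypots
# and hand everything that is allowed to the inline IPS, which may still drop or
# modify it. Usage: honeywall_rules [hp_if] [hp_net] [tcp/h] [udp/h] [icmp/h] [queue] | sh
# Assumed values (not from the book): eth1, 10.0.0.0/24, 15, 20, 50, queue 0.
honeywall_rules() {
    hp_if=${1:-eth1}          # bridge port facing the honeypots
    hp_net=${2:-10.0.0.0/24}  # honeypot address range
    tcp_limit=${3:-15}        # new outbound TCP connections allowed per hour
    udp_limit=${4:-20}        # new outbound UDP flows allowed per hour
    icmp_limit=${5:-50}       # outbound ICMP packets allowed per hour
    qnum=${6:-0}              # NFQUEUE number the inline IPS listens on
    cat <<EOF
# Traffic entering the bridge from the honeypot side gets its own chain
iptables -N HONEYWALL_OUT
iptables -A FORWARD -m physdev --physdev-in $hp_if -s $hp_net -j HONEYWALL_OUT
# Packets of connections already admitted still pass through the IPS
iptables -A HONEYWALL_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE --queue-num $qnum
# NEW TCP connections: within the hourly budget go to the IPS, beyond it are logged and dropped
iptables -A HONEYWALL_OUT -p tcp --syn -m limit --limit ${tcp_limit}/hour --limit-burst $tcp_limit -j NFQUEUE --queue-num $qnum
iptables -A HONEYWALL_OUT -p tcp --syn -j LOG --log-prefix "HONEYWALL TCP LIMIT: "
iptables -A HONEYWALL_OUT -p tcp --syn -j DROP
# NEW UDP flows: same pattern with their own budget
iptables -A HONEYWALL_OUT -p udp -m conntrack --ctstate NEW -m limit --limit ${udp_limit}/hour --limit-burst $udp_limit -j NFQUEUE --queue-num $qnum
iptables -A HONEYWALL_OUT -p udp -m conntrack --ctstate NEW -j LOG --log-prefix "HONEYWALL UDP LIMIT: "
iptables -A HONEYWALL_OUT -p udp -m conntrack --ctstate NEW -j DROP
# ICMP: budgeted as well, so a compromised honeypot cannot flood others
iptables -A HONEYWALL_OUT -p icmp -m limit --limit ${icmp_limit}/hour --limit-burst $icmp_limit -j NFQUEUE --queue-num $qnum
iptables -A HONEYWALL_OUT -p icmp -j DROP
# Anything else the honeypots try to send out is dropped
iptables -A HONEYWALL_OUT -j DROP
EOF
}
```

The LOG lines are what the analyst later correlates with the honeypot's inbound activity; the IPS queue is where snort-inline-style modification of permitted traffic happens.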