MHN server Inside, Honeypot outside


Pedro Pereira

Apr 13, 2015, 1:36:13 PM4/13/15
to modern-hon...@googlegroups.com
Hi there!! I've been working with MHN for a couple of weeks now, and I have a question: is it possible to deploy a sensor in the public network and keep the MHN server in the private network? The intent is to generate geolocations in the honeymaps section... so, on my home network, I'll have the dionaea/suricata honeypot in the DMZ area with an opened port, while the server is secured inside the private (monitored) network. Is there a simpler way to do this?
Thanks in advance!

Jason Trost

Apr 13, 2015, 2:07:37 PM4/13/15
to Pedro Pereira, modern-hon...@googlegroups.com
During deployment, the honeypot needs to be able to communicate with the MHN server on port 80 or 443, depending on how you have it configured. After deployment, all sensors except Snort and Suricata only rely on TCP port 10000 being open. The Snort and Suricata sensors have a process that periodically pulls down the updated Snort rules from the MHN server.

Some users have set up iptables rules on their MHN server to lock down the comms. This works well, but introduces some complexity overhead, so keep that in mind when troubleshooting.

I hope this helps.

--Jason
--
Jason Trost | Director of ThreatStream Labs | www.threatstream.com
2317 Broadway, 3rd Floor| Redwood City, CA 94063
Phone: 386.235.0078 | Twitter: @jason_trost
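The iptables lockdown Jason mentions, written out as an added example (this is not the MHN project's own script or anything posted in the thread). It generates an iptables-restore ruleset for the MHN server that admits only what the reply names: the sensors' DMZ range on the web port used for deployment and rule pulls (80 or 443), the same range on tcp/10000 for the post-deployment feed, and the operators' private network on the web UI and SSH; everything else on INPUT is dropped and rate-limit logged so troubleshooting is not guesswork. The network ranges, the `mhn_server_rules` and `count_open_ports` names, and the SSH rule are assumptions for illustration, not MHN defaults.

```shell
#!/bin/sh
# Added example, not MHN project code: build an iptables-restore ruleset for an
# MHN server that only accepts the ports the mailing-list reply names.
#
# Usage: mhn_server_rules <sensor_net_cidr> <admin_net_cidr> [web_port]
#   sensor_net_cidr  DMZ range the honeypot sensors live in (assumption)
#   admin_net_cidr   private network the web UI is managed from (assumption)
#   web_port         80 or 443, whichever the server is configured for (default 443)
mhn_server_rules() {
  sensor_net="$1"
  admin_net="$2"
  web_port="${3:-443}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# sensors: deploy script and Snort/Suricata rule pulls over the web port,
# event feed on tcp/10000 after deployment
-A INPUT -s ${sensor_net} -p tcp --dport ${web_port} -j ACCEPT
-A INPUT -s ${sensor_net} -p tcp --dport 10000 -j ACCEPT
# operators on the private network: web UI and ssh (ssh rule is an assumption)
-A INPUT -s ${admin_net} -p tcp --dport ${web_port} -j ACCEPT
-A INPUT -s ${admin_net} -p tcp --dport 22 -j ACCEPT
# log what the default DROP policy discards, rate limited, so a sensor that
# cannot check in shows up here instead of silently disappearing
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "mhn-drop: "
COMMIT
EOF
}

# Sanity check before applying: count how many ACCEPT rules open a port at all.
# With the rules above the answer is always 4 (two per source network).
count_open_ports() {
  mhn_server_rules "$@" | grep -c -- '--dport .* -j ACCEPT'
}

# Apply (constructed sample ranges: 203.0.113.0/24 is a documentation net):
#   mhn_server_rules 203.0.113.0/24 192.168.1.0/24 443 | sudo iptables-restore
```

Because the sensors initiate every connection, nothing here needs to know a sensor's individual address; the DMZ range is enough, which is also why a sensor that changes IP inside that range keeps working without touching the server.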

kl...@agnoletti.dk

Sep 13, 2015, 9:08:42 AM9/13/15
to Modern Honey Network
This is an issue for me too. I want the sensor itself to sit in a DMZ which is totally locked down - no access to anything. So I don't understand why this scenario hasn't been implemented (at least in my mind) properly. Instead of the sensor connecting to the MHN server, I would want it the other way around: the MHN server polling the sensors. After all, this is a security product implemented for the most part by security-aware people. I don't think I am the only one that doesn't want the honeypot to be a threat to my overall network security.

In my setup I have deployed a sensor. Currently it is sitting on my LAN with the MHN server. When I move it to the DMZ it changes IP. How do I tell the MHN server this?

Thanks

/klaus

Jason Trost

Sep 21, 2015, 5:53:09 AM9/21/15
to Klaus Agnoletti, Modern Honey Network
MHN uses the architecture, protocols, and software defined by the Honeynet Project for communications between the server and the honeypots. I believe the biggest reason why the architecture is the way it is is for OPSEC and simplicity of management. If all the sensors listened on a port used for management control, it would be trivial to fingerprint the sensors. It also allows the honeypots to be moved (DHCP) without the management overhead of having to track this.

When you move your honeypot sensor, you should not have to update MHN. Data will continue to flow properly.

Thanks,

--Jason

--
Jason Trost | VP of Threat Research | www.threatstream.com

Klaus Agnoletti

Sep 23, 2015, 8:00:46 AM9/23/15
to Modern Honey Network
Hi Jason

Thanks for your reply. Even though I was initially against it, I think the most secure setup is to place both sensor and server on a separate DMZ where I can turn off the ability to initiate traffic when I am doing updates, and then just allow a bare minimum of traffic to the internet - and allow no traffic to the LAN.

/klaus

