RE: forensics honeypot and properly separating networks

From: ListServ (knothead_at_clarksoncollege.edu)
Date: 11/09/05

    Date: Wed, 9 Nov 2005 09:26:44 -0600
    To: <security-basics@securityfocus.com>
    
    

    I'm a big fan of ipcop for a couple of reasons. One, it is a canned distro,
    so there is less chance of beginners making big mistakes. Two, it is
    powerful for the seasoned professional -- iptables can do plenty to protect
    your n/w, from 2 machines up to 1000.

    Once you start digging into the guts of ipcop you will learn iptables
    which is the heart of any linux firewall.

    Ok. I'm done ranting...

    You can do all your playing w/o risking your local machines to the n/w.

    -----Original Message-----
    From: David S [mailto:securitydabbler@gmail.com]
    Sent: Tuesday, November 08, 2005 8:46 AM
    To: security-basics@securityfocus.com
    Subject: forensics honeypot and properly separating networks

    Hello all,

    I am trying to achieve a goal and I'm looking for a bit of advice from the
    list. All constructive or not so constructive criticisms and ideas will be
    appreciated.

    --A little background
    I've worked with Linux/*BSD/Windows administration and DBA type work for
    about 6 or 7 years, so I'm comfortable there, but I'm moving into the
    security realm and don't have much knowledge past access control and the
    basics. I've read a lot but haven't put much into practice. I'm a bit weak
    with regards to the network side of things. I'm on a budget for new
    hardware, probably 300-500 USD.

    --My current home setup
    {
    Beefy Linux Box
    Beefy Windows XP Pro box which I use to surf, internet banking, home
    budgeting, amazon etc.
    Normal Windows Home (family box)
    DSL with Static IP
    Linksys Wireless Router, all of the above NATted
    Linksys Switch
    } For argument's sake I'd like to label this the green zone or green
    network.
    3 unused Frankenstein desktops that need to be utilized and can be
    cannibalized and turned into whatever.

    Goals
    1. Most importantly, completely keep the XP boxes and my Linux box safe for
    use for internet banking, billpay, confidential info, work etc.

    2. Put my Frankenstein boxes (I'd like to have a Windows, Linux and a *BSD
    box) out in a "red zone" that can serve as a honeypot of sorts. I'd like to
    be able to watch as people attack these boxes, pull some forensic data,
    look at the logs to teach myself how they got in and how to better harden
    my boxes. Play around with the different Linux and BSD flavors, build out
    an IDS box to capture traffic, perhaps set up a syslog box. I'd be totally
    ok with rebuilding after they are torn apart.

    3. Practice my own vulnerability scans and pen tests against both green and
    red networks from two dual boot laptops loaded with tools or knoppix-std
    etc., and again watch the IDS flip out as I run tests.

    4. Again --Very important to keep my "green zone" boxes safe to use for
    surfing, banking, identity protection etc.

    Questions:
    1. Can I accomplish what I mentioned I need help with without adding too
    much risk to my green zone (Linux and XP Pro box)? I'm worried about
    someone gaining root/admin on the "red zone" boxes and attacking my "green
    zone" boxes.

    2. Should I utilize one of my old desktops to set up a firewall or router
    as something between green and red zones? Will IPChains do the trick?

    3. Compiling a firewall I can do; setting up routing to deny traffic I'm
    a bit confused about. Would I create two networks and just deny traffic
    from red to green and green to red, but allow green to access the outside
    world?

    4. I've heard pvlan (private VLAN) used around the office; would I need
    a high dollar Cisco device to set up a private VLAN so that things can't
    see each other?

    5. Buy another hardware router and separate the two networks?

    6. Some other plan that I haven't thought of this morning?

    Thanks again for any suggestions any of you have. Security has been my
    driving interest, but it's time for me to move past newbie and spend the
    next year gaining some moderate knowledge.

    Thanks for your help and for reading my post that rivals the length of
    War and Peace.

    David
    securitydabbler@s1.com

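The green/red split David asks about in questions 2 and 3, as an added example that is not part of the thread: a three-interface Linux firewall written for iptables (the reply's recommendation) rather than ipchains. The interface names eth0/eth1/eth2 and the two subnets are assumptions; the policy lets green reach the Internet, lets the Internet reach the red honeypots, and never lets the two zones talk to each other.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and subnets are assumed.
WAN=eth0                                   # DSL side with the static IP
GREEN_IF=eth1; GREEN_NET=192.168.1.0/24    # trusted: Linux box, XP boxes
RED_IF=eth2;   RED_NET=192.168.2.0/24      # honeypot / lab "Frankenstein" boxes
DRY_RUN=${DRY_RUN:-1}                      # 1 = print rules, 0 = apply them

# Policy for NEW connections from one zone to another. Replies to allowed
# connections are matched by connection tracking, not by this table.
zone_policy() {
    case "$1:$2" in
        green:wan) echo ACCEPT ;;   # surfing, banking from the green zone
        wan:red)   echo ACCEPT ;;   # the outside may reach the honeypots
        *)         echo DROP   ;;   # green<->red, wan->green, and red->wan
    esac                            # (a torn-apart honeypot must not become
}                                   #  a launchpad against anyone else)

iface() {                           # zone name -> interface name
    case "$1" in green) echo "$GREEN_IF" ;; red) echo "$RED_IF" ;; wan) echo "$WAN" ;; esac
}

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

build_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies to connections that were already permitted
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: each LAN leg only carries its own subnet
    ipt -A FORWARD -i "$GREEN_IF" ! -s "$GREEN_NET" -j DROP
    ipt -A FORWARD -i "$RED_IF"   ! -s "$RED_NET"   -j DROP
    # Record any attempt to pivot from red to green before dropping it;
    # that is exactly what the syslog/IDS box should be watching for.
    ipt -A FORWARD -i "$RED_IF" -d "$GREEN_NET" -j LOG --log-prefix "RED->GREEN: "
    # One stateful NEW rule per zone pair, taken straight from the policy table
    for pair in green:wan green:red red:green red:wan wan:green wan:red; do
        src=${pair%:*}; dst=${pair#*:}
        ipt -A FORWARD -i "$(iface "$src")" -o "$(iface "$dst")" \
            -m state --state NEW -j "$(zone_policy "$src" "$dst")"
    done
    # Green hides behind the static IP; red gets no masquerading at all
    ipt -t nat -A POSTROUTING -s "$GREEN_NET" -o "$WAN" -j MASQUERADE
}

build_rules
```

With a single static IP, traffic from the outside only reaches a red box if you also add DNAT port-forwards for the services you want exposed; that is left out here. The deliberate DROP of new red-to-Internet connections means a compromised honeypot can answer attackers but cannot initiate traffic to anyone else.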
    
