This section shows various network wiring diagrams for a honeynet, using 10BASE-T (twisted pair) Ethernet cabling.
For the initial honeynets being deployed by the Pacific Northwest Honeynet Alliance, it is recommended that only a single honeypot be used with one honeywall. Additional, single honeypot honeynets can be built as resources allow. Two basic designs are shown for this configuration (one using shared network infrastructure, and one showing direct connections.)
Figure 1 - Honeynet with one honeypot and management host using a shared network
This diagram shows the network configuration and hardware wiring details for a single honeypot honeynet, using a honeywall and management host on the same network. In this configuration:
All cables shown as green are standard twisted pair cables.
2 Hubs or switches are used to connect interfaces together, along with 5 cables.
The management host only needs to have one network interface.
Figure 2 - Honeynet with two honeypots and management host using a shared network
Figure 2 extends the design to include multiple honeypots off the internal interface of the honeywall.
This design, while simple and easy to understand, also has some serious security implications on the outside of the honeywall.
An attacker who is able to compromise a host on the same network segment as the honeywall and management host (i.e., attached to another port on the switch/hub on the left) can monitor all traffic on the segment. Any alert email messages that are sent out using unencrypted SMTP transactions, or unencrypted syslog UDP traffic, could be seen by the attacker. This exposes not only the honeypots themselves, but also the management host and honeywall. These will then become targets themselves, or the attacker can disrupt, corrupt, or monitor externally logged data.
This is a serious risk in a production environment and should be avoided by using the more complex design that follows.
Figure 3 - Honeynet with one honeypot and management host and direct connections
This diagram shows a similar network configuration for a single honeypot honeynet, only this time the honeywall<->honeypot connection and honeywall<->management host connections are direct. In this configuration:
All cables shown in green are standard twisted pair cables.
All cables shown in red are cross-over twisted pair cables. Cross-over cables eliminate the need to use hubs or switches to connect two 10BASE-T interfaces together.
The cross-over cable on the internal side of the honeywall is only for convenience (see below for a multi-honeypot configuration using direct connections.)
Only one hub or switch is needed to connect interfaces together outside the honeywall, with 2 standard twisted pair cables and 2 cross-over cables for direct connections.
The management host needs to have two network interfaces.
Figure 4 - Honeynet with two honeypots on a shared network and management host using a direct connection
The main benefit of these last two configurations is that communication between the honeywall and the management host is entirely segregated (and thus hidden) from the shared network on the left. Nobody can see the honeywall, unless they first compromise the management host. (The management host in this diagram only needs to have a connection to the hub/switch on the left if it needs general Internet or intranet connectivity.)
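The difference between the shared and direct-connection designs can be checked mechanically. The following is an added example, not part of the original guide: it models Figures 1 and 3 as lists of segments and derives the hub, cable and NIC counts stated above, plus which third-party hosts share a segment with the honeywall's management interface. Host, interface and segment names are assumptions (an assumed reading of the figures), and a hub/switch is treated as a shared segment, as in the text.

```python
# Added example: names and interface assignments are an assumed reading of
# Figures 1 and 3, not taken from the original diagrams.
SHARED = [  # Figure 1: management traffic rides the outside hub/switch
    ("outside", "hub", ["honeywall:ext", "honeywall:mgmt", "mgmt-host:nic0"]),
    ("inside", "hub", ["honeywall:int", "honeypot:nic0"]),
]
DIRECT = [  # Figure 3: cross-over cables carry the management and honeypot links
    ("outside", "hub", ["honeywall:ext", "mgmt-host:nic0"]),
    ("mgmt-link", "crossover", ["honeywall:mgmt", "mgmt-host:nic1"]),
    ("inside-link", "crossover", ["honeywall:int", "honeypot:nic0"]),
]


def bill_of_materials(topology):
    """One standard cable per hub port in use, one cross-over per direct link."""
    bom = {"hubs": 0, "standard": 0, "crossover": 0}
    for _name, kind, members in topology:
        if kind == "hub":
            bom["hubs"] += 1
            bom["standard"] += len(members)
        elif len(members) == 2:
            bom["crossover"] += 1
        else:
            raise ValueError("a cross-over cable joins exactly two interfaces")
    return bom


def management_observers(topology, neighbors):
    """Third-party hosts on the segment that carries honeywall:mgmt traffic.
    `neighbors` maps a hub name to hosts plugged into its spare ports."""
    for name, kind, members in topology:
        if "honeywall:mgmt" in members:
            if kind == "crossover":
                return set()  # point-to-point link: no third port to listen on
            return set(neighbors.get(name, []))
    raise ValueError("topology has no honeywall management interface")


def nic_count(topology, host):
    """Number of interfaces the wiring requires on `host`."""
    return sum(m.split(":")[0] == host for _n, _k, ms in topology for m in ms)
```

Passing `{"outside": ["neighbor-host"]}` as `neighbors` models a compromised machine on the left-hand hub/switch: it appears as an observer in the shared design and not in the direct one.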
Your honeywall hardware should fit the following minimum specifications:
At least a Pentium II 450 MHz processor
At least 512MB of RAM
At least three NICs (either three single port NICs, or one single port and one dual port NIC, such as the Intel Pro 100 Dual Port Server Adapter.)
Preferred NIC Drivers: 3com 3c509x or Intel Pro Series
One hard drive with at least 20GB to 40GB capacity.
One 18x or higher CD-ROM drive
One 3.5" 1.44MB floppy disc for external configuration
Figure 5 shows an example of a typical configuration, priced out from Mwave.com (chosen simply as an example; this does not imply Mwave.com is the best or only place to get this hardware.)
Figure 5 - Example hardware configuration for a honeywall (Shuttle)
Other options for similar hardware systems include the iWill XP4 Mini-PC
Figure 6 - Example hardware configuration for a honeywall (iWill)
Minimally, the management host can be any workstation that has an SSH telnet client to access the honeywall remotely. However, if you plan to use the management host to hold images and logs and to receive alerts, we recommend the following:
As fast a processor as you can afford
At least 512MB of RAM
At least one NIC (two for direct connection to the honeywall for management)
At least one hard drive with >= 80GB capacity (if you will be storing compromised host images on this system, it is recommended you get multiple drives of 100GB or larger)
One CD-RW drive to burn ISOs
One 3.5" 1.44MB floppy disc for external configuration
Honeypot configuration is more flexible, as it only needs to be big and fast enough to run whatever operating system you wish to install.
At least a Pentium II 450 MHz processor
At least 512MB of RAM
One NIC (supported by the OS)
One hard drive with at least 10GB capacity. Smaller hard drives allow for shorter image creation times
One 18x or higher CD-ROM drive
One 3.5" 1.44MB floppy disc for external configuration or USB port for USB drive for copying OS log files off honeypot