Honeypot Configuration with Firewalla Gold
I have just set up a honeypot (https://github.com/telekom-security/tpotce) and it's working great on my internal network, and I need advice on how to best expose it while still keeping my network safe. This is what I'm currently thinking:
1) Enable and put the host in the DMZ
2) Set ingress firewall to "Allow - Any sources"
3) On the host in Firewalla I should turn off "monitoring" as I imagine I would be getting unnecessary alerts.
4) Create rule to block all "traffic from and to all local networks"
5) Make an allow rule to make an exception of 1 laptop which I will use to access the honeypot web interface by setting it to outbound only.
Is there anything else I should do or would this be sufficient?
Thank you for your time and help.
Marc
-
Thank you for your prompt reply. I have a couple of questions for you. Currently the honeypot is sitting in a network/subnet that has multiple other hosts. From testing blocking rules I found out that Firewalla rules do not in fact work if the hosts are in the same network/subnet. My questions are:
1) As this one host will be put in the DMZ, should it be compromised would an attacker have access to all the other hosts in that subnet?
2) Is firewalla able to detect malicious activity such as port scanning from this host to other hosts in the same subnet and/or other subnets?
Thanks again!
Marc
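Added example (not part of any post in this thread): a small Python model of the two points raised above, namely that a host in the same subnet as the honeypot is reached over layer 2 and the router's rules are never consulted, and that once the honeypot sits in its own subnet/VLAN the proposed rules (block the honeypot to and from all local networks, allow one management laptop outbound to it, allow any internet source inbound) decide what is reachable. The topology, addresses and host names are constructed for illustration; the rule evaluation order (explicit allow, then block, then implicit allow) and the use of RFC 1918 ranges as "local networks" are assumptions, not Firewalla's documented semantics, and NAT/DMZ port mapping is not modelled.

```python
"""Model which hosts a honeypot can reach, and which of that traffic a
router-based firewall (Firewalla in router mode, or any gateway) sees.
Added example; topology and addresses below are constructed."""
import ipaddress

# Assumption: "all local networks" in the post means the RFC 1918 ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def same_subnet(src_if: str, dst: str) -> bool:
    """True when dst lies inside src's own subnet (src_if is 'addr/prefix').
    Such traffic is delivered directly over L2 (ARP + switch), so a router's
    block rules are never consulted."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(src_if).network


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def policy_allows(src: str, dst: str, honeypot: str, mgmt_laptop: str) -> bool:
    """The rules proposed in the first post, as a new-connection decision.
    Assumed order: explicit allow exception, then block, then implicit allow."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hp = ipaddress.ip_address(honeypot)
    if src_a == ipaddress.ip_address(mgmt_laptop) and dst_a == hp:
        return True   # step 5: laptop -> honeypot allowed (laptop initiates only)
    if hp in (src_a, dst_a) and is_local(src) and is_local(dst):
        return False  # step 4: honeypot <-> any local network blocked
    return True       # step 2: any internet source in; honeypot out to internet


def reachable(src_if: str, dst: str, honeypot: str, mgmt_laptop: str):
    """(reachable?, reason) for a new connection from src_if to dst."""
    src = src_if.split("/")[0]
    if same_subnet(src_if, dst):
        return True, "on-link: delivered over L2, router rules never consulted"
    if policy_allows(src, dst, honeypot, mgmt_laptop):
        return True, "routed: allowed by policy"
    return False, "routed: blocked by policy"


def unfiltered_neighbours(honeypot_if: str, hosts: dict) -> list:
    """Hosts sharing the honeypot's subnet: reachable no matter what rules exist."""
    return sorted(name for name, ip in hosts.items()
                  if ip != honeypot_if.split("/")[0] and same_subnet(honeypot_if, ip))


if __name__ == "__main__":
    # Constructed LAN: laptop and NAS on 192.168.1.0/24.
    hosts = {"laptop": "192.168.1.10", "nas": "192.168.1.20"}
    # Before: honeypot shares the LAN. After: honeypot alone on its own VLAN.
    before, after = "192.168.1.50/24", "192.168.50.2/24"
    print("shared subnet, unfiltered:", unfiltered_neighbours(before, hosts))
    print("own VLAN, unfiltered:", unfiltered_neighbours(after, hosts))
    for src_if, dst in [(before, "192.168.1.20"),
                        (after, "192.168.1.20"),
                        ("192.168.1.10/24", "192.168.50.2"),
                        (after, "192.168.1.10"),
                        ("198.51.100.7/32", "192.168.50.2")]:
        hp = src_if.split("/")[0] if src_if in (before, after) else "192.168.50.2"
        print(src_if, "->", dst, reachable(src_if, dst, hp, "192.168.1.10"))
```

Running it shows the NAS is reachable from the honeypot while they share a subnet regardless of rules, and becomes blocked only after the honeypot is moved to its own subnet; the laptop can still open connections to the honeypot, the honeypot cannot open connections back, and an internet source is allowed in. The practical check it suggests: list the hosts that share the honeypot's subnet, and if that list is not empty, the honeypot is not isolated by rules alone.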
-
I run Mysterium. I have a Firewalla Gold. I set up a new VLAN network just for this one device, opened the required ports to point to the computer (actually a VM), and turned monitoring off. I set rules that the entire network is not allowed to talk to any other network, and set up DNS to point to Google. Seems to work just fine for me.