Honeywall CDROM FAQ

Here you will find answers to many frequently asked questions concerning the Honeywall CDROM.

Last Updated: 11 September, 2004

Getting Started

Configuration Questions

Problems and Errors

CDROM Customization

VMWare Questions



What is the purpose of the CDROM?
Honeynets are time consuming to build and deploy. One of the most difficult components is the Honeywall gateway, the physical device that performs Data Control and Data Capture. Traditionally, this was built by manually combining a variety of tools (see Know Your Enemy: Gen2 Honeynets for more info). The Honeywall CDROM attempts to make deployments easier, as all the tools and configuration files are supplied on a single CDROM ready to go. The CDROM also allows organizations to standardize their deployments, making them easier to manage and making it easier to centralize and analyze the data they collect.

What OS is the CDROM based on?
The CDROM is based on a modified version of William Salusky's FIRE CD.

Does the CDROM come with the honeypots?
No, the CDROM only boots into a layer two (or layer three if you choose) gateway that implements Data Control and Data Capture. For honeypots, you have to place them behind the Honeywall gateway.

Why is the CDROM considered Beta?
The CDROM is very complex in that it is running a variety of different tools that are doing jobs they were never expected to. We would like to have the community beat the CDROM up for several months before we can consider this a production solution.

How do I determine which physical ports eth0, eth1, and eth2 are on?
First, keep in mind the Honeywall CDROM makes the following assumptions. You can change this behavior in the menu, but below is the default.

  • eth0 is the "Internet" or outside Interface
  • eth1 is the LAN interface (Honeypot side)
  • eth2 is the Management interface
  • br0 is the virtual bridge interface (eth0 + eth1)

So now the trick becomes, on the back of your computer, which physical port is eth0, eth1, and eth2? Tis no simple task. However, we recommend the following.

  1. Bring all eth interfaces down except eth0.
  2. Flood eth0 with traffic (ping, Nmap, etc... )
  3. Watch which port's lights on the back of the computer go mad; that port is eth0.
  4. Repeat for other eth interfaces.

Once configured and rebooted the Honeywall, how can I launch the Menu interface?
After you set up and reboot your Honeywall, you will notice that you are no longer automatically given the Menu interface. This is to give your Honeywall some minimal physical security. To start up the Menu interface, type the command menu at the command line as root.

Why am I getting false alerts of outbound activity?
There is a problem with IPTables. At times, it will fail to properly track state and count outbound ACK, RST or FIN packets as a new connection, when in fact they are part of an established inbound connection. There is nothing we can do about this until the problem is addressed in IPTables.
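Until the tracking problem is fixed, the practical question is how to tell a genuine outbound connection from one of these false alerts when reviewing logs. The script below is an added example, not part of the FAQ or the Honeywall CDROM: it parses a few constructed log lines in the standard netfilter LOG-target format (the "OUTBOUND NEW" prefix is a placeholder; the CDROM's own alert mechanism and rule names are not described on this page) and labels each outbound "new connection" alert. A packet that can actually open a TCP connection carries SYN without ACK; anything else on TCP (a bare ACK, RST or FIN) is flagged as a likely state-tracking miss of the kind the FAQ describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in netfilter LOG-target format. The log prefix
# "OUTBOUND NEW" is an assumed placeholder, not a Honeywall rule name.
SAMPLE_LOG = """\
Sep 11 10:01:02 honeywall kernel: OUTBOUND NEW IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=1034 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 11 10:01:03 honeywall kernel: OUTBOUND NEW IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.20 PROTO=TCP SPT=22 DPT=40001 WINDOW=5840 RES=0x00 ACK URGP=0
Sep 11 10:01:04 honeywall kernel: OUTBOUND NEW IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.20 PROTO=TCP SPT=22 DPT=40001 WINDOW=0 RES=0x00 ACK RST URGP=0
Sep 11 10:01:05 honeywall kernel: OUTBOUND NEW IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.30 PROTO=UDP SPT=1035 DPT=53 LEN=40
Sep 11 10:01:06 honeywall kernel: OUTBOUND NEW IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.20 PROTO=TCP SPT=22 DPT=40001 WINDOW=5840 RES=0x00 ACK FIN URGP=0
"""

# Flag names the LOG target prints as bare tokens when the bit is set.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Split one LOG line into its KEY=value fields plus the set of TCP flags."""
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = set(line.split()) & TCP_FLAGS
    return fields


def classify(fields):
    """Label an outbound 'new connection' alert.

    'real'    TCP SYN without ACK: the only packet that opens a connection
    'suspect' TCP without SYN (bare ACK/RST/FIN): belongs to an existing
              session, so the alert is most likely a conntrack miss
    'other'   non-TCP: flag-based reasoning does not apply
    """
    if fields.get("PROTO") != "TCP":
        return "other"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "real"
    return "suspect"


def triage(log_text):
    """Return (counts, suspects_by_local_port) for a block of LOG lines.

    counts: Counter of labels; suspects_by_local_port: local source port ->
    number of suspect alerts, which shows whether the suspects cluster on a
    service port (e.g. 22) that an inbound session would have been talking to.
    """
    counts = Counter()
    by_port = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        label = classify(fields)
        counts[label] += 1
        if label == "suspect":
            by_port[int(fields["SPT"])] += 1
    return counts, dict(by_port)


if __name__ == "__main__":
    counts, by_port = triage(SAMPLE_LOG)
    print("alert labels:", dict(counts))
    print("suspect alerts by local port:", by_port)
```

On the constructed sample this yields one real alert (the SYN to port 80), three suspects (ACK, ACK+RST and ACK+FIN, all from local port 22, i.e. replies within an inbound SSH session) and one non-TCP alert. The heuristic only helps with review; it does not stop the false alerts, which the FAQ notes depend on a fix in IPTables itself.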

What is the purpose of customization?
The CDROM comes with a menu that allows you to configure your Honeywall CDROM. However, some organizations may want to customize their Honeywall before they burn it (such as adding new binaries, modifying configuration files, creating PGP or SSH keys, etc.). This allows an organization to create and customize multiple Honeywalls, then send the preconfigured CDROMs to different administrators. You can learn more about customization at Dave Dittrich's Customization Site.

Can the Honeywall CDROM run in VMware for deploying Virtual Honeynets?
Yes. You configure all your guest operating systems with a single host-only network adapter, and the Honeywall with one bridged and one host-only network adapter. To learn more, check out the paper Deploying Honeywall Using VMware.

Do I need SCSI or IDE drives on VMware?
Currently Honeywall works on IDE drives only. You can configure an IDE drive from the Advanced Virtual Disk options in VMware. Future versions of the Honeywall CDROM should support SCSI.

When I boot up with Honeywall CD, I get an error saying "PCI : Cannot allocate resource region 4 of device 00:07.1". What does it mean?
Normally, you get an allocation resource error when VMware is not able to properly communicate with the host devices. The error can be ignored, as it doesn't stop Honeywall from booting.

Why can't the CDROM detect my hard drive?
There can be multiple reasons for not detecting the hard drive. The hard drive might be SCSI. The hard drive size might be under 500 MB. Make sure that you boot with an IDE hard drive that has more than 500 MB of disk space. Honeywall uses 500 MB of disk space for swap and the remainder for storing the logs.

The Honeywall doesn't seem to work in VMware; I get ARP packets and the occasional broadcast, but that is it. What gives?
Check to ensure that you have the proper permissions to put the interfaces into promiscuous mode, i.e., run VMware as root.

