Network topology of the Trivadis honeynet. The various honeypots are set up as VMware guest operating systems for easier maintenance and cost efficiency. All network traffic is logged and archived on a dedicated server.

Data Control Network

Here are located all our honeypots and services that we would like to analyze. Special note on the IDS server in the middle that has three NIC. The two on the data control network are bridged (no IP) and one is used in the administrative network. The bridged network is where all the network traffic is flowing. In case that a signature is no more interesting for use, we’ll drop the package using Linux iptables.

Administrative Network

This network is used for the administration of the firewall and for sending syslogd and samhain (host based IDS) data. Only the TCP/UDP ports required for logging are open to the other network.

Border Router

This router seperates the honeynet from the wild Internet. It is a standard Internet router and not secured so it doesn’t raise suspiction to the blackhat community.

Checkpoint NG Firewall

This firewall is used to protect the world from compromised systems and limit outbound connections. In normal condition the honeynet is fully transparent to the Internet. Have a look at the firewall rules setup.

Linux Firewall, Snort/IPtables IDS

This firewall is set up in bridged mode (no IP) and not as a router as it is usual for common firewalls. Therefore it remains invisible to the blackhat community attacking our honeynet. The TTL (time to life) value of the IP packets is not altered either. Usually bridges are used to transparently connect two different kind of physical networks up to the data link layer (e.g. Ethernet and a Wireless LAN). The advantage of this setup is obvious:

  • The IDS gateway sitting in the middle of the data control network has no IP and can not be attached with OSI layer 3 or upper attacks. These type of attacks are the most common.
  • Invisibility from outside (stealth). An cracker can only see that something is sitting in the middle (a MAC address), but can not find out what exactly it is. But since the MAC layer is invisible from a routed Network the cracker will only be aware of this when he had compromised the Checkpoint NG firewall.

Modular Syslogd Server

The syslog server is for collecting and archiving the various logfiles of the firewalls, Snort network IDS, Samhain host IDS and system logfiles of the guest operating systems. It is located in a dedicated administrative network The logs are stored in a MySQL database.

RealSecure Manager / Network Sensor

For additional monitoring and intrusion detection we set up RealSecure Network Sensor, which is a commercial, powerful but very expensive network IDS. Unfortunately the workgroup manager and network sensor currently runs on Windows. Because Windows does not allow interfaces without IP address the system is visible for the blackhat community and could raise suspiction. To give a minimum of protection we installed Tiny Firewall on it.


The Honeypots are set up as VMware guest operating systems in bridged mode, each with an own IP address. To the blackhat community they appear like physical computers connected to the Internet through a normal router. The host operating system is RedHat Linux 7.2 set up with a bridged ethernet card and no IP address so they remain invisible to the blackhat community.

Currently these operating systems are installed:

  • OpenBSD 3.0
  • RedHat 7.2 Linux (DNS, NTP and Apache HTTP server)
  • Solaris 8 (x86 Version)
  • Windows 2000 Advanced Server (MS IIS Server)
  • Windows XP (Home Edition)

All these operating systems are set up with default settings and are updated to the latest patchlevel. They are not explicitely made secure or hardened in any way, exept that on each Samhain in stealth mode is installed to monitor file changes. On these system the most commonly used network services are installed to find out how secure they are.