Zac, I think there could be a scarier scenario if a malicious user gets access to the proxy: telling all remote machines to wipe/lock-out next time they have a network connection. How confident are you that all remote users are fully backed up?

AG, I do like that the default is to restrict access to everything by default, but I don’t think that this will necessarily help an organisations security posture over VPNs. I’ve seen just as many VPNs allow full access between ‘trusted’ locations running on devices with a default deny policy as those with default allow.

It won’t take long before there are plenty of how-to guides suggesting allow everything to get it working with a largely ignored footnote suggesting that you lock access down to suite your specific environment. Experience makes me pessimistic, an environment will only be as secure as the admin makes and most (rightly or wrongly) seem focus on getting functionality working first over security. Hopefully time will prove me wrong.

I had some misgivings too, but the impression I get is that this is actually going to end up being more restrictive than a vpn in many cases, since you need to enable every service you want it to access. Lots of vpns I’ve seen give full access to everything since thats the default and the most convenient, with direct access the default is deny until the admin sets it up.

Some other advantages are that if a computer gets stolen, it will still connect in automatically using the computer account even if the thief doesn’t know the user password to log in. You can then use this to either try and track its location via IP, or perform a remote wipe. In most cases the thief won’t be aware this is going on until its too late.

thanks for giving me your take on DA, I always like to hear what others think, especially on a topic where my own knowledge is limited. There wasn’t a demo of the technology last night so I didn’t have the chance to actually see it running I can kind of see the appeal from an ease of use perspective, but I’m not sure what is so complicated about the current solutions (VPN, etc.). Likewise, I can see the appeal of better management of the remote systems.

Everything is a trade-off between usability, price and security, my personal feeling at this point is that it trades too much security for not enough gain, but I am a paranoid security guy. But unfortunately I’m starting to agree with you, as security usually takes a back seat to usability and the ’shiny’ factor this could take off, for better or worse.

As far as ease of use and streamlining into the OS I couldn’t be more impressed. It would also blow holes in a firewall trying to figure out a connection. I am not sure what all security settings they had setup, but it would honestly tunnel out to ‘home’ on any open port it could find. You could even close ports as it was running and it would dynamically switch to an open port, even going out on 80 if it had to.

The one thing that he said is that it honestly allowed administrators more control of the roaming machine since settings could be changed on the fly anytime it connected. It also allowed more seamless integration with the home network since it would map drives, printers, and even let you use internal DNS requests.

But like you all I could think of was this was pretty much running a split tunnel, allowing the attacker to access the laptop then have free reign of the home network. Granted you can limit access to subnets, devices, and all of that, but once you start limiting things it no longer becomes seamless to the user and they will complain.

I honestly think it will take off. People like ease of use, and from what I could tell DA sure made that possible.

if I have your setup correct you have Nepenthes/Dionaea is running on the laptop, with the modem routing any traffic (or specific ports) from it’s external interface to the IP address of the honeypot service running on the laptop? Assuming my understanding is correct then you should have the setup correct.

Have you tested your Nepenthes/Dionaea installations locally to remove the network from the equation? Either from a second machine, or the laptop itself, can you communicate with the emulated services? and can the honeypot log this interactions?

Can you confirm that the port forwarding configuration correct? From an external location will traffic directed to your modem’s external IP address be routed through to your laptop. A simple test to take the honeypot configuration from the equation would be to setup a listening netcat session on your laptop and try to connect from an external location, assuming the connection is successful anything typed on one side of the connection should be echoed to the other. If this does not work then hopefully your modem’s logs should aid in tracking down the issue, although depending on device your mileage may vary.

Finally depending on your connection, your ISP may be filtering some inbound traffic to your IP address, mostly in an effort to protect ‘normal’ users from the kind of malicious activity monitored by the honeypot. Unfortunately if this is the case then no amount of configuration on your end will resolve the issue. If this is the case then you may be able to get the restrictions removed by contacting the network support team by your provider, but again your mileage may vary.

Hope this helps, happy honeypotting