The sole purpose of the sensor is to act as a transparent bridge between the client network and the tunnel/honeypot server. The sensor manages the creation and destruction of the tunnel that connects the tunnel/honeypot server to the client network. Its functions can be summarized in four items:

  • Creation and destruction of the tunnel between the client network and the tunnel/honeypot server.
  • Certificate management for the sensor certificates used by OpenVPN.
  • Handling remote updates.
  • Updating status information to the server.

The certificates on the sensor are used to set up and secure the tunnel and to identify the sensor to the tunnel/honeypot server. The first time the sensor boots, it requests a unique certificate; from that moment on the sensor is unique and can be identified by its certificate name. The sensor uses a few scripts to handle the updates, the tunnel and user interaction. These scripts can be updated remotely when new versions are available, so little action is required to update all deployed sensors. Once every hour the sensor checks whether new updates are available; if so, it downloads the new versions of the scripts and authenticates them before they are used. Along with these hourly update checks, status information is exchanged between the sensor and the server. This enables the server to keep track of the sensor status and to remotely perform certain actions (such as enabling the SSH daemon, (re)starting the sensor, disabling the sensor, etc.).
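The page says the sensor authenticates downloaded scripts but does not describe how. The following is an added example, not the sensor project's own code, of what an authenticated update step has to do: the server (assumed) publishes a JSON manifest with a version number and the SHA-256 digest of each script, plus a detached HMAC-SHA256 tag over the manifest computed with a key the sensor is assumed to have received at enrolment. The sensor verifies the tag first, refuses rollbacks and unlisted or renamed files, checks every digest, and only then swaps the scripts into place atomically. All names, keys and file contents below are constructed for the demonstration.

```python
"""Authenticated remote update for a sensor: an added, illustrative example and
not the sensor project's own code.  Assumed design (the page does not describe
the mechanism): the server publishes a JSON manifest listing each script with
its SHA-256 digest and a version number, plus a detached HMAC-SHA256 tag over
the manifest computed with a key the sensor received at enrolment."""
import hashlib
import hmac
import json
import os
import tempfile


def build_bundle(key: bytes, version: int, files: dict) -> tuple:
    """Server side (constructed for the demo): manifest bytes and its HMAC tag."""
    manifest = {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    return manifest_bytes, tag


def verify_manifest(manifest_bytes: bytes, tag: bytes, key: bytes) -> dict:
    """Authenticate the manifest before trusting anything it says."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest authentication failed")
    return json.loads(manifest_bytes)


def verify_files(manifest: dict, files: dict) -> None:
    """Every downloaded file must be listed with a matching digest; no extras."""
    if set(files) != set(manifest["files"]):
        raise ValueError("downloaded file set does not match manifest")
    for name, digest in manifest["files"].items():
        # refuse empty names, '.', '..' and anything containing a path component
        if not name or name in (".", "..") or os.path.basename(name) != name:
            raise ValueError(f"unsafe file name {name!r}")
        actual = hashlib.sha256(files[name]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            raise ValueError(f"digest mismatch for {name}")


def install_update(manifest_bytes, tag, files, key, current_version, dest_dir) -> int:
    """Verify the bundle, refuse rollbacks, then install each script atomically."""
    manifest = verify_manifest(manifest_bytes, tag, key)
    if manifest["version"] <= current_version:
        raise ValueError("update is not newer than installed version (rollback refused)")
    verify_files(manifest, files)
    for name, data in files.items():
        fd, tmp = tempfile.mkstemp(dir=dest_dir)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, 0o755)
        os.replace(tmp, os.path.join(dest_dir, name))  # atomic swap of the script
    return manifest["version"]


def _outcome(func, *args) -> str:
    try:
        func(*args)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def run_demo() -> dict:
    """Constructed scenario: a valid bundle, then three attacks it must reject."""
    key = b"key-provisioned-at-enrolment"          # assumption: per-sensor shared key
    files = {"tunnel.sh": b"#!/bin/sh\n# start tunnel\n",
             "update.sh": b"#!/bin/sh\n# check for updates\n"}
    manifest_bytes, tag = build_bundle(key, 2, files)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["valid"] = install_update(manifest_bytes, tag, files, key, 1, d)
        results["installed"] = sorted(os.listdir(d))
        tampered = dict(files)
        tampered["tunnel.sh"] += b"# injected line\n"  # modified in transit
        results["tampered"] = _outcome(install_update, manifest_bytes, tag, tampered, key, 1, d)
        results["wrong_key"] = _outcome(install_update, manifest_bytes, tag, files, b"other-key", 1, d)
        results["rollback"] = _outcome(install_update, manifest_bytes, tag, files, key, 2, d)
    return results


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check:10} {result}")
```

Two points carry over to any real update channel: the manifest must be authenticated before its contents are acted on (otherwise an attacker who can alter the download can also alter the digests), and a version check is needed so that an old, correctly signed bundle cannot be replayed to downgrade the sensor. A shared HMAC key is used here only to keep the example self-contained; a deployment with many sensors would normally sign the manifest with a server key and verify it with the corresponding public key on the sensor.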

What do you need?

The sensor has been created with the Plug and Play principle in mind. To run a sensor you will need:

  • 1GB USB stick
  • Hardware with at least 1 NIC
  • Hardware able to boot from USB
  • Firewall accepting outgoing connections to ports 1194 and 4443 (or 443)

A 1GB USB stick has been chosen so that all required sensor and OS files can be updated remotely. The hardware that runs the sensor must be able to boot from USB and must have at least one Network Interface Card to connect to your network and to the tunnel server. The advantage of USB boot is that it ensures new hardware can be used, so there is less chance of hardware problems, and that the sensor can be updated remotely. The ports that need to be open on the firewall are 1194 and 4443 (or 443). Port 1194 is used by OpenVPN to set up the tunnel to the tunnel/honeypot server. Port 4443 is used for the remote updates and for the status information exchange between the sensor and the server. Connections are always initiated by the sensor, so only outgoing connections towards the server on these ports need to be accepted; no inbound ports need to be opened.

global/sensor.txt · Last modified: 2012/07/12 11:27 (external edit)