The tunnel/honeypot server can be separated into two parts. The first part is the tunnel server. The sensors initiate tunnels to the server, and these tunnels need to be accepted by the tunnel server. For this, xinetd runs on the server to detect incoming tunnel connections, and an OpenVPN process is then started for each tunnel. The tunnel end-point on the server is called a tap device: a virtual interface that delivers the traffic from the tunnel on the server. The tap device receives an IP address from the client network's address pool, which makes the server virtually present in the client network. Source-based routing is used to make sure that traffic from the tunnel gets routed back to the client network and to prevent routing loops. The process of starting up a client can be divided into the following steps:
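The per-tunnel source-based routing mentioned above, as an added example that is not the project's own script: a small POSIX-sh helper in the style of an OpenVPN up/down hook. It assumes the tap device has already obtained its address from the client network, that the client's gateway address is known, and that routing-table ids 100 and upwards are unused on the server.

```shell
#!/bin/sh
# Hypothetical helper for one tunnel end-point on the honeypot server.
# One routing table per tunnel: packets that leave with the tap's own source
# address are routed back through the client's gateway instead of the
# server's default route. Because the rule matches only on the tap's source
# address, the OpenVPN session itself (sourced from the server's public
# address) keeps using the main table, which is what avoids a routing loop.

# Derive a routing-table id from the tap index: tap0 -> 100, tap1 -> 101, ...
table_for_dev() {
    idx=${1#tap}
    case "$idx" in
        ''|*[!0-9]*) echo "not a tap device: $1" >&2; return 1 ;;
    esac
    echo $((100 + idx))
}

# Emit the iproute2 commands that install source-based routing for a tunnel.
# $1 = tap device, $2 = tap IP, $3 = client network (CIDR), $4 = client gateway
srcroute_cmds() {
    dev=$1; addr=$2; net=$3; gw=$4
    table=$(table_for_dev "$dev") || return 1
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$dev" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf 'ip rule add from %s lookup %s\n' "$addr" "$table"
}

# Emit the commands that undo the above when the tunnel goes down.
# $1 = tap device, $2 = tap IP
srcroute_del_cmds() {
    dev=$1; addr=$2
    table=$(table_for_dev "$dev") || return 1
    printf 'ip rule del from %s lookup %s\n' "$addr" "$table"
    printf 'ip route flush table %s\n' "$table"
}

# Execute a generated command list (needs root); fails on the first error.
run_cmds() {
    while read -r cmd; do
        eval "$cmd" || return 1
    done
}

# Usage (constructed values), e.g. from an OpenVPN up hook:
#   srcroute_cmds tap3 10.1.2.50 10.1.2.0/24 10.1.2.1 | run_cmds
```

Running the generated commands requires root and a live tap device; the generator functions themselves can be inspected without either.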
To analyze the traffic that comes through the tunnels we use a honeypot called Nepenthes. The logging from the honeypot and other analysis software is stored in a PostgreSQL database running on the logging server. The advantage of using a honeypot as our main analysis tool is that a honeypot can guarantee zero false positives: any connection it records is by definition unsolicited, so the information can be taken as 100% reliable. This is an advantage over techniques like netflow analysis, firewall logging tools, etc.