Tunnel server

The tunnel/honeypot server can be separated into two parts. The first part is the tunnel server. The sensors initiate tunnels to the server, which have to be accepted by the tunnel server. For this, xinetd runs on the server to detect incoming tunnel connections, and OpenVPN is then started for each tunnel. The tunnel end-point on the server is called a tap device: a virtual interface that delivers the traffic from the tunnel on the server. The tap device receives an IP address from the client network address pool, which makes the server virtually present in the client network. Source-based routing is used to make sure that traffic from the tunnel is routed back to the client network and to prevent routing loops. The process of starting up a client can be divided into the following steps:

  • Sensor machine boots up.
  • Sensor checks if it has a certificate.
  • If the sensor doesn't have a certificate, it will request one from the server.
  • Sensor starts up the tunnel connection to the server.
  • Xinetd on the server detects an incoming connection.
  • Server scripts are started to handle the creation of the tap device, IP assignment and routing rules.
  • Tap device is created and gets an IP from the client network address pool (either statically assigned or by dhcp).
  • Tunnel is active; the honeypot will now detect all incoming connections and analyze them.
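The routing step above (a tap device that must answer through its own tunnel rather than the server's main default route) can be expressed as a per-tunnel policy-routing table. The script below is an added example, not the project's own server scripts; the tap name, addresses, gateway and table number are constructed values, and with DRY_RUN=1 (the default) it prints the iproute2 commands instead of executing them.

```shell
#!/bin/sh
# Added example: source-based routing for one server-side tunnel end-point.
# Assumed inputs (hypothetical, passed by the caller): tap device name, the
# address it got from the client pool, the client network, the client
# gateway and a dedicated routing-table number for this tunnel.
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs them (needs root).

DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# tunnel_routes TAP TAP_IP CLIENT_NET GATEWAY TABLE
# Installs a connected route for the client network and a default route via
# the client's gateway in a table of their own, then a rule that selects that
# table for packets sourced from the tap address. Replies to traffic that
# arrived through the tunnel therefore leave through the same tap device
# instead of the server's main default route, which is what avoids the
# routing loop the text mentions.
tunnel_routes() {
  tap=$1; tap_ip=$2; client_net=$3; gw=$4; table=$5
  run ip route add "$client_net" dev "$tap" src "$tap_ip" table "$table"
  run ip route add default via "$gw" dev "$tap" table "$table"
  run ip rule add from "$tap_ip" table "$table"
}

# tunnel_routes_remove TAP_IP TABLE: undo the rule and flush the table when
# the tunnel goes down, so a stale rule cannot blackhole the next sensor
# that is handed the same pool address.
tunnel_routes_remove() {
  tap_ip=$1; table=$2
  run ip rule del from "$tap_ip" table "$table"
  run ip route flush table "$table"
}

# Constructed example values for one sensor tunnel (documentation range).
tunnel_routes tap0 192.0.2.20 192.0.2.0/24 192.0.2.1 100
```

Each tunnel needs its own table number, since two sensors from different client networks may both hand out the same private address range.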

Honeypot

To analyze the traffic that comes through the tunnels we use a honeypot called Nepenthes. The logging from the honeypot and other analysis software is stored in a PostgreSQL database that runs on the logging server. The advantage of using a honeypot as our main analysis tool is that a honeypot can guarantee 0 false positives: nothing should legitimately connect to it, so the information can be taken as 100% reliable. This is an advantage over techniques like netflow analysis, firewall logging tools, etc.

 
global/tunnel_server.txt · Last modified: 2012/07/12 11:27 (external edit)