A DMZ does nothing to protect the rest of your network from a hacked honeypot. All it does is tell the router where to send incoming packets that aren't addressed to machines on your network.
No, not at all, that's a false assumption. Ports you're using for servers will still be forwarded to those servers so they'll still be vulnerable and a honeypot will never see traffic on those ports. And once your honeypot has been hacked, your entire network will be vulnerable.

> Apart from that, if you run several servers at home then ports are inevitably open, so the honeypot makes it more secure
Depends on what you call "DMZ".

thagrol wrote: ↑Sun Jul 22, 2018 12:31 pm
> A DMZ does nothing to protect the rest of your network from a hacked honeypot. All it does is tell the router where to send incoming packets that aren't addressed to machines on your network.
Think of it as a default rule for port forwarding.
A DMZ does not isolate the machine in it from the rest of your network.
Yeah, can't argue with that but I was assuming the OP has a consumer grade router in my posts above.

epoch1970 wrote: ↑Sun Jul 22, 2018 1:47 pm
> Depends on what you call "DMZ".
- In consumer-grade products what DMZ means is "forward any port to host X". It's just a form of port forwarding and nothing tells what happens when the DMZ machine is taken over.
- In more "advanced" products you can manage multiple networks, say a LAN and a DMZ (for that single host). In this case the DMZ can be isolated from the LAN, at least until the router gets hacked.
Yep, but setting one up safely (i.e. with minimal risk to other machines on your LAN) will take more knowledge and experience than the OP appears to have. And no, I can't help with that setup. I've never done this, and don't intend to set one up. The risks far outweigh the minimal benefits.

> A honeypot or IDS in general is a network security experiment, and could be of interest as such.
Second that, but if the OP still wants to put a host in a DMZ, they'll learn the hard way why it's a bad idea.

> It is not a practical way of improving the level of security/privacy of a network; for this, staying under the radar and silently dropping unwanted traffic is (still) the best way to go.
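Added example (not from any poster in this thread): an nftables ruleset for the "advanced" setup described above, where the DMZ is a separate network rather than a default port forward, so a compromised honeypot cannot reach the LAN, while unwanted WAN traffic is silently dropped. Interface names (eth0/eth1/eth2), the 192.168.1.0/24 and 192.168.2.0/24 ranges, the honeypot at 192.168.2.10 and the LAN web server at 192.168.1.20 are all assumptions for illustration. It also shows the point made earlier in the thread: a port forwarded to a real server still bypasses the honeypot.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the thread. Assumed layout (illustrative):
#   eth0 = WAN, eth1 = LAN 192.168.1.0/24, eth2 = DMZ 192.168.2.0/24
#   honeypot 192.168.2.10 in the DMZ, a real web server 192.168.1.20 on the LAN
flush ruleset

define wan      = "eth0"
define lan      = "eth1"
define dmz      = "eth2"
define lan_net  = 192.168.1.0/24
define honeypot = 192.168.2.10
define webhost  = 192.168.1.20

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Router management and DNS only from the LAN; nothing from DMZ or WAN.
        iif $lan tcp dport 22 accept
        iif $lan udp dport 53 accept
        # Policy drop, not reject: unsolicited WAN packets get no ICMP or RST
        # back, which is the "stay under the radar" behaviour.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN hosts may initiate connections anywhere (WAN or DMZ).
        iif $lan accept
        # Inbound WAN connections that prerouting DNAT'd to the honeypot or the
        # explicitly forwarded web port are allowed through.
        iif $wan oif $dmz ip daddr $honeypot accept
        iif $wan oif $lan ip daddr $webhost tcp dport 443 accept
        # DMZ may reach the WAN, but never the LAN: a hacked honeypot cannot pivot.
        iif $dmz oif $wan accept
        iif $dmz oif $lan ip daddr $lan_net log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Real server forward first: this port never reaches the honeypot,
        # so the web server is exposed exactly as it would be without one.
        iif $wan tcp dport 443 dnat to $webhost
        # Consumer-router "DMZ host" semantics as a default rule:
        # everything else arriving from the WAN goes to the honeypot.
        iif $wan dnat to $honeypot
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $wan masquerade
    }
}
```

Load with nft -f on the router; the log prefix makes any DMZ-to-LAN attempt visible in the kernel log, which is the one signal that a honeypot in this position is meant to give you. Note that the isolation holds only as long as the router itself is not compromised, as pointed out in the thread.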
While it usually works to copy a live root filesystem to a new SD card mounted in a USB card reader, you are right in thinking it is better to make a copy when the filesystem is not root mounted.