Hi Ariel,

This is indeed one of the use cases that is very relevant to, and can be supported with, the GBP model. The GBP policy actions provide a way to “redirect” to a service-instance/chain on matching a traffic classifier. If you are able to represent the “honeypot” functionality as a Neutron advanced service, or wrap it in an implemented service, then you can integrate it with today’s implementation. The GBP team will be happy to provide you with more information on how you can propose and implement any changes that you may need to make for this integration. Also, feel free to catch us in #openstack-gbp and/or during the GBP weekly IRC meeting [1].
Thanks,
~Sumit.

[1] https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy

On Tue, Jan 27, 2015 at 8:19 AM, Ariel Zeitlin <ariel.zeit...@gmail.com> wrote:
> Hi,
> I want to propose an idea of investigation of policy violations (for white-list policies defined by GBP) by, for instance, redirecting the violating sessions to a HoneyPot.
> Meaning that if the only communication between Group A and Group B is by port 80 (as described in the GBP), then an access to port 22 from Group A to Group B will be redirected to and answered by a HoneyPot that will investigate the real reason for the policy violation, or simply log and drop the violating connection attempt.
>
> In a tightly defined policies world, as achieved through GBP, an attacker trying to propagate inside the network is more likely to hit a wall and then actually create a "golden lead" for his detection.
>
> Do you think this concept can/should be part of GBP, and what would be the best way to promote it (sorry, I am pretty new to OpenStack and GBP specifically)?
>
> Thanks,
> Ariel
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
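The mechanism Sumit describes (a policy action that redirects to a service chain when a traffic classifier matches) and Ariel's use of it as a violation trap can be modelled end to end. The following is an added example written for this page; it is not code from either poster nor from the GBP project. It assumes first-match rule ordering within a rule set, GBP's provider/consumer contract semantics between groups, and constructed group, rule-set, service-chain and log-line names.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    """Traffic classifier: protocol, optional destination port range, direction.

    The fields mirror what a GBP policy-classifier carries; the matching logic is ours."""
    protocol: str                                  # "tcp", "udp", "icmp" or "any"
    port_range: Optional[Tuple[int, int]] = None   # None = any destination port
    direction: str = "in"                          # "in" (toward the provider), "out" or "bi"

    def matches(self, protocol: str, dst_port: Optional[int], direction: str) -> bool:
        if self.protocol not in ("any", protocol):
            return False
        if self.port_range is not None:
            lo, hi = self.port_range
            if dst_port is None or not lo <= dst_port <= hi:
                return False
        return self.direction in ("bi", direction)


@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    actions: Tuple[str, ...]          # e.g. ("allow",) or ("redirect:<chain>", "log")


@dataclass(frozen=True)
class PolicyRuleSet:
    name: str
    rules: Tuple[PolicyRule, ...]     # evaluated in order, first match wins (assumption)


@dataclass(frozen=True)
class Group:
    name: str
    provided: Tuple[str, ...]         # rule sets this group provides (it is the server side)
    consumed: Tuple[str, ...]         # rule sets this group consumes (it is the client side)


@dataclass(frozen=True)
class Flow:
    src_group: str
    dst_group: str
    protocol: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Decision:
    actions: Tuple[str, ...]
    rule_set: Optional[str]           # None when no contract exists between the groups

    @property
    def is_violation(self) -> bool:
        return "allow" not in self.actions

    def log_line(self, flow: Flow) -> str:
        # Constructed log format for the defender's log pipeline; not a GBP artefact.
        target = next((a.split(":", 1)[1] for a in self.actions if a.startswith("redirect:")), "-")
        return (f"policy={'violation' if self.is_violation else 'allow'} "
                f"src={flow.src_group} dst={flow.dst_group} proto={flow.protocol} "
                f"dport={flow.dst_port if flow.dst_port is not None else '-'} "
                f"rule_set={self.rule_set or '-'} actions={','.join(self.actions)} target={target}")


def evaluate(flow: Flow, groups: Dict[str, Group], rule_sets: Dict[str, PolicyRuleSet]) -> Decision:
    """A rule set applies only when the destination group provides it and the source
    group consumes it. Traffic with no applicable rule set hits GBP's implicit deny."""
    src, dst = groups[flow.src_group], groups[flow.dst_group]
    for name in dst.provided:
        if name not in src.consumed:
            continue
        for rule in rule_sets[name].rules:
            if rule.classifier.matches(flow.protocol, flow.dst_port, "in"):
                return Decision(rule.actions, name)
    return Decision(("drop",), None)


# Constructed policy following the thread: Group A may reach Group B on TCP/80 only.
HONEYPOT_CHAIN = "sc-honeypot"       # placeholder name for the redirect service chain

WEB_ONLY = PolicyRuleSet("web-only", (
    PolicyRule(Classifier("tcp", (80, 80), "in"), ("allow",)),
    # Catch-all last: anything else the consumer sends is a policy violation and is
    # redirected to the honeypot chain and logged rather than silently dropped.
    PolicyRule(Classifier("any", None, "bi"), (f"redirect:{HONEYPOT_CHAIN}", "log")),
))
RULE_SETS = {WEB_ONLY.name: WEB_ONLY}
GROUPS = {
    "GroupA": Group("GroupA", provided=(), consumed=("web-only",)),
    "GroupB": Group("GroupB", provided=("web-only",), consumed=()),
}


def classify(flow: Flow) -> Decision:
    return evaluate(flow, GROUPS, RULE_SETS)


if __name__ == "__main__":
    for f in (Flow("GroupA", "GroupB", "tcp", 80), Flow("GroupA", "GroupB", "tcp", 22),
              Flow("GroupA", "GroupB", "icmp", None), Flow("GroupB", "GroupA", "tcp", 80)):
        print(classify(f).log_line(f))
```

The catch-all rule is what turns the white-list into a detection source: the port-22 and ICMP attempts from Group A are not merely dropped but redirected and logged with the rule set that caught them, while the reverse direction (B to A), for which no contract exists, still falls through to GBP's implicit deny.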