​
OneFirewall DeceptionGrid

​
Overview

DeceptionGrid is OneFirewall’s global honeynet platform β€” a distributed network of high-fidelity honeypots deployed across strategically chosen geolocations. Built to attract, monitor, and study real-world cyber adversaries, DeceptionGrid transforms attacker activity into actionable threat intelligence. Each node in the DeceptionGrid network is designed to simulate a believable digital environment using a rich set of decoy services. By observing threat actors interact with these services, OneFirewall extracts telemetry, attack patterns, and behavioral indicators that enrich its Threat Intelligence Data Lake. DeceptionGrid serves as an early-warning radar for emerging threats and offers invaluable insight into attacker tactics, techniques, and procedures (TTPs).
Catch the adversary before they reach your perimeter.

​
Services Deployed per Honeypot Node

Each DeceptionGrid node simulates a wide range of services, categorized to attract diverse adversaries:

​
πŸ”’ Network & Remote Access

  • SSH (Port 22) – Secure shell for credential brute-force and key abuse.
  • Telnet (Port 23) – Simulates legacy devices and insecure admin access.
  • RDP (Port 3389) – Windows remote desktop environment.
  • OpenVPN/IPsec (Port 1194/500) – Corporate VPN gateway emulation.

​
🌐 Web & API Services

  • HTTP/HTTPS (Port 80/443) – Fake websites, admin panels, and CMS.
  • RESTful APIs (Custom ports) – Mimicking microservices or internal APIs.
  • WebSocket endpoints – For real-time protocol interaction analysis.

​
πŸ§ͺ IoT & OT Protocols

  • Modbus (Port 502) – Industrial control simulation.
  • MQTT (Port 1883) – Internet of Things (IoT) message broker.
  • UPnP/SSDP – Emulating smart home broadcast traffic.
  • BACnet (Port 47808) – Building automation system protocol.
  • Zigbee (Simulated stack) – Emulating wireless sensor activity.

​
πŸ’Ύ File & Data Access

  • FTP/SFTP (Port 21/22) – Insecure file transfer protocols.
  • SMB/CIFS (Port 445) – Windows file sharing with weak credentials.
  • NFS (Port 2049) – Unix/Linux network file system.
  • ElasticSearch (Port 9200) – Simulates open data analytics nodes.

​
🧠 Databases

  • MySQL (Port 3306)
  • PostgreSQL (Port 5432)
  • MongoDB (Port 27017)
  • Redis (Port 6379)
  • Cassandra (Port 9042)
These are configured with known vulnerabilities or weak configurations.

​
☁️ DevOps & Cloud Services

  • Docker Daemon API (Port 2375) – Exposed container runtime.
  • Kubernetes API/Kubelet (Port 10250) – Mimicking open clusters.
  • Jenkins (Port 8080) – Continuous integration tool interface.
  • GitLab CI (Port 8929) – Simulates self-hosted pipelines.

​
πŸ“¨ Email & Messaging

  • SMTP (Port 25)
  • IMAP (Port 143) / POP3 (Port 110) – Emulating enterprise mailboxes.

​
πŸ”— Authentication & Directory Services

  • LDAP/LDAPS (Port 389/636) – Enterprise directory services.
  • Kerberos (Port 88) – Windows domain controller simulation.
  • OAuth/OpenID Connect endpoints – Simulating federated auth flows.

​
πŸ“ž VoIP & Legacy Communication

  • SIP (Port 5060) – VoIP endpoint attracting toll fraud attempts.
  • XMPP/IRC – Emulating chat/C2 environments.

​
🎭 Application & Custom Decoys

  • Vulnerable Web Apps – DVWA, Juice Shop, fake ERP/CRM systems.
  • Fake Admin Portals – SCADA dashboards, CMS panels.
  • Geo-localized Interfaces – Banking portals or ISP panels specific to node region.

​
Deployment Architecture

Each DeceptionGrid node is:
  • Isolated and sandboxed for controlled observation.
  • Geographically distributed to maximize visibility across regions.
  • Tuned for low-interaction and high-interaction deception, based on the node’s risk tolerance and observational role.
  • Instrumented for full telemetry, including session recording, packet capture, and real-time alerting.

​
How It Works

  1. Lure & Engage: DeceptionGrid nodes respond to global scans and targeted probing with realistic service banners and behaviors.
  2. Record & Analyze: All activity is logged, enriched, and correlated in real time.
  3. Extract Intelligence: Attacker behavior is converted into IOCs, TTPs, and threat actor fingerprints.
  4. Feed Defense: Threat data flows into OneFirewall’s Threat Intelligence sharing platform for broader ecosystem protection.

​
Product Name

OneFirewall DeceptionGrid – The Global Honeynet
For integration or research partnerships, contact the OneFirewall team.