Penetration Testing mailing list archives

Re: [PEN-TEST] Recourse Technologies -- info wanted
From: Ben Rothke <brothke () EBNETWORKS COM>
Date: Tue, 3 Oct 2000 17:08:23 -0400

On the subject of Honey Pots, Steve Bellovin told me that the only real use
for a honey pot is to test how effective your firewall is.  More than that,
forget it.

As to capturing hackers (which many of the Honey Pot say their products do),
it sounds romantic, but you have to remember that when Cliff Stoll or Bill
Cheswick with Berferd, they had a lot of time.  And in the end Berferd was
never apprehended.  Cheswick concludes ‘Though the Jail was an interesting
and educational exercise, it was not worth the effort.’

Ben




Ben Rothke, CISSP <brothke () ebnetworks com>
Network Security Consultant
eB Networks, Inc. - Leading the way to eBusiness - at NetSpeed!
33 Wood Av. 5th Floor, Iselin, NJ 08830
Voice: 732/603-8882   Pager: 800/792-1811  Cell: 973/202-7921

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Ryan Permeh
Sent: Tuesday, October 03, 2000 1:01 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Recourse Technologies -- info wanted


I have some qualms about putting a "target" on my network.  i understand
that they may facilitate tracking an attacker, but honestly, why not invest
your money into building a secure architecture in the first place?  A fake
"insecure" host or network may lead an attacker to find a vulnerable real
host there.  I understand a honeypot's use in an academic or research
environment, but as an enterprise appliance, it seems like a pretty poor
idea.  I agree with Mark on building traps on existing insecure operating
systems, but i'd take it one further, an unknown, proprietary operating
system isn't better.  just because no vulnerabilities have been found
doesn't mean that no vulnerabilities exist, and even honeypot designers can
make mistakes.
    A host based ids (or decent systems accounting) paired with an
integrity checking system like tripwire can maintain the integrity of your
system and allow you to track user actions and attacks.  And it won't place
a big bullseye on your back at the same time.

as for back tracing, i'd like to see more information on this before making
any deep judgement.  i'm not going to say it's impossible, but i'd find it
hard to believe that anything man trap could do couldn't be replicated with
a sniffer or ids system. (packet inconsistencies, etc can all be watched
for, as can sequences of out of sync tcp packets).
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Mark Teicher" <mark.teicher () NETWORKICE COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, October 03, 2000 8:40 AM
Subject: Re: Recourse Technologies -- info wanted


Yes, I evaluated an earlier version of their ManTrap and ManHunt
application prior to the recent release.
It has a long way to go before it can be deployed in an enterprise type
environment.  I had a lot of issues with them designing a HoneyPot like
application on top of a known operating system.  It didn't really make much
sense to me, and still doesn't.  I have been trying to set up a meeting with
them to discuss the various issues and have continued to re-schedule so
there I have given up providing them any information that may help them
improve their product at an enterprise level.

Supposedly they have a nifty BackTrace (hacker trace) and supposedly are
able to reveal a SPOOFED IP address and reveal the real source of the
traffic.  At InterOp, they could not demonstrate this for me.

/mark

At 07:05 PM 10/2/00 -0700, Andrew Teklemariam wrote:
Hello:

Has anybody dealt with or know about Recourse Technologies
(www.recoursetechnologies.com) and its products?  Any info is
appreciated.
Thanks,
-andrew


