NetFacade beats hackers at their own game
- By Steve Jefferson
- Jun 14, 2000
There is a five-sided building near Washington, D.C., that employs a rather
unique method of physical security: they make it easy to get in, but very
hard to get out. Everyone found lost in the maze of tricky passages can
be presumed an intruder.
It takes a lot less effort to catch the ones that get in, the thinking goes,
than to keep everyone out. This is exactly the logic behind a network security
application from GTE Technology Organization.
Appropriately named GTE NetFacade 1.2, this honey-pot security server runs
on a Sun Microsystems Sparc system and creates a bogus network to entice
hackers. Any activity on the bogus network is considered inappropriate and
NetFacade records all actions to help catch the intruder.
NetFacade is designed to work with, not replace, an intrusion detection
system (IDS), which looks for suspicious packets on a network. But NetFacade
has two distinct advantages over firewalls and intrusion detection systems.
First, by adding up to 255 bogus machines to your network, it dramatically
cuts down your chances of having a real machine get hacked. Secondly, by
keeping detailed records of what the intruder was attempting to do on the
bogus network, you can gain valuable intelligence on how you can tighten
down your regular network. For example, if someone tries to dial into one
of the facade servers with a real user name and password, you can be sure
it's time to change it and review your network password policies.
Installation was very easy, thanks to a detailed and well-written installation
guide. It had me check to see the system was properly configured and walked
me through any configuration files that needed to be edited. Once configured
and running, the Solaris box becomes a hardened server dedicated to the
NetFacade application. Anyone with minimal Solaris experience and a basic
understanding of their network can get this up and running in less than
half a day.
There is one fundamental choice to make when installing NetFacade: whether
to put it inside or next to the firewall. By placing it next to the firewall,
hackers undoubtedly will find the synthetic network an easier target than
trying to figure out what you have behind one of those IP addresses. But
by placing it behind your firewall, and next to or even integrated with
your real network, you can determine and trace internal hacks, which are
much more likely to be dangerous than those from the outside.
I chose to set it up behind the firewall and on the same subnet as my real
network because setting it up outside the firewall would have required a
bulk of IP addresses to cover the bogus hosts that NetFacade sets up. Behind
the firewall, I could assign as many non-routable IP addresses as I wanted.
Administration of NetFacade is handled from a remote machine via a World
Wide Web browser. The included Apache Web server and Covalent Raven SSL and
certificate server make administration not only easy but secure. Most importantly,
well-designed Web pages give the administrator easy access to the fairly
comprehensive configuration and administration options.
Within minutes, I configured NetFacade to create an arbitrary 40 hosts and
30 users. NetFacade automatically generated the names of the machines, operating
systems they would emulate and services (such as FTP and Telnet) that each
would pretend to provide. In addition, it came up with realistic-sounding
I was able to edit, delete or add my own users and hosts, as well as create
banners to make the Telnet and FTP services seem more believable.
After I got it all up and running, I called up security expert and hacker,
Stuart McClure, president of Foundstone, a security and training company
based in Irvine, Calif., to hack in and see what he could find. To facilitate
the process, I created an account for him on a real Linux box on the network,
as one might with any number of contractors.
Within a few minutes, e-mails from the NetFacade server flooded my inbox,
warning me of more than 200 violations of the network. Soon, the phone rang.
McClure's report, in short, was that within a short time he had smoked my
Following his standard routine, he soon learned that most of the hosts
on the network shared the same media access control (MAC) address, a bright
red flag to any hacker. The problem lies with the fact that it is illegal
to spoof MAC addresses, which must be unique for every physical NIC they
are intended to designate. GTE acknowledged this and said in the next version
they will be able to supply a hardware version that works around this problem.
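The shared-MAC giveaway described above is something a defender can check on the decoy subnet before an intruder does. The following is an added example, not code from the review or from GTE; the ARP listing is constructed in the style of Solaris `arp -a` output, and the host names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed listing in the style of Solaris `arp -a` output: three decoys
# share one MAC, a real host has its own. Names and addresses are made up.
SAMPLE_ARP = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   corvus               255.255.255.255       08:00:20:aa:bb:01
hme0   lyra                 255.255.255.255       08:00:20:aa:bb:01
hme0   draco                255.255.255.255       08:00:20:aa:bb:01
hme0   fileserv             255.255.255.255       08:00:20:cc:dd:02
"""
# Device, host, mask, optional flags column, then a colon-separated MAC.
ARP_RE = re.compile(
    r"^\S+\s+(?P<host>\S+)\s+\S+\s+(?:\S+\s+)?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$", re.IGNORECASE)

def parse_arp(text):
    """Return {host: mac} for lines that look like ARP entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group("host")] = m.group("mac").lower()
    return table

def shared_macs(table):
    """Map each MAC used by more than one host to the hosts sharing it."""
    by_mac = defaultdict(list)
    for host, mac in table.items():
        by_mac[mac].append(host)
    return {mac: sorted(hosts) for mac, hosts in by_mac.items() if len(hosts) > 1}

if __name__ == "__main__":
    for mac, hosts in shared_macs(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any MAC reported here marks a group of decoys that a careful observer could tell apart from real machines, which is exactly the flaw the review found.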
Despite McClure's acumen, it was too late. I had detailed records of his
actions including usernames and passwords he tried to access and the machines
he had probed, scanned and attempted to connect to. With a little homework,
I had more than enough information to properly deal with the intruder. Further,
if McClure had actually been breaking in from the outside, he would not
have had access to the MAC addresses and may never have guessed what was
In fact, the synthetic network and hosts were believable enough for McClure
to try to verify usernames through the SMTP port and try a few Telnet logins.
Most importantly, he was not able to determine which of the bogus machines
hosted the NetFacade network. If he had been able to figure it out, he could
have purged the log files or otherwise damaged the NetFacade machine and
covered his tracks.
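The detailed records described above (machines probed, services tried, usernames and passwords attempted) are only useful once they are rolled up per intruder. The following is an added example, not the product's own logging or code: the log format, field names and the list of real accounts are assumptions, and the events are constructed. It groups decoy contacts by source address and flags any attempt that used an account that exists on the real network, which the review treats as a signal to change that credential.

```python
import re
from collections import defaultdict

# Constructed sample of the kind of record NetFacade is described as keeping
# (source, decoy host, service, credential tried); the format is an assumption.
SAMPLE_LOG = """\
2000-06-01T10:02:11 src=10.1.1.50 host=corvus service=telnet user=jsmith result=fail
2000-06-01T10:02:13 src=10.1.1.50 host=corvus service=ftp user=anonymous result=fail
2000-06-01T10:02:20 src=10.1.1.50 host=lyra service=smtp user=- result=probe
2000-06-01T10:02:21 src=10.1.1.50 host=lyra service=smtp user=root result=vrfy
2000-06-01T10:03:02 src=10.1.1.50 host=draco service=telnet user=admin result=fail
2000-06-01T10:05:40 src=10.1.1.77 host=corvus service=telnet user=jsmith result=fail
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) host=(?P<host>\S+) service=(?P<service>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)")
# Accounts that exist on the real network (assumed). A decoy login attempt
# with one of these means that credential is already exposed.
REAL_ACCOUNTS = {"jsmith"}

def parse_events(text):
    """Parse one event per line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, real_accounts=REAL_ACCOUNTS):
    """Group decoy contacts per source; flag real accounts seen in attempts."""
    per_src = defaultdict(lambda: {"hosts": set(), "services": set(), "users": set()})
    for e in events:
        s = per_src[e["src"]]
        s["hosts"].add(e["host"])
        s["services"].add(e["service"])
        if e["user"] != "-":  # "-" marks a probe with no credential offered
            s["users"].add(e["user"])
    return {src: {"hosts": sorted(s["hosts"]),
                  "services": sorted(s["services"]),
                  "users": sorted(s["users"]),
                  "exposed_accounts": sorted(s["users"] & real_accounts)}
            for src, s in per_src.items()}

if __name__ == "__main__":
    for src, rep in summarize(parse_events(SAMPLE_LOG)).items():
        print(src, rep)
```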
My only real complaint with NetFacade was related to technical support.
In my case, there wasn't any. When I called, pretending I needed help configuring
the e-mail alert functions, all I got was an answering machine asking me
to leave a message. Although I was promised a prompt return, I did not hear
back from them.
Overall, I was impressed with the ease of use and comprehensive information
NetFacade was able to collect about the intrusions. The product's only flaw
was the result of a law that makes it illegal to spoof MAC addresses. But
if the hacker is smart enough to see that, he will also be smart enough
to know you are watching him, making the rest of your network an unattractive
proposition at best. NetFacade is a valuable addition to your network defense
system and should be considered by anyone in charge of a network hosting
Jefferson has been covering technology for 7 years and
is a freelance analyst and writer based in Honolulu.