NetFacade beats hackers at their own game

There is a five-sided building near Washington, D.C., that employs a rather unique method of physical security: they make it easy to get in, but very hard to get out. Everyone found lost in the maze of tricky passages can be presumed an intruder.

It takes a lot less effort to catch the ones that get in, the thinking goes, than to keep everyone out. This is exactly the logic behind a network security application from GTE Technology Organization.

Appropriately named GTE NetFacade 1.2, this honey-pot security server runs on a Sun Microsystems Sparc system and creates a bogus network to entice hackers. Any activity on the bogus network is considered inappropriate and NetFacade records all actions to help catch the intruder.

NetFacade is designed to work with, not replace, an intrusion detection system (IDS), which looks for suspicious packets on a network. But NetFacade has two distinct advantages over firewalls and IDS systems.

First, by adding up to 255 bogus machines to your network, it dramatically cuts down your chances of having a real machine get hacked. Secondly, by keeping detailed records of what the intruder was attempting to do on the bogus network, you can gain valuable intelligence on how you can tighten down your regular network. For example, if someone tries to dial into one of the facade servers with a real user name and password, you can be sure it's time to change it and review your network password policies.
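The two advantages described above can be shown as detection logic. This is an added example, not NetFacade's own code or log format: the decoy address range, the list of real accounts and the five-field log layout are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): decoy range, real account names and the
# "timestamp src dst service user" record layout are constructed sample data.
DECOY_NET = ipaddress.ip_network("10.0.5.0/24")
REAL_ACCOUNTS = {"jsmith", "backup", "mlee"}

SAMPLE_LOG = """\
2000-06-01T10:02:11 10.0.1.44 10.0.5.17 telnet jsmith
2000-06-01T10:02:40 10.0.1.44 10.0.5.23 ftp anonymous
2000-06-01T10:03:05 10.0.1.44 10.0.1.9 ssh contractor
2000-06-01T10:04:19 10.0.1.77 10.0.5.17 smtp -
malformed line
2000-06-01T10:05:02 10.0.1.44 10.0.5.40 telnet root
"""

def analyze(log_text, decoy_net=DECOY_NET, real_accounts=REAL_ACCOUNTS):
    """Return (per-source summary, real accounts whose names hit a decoy)."""
    sources = defaultdict(lambda: {"hits": 0, "decoys": set(), "users": set()})
    exposed = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed layout
        _ts, src, dst, _service, user = parts
        try:
            if ipaddress.ip_address(dst) not in decoy_net:
                continue  # real hosts are the IDS's job; decoys have no legitimate use
        except ValueError:
            continue  # unparseable destination address
        entry = sources[src]
        entry["hits"] += 1          # every touch of a decoy is a violation
        entry["decoys"].add(dst)
        if user != "-":
            entry["users"].add(user)
            if user in real_accounts:
                exposed.add(user)   # a real login name tried on a decoy: rotate it
    return dict(sources), exposed

if __name__ == "__main__":
    summary, exposed = analyze(SAMPLE_LOG)
    for src, e in sorted(summary.items()):
        print(f"ALERT {src}: {e['hits']} events on {len(e['decoys'])} decoys, "
              f"users tried: {sorted(e['users'])}")
    for user in sorted(exposed):
        print(f"ROTATE credentials for real account '{user}' (seen on decoy)")
```
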

Installation was very easy, thanks to a detailed and well-written installation guide. It had me check to see the system was properly configured and walked me through any configuration files that needed to be edited. Once configured and running, the Solaris box becomes a hardened server dedicated to the NetFacade application. Anyone with minimal Solaris experience and a basic understanding of their network can get this up and running in less than half a day.

There is one fundamental choice to make when installing NetFacade: whether to put it inside or next to the firewall. By placing it next to the firewall, hackers undoubtedly will find the synthetic network an easier target than trying to figure out what you have behind one of those IP addresses. But by placing it behind your firewall, and next to or even integrated with your real network, you can determine and trace internal hacks, which are much more likely to be dangerous than those from the outside.

I chose to set it up behind the firewall and on the same subnet as my real network because setting it up outside the firewall would have required a bulk of IP addresses to cover the bogus hosts that NetFacade sets up. Behind the firewall, I could assign as many non-routable IP addresses as I wanted.

NetFacade is administered from a remote machine through a World Wide Web browser. The included Apache Web server and Covalent Raven SSL and certificate server make administration not only easy but secure. Most importantly, well-designed Web pages give the administrator easy access to the fairly comprehensive configuration and administration options.

Within minutes, I configured NetFacade to create an arbitrary 40 hosts and 30 users. NetFacade automatically generated the names of the machines, operating systems they would emulate and services (such as FTP and Telnet) that each would pretend to provide. In addition, it came up with realistic-sounding names.

I was able to edit, delete or add my own users and hosts, as well as create banners to make the Telnet and FTP services seem more believable.

After I got it all up and running, I called up security expert and hacker, Stuart McClure, president of Foundstone, a security and training company based in Irvine, Calif., to hack in and see what he could find. To facilitate the process, I created an account for him on a real Linux box on the network, as one might with any number of contractors.

Within a few minutes, e-mails from the NetFacade server flooded my inbox, warning me of more than 200 violations of the network. Soon, the phone rang.

McClure's report, in short, was that within a short time he had smoked my ruse.

Following his standard routine, he soon learned that most of the hosts on the network shared the same media access control (MAC) address — a bright red flag to any hacker. The problem lies with the fact that it is illegal to spoof MAC addresses, which must be unique for every physical NIC they are intended to designate. GTE acknowledged this and said that in the next version they will be able to supply a hardware version that works around this problem.

Despite McClure's acumen, it was too late. I had detailed records of his actions including usernames and passwords he tried to access and the machines he had probed, scanned and attempted to connect to. With a little homework, I had more than enough information to properly deal with the intruder. Further, if McClure had actually been breaking in from the outside, he would not have had access to the MAC addresses and may never have guessed what was going on.

In fact, the synthetic network and hosts were believable enough for McClure to try to verify usernames through the SMTP port and try a few Telnet logins. Most importantly, he was not able to determine which of the bogus machines hosted the NetFacade network. If he had been able to figure it out, he could have purged the log files or otherwise damaged the NetFacade machine and covered his tracks.

My only real complaint with NetFacade was related to technical support. In my case, there wasn't any. When I called, pretending I needed help configuring the e-mail alert functions, all I got was an answering machine asking me to leave a message. Although I was promised a prompt return, I did not hear back from them.

Overall, I was impressed with the ease of use and comprehensive information NetFacade was able to collect about the intrusions. The product's only flaw was the result of a law that makes it illegal to spoof MAC addresses. But if the hacker is smart enough to see that, he will also be smart enough to know you are watching him, making the rest of your network an unattractive proposition at best. NetFacade is a valuable addition to your network defense system and should be considered by anyone in charge of a network hosting sensitive information.

Jefferson has been covering technology for 7 years and is a freelance analyst and writer based in Honolulu.

REPORT CARD

GTE NetFacade Version 1.2

Score: B+

GTE Technology Organization

800-334-1553

www.gte.com

Price and Availability: Price for government agencies and departments is $37,000, which includes one year of upgrades and technical support.

Remarks: GTE's NetFacade is an innovative security program that creates a bogus network as large or small as you decide. By working with a firewall and an intruder-detection console, it will help keep your sensitive information private. It presents a more attractive network for hackers to invade and helps draw attention away from the real computers. Also, it notifies the administrator of activity on the facade while recording all activities.

BY Steve Jefferson
June 14, 2000
