Penetration Testing mailing list archives

Re: [PEN-TEST] Recourse Technologies -- info wanted


From: Ryan Permeh <ryan () EEYE COM>
Date: Tue, 3 Oct 2000 10:01:09 -0700

I have some qualms about putting a "target" on my network.  I understand
that they may facilitate tracking an attacker, but honestly, why not invest
your money into building a secure architecture in the first place?  A fake
"insecure" host or network may lead an attacker to find a vulnerable real
host there.  I understand a honeypot's use in an academic or research
environment, but as an enterprise appliance, it seems like a pretty poor
idea.  I agree with Mark on building traps on existing insecure operating
systems, but I'd take it one further: an unknown, proprietary operating
system isn't better.  Just because no vulnerabilities have been found
doesn't mean that no vulnerabilities exist, and even honeypot designers can
make mistakes.
    A host-based IDS (or decent systems accounting) paired with an integrity
checking system like Tripwire can maintain the integrity of your system and
allow you to track user actions and attacks.  And it won't place a big
bullseye on your back at the same time.

As for back tracing, I'd like to see more information on this before making
any deep judgement.  I'm not going to say it's impossible, but I'd find it
hard to believe that anything man trap could do couldn't be replicated with
a sniffer or IDS system (packet inconsistencies, etc. can all be watched
for, as can sequences of out-of-sync TCP packets).
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Mark Teicher" <mark.teicher () NETWORKICE COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, October 03, 2000 8:40 AM
Subject: Re: Recourse Technologies -- info wanted


Yes, I evaluated an earlier version of their ManTrap and ManHunt
application prior to the recent release.
It has a long way to go before it can be deployed in an enterprise type
environment.  I had a lot of issues with them designing a HoneyPot like
application on top of a known operating system.  It didn't really make much
sense to me, and still doesn't.  I have been trying to setup a meeting with
them to discuss the various issues and have continued to re-schedule so
there I have given up providing them any information that may help them
improve their product at an enterprise level.

Supposedly they have a nifty BackTrace (hacker trace) and supposedly are
able to reveal a SPOOFED IP address and reveal the real source of the
traffic.  At InterOp, they could not demonstrate this for me.

/mark

At 07:05 PM 10/2/00 -0700, Andrew Teklemariam wrote:
Hello:

Has anybody dealt with or know about Recourse Technologies
(www.recoursetechnologies.com) and its products?  Any info is appreciated.
Thanks,
-andrew


