
ManTrap can do much more than most honeypot solutions, but it also introduces greater risk. Organizations have to understand these issues and mitigate these risks before deploying ManTrap systems. There are four areas in which ManTrap introduces risk: outbound access, complexity, signatures, and jail breaks.

Outbound access is a risk of any high-interaction honeypot. ManTrap cages are functional Solaris operating environments. These cages give attackers access to a wide range of capabilities. The more the attacker can do, the more you can learn. However, the more an attacker can do, the more damage he can potentially cause. Intruders are very good at identifying and breaking into vulnerable systems. Once they have hacked into a ManTrap cage, what is to stop them from moving forward and hacking into other systems? Nothing—there are no mechanisms to stop attackers from using a compromised cage to launch denial of service attacks, scan other networks, or launch exploits against other vulnerable systems. This risk is demonstrated by the dtspcd attack discussed earlier in the chapter. Once the attacker had access to the cage, he attempted to use it for denial of service attacks. There is great risk that, once compromised, a cage will be used to harm other systems. Our intruder has already demonstrated that he does not have good intentions.

To reduce such risk, some type of external data control mechanism must be used. The purpose of this mechanism is to ensure that cages cannot be used to harm other nonhoneypot systems. This cannot be done on the honeypot itself, since the attacker will most likely control that resource. Instead, the data control has to be done off the honeypot, most likely on another system at the network level. An example would be a firewall. A firewall in front of a ManTrap system would allow anything inbound to the honeypot but not allow anything outbound. This would prevent the honeypot from being used to attack other systems. In the case of the dtspcd attack, the ManTrap honeypot was deployed behind a firewall. The firewall successfully blocked the denial of service attempts, protecting other systems from harm. In Chapter 11, we go into far greater detail about advanced data control mechanisms.
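The firewall rule described above ("anything inbound to the honeypot, nothing outbound") has to be stateful to work: replies belonging to sessions the attacker opened must be allowed out, while connections the cage itself initiates are dropped, and every such drop is itself an alert because a honeypot has no reason to start traffic. The following is an added illustration, not code from the book or from ManTrap; the addresses, the `Packet` record and the `DataControl` class are constructed for the example.

```python
"""Stateful data control for a high-interaction honeypot (added example)."""
from dataclasses import dataclass

HONEYPOT = "10.0.0.5"  # constructed cage address, placeholder only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class DataControl:
    """Network-level filter placed in front of the cage, off the honeypot."""

    def __init__(self, honeypot: str = HONEYPOT):
        self.honeypot = honeypot
        self.sessions = set()  # 4-tuples of inbound sessions already seen
        self.alerts = []       # every blocked outbound attempt is an alert

    def filter(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet, recording alerts."""
        if pkt.dst == self.honeypot:
            # Inbound: let the attacker in and remember the session
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.src == self.honeypot:
            # Outbound: only a reply to a known inbound session may leave
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "ACCEPT"
            # Cage-initiated traffic: the attacker is trying to use the cage
            self.alerts.append(f"outbound attempt from cage {pkt.src}:{pkt.sport}"
                               f" -> {pkt.dst}:{pkt.dport}")
            return "DROP"
        return "DROP"  # nothing else belongs on the honeypot segment


def run_demo():
    """Replay a constructed sequence: login, reply, then misuse of the cage."""
    fw = DataControl()
    attacker, victim, flood_target = "203.0.113.7", "10.0.1.20", "198.51.100.9"
    flow = [
        Packet(attacker, HONEYPOT, 40000, 22),      # attacker connects to SSH
        Packet(HONEYPOT, attacker, 22, 40000),      # cage answers the session
        Packet(HONEYPOT, victim, 33000, 80),        # cage used to probe a host
        Packet(HONEYPOT, flood_target, 33001, 53),  # cage used for a DoS flood
    ]
    return [fw.filter(p) for p in flow], fw.alerts
```

Running `run_demo()` yields ACCEPT, ACCEPT, DROP, DROP and two alert lines, which is exactly the behaviour the dtspcd incident needed from its firewall.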

The second risk associated with ManTrap is complexity. Configuring and maintaining a single operating system is a complex operation. Mistakes commonly happen, exposing the system to risk. For example, an administrator may leave a vulnerable service running when he thought he had disabled it, leave a copy of his password in e-mail, or let the sendmail configuration file become corrupted so that alerts are no longer sent to the correct individual. Such mistakes happen on a daily basis. The greater the complexity of the system, the greater the chance of something going wrong. ManTrap can be a complex solution.

The third risk is that, as with all honeypots, an attacker may be able to detect the true identity of a ManTrap cage. It is very difficult to remotely detect a ManTrap honeypot. Since the IP stack of each cage is a true Solaris IP stack, it behaves at the network level as an attacker would expect. There is no emulation of network activity. For example, if an attacker uses active OS fingerprinting methods against a ManTrap cage, the attacker will interact with and detect a valid Solaris operating system. However, once an attacker compromises and accesses a cage, she may be able to detect the true nature of the system. This is due to the modifications made to the Host kernel: system activity may be affected, and an attacker may notice discrepancies in how the cage behaves. Perhaps there is an odd syslog message in the log files or a command that does not behave as it would on a valid system. ManTrap has eliminated most of these signatures, but it is possible for an advanced blackhat to detect the true identity of a ManTrap cage. However, even if a blackhat who is already in a cage detects the honeypot's true identity, the honeypot has already fulfilled most of its mission. It has detected, captured, and alerted an organization to the activities of the attacker. If the attacker identifies the true nature of the cage, it is most likely already too late for them.

Last, there is always the potential that the Host OS may be compromised. An attacker might somehow break out of the cage or communicate directly with the Host system. When this happens, the Host system can act as a gateway to the internal network. Once a cage is compromised, an attacker may be able to go through kernel space and access the Host IP address. One method to reduce this risk is to disable the IP stack on the Host system and use a serial connection for administration instead. Even if the Host system is compromised, there is then no IP stack on the Host system, nor any network connection to the internal network, for the attacker to abuse. Another idea would be to deploy the administrator station on a separate network, such as a dedicated administration network. This way, if the Host system is compromised, the attacker is contained to the administrative network. We discuss dedicated management networks in greater detail in Chapter 12.

Summary

ManTrap is a commercial, high-interaction honeypot created, sold, and maintained by Recourse Technologies. Its advantages and disadvantages are summarized in Table 10-1.

We will now move on to the last of our honeypot solutions and the one with the greatest level of interaction: Honeynets.

Table 10-1. Features of ManTrap

Advantages

Detects activity on any port using a built-in sniffer.

Gives attackers a full operating system to interact with.

Captures all attacker activity through kernel space, including encrypted traffic such as SSH.

Excellent logging capabilities.

Remote capabilities, including e-mail alerts and remote administration, make it an enterprise solution.

Disadvantages

High-interaction functionality means attackers can potentially use the system to harm other systems or organizations.

Attackers may be able to fingerprint or break out of a ManTrap cage they have accessed.

Limited to the Solaris operating system, using Full Developer install.


Chapter 11. Honeynets

As we have examined honeypot solutions in this book, we have progressed through increasing levels of honeypot interaction. This chapter concludes our look at specific honeypot technologies with the most complex of all—the Honeynet.
