ForeScout ActiveScout (was: Re: Intrusion Prevention)

[Oded Comay <comay-nospam () forescout com>]

Greetings,

We have been following this thread with great interest. Sorry for jumping
in late; appreciating the technical quality of this forum, we wanted to
avoid anything that could be viewed as marketing pitch. I will do my best to
avoid it (and sweeping generalizations) in this posting as well. That being
said, some clarifications are in order.

To start with, ActiveScout is not an IDS. Judging it by NIDS standards and
criteria will do injustice to both technologies.

ActiveScout's core technology is based on a simple observation: Most
online intrusions are preceded by *some* sort of reconnaissance, which is
detectable by observing network traffic. Based on information collected
during the recon phase, an attacker may try to exploit the vulnerabilities
that have been discovered to penetrate the network.

Reconnaissance could be a simple-minded port scan, or any of its more
elaborate variants (including the stealth genres). However it goes far
beyond scans. A typical reconnaissance phase could consist of probing your
network with NetBIOS queries (looking for user names and/or host names),
It could be an SNMP GET request (or a set thereof), and so forth.

For an illustration of how ActiveScout works, consider this: Someone is
probing your network with NetBIOS, looking for user names, and gets some
such names. A week later, from a totally different IP address, someone is
using one of these user names to try and access your corporate FTP server,
gets blocked immediately, and is prohibited from any further access to
your corporate network.

The technology has several interesting attributes. To name a few:

- It is independent of the payload of the attack. This enables detection
  of attacks not known to the security community.

- It is not sensitive to whether the attack comes from the same source (IP
  address) as the reconnaissance. Au contraire: this is actually where it
  shines.

- The detection is extremely accurate, allowing for automatic blocking to
  be enabled without fear of blocking legitimate business.

- It is not dependent on the actual probing technique (e.g. simple TCP
  connect, FTP bounce, sent along with decoy addresses, etc.).

- Attacks are detected at an extremely early stage, when the payload
  usually has no impact (yet), allowing time for effective blocking (using
  a firewall, or tearing down TCP connection before the TCP window opens
  up).

These attributes enabled the creation of a product which is as "low
maintenance" as it gets: you just need to plug it into the network,
provide minimal initial configuration and it just works.

Considering that proper security design is always layered, you may very
well want to complement it with other technologies (such as NIDS),
provided that you have the resources required to manage those.

Chris Petersen presented an interesting and well thought-out analysis
based on website information. Some comments re this analysis:

- Chris focuses mainly on various port-scan probes as being recon. As
  depicted above, this is only part (albeit large, quantity-wise) of
  network-based reconnaissance. ActiveScout works well with those scans
  (all things nmap), but this is only where the fun begins. There are
  quite a few other ways to get "interesting" information about a network
  and its resources, which ActiveScout uses.

- Clearly, as Chris correctly analyzed, if ActiveScout's responses could
  be subject to fingerprinting, it would undermine the efficiency of this
  technology. Hence, the algorithms were designed in such a way that
  fingerprinting will be very difficult (not to say impossible).

- ActiveScout blocks intrusions either by working with your firewall
  (inserting temporary policy lines, such as with FireWall-1 SAM), or by
  using TCP RSTs. None of these are ForeScout's "inventions"; however, for
  TCP RSTs, it turns out that ActiveScout's use of them is quite
  effective, more so than, for example, NIDS. The reason is that the
  resetting happens at a very early stage of the TCP connection (contrary
  to sending it after hostile payload has been detected). Therefore, the
  chances for the race condition Chris mentions are slim, at best.

Karl Lynn asks whether there will be a problem if he "scans" from one
network and attacks from another. As mentinoed above, this is actually a
great feature of ActiveScout. Even if the "attacking" network address is
used sparingly, just for launching the actual attack (after recon done
using a different network block), ActiveScout will detect and block it
from accessing to the attacked network.

And we haven't said anything about the cool factor...

Thanks, and seasons greetings to all!

--

Oded Comay, CTO
ForeScout Technologies

-------------------------------------------------------

-------------------------------------------------------