IDS mailing list archives
RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: "Adam Powers" <apowers () lancope com>
Date: Sun, 15 Dec 2002 21:43:51 -0500
I would also be curious to know how you deal with NATed addresses and proxies when you're relying on OPSEC or other firewall policy change-o-matic technologies? Example: If I'm a bad guy accessing a server protected by ActiveScout from behind Company A's corporate NATed address(es), how do you prevent all the other users at Company A from being DOSed out of accessing the resources on the protected server?

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Sunday, December 15, 2002 5:51 PM
To: focus-ids () securityfocus com
Subject: Re: ForeScout ActiveScout (was: Re: Intrusion Prevention)

Oded,

I have a few follow-up questions. Since you guys surely have the proper intellectual property protection methods in place, I was hoping you could explain in a bit more detail:

On Sun, 2002-12-15 at 12:15, Oded Comay wrote:
- It is independent of the payload of the attack. This enables detection of attacks not known to the security community.

Please define 'independent of the payload', perhaps in an example. Right now it sounds as if that sentence was taken off a marketing slick.
- It is not sensitive to whether the attack comes from the same source (IP address) as the reconnaissance. Au contraire: this is actually where it shines.

And here is what I'm really curious about. How do you relate a packet from IP address A to a scan that came from IP address B a week ago? Consider using a simple class C with web, dns, and mail servers as an example.
- The detection is extremely accurate, allowing for automatic blocking to be enabled without fear of blocking legitimate business.

I would assume you are making use of a white-list. Would I still be able to block half of the Internet through spoofs? Or are you watching the completion of the initial 3-way h/s to avoid spoofs?
- Attacks are detected at an extremely early stage, when the payload usually has no impact (yet), allowing time for effective blocking (using a firewall, or tearing down the TCP connection before the TCP window opens up).

Uhm... how can you determine if the data constitutes an attack when there is no payload yet?

I'm mostly curious about the IP address claim. What kind of marker do you use to identify an 'attacker' (read, human) so that you can say with accuracy that it is the same guy now on this IP who was here days ago on another?

I'm really more concerned about the solution to the technical challenge. I hope you can explain it publicly without a Non-Disclosure. After all, your technology should be protected through patents and what-not. There have been other vendors in the past who openly explained the technology behind their products, and those vendors are still in business. Please don't be afraid, but satisfy our longing for the technical truth, now that you sparked our interest...

Regards,
Frank
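As an added illustration of the spoofing concern Frank raises (this is example code, not anything from ForeScout or the posters): a toy scan detector that auto-blocks a source only once it has completed a TCP three-way handshake, set beside one that counts SYNs alone. The packet records, addresses, threshold and allowlist are all constructed for the example.

```python
"""Spoof-resistant auto-blocking decision, run over constructed packet records."""
from collections import defaultdict

# Constructed sample of a sensor's log as (src, dst, TCP flags); not real traffic.
PACKETS = [
    ("203.0.113.9", "192.0.2.10", "S"),    # SYNs with a forged source; no SYN-ACK is ever answered
    ("203.0.113.9", "192.0.2.11", "S"),
    ("203.0.113.9", "192.0.2.12", "S"),
    ("198.51.100.7", "192.0.2.10", "S"),   # genuine client completes the handshake...
    ("192.0.2.10", "198.51.100.7", "SA"),
    ("198.51.100.7", "192.0.2.10", "A"),
    ("198.51.100.7", "192.0.2.11", "S"),   # ...then probes two more protected hosts
    ("198.51.100.7", "192.0.2.12", "S"),
    ("198.51.100.40", "192.0.2.10", "S"),  # ordinary single-host client
    ("192.0.2.10", "198.51.100.40", "SA"),
    ("198.51.100.40", "192.0.2.10", "A"),
]

ALLOWLIST = {"198.51.100.40"}  # hypothetical partner/NAT address that must never be blocked
SCAN_THRESHOLD = 3             # distinct protected hosts touched before we call it a scan


def naive_blocklist(packets, threshold=SCAN_THRESHOLD, allowlist=ALLOWLIST):
    """Blocks on SYN fan-out alone: forged-source SYNs can get an innocent address blocked."""
    targets = defaultdict(set)
    for src, dst, flags in packets:
        if flags == "S":
            targets[src].add(dst)
    return {s for s, d in targets.items() if len(d) >= threshold} - allowlist


def verified_blocklist(packets, threshold=SCAN_THRESHOLD, allowlist=ALLOWLIST):
    """Counts a source only after it finishes a 3-way handshake, which proves it can
    receive replies at that address; spoofed SYNs therefore never reach the block rule."""
    half_open = set()   # (client, server) pairs the server has SYN-ACKed
    verified = set()    # sources that completed a handshake
    targets = defaultdict(set)
    for src, dst, flags in packets:
        if flags == "S":
            targets[src].add(dst)
        elif flags == "SA":
            half_open.add((dst, src))   # server -> client reply, so the client is dst
        elif "A" in flags and (src, dst) in half_open:
            verified.add(src)
    return {s for s in verified if len(targets[s]) >= threshold} - allowlist
```

The allowlist is the only defence this toy offers for shared NAT or proxy addresses like the one in Adam's question; a real deployment would need per-session rather than per-address blocking to avoid the collateral damage he describes.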