IDS mailing list archives
RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: "Matthew L. McGuirl" <mmcguirl () lucidsecurity com>
Date: Mon, 16 Dec 2002 14:13:41 -0500
-----Original Message-----
From: Adam Powers [mailto:apowers () lancope com]
Sent: Sunday, December 15, 2002 9:44 PM
To: Frank Knobbe; focus-ids () securityfocus com
Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
I would also be curious to know how you deal with NATed addresses and proxies when you're relying on OPSEC or other firewall policy change-o-matic technologies?
Example: If I'm a bad guy accessing a server protected by ActiveScout from behind Company A's corporate NATed address(es), how do you prevent all the other users at Company A from being DOSed out of accessing the resources on the protected server?
In the scenario Adam describes, they can't help but paint with a broad brush (i.e. block the source IP) unless they are dropping individual TCP sessions. Following that path raises another unwieldy issue -- DOS-ing the firewall that's receiving the SAM "drop & inhibit" commands from the ActiveScout. If an attacker were to somehow learn that the target host/network was protected by an ActiveScout/FW-1 firewall combo he could conceivably send enough "marked" traffic at the target to seriously degrade the firewall's performance.

Regards,
Matt

Matt McGuirl
Lucid Security Corporation
Email: mmcguirl () lucidsecurity com
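Added example, not part of the original message or of any product discussed in the thread: a small Python model of the trade-off described above, comparing a block on the source IP with dropping individual sessions when the marked traffic comes from a shared NAT address. The addresses, ports, flow counts and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample data: flows toward one protected server. 203.0.113.10
# stands in for Company A's NAT address, shared by the source of the marked
# sessions and by ordinary users (assumption, not taken from the thread).
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port marked")

def build_flows(marked_sessions, legit_users,
                nat_ip="203.0.113.10", server="192.0.2.80"):
    flows = [Flow(nat_ip, 40000 + i, server, 80, True)
             for i in range(marked_sessions)]
    flows += [Flow(nat_ip, 50000 + i, server, 80, False)
              for i in range(legit_users)]
    # One unrelated site that should never be affected by either policy.
    flows.append(Flow("198.51.100.7", 51000, server, 80, False))
    return flows

def block_key(flow, granularity):
    """Key the firewall would be asked to drop under each policy."""
    if granularity == "source_ip":
        return (flow.src_ip,)
    if granularity == "session":
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
    raise ValueError("unknown granularity: %r" % granularity)

def evaluate(flows, granularity):
    """Count block entries pushed to the firewall and legitimate flows dropped."""
    rules = {block_key(f, granularity) for f in flows if f.marked}
    dropped = sum(1 for f in flows
                  if not f.marked and block_key(f, granularity) in rules)
    return {"firewall_rules": len(rules), "legit_flows_dropped": dropped}

if __name__ == "__main__":
    for n in (1, 100, 5000):
        flows = build_flows(marked_sessions=n, legit_users=25)
        for policy in ("source_ip", "session"):
            print(n, policy, evaluate(flows, policy))
```

Blocking by source IP keeps the firewall at one entry but drops every legitimate user behind the NAT address; per-session blocking drops none of them, but the number of entries pushed to the firewall grows with the volume of marked traffic.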