IDS mailing list archives
RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: Omar Herrera <oherrera () prodigy net mx>
Date: Tue, 17 Dec 2002 13:31:20 -0600
-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Monday, December 16, 2002 08:29 p.m.
To: Dudley, Brian (ISS Chicago)
Cc: focus-ids () securityfocus com
Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

The "we'll present fake hosts and block anyone accessing those" explanation is sooo much more down to earth than the advertised version. Sounds like the 'markers' are just fake services represented through fake banners on ports of unused IPs. I'm not sure what else could be used to "bait'n'track" an attacker, perhaps a fake FTP site with a fake user account list?

If the markers extend beyond just fake banners, then I remain interested. Otherwise I just continue to block sources that access unused IP addresses since it seems to have the same result.

This is all provided that Brian's explanation of the product is accurate. If that's the case, then this is a great example of how carefully crafted advertising language can make a product appear to be something larger than it is. Should Brian's explanation not be accurate, I encourage Forescout to provide further details. Otherwise I'll file it under 'Deceptive Marketing' in the Doghouse....

Indeed, it seems that a honeypot could do all that this tool supposedly does and much better. There you will have evidence of an attack and more assurance on the source of the attack as well.

Still, I also wait for a response from ForeScout; hopefully there might be something interesting in the product, because so far I don't see an advantage over a NIDS+Honeypot solution; it does not seem to have an advantage over one or the other alone either.

Omar Herrera
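The "block sources that access unused IP addresses" approach mentioned in the quoted message, sketched as an added example that is not part of the original posts or of any product discussed. The log format, address ranges, allowlist and the `min_hosts` threshold are assumptions made for illustration, and the sample log is constructed.

```python
import ipaddress
from collections import defaultdict

# All addresses below are constructed documentation-range samples.
MONITORED = ipaddress.ip_network("192.0.2.0/28")
IN_USE = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.2", "192.0.2.5")}
ALLOWLIST = {ipaddress.ip_address("198.51.100.10")}  # e.g. your own scanner

# Constructed connection log: timestamp, source, destination, destination port.
SAMPLE_LOG = """\
2002-12-17T10:00:01 203.0.113.7 192.0.2.9 21
2002-12-17T10:00:02 203.0.113.7 192.0.2.11 80
2002-12-17T10:00:03 203.0.113.50 192.0.2.1 25
2002-12-17T10:00:04 198.51.100.10 192.0.2.9 22
2002-12-17T10:00:05 203.0.113.99 192.0.2.12 23
2002-12-17T10:00:06 not a valid line
2002-12-17T10:00:07 203.0.113.50 192.0.2.200 25
"""

def is_unused(dst):
    """True for a monitored host address that no real machine is assigned to."""
    edge = (MONITORED.network_address, MONITORED.broadcast_address)
    return dst in MONITORED and dst not in IN_USE and dst not in edge

def unused_touches(log_text):
    """Map each non-allowlisted source to the unused (dst, port) pairs it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        try:
            src = ipaddress.ip_address(fields[1])
            dst = ipaddress.ip_address(fields[2])
            port = int(fields[3])
        except ValueError:
            continue
        if src not in ALLOWLIST and is_unused(dst):
            hits[src].add((dst, port))
    return hits

def blocklist(log_text, min_hosts=1):
    """Sources that touched at least min_hosts distinct unused addresses."""
    hits = unused_touches(log_text)
    return [str(s) for s in sorted(hits) if len({d for d, _ in hits[s]}) >= min_hosts]

if __name__ == "__main__":
    for src in blocklist(SAMPLE_LOG, min_hosts=2):
        print("block", src)
```

Raising `min_hosts` and keeping the allowlist current are the two knobs that limit blocking a legitimate host that mistyped an address.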