IDS mailing list archives
RE: Intrusion Prevention
From: Chris Petersen <chris () idsroi com>
Date: Wed, 11 Dec 2002 14:57:14 -0500
Not understanding how "attack traffic fingerprinting" could work in the following 3 scenarios, I dug into what literature I could find on Forescout. Initial scenarios: 1 - Attack occurs in separate TCP session than initial reconnaissance 2 - IP used in attack is different than IP used to scan (e.g., FTP bounce scan, zombie idle scan, etc.) 3 - Scanning takes place over long period of time from many different systems Upon reading the lit, Forescout "marks" an attacker when it detects reconnaissance activity and responds with deception packets. The lit. is very grey about what the "mark" actually is. What I suppose the mark to be is the following: - if an IP probe - deceptive responses sent with known to be invalid, "marked" IP address - if a port probe against single IP - deceptive responses sent with known to be invalid, "marked" open ports. - I would imagine Forescout also sends fake responses indicating actual open ports are closed. Assuming this is the way it works, Forescout then waits for an attack against marked IP or port. Given Forescout is analyzing the destination IP or port, it doesn't matter where the attack originates - dismissing my 3 initial issues. However, it opens up many others. The literature is grey about whether or not the real responses are also sent. I believe the real response along with the deceptive response are sent back to the attacker. I say this because it appears Forescout's blocking mechanism is TCP Reset - more on this later. It does not appear to sit in-line where it could actually drop the response as would a firewall. If this is true, a race condition exists where the Deceptor needs to respond to the attacker before the probed system does - what happens when this fails? Also, if both real and deceptive responses are sent back to attacker, it would seem very possible to fingerprint Forescout by analyzing response traffic looking for overlapping packets. Back to TCP Resets. This appears to be the mechanism by which Forescout will block subsequent attacks assuming the attacker targets a "marked" IP or port. I draw this conclusion based on it being the only blocking mechanism described besides integration with Checkpoint firewall. 100% prevention assumes 100% TCP reset effectiveness. I have trouble with this. I also have difficulty with the following statement taken directly from their data sheet which also professes "Full" protection of known and unknown attacks. "As long as the attacker performed a scan beforehand - which they invariably do - ActiveScout will protect the network." So what happens if the attack is blind? Or when the scan is a single port probe against an authorized service such as SSH or HTTP. I don't see how any technology can separate an attacker typing www.yourdomain.com into a browser from a customer doing the same. As for 0% False Alarms, I think this is actually true because I don't think Forescout detects anything - I think it just waits for traffic destined for marked IP addresses or Ports and begins issuing TCP resets. There is nothing I could find on detection methods - no pattern matching, protocol analysis, etc. It seems entirely predicated on being able to identify and then mark reconnaissance activity and correlate that with follow-on attacks. This is likely very possible in wide, sweeping reconnassiance activities, but if the reconnassiance is distributed, slow, and targeted against likely authorized services, how is 100% accurate reconnassaince detection possible? My analysis is based solely on what I was able to grock from Forescout's web site and is attributed to me alone. I encourage someone to please spell it out for me or fill in the gaps if I'm off base. No doubt Forescout has it's merits and the cool factor is very high - however, not sure the marketing is as 100% as it's purported preventive capabilities. Chris Petersen Entrepreneur and consultant
-----Original Message----- From: Vern Paxson [mailto:vern () icir org] Sent: Tuesday, December 10, 2002 2:13 AM To: intrusi0n () cox net Cc: focus-ids () securityfocus com Subject: Re: Intrusion Prevention FYI, the way it works is by responding to scans with bogus replies that are unique to a particular scan. Then, when subsequent attack traffic includes the fingerprint left in the bogus reply, the IDS immediately knows that the traffic corresponds to an attacker (assuming it correctly identified the initial recon scan as reflecting an attacker); hence, "no false positives". Disclaimer: I'm on Forescout's technical advisory board, hence have a direct interest in the company. (Anti-disclaimer: I joined their board because I do think their technology is cool. :-) Vern
Current thread:
- Re: Intrusion Prevention, (continued)
- Re: Intrusion Prevention Paul Wayne Brager Jr (Dec 09)
- Re: Intrusion Prevention Raistlin (Dec 09)
- Re: Intrusion Prevention roy lo (Dec 10)
- Re: Intrusion Prevention Karl Lynn (Dec 11)
- RE: Intrusion Prevention Avi Chesla (Dec 09)
- Re: Intrusion Prevention Jill Tovey (Dec 09)
- Re: Intrusion Prevention Frank Knobbe (Dec 10)
- RE: Intrusion Prevention Adam Powers (Dec 10)
- RE: Intrusion Prevention Ralph Los (Dec 10)
- Re: Intrusion Prevention Vern Paxson (Dec 10)
- RE: Intrusion Prevention Chris Petersen (Dec 11)
- Intrusion Prevention Johnny Kho (Dec 23)
- RE: Intrusion Prevention Robert_Huber (Dec 11)
- RE: Intrusion Prevention Matthew L. McGuirl (Dec 11)
- RE: Intrusion Prevention Frank Knobbe (Dec 11)
- RE: Intrusion Prevention Carey, Steve T GARRISON (Dec 23)
- Re: Intrusion Prevention Dave Mitchell (Dec 23)
- Re: Intrusion Prevention Randy Taylor (Dec 24)
- Re: Intrusion Prevention Dave Mitchell (Dec 23)
- Re: Intrusion Prevention Rick Williams (Dec 27)
- OSEC [WAS: Re: Intrusion Prevention] Greg Shipley (Dec 29)
- NSS (was Re: Intrusion Prevention) Randy Taylor (Dec 30)