IDS mailing list archives

Re: ForeScout ActiveScout (was: Re: Intrusion Prevention)


From: Karl Lynn <klynn () stackheap org>
Date: Mon, 16 Dec 2002 11:53:00 +0000 (GMT)

My comments below-

On Sun, 15 Dec 2002, Oded Comay wrote:

Greetings,

We have been following this thread with great interest. Sorry for jumping
in late; appreciating the technical quality of this forum, we wanted to
avoid anything that could be viewed as marketing pitch. I will do my best to
avoid it (and sweeping generalizations) in this posting as well. That being
said, some clarifications are in order.

To start with, ActiveScout is not an IDS. Judging it by NIDS standards and
criteria will do injustice to both technologies.

[snip web site marketing material]
ForeScout delivers automated intrusion prevention solutions that precisely
identify and selectively block all types of attacks before they reach the
network.
[/snip web site marketing material]

So, it's an IPS?


Karl Lynn asks whether there will be a problem if he "scans" from one
network and attacks from another. As mentioned above, this is actually a
great feature of ActiveScout. Even if the "attacking" network address is
used sparingly, just for launching the actual attack (after recon done
using a different network block), ActiveScout will detect and block it
from accessing the attacked network.

So you are telling me if I use a shell account in California (making it
obvious here) and a shell account in, let's say, Japan, you're telling me that
if I port scan a machine from my California shell and only port scan once
from my California shell, and I also validly use a browser to check your
homepage via HTTP, seeing that it's an IIS machine... If I then hop on my
shell account on the machine in Japan and run something like an IIS ASP
overflow or an overflow on the printer ISAPI filter, that ActiveScout will
somehow link these two events and block the account in Japan?  Unless you
are blocking me based on some sort of anomaly detection that has nothing
to do with the probe (recon), then I think you might want to enlighten us
on how exactly ActiveScout prevents attacks coming from two separate
networks where a "marker" would never work.

And we haven't said anything about the cool factor...

I'd rather have something that works than something that's cool ;)

Thanks, and seasons greetings to all!

You also...

--

Oded Comay, CTO
ForeScout Technologies
