IDS mailing list archives

RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)


From: "Matthew L. McGuirl" <mmcguirl () lucidsecurity com>
Date: Mon, 16 Dec 2002 14:13:41 -0500

-----Original Message-----
From: Adam Powers [mailto:apowers () lancope com] 
Sent: Sunday, December 15, 2002 9:44 PM
To: Frank Knobbe; focus-ids () securityfocus com
Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

I would also be curious to know how you deal with NATed addresses and
proxies when you're relying on OPSEC or other firewall policy
change-o-matic technologies?

Example: If I'm a bad guy accessing a server protected by ActiveScout
from behind Company A's corporate NATed address(es), how do you prevent
all the other users at Company A from being DOSed out of accessing the
resources on the protected server?

In the scenario Adam describes, they can't help but paint with a broad
brush (i.e. block the source IP) unless they are dropping individual TCP
sessions. Following that path raises another unwieldy issue -- DOS-ing
the firewall that's receiving the SAM "drop & inhibit" commands from the
ActiveScout. If an attacker were to somehow learn that the target
host/network was protected by an ActiveScout/FW-1 firewall combo he
could conceivably send enough "marked" traffic at the target to
seriously degrade the firewall's performance.

Regards,
 
Matt

Matt McGuirl                                
Lucid Security Corporation            
Email: mmcguirl () lucidsecurity com
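The two failure modes discussed above (one block on a shared NAT address cuts off everyone behind it, and an attacker who knows the target auto-blocks can drive the responder into pushing rules at the firewall) can be seen in a small model. This is an added example, not code from the thread, from ForeScout or from Check Point; the rule table, the TTL, the rule cap and the NAT allowlist are assumptions made for illustration and are not ActiveScout or FW-1 SAM parameters. The addresses are constructed.

```python
import ipaddress
from collections import OrderedDict


class AutoBlocker:
    """Toy model of an IDS that pushes per-source-IP 'inhibit' rules to a
    firewall. max_rules, ttl and nat_allowlist are assumptions added for
    illustration; they are not ActiveScout or FW-1 SAM parameters."""

    def __init__(self, max_rules, ttl, nat_allowlist=()):
        self.max_rules = max_rules
        self.ttl = ttl
        self.nat_allowlist = {ipaddress.ip_address(a) for a in nat_allowlist}
        self.rules = OrderedDict()  # blocked source -> expiry timestamp
        self.pushed = 0             # rule-insert commands sent to the firewall
        self.refused = 0            # marks not turned into rules (table full)

    def _expire(self, now):
        for ip, expiry in list(self.rules.items()):
            if expiry <= now:
                del self.rules[ip]

    def mark(self, src_ip, now):
        """Handle one 'marked' event from the sensor; returns what was done."""
        self._expire(now)
        ip = ipaddress.ip_address(src_ip)
        if ip in self.nat_allowlist:
            return "skipped-shared-address"  # would block a whole office
        if ip in self.rules:
            self.rules[ip] = now + self.ttl  # already blocked: extend only
            return "refreshed"
        if len(self.rules) >= self.max_rules:
            self.refused += 1                # bounded: no new rule pushed
            return "table-full"
        self.rules[ip] = now + self.ttl
        self.pushed += 1
        return "blocked"

    def allowed(self, src_ip, now):
        """Would the firewall pass a new connection from src_ip at time now?"""
        self._expire(now)
        return ipaddress.ip_address(src_ip) not in self.rules


NAT_GATEWAY = "203.0.113.10"  # constructed: Company A's single public address


def nat_collateral_damage():
    """One bad actor behind Company A's NAT triggers a block on the shared
    address; every colleague using that address is then refused too."""
    naive = AutoBlocker(max_rules=1000, ttl=600)
    naive.mark(NAT_GATEWAY, now=0)
    colleague_ok_naive = naive.allowed(NAT_GATEWAY, now=60)

    aware = AutoBlocker(max_rules=1000, ttl=600, nat_allowlist=[NAT_GATEWAY])
    aware.mark(NAT_GATEWAY, now=0)
    colleague_ok_aware = aware.allowed(NAT_GATEWAY, now=60)
    return colleague_ok_naive, colleague_ok_aware


def rule_flood(n_sources=1000):
    """An attacker who knows the target auto-blocks sends 'marked' traffic
    from many addresses. Without a cap every event becomes a firewall
    rule; with a cap the number of rules is bounded, but once the table is
    full later marks (including genuine ones) are refused, so the cap is
    itself a trade-off rather than a fix."""
    base = int(ipaddress.ip_address("198.51.100.0"))  # constructed source block
    unbounded = AutoBlocker(max_rules=10**9, ttl=3600)
    capped = AutoBlocker(max_rules=256, ttl=3600)
    for i in range(n_sources):
        src = str(ipaddress.ip_address(base + i))
        unbounded.mark(src, now=i)
        capped.mark(src, now=i)
    return unbounded.pushed, capped.pushed, capped.refused


if __name__ == "__main__":
    print("colleague allowed (naive, NAT-aware):", nat_collateral_damage())
    print("rules pushed (unbounded, capped, capped-refused):", rule_flood())
```

The NAT-aware variant only avoids the collateral damage by not blocking the shared address at all, which is exactly the point made above: without dropping individual TCP sessions, the responder either blocks the whole office or does nothing about that source. The flood case shows why a responder that turns every marked packet into a firewall command needs a bound on outstanding rules, and why that bound has to be chosen with the refused-mark behaviour in mind.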


