IDS mailing list archives

RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)


From: "Dudley, Brian (ISS Chicago)" <BDudley () iss net>
Date: Mon, 16 Dec 2002 14:46:00 -0500

A scan is launched at a web server farm by a hacker or a worm; ActiveScout replies with bogus information about web
servers that do not exist. Then the hacker or automated worm takes this information and tries to launch an attack at
these bogus hosts, and immediately ActiveScout blocks the attacker's IP. It knows that nobody should send a request to
an IP that does not exist. So it doesn't matter if you are from the original scanning IP address or a separate address.
The only thing that matters is you are trying to attack a host that does not exist. Now if you get lucky and launch
an attack from a separate IP at a valid server IP then your traditional IDS should catch it; however, automated attacks
take scan info and launch at all IPs and therefore worms like Slapper or Code Red should be automatically blocked.
This product is a supplement to regular IDS/IPS which will detect and block single-host attacks with no pre-attack
probe. The beauty is that it blocks unknown automated attacks like Code Red, Nimda, Slapper, etc... Remember Defense
in Depth... There is no silver bullet...

Having said that, a problem I see is if the attacker knows you are using this technology and spoofs the source address
of one of your business partners, DNS server, etc. in a packet destined to a bogus ActiveScout IP, which could
potentially DoS your network. This may be mitigated if ActiveScout ensures that a full TCP session is established
before blocking the offending IP.

-Brian

-----Original Message-----
From: Karl Lynn [mailto:klynn () stackheap org]
Sent: Monday, December 16, 2002 6:53 AM
To: Oded Comay
Cc: focus-ids () securityfocus com
Subject: Re: ForeScout ActiveScout (was: Re: Intrusion Prevention)


My comments below-

On Sun, 15 Dec 2002, Oded Comay wrote:

> Greetings,
>
> We have been following this thread with great interest. Sorry for jumping
> in late; appreciating the technical quality of this forum, we wanted to
> avoid anything that could be viewed as a marketing pitch. I will do my best to
> avoid it (and sweeping generalizations) in this posting as well. That being
> said, some clarifications are in order.
>
> To start with, ActiveScout is not an IDS. Judging it by NIDS standards and
> criteria will do injustice to both technologies.

[snip web site marketing material]
ForeScout delivers automated intrusion prevention solutions that precisely
identify and selectively block all types of attacks before they reach the
network.
[/snip web site marketing material]

So, it's an IPS?


> Karl Lynn asks whether there will be a problem if he "scans" from one
> network and attacks from another. As mentioned above, this is actually a
> great feature of ActiveScout. Even if the "attacking" network address is
> used sparingly, just for launching the actual attack (after recon done
> using a different network block), ActiveScout will detect and block it
> from accessing the attacked network.

So you are telling me if I use a shell account in California (making it
obvious here) and a shell account in, let's say, Japan, you're telling me that
if I port scan a machine from my California shell and only port scan once
from my California shell and I also validly use a browser to check your
homepage via HTTP, seeing that it's an IIS machine... If I then hop on my
shell account on the machine in Japan and run something like IIS ASP
overflow or an overflow on the printer ISAPI filter, that ActiveScout will
somehow link these two events and block the account in Japan? Unless you
are blocking me based on some sort of anomaly detection that has nothing
to do with the probe (recon), then I think you might want to enlighten us
on how exactly ActiveScout prevents attacks coming from two separate
networks where a "marker" would never work.

> And we haven't said anything about the cool factor...

I'd rather have something that works than something that's cool ;)

> Thanks, and seasons greetings to all!

You also...

> --
>
> Oded Comay, CTO
> ForeScout Technologies
