Re: ForeScout ActiveScout

[Brent Stackhouse <brentstackhouse () yahoo com>]

Gadi,

Thanks very much for your detailed response.  I
understand their definition of 100% accuracy but it
still begs the question as to how they make the
initial determination of what to track or not.  Surely
they don't send their crafted data on every single
connection to see if it comes back.  Their web site
states that ActiveScout is looking for recon activity
so some threshold or "trigger" must exist for them to
differentiate recon from legitimate traffic.

Their site also states that they're not signature
based.  Again, if they have some sort of logic based
on thresholds (x amount of TCP packets per minute from
the same source IP, etc.), it sounds like a signature
to me.  At least I know that Cisco, ISS, etc. all have
threshold-based signatures in their IDS products.

All that aside, I saw the results of a SuperScan port
scan that included a bunch of junk caused by
ActiveScout.  I would think that feeding an attacker a
bunch of info that leads them to believe that you're
really vulnerable is not a great idea (like open
SunRPC ports, NetBIOS, etc.).  I want less attention,
not more.  I suspect that anything out-of-the-ordinary
would perhaps cause more attention.  This is sort of a
honeypot idea gone berserk.  Instead of one host
appearing vulnerable, all of your hosts appear
vulnerable.

Anyway, it doesn't sound like it buys much, if
anything, over "traditional" IDS/IPS.

Thanks, 

Brent



--- Gadi Evron <ge () linuxbox org> wrote:

> Brent Stackhouse wrote:
> > Hello,
>
> Hi.
>
> I tested ActiveScout, so I'd like to respond. Before
> hand, allow me to 
> say that although I've used different IDS/IPS
> products extensively, and 
> tested many of them (companies always want to test
> them on our network, 
> being, according to comparisons I made so please
> don't take my word for 
> it, one of the most attacked networks in the world).
>
> I am by no way close to being an IDS/IPS expert nor
> was I ever involved 
> in development of such, save for writing signatures
> and a good 
> understanding of theory.
>
> > Just a quick question on ForeScout ActiveScout as
> to
> > whether anyone out there has used/eval'd it.  I'm
> > working with a client that is using an old version
> > (2.7.x, I believe), is considering an upgrade, and
> I'm
> > not sure it's worth the time and effort.
>
> The upgrade is extremely easy and quick (or should
> be, and was for me). 
> Cost vs. benefit. I don't see why not. Go for it,
> there are improvements.
>
> > They claim 100% accuracy which we all know is
> silly. 
>
> Usually, I'd be the first to agree. Still, in this
> case, they claim 
> right. How come?
>
> Basically, as far as I understand it, they say: "we
> wait for you to 
> check us out, and then we watch you. If you come
> back and try something 
> evil, we will know it is you and that you are trying
> it".
>
> Now, I still don't like "100%" claims regardless,
> but under this 
> definition, they are right. They don't catch 100% of
> all attacks, but it 
> is "virtually impossible" for them to make a false
> positive if all 
> things are even (no bug or weird network issues),
> and things are usually 
> even.
>
> In my personal experience, false positives COULD
> rarely occur with weird 
> network issues (and that's not their fault), but in
> my experience 
> ActiveScout will then MONITOR an IP it shouldn't,
> but it wouldn't block 
> it. What's the harm in that?
>
> > Their whole methodology is based on an attacker
> using
> > recon in advance of an attack and that the recon
> > activity is detectable enough to start interfering
> > with it.
>
> Yep.
>
> > > From what I can gather from ForeScout's literature
> and
> > the management console of the app itself, when
> it's
> > able to run at all (Java-based, slow as dirt),
> this
>
> It works fine for me. Maybe your machine is slow as
> dirt.
>
> I do agree it has a rather old look. I personally
> really dislike it, but 
> it's just a GUI.
>
> > product sits on the outside of the perimeter and
> looks
> > for suspicious traffic via a span session.  When
> it
> > detects scans or similar recon activity, it can
> both
> > send back spurious information to the source IP
> and
> > update a firewall to block it.  It seems to track
> > attacking IP's based on the spurious info it
> already
> > fed them.
>
> It's really an incredible concept (if we leave the
> product aside for a 
> second). They feed the probing (not attacking) user
> false data. If that 
> IP returns, it is a bad guy. If another one returns
> with the false data 
> - it is the same guy, and he is obviously evil.
> Thresholds can be set, 
> nobody said that if you went to port 445 instead of
> 443 twice, you'd 
> trigger it. Very configurable. Plus, if I remember
> correctly, there are 
> thresholds for preventing it from getting DDoS'd as
> well.
>
> As to blocking - you don't have to let it use the
> FW. It can send resets.
>
> They have a pretty neat (yet old looking) picture of
> the world, too. It 
> really helps out with the budget people.
>
> > Also, this version doesn't seem to track SMTP and
> DNS,
> > two of the most oft-attacked protocols out there.
>
> Why should it? It is not a regular IDS or IPS and in
> no way comes to 
> replace them. If it sees a bad user doing something
> that would demand 
> him being "marked" - which can be any number of
> things (but not that 
> many really - there aren't THAT *many* ways to
> gather recon), and he 
> tries something against SMTP...
> The user may also attempt something horizontally
> (against one machine on 
> many ports) or vertically (against many machines on
> one port), etc.
>
> > Having run one or two firewalls and NIDS setups
> > myself, I'm not clear on the benefit of this beast
> > compared to either inline IPS or IDS plus firewall
> > blocking (or a firewall and patched servers, while
> I'm
> > going that way).
>
> Simple benefit is, you can put it on your network,
> not monitor it at 
> all, and it would do it's job.
>
> More complicated benefit is, it will catch attacks,
> new worms, etc. 
> regardless of there being a signature for it, and
> without (at least 
> shouldn't be) any false positives (under their
> definition).
>
> > Stupid question - if my perimeter devices,
> including
> > DMZ servers, are patched, why the heck would I
> want to
>
> So? What if it is a 0day? What if there is no patch
> yet? What if it is a 
> port scan? What if it is any number of other things?
> (some of which you 
> may not personally care about)
>
> > send back _any_ data to an attacker?  I guess if
> your
> > servers weren't patchable for some reason, maybe
> you'd
> > want to fake that they really are.  Um, okay. 
> > Probably better ways to handle that.  I would
> think
>
> It's an issue of if you want to run an honey pot and
> look all happy and 
> shiny to the attackers, or not. It isn't necessarily
> about their product.
>
> > that if my perimeter is properly locked-down, I'm
> > quite happy for an attacker to scan it and figure
> that
> > out for themselves - assuming they get much of a
> scan
> > past IPS/IDS/firewall.
>
> It isn't a regular IPS.
>
> > What am I missing?  Thanks for the feedback.
>
> No technology is perfect, and they seem to learn and
> evolve with time as 
> expected. It isn't for everybody, and trusting it is
> not a simple issue 
> for a paranoid mind, but hey - that's the same with
> any IPS or anything 
> that blocks automatically.
>
> If you already have it - upgrade, why not? If you
> don't I'd strongly 
> recommend it, but not if what you want is an IPS
> with shiny and cool 
> signatures.
>
> Now, I don't speak for ForeScout, so I may have
> things wrong. All I am 
> is a guy who tested the product.
>
> Try seeing what the point of this product it. Before
> I got it, I really 
> didn't like it and kept expecting something
> different from it.. heck, I 
> even blamed it for some DDoS, but it isn't a DDoS
> mitigation tool, is it 
> now?
>
> Use this chance to see how it works, and reach your
> own conclusions. :)
>
>       Gadi Evron.



                
__________________________________ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com 
 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------