IDS mailing list archives
Re: ForeScout ActiveScout
From: dywzh dywzh <zhihen.wang () gmail com>
Date: Fri, 7 Jan 2005 23:28:30 -0500
One of the biggest challenges in intrusion detection is to differentiate bad from good with precision and ahead of the attack. Locking the server down, or patching to the latest, will only help you last until the next brand-new unknown attack surfaces. And if you are lucky (i.e. your security vendor notifies you before the actual propagation hits you), then you might have a chance to be immunized, but what if you run out of luck, what if your security vendor hasn't even noticed such an attack yet ... So to win this battle against the attackers, we have to take a proactive, or better yet pre-emptive, approach; sitting there trying to lock down the server following some other guy's hardening steps, or begging M$ for a patch release, is just not good enough to protect yourself.

All right, back to this ForeScout approach: they throw some fake but enticing bone (information) back to the attackers or would-be attackers to try to find out the intent behind such perimeter scanning activities; if that intent is proven to be bad, then they take appropriate action, such as notifying the firewall. I personally think this is a pretty neat approach, sort of being proactive. But one weak point I see in their approach (or their product offering) is that they narrowed their intrusion detection scope to only that traffic going to the fake place.

Recently, I have been exposed to a start-up security company, CyberShield Networks. They developed a similar approach to enable users to be proactive, but the complete package they offer goes way beyond just reporting attacks from the fake place: they cover intrusion detection over the entire IP space assigned under their protection. Also they implemented a RADAR screen and transformed attacks into blips on the RADAR, which makes our security guys' lives a lot easier as far as sorting out the priorities among the reported attacks. Pretty cool stuff. Anyway, I hope this helps you a little bit.
ZhiHen, CISSP
Senior Security Analyst
Shanghai Rasing Consulting, China, Inc.

----------------------

Hello,

Just a quick question on ForeScout ActiveScout as to whether anyone out there has used/eval'd it. I'm working with a client that is using an old version (2.7.x, I believe) and is considering an upgrade, and I'm not sure it's worth the time and effort. They claim 100% accuracy, which we all know is silly. Their whole methodology is based on an attacker using recon in advance of an attack, and on that recon activity being detectable enough to start interfering with it.

From what I can gather from ForeScout's literature and the management console of the app itself, when it's able to run at all (Java-based, slow as dirt), this product sits on the outside of the perimeter and looks for suspicious traffic via a SPAN session. When it detects scans or similar recon activity, it can both send back spurious information to the source IP and update a firewall to block it. It seems to track attacking IPs based on the spurious info it already fed them. Also, this version doesn't seem to track SMTP and DNS, two of the most oft-attacked protocols out there.

Having run one or two firewalls and NIDS setups myself, I'm not clear on the benefit of this beast compared to either inline IPS or IDS plus firewall blocking (or a firewall and patched servers, while I'm going that way). Stupid question: if my perimeter devices, including DMZ servers, are patched, why the heck would I want to send back _any_ data to an attacker? I guess if your servers weren't patchable for some reason, maybe you'd want to fake that they really are. Um, okay. Probably better ways to handle that. I would think that if my perimeter is properly locked down, I'm quite happy for an attacker to scan it and figure that out for themselves, assuming they get much of a scan past IPS/IDS/firewall. What am I missing?

Thanks for the feedback.

Brent Stackhouse, GSEC/GCIH, etc.

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
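The bait-and-track mechanism both posts describe (answer recon with spurious information, then treat any later use of that information as confirmed intent and hand the source to the firewall), as an added toy example written for this page; it is not ForeScout's, CyberShield's or either poster's code. The log format, hostnames and addresses are constructed, and the `BaitTracker` class and `run` helper are assumptions of the example.

```python
"""Added example (not ForeScout's, CyberShield's or either poster's code): a toy
model of "answer recon with bait, then watch for the bait being used". A scanning
source is handed a fabricated hostname that exists nowhere on the real network;
a later connection naming that host can only have come from the recon data, so
intent is treated as confirmed and the source is queued for a firewall block.
Log format, hostnames and addresses are all constructed for this example."""
import re
import secrets

# Constructed log format: "<src_ip> scan <dst_port>" or "<src_ip> connect host=<name>"
SCAN_RE = re.compile(r"^(\S+) scan (\d+)$")
CONN_RE = re.compile(r"^(\S+) connect host=(\S+)$")


class BaitTracker:
    def __init__(self):
        self.bait_for_ip = {}  # scanning IP -> bait hostname handed to it
        self.ip_for_bait = {}  # bait hostname -> IP it was handed to
        self.block_list = []   # (ip_to_block, reason) entries for the firewall

    def answer_scan(self, src_ip):
        """Return the bait hostname to feed back to a scanning source (one per IP)."""
        if src_ip not in self.bait_for_ip:
            bait = f"mail-{secrets.token_hex(3)}.corp.example"  # never a real host
            self.bait_for_ip[src_ip] = bait
            self.ip_for_bait[bait] = src_ip
        return self.bait_for_ip[src_ip]

    def process(self, line):
        """Handle one log line; return a block entry when bait reuse confirms intent."""
        m = SCAN_RE.match(line)
        if m:
            self.answer_scan(m.group(1))  # recon seen: hand out bait, no block yet
            return None
        m = CONN_RE.match(line)
        if not m or m.group(2) not in self.ip_for_bait:
            return None  # real host or unknown name: not evidence by itself
        src, bait = m.group(1), m.group(2)
        # Reuse from a different address still counts: the bait marks the recon
        # data rather than the scanning host, which keeps the attacker trackable.
        entry = (src, f"used bait {bait} fed to {self.ip_for_bait[bait]}")
        self.block_list.append(entry)
        return entry


def run(lines, tracker=None):
    """Feed log lines through a tracker and return the resulting block list."""
    tracker = tracker or BaitTracker()
    for line in lines:
        tracker.process(line)
    return tracker.block_list
```

Note that, as in Brent's description, nothing here inspects the scan traffic itself beyond recognising it; the evidence of intent comes only from the bait being used later, which is exactly the narrow scope ZhiHen points out.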
Current thread:
- ForeScout ActiveScout Brent Stackhouse (Jan 07)
- Re: ForeScout ActiveScout Gadi Evron (Jan 08)
- Re: ForeScout ActiveScout Brent Stackhouse (Jan 08)
- Re: ForeScout ActiveScout Gadi Evron (Jan 10)
- Re: ForeScout ActiveScout Brent Stackhouse (Jan 08)
- <Possible follow-ups>
- RE: ForeScout ActiveScout Carey, Steve T GARRISON (Jan 08)
- Re: ForeScout ActiveScout dywzh dywzh (Jan 10)
- Re: ForeScout ActiveScout Brent Stackhouse (Jan 10)
- Re: ForeScout ActiveScout Gadi Evron (Jan 12)
- Re: ForeScout ActiveScout Erik F (Jan 12)
- Re: ForeScout ActiveScout Gadi Evron (Jan 08)