IDS mailing list archives
Re: ForeScout ActiveScout
From: Erik F <efortin () solstice vtc vsc edu>
Date: 10 Jan 2005 18:27:40 -0000
In-Reply-To: <20050107031424.49127.qmail () web41103 mail yahoo com>

<CAUTION: HUMOR AND SARCASM>

First of all, let's review the topic of patching. A patch is an update to software that's broken in a variety of ways, including, but not limited to, bug fixes and security issues. I don't even think that certain vendors take their patching seriously. For example, a "critical security update" for an office font was released because it has some 'offensive' characters in it ... critical for whom?! And then they make it so you can't get any new updates until you apply the new font... so, if you don't apply this "critical" but unnecessary update, you might not even know that you are missing patches!

Now let's assume you *are* patched with *all* the vendor's patches. Every one of them. So having all your exposed services patched (and services configured properly) would, in theory, make your network 100% secure, in combination with your firewalls being correctly configured, of course. This leaves your IDS sitting there gathering data on would-be exploits, but nothing will ever come of them because you *are* patched. Leaving you, supposedly, with nothing to worry about. Nice feeling, isn't it? Quite peaceful.

Let's be realistic here. Systems are not just vulnerable between the time the patch is released by a vendor and the time you apply it. I've heard many sysadmins, approx. once a month, say things like "Another vulnerability came out today. *Sigh* I guess I'll be patching our servers again tonight." It's very important to make them realize that the *vulnerability* has been out for a long time and it was only recently patched by the vendor. And we make the wild assumption that the patch works and that it doesn't introduce any new vulnerabilities. The vendor released the problem code in the first place; what makes anyone think that they are incapable of doing it again?! And if you are 100% patched, you should NEVER have to patch again, right? 100% means 100%, right?

Wrong! You've only applied 100% of the available patches. So why another release of patches? It comes from the vulnerabilities that are STILL in your 100% patched systems. Just accept it: you'll never be 100% patched. And you should be happy about this; you'll always have a job because the patching and upgrades will never end. Well, I'm assuming that a system you maintain doesn't get compromised on a zero-day and they fire your ass. ;-) So, our job as security people is risk mitigation, not complete protection. Hey, people have accepted the concept of something not working 100% in other products; why do they have such a hard time accepting this same concept in the computer security field? Condoms = risk mitigation, not elimination.

You have your firewalls to police traffic into, and hopefully out of, your network. Your systems are patched for most commonly known vulnerabilities. Your IDS is probably only looking for known signatures. Your virus scanner is most likely only looking for known signatures as well. If you are lucky, you have some (N)IPS or HIPS blocking based on inappropriate behavior, and hopefully it catches whatever new exploit is out there. ActiveScout isn't intended to replace your firewall or your IDS. It's intended to complement these systems you already have in place. It REALLY IS damn near 100% accurate as far as false positives are concerned. There is the issue of missed attacks, but that's what you have the other systems for, isn't it?

Information is power. Let's say I scan your network for IIS servers and save their version numbers. I find an instance of IIS running on an IP that doesn't have any DNS associated with it. Maybe this is hidden to most of the world, but it's not hidden from a quick port scan. So, move the port to something that's not the default; a scan will find that too with a little bit more work.

Now suppose I know what version of IIS you are running on a system and it's completely patched, and I really want to hack into your network ... maybe I can't easily do it right now... so, I wait. Think about this: who do you think is faster, a hacker waiting to exploit a vulnerability on a known vulnerable system, or a vendor producing a patch for a vulnerability, releasing it, you downloading it, (maybe) testing it and then applying it and rebooting the server? I'll just wait; we'll see who wins this little race.

ActiveScout gives a scanner so much misinformation that the attackers have a seriously hard time figuring out what is real and what is virtual. This essentially takes away a lot of their knowledge by making them work harder for it. This by itself is only an "ok" tactic, but now suppose that you also block the IP addresses of these attackers. Wouldn't you think this would mitigate risk?

I know what you are thinking: maybe the attacker spoofs the source IP. Well, ActiveScout only blocks addresses that can be confirmed as attacking, using techniques such as marking the data in the application layer and watching for these marks to return, in addition to watching for complete TCP handshaking. So, where your IDS may have tons of false positives, ActiveScout is nearly 100% accurate because it's not looking for signatures that occur frequently in real legitimate traffic. And it really does come very close to 100% accuracy in identifying attackers. I've had one false block in two-plus years of running ActiveScout, and it was from a user going to http instead of httpS. I've since excluded that http port. I don't know what the false positive rate is for *your* IDS (ignoring the fact it probably doesn't accurately identify the attacker's IP), but you'd have to be insane to implement it as part of a firewall blocking system that blocks all traffic from the suspected IP. Many IDSs will alert on a single packet regardless of any connection state information.

ActiveScout takes very little effort to maintain, and it sets up in about 20 minutes. Upgrades are just about idiot proof and take very little time and interaction from the user. I don't know what you're running your Java on, but maybe you should think about an upgrade. I have a console (not my primary console) on a P300 with 128MB that works just fine. You can probably get one of those for less than $200.

Also, as a side effect, ActiveScout actually reduces the number of IDS alerts you receive. Mine went down by a factor of 100 after installing ActiveScout. Maybe I get paid more, but ActiveScout has easily paid for itself just in the time I save managing my other security products. Besides, it also makes pretty maps and graphs to show management, which really helps them to understand and be able to quantify this invisible threat, making it easier to get cash for security products in the future. This saves me time again, but this time on the begging end of the scale.

If you can save time, money, and mitigate more risk by spending 20 minutes to implement ActiveScout, why not use it? Of course, maybe there is a little masochist in everybody. ;-)

</CAUTION: HUMOR AND SARCASM>
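The post's argument for why a confirmed-attacker block list has so few false blocks rests on two state checks: the source must have completed a TCP handshake (so the address is not spoofed from off-path) and must have sent back a marker that only a decoy response could have given it. The following Python model, added here as an illustration and not ForeScout's code or anything from the post, contrasts that with a single-packet alerting IDS on a constructed event stream. The marker string, the event format, the sample addresses (from documentation ranges) and the excluded-port set are all assumptions made for the example; the excluded port mirrors the author's remark about excluding a plain-HTTP port after one false block.

```python
"""Toy model of 'confirm before you block': only a source that completed a
TCP handshake AND returned an application-layer decoy marker is placed on
the block list. A single-packet IDS, by contrast, alerts on anything.

Added example, not ForeScout code. All values below are constructed."""

from dataclasses import dataclass, field

# Hypothetical marker a decoy service embeds in its fake responses. If a later
# request carries it back, the sender really read our response, so its source
# address could not have been forged from off-path.
DECOY_MARK = "decoy-mark-7f3a"

# Ports whose hits never lead to a block (the post excludes a plain-HTTP port
# after a user typed http:// instead of https://).
EXCLUDED_PORTS = {80}


@dataclass
class Confirmer:
    handshaked: set = field(default_factory=set)    # completed a 3-way handshake
    confirmed: set = field(default_factory=set)     # proven real AND probing decoys
    naive_alerts: set = field(default_factory=set)  # what a stateless IDS would flag

    def observe(self, src_ip: str, dst_port: int, event: str, payload: str = "") -> None:
        """Feed one constructed traffic event; event is 'syn', 'handshake' or 'data'."""
        if event == "syn":
            # A lone SYN is trivially forgeable: alert at most, never block on it.
            self.naive_alerts.add(src_ip)
        elif event == "handshake":
            # Finishing the handshake requires receiving our SYN/ACK, so the
            # peer at this address is genuinely the one talking to us.
            self.handshaked.add(src_ip)
        elif event == "data":
            self.naive_alerts.add(src_ip)
            if dst_port in EXCLUDED_PORTS:
                return  # known source of legitimate mistakes; never block here
            if src_ip in self.handshaked and DECOY_MARK in payload:
                self.confirmed.add(src_ip)


def classify(events):
    """Return (confirmed_block_list, naive_alert_list), both sorted."""
    c = Confirmer()
    for src_ip, dst_port, event, payload in events:
        c.observe(src_ip, dst_port, event, payload)
    return sorted(c.confirmed), sorted(c.naive_alerts)


# Constructed sample traffic using documentation IP ranges (not real hosts).
SAMPLE_EVENTS = [
    ("203.0.113.5",   445,  "syn",       ""),                          # spoofable SYN only
    ("198.51.100.9",  8080, "handshake", ""),
    ("198.51.100.9",  8080, "data",      f"GET /{DECOY_MARK}/admin"),  # reused decoy data
    ("192.0.2.44",    8080, "data",      f"GET /{DECOY_MARK}/"),       # marker, no handshake
    ("198.51.100.10", 80,   "handshake", ""),
    ("198.51.100.10", 80,   "data",      f"GET /{DECOY_MARK}/"),       # excluded port
]

if __name__ == "__main__":
    blocked, alerted = classify(SAMPLE_EVENTS)
    print("would block:", blocked)
    print("stateless IDS would alert on:", alerted)
```

Only 198.51.100.9 ends up on the block list: it both completed the handshake and echoed the marker. The SYN-only scanner, the marker-without-handshake sender and the hit on the excluded port all still show up as alerts, which is exactly the set a stateless IDS would hand to a firewall if it were wired up for blocking.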
Current thread:
- ForeScout ActiveScout Brent Stackhouse (Jan 07)
- Re: ForeScout ActiveScout Gadi Evron (Jan 08)
- Re: ForeScout ActiveScout Brent Stackhouse (Jan 08)
- Re: ForeScout ActiveScout Gadi Evron (Jan 10)
- Re: ForeScout ActiveScout Brent Stackhouse (Jan 08)
- <Possible follow-ups>
- RE: ForeScout ActiveScout Carey, Steve T GARRISON (Jan 08)
- Re: ForeScout ActiveScout dywzh dywzh (Jan 10)
- Re: ForeScout ActiveScout Brent Stackhouse (Jan 10)
- Re: ForeScout ActiveScout Gadi Evron (Jan 12)
- Re: ForeScout ActiveScout Erik F (Jan 12)
- Re: ForeScout ActiveScout Gadi Evron (Jan 08)