IDS mailing list archives

Re: IPS Vendor - Customer Experiences


From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 23 Jun 2006 14:38:11 +0200

gmariuz () msn com wrote:
> Signatures... Are you kidding? You are looking for a signature-based IPS?

Which would be the vast majority of IPSs around, but...

> save yourself a huge hassle and cost.... www.forescout.com

Let me see... quoting from the website:

> ForeScout's solution has proven its accuracy by detecting in real-time
> every self-propagating threat to date and has gained the trust of 100%
> of our customers who use the appliances in automatic blocking mode.

Wow, 100% detection on a non-declared base of worms to date! That's
impressive.

And 100% of the customers (which may be 1, 2 or 100) use the appliance
in automatic blocking mode... impressive indeed. So how is this wonder
performed? Let's see...

> any unsanctioned reconnaissance presents a high potential for
> malicious activity and can be used to identify attackers with 100% accuracy.

Besides the fact that this is blatantly false (since you can generate
fictitious scanning activity on behalf of someone else, and since you
can attack without doing reconnaissance directly; see "google hacking"
for a clue on how real-world things work), you still have a problem.

You have to detect "reconnaissance".

And to detect reconnaissance, either you use signatures or anomaly
detection methods.

So, either way, what the page claims is not true.

> ForeScout's patented Active Response™ methodology

Which, like most patented methodologies, has been known to everyone
since honeypots, network telescopes, arpd and the concept of black holes
were developed years ago...

Anyway, since it's patented, there is no need to be mysterious, is
there? So, I'd just love to be pointed to scientific or technical
whitepapers which describe the marvellous, complex algorithm that you
have invented and that I cannot - currently - imagine going beyond what
you obtain by combining arpd, honeyd and a couple of scripts...

> Appliances provide marked information to the inquiring source.

Which would be, for instance, faking the presence of a service?

Well, I have never, ever met one of your customers, let alone any of
your prospects, but if asked for a preliminary opinion on this Patented
Trademarked Technology I think I would borrow your own words: "Are you
kidding?!"

Sincerely,
Stefano Zanero
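As an added illustration of the point made above about spoofed reconnaissance and "marked information" (this is not code from the post, nor from ForeScout): a toy Python model of a decoy responder that answers probes to decoy ports with a fake service and compares a policy that blocks every probing address with one that blocks only the address that later acts on the mark. The class and function names are hypothetical and the traffic is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # "probe": a single request to a port; "connect": a completed handshake
    src: str       # address seen on the wire; a probe's src can be forged, a connect's cannot
    dst_port: int


class DecoyResponder:
    """Hypothetical model of 'marked information': probes to decoy ports are answered as
    if a service existed there, and the responder remembers who was shown each decoy."""

    def __init__(self, decoy_ports, block_on_probe):
        self.decoy_ports = set(decoy_ports)
        self.block_on_probe = block_on_probe  # True: treat every probe source as an attacker
        self.shown = {}                       # decoy port -> last source shown the fake service
        self.blocked = set()

    def handle(self, ev):
        if ev.dst_port not in self.decoy_ports:
            return "ignored"                  # real or plainly closed port: no decoy involved
        if ev.kind == "probe":
            self.shown[ev.dst_port] = ev.src  # hand out the mark
            if self.block_on_probe:
                self.blocked.add(ev.src)      # "reconnaissance identifies attackers with 100% accuracy"
            return "marked"
        # Only a host that received the mark knows this port looks open; the address that
        # completed the handshake is the one that acted on it, so that is what gets blocked.
        self.blocked.add(ev.src)
        return "mark_used"


def blocked_after(events, block_on_probe):
    """Replay a constructed event list and return the addresses the policy would block."""
    d = DecoyResponder(decoy_ports={8088, 9999}, block_on_probe=block_on_probe)
    for ev in events:
        d.handle(ev)
    return d.blocked


# Constructed traffic (documentation addresses). 203.0.113.7 scans from its own address
# but some of its probes carry the forged source 198.51.100.5, an uninvolved host.
# It later connects, from its real address, to the decoy it was shown.
TRAFFIC = [
    Event("probe", "198.51.100.5", 22),      # forged source, real port
    Event("probe", "198.51.100.5", 8088),    # forged source hits a decoy: innocent host "marked"
    Event("probe", "203.0.113.7", 9999),     # real source hits a decoy
    Event("connect", "203.0.113.7", 9999),   # the scanner acts on the fake service it was shown
]
```

With `block_on_probe=True` the uninvolved host 198.51.100.5 is blocked alongside the scanner; with `block_on_probe=False` only 203.0.113.7, the address that actually used the mark, is blocked.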
