Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

ForeScout ActiveScout

from [Brent Stackhouse] Network Security [Permanent Link]
Subject: ForeScout ActiveScout
Date: Thu, 6 Jan 2005 19:14:24 -0800 (PST) 
Hello,

Just a quick question on ForeScout ActiveScout as to
whether anyone out there has used/eval'd it.  I'm
working with a client that is using an old version
(2.7.x, I believe), is considering an upgrade, and I'm
not sure it's worth the time and effort.

They claim 100% accuracy which we all know is silly. 
Their whole methodology is based on an attacker using
recon in advance of an attack and that the recon
activity is detectable enough to start interfering
with it.


From what I can gather from ForeScout's literature and

the management console of the app itself, when it's
able to run at all (Java-based, slow as dirt), this
product sits on the outside of the perimeter and looks
for suspicious traffic via a span session.  When it
detects scans or similar recon activity, it can both
send back spurious information to the source IP and
update a firewall to block it.  It seems to track
attacking IP's based on the spurious info it already
fed them.

Also, this version doesn't seem to track SMTP and DNS,
two of the most oft-attacked protocols out there.

Having run one or two firewalls and NIDS setups
myself, I'm not clear on the benefit of this beast
compared to either inline IPS or IDS plus firewall
blocking (or a firewall and patched servers, while I'm
going that way).

Stupid question - if my perimeter devices, including
DMZ servers, are patched, why the heck would I want to
send back _any_ data to an attacker?  I guess if your
servers weren't patchable for some reason, maybe you'd
want to fake that they really are.  Um, okay. 
Probably better ways to handle that.  I would think
that if my perimeter is properly locked-down, I'm
quite happy for an attacker to scan it and figure that
out for themselves - assuming they get much of a scan
past IPS/IDS/firewall.

What am I missing?  Thanks for the feedback.

Brent Stackhouse, GSEC/GCIH, etc.


                
__________________________________ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com 
 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: CISCOs new IPS, Billy Dodson
Next by Date:  Re: CISCOs new IPS, ADT
Previous by Thread:  User defined signatures, Gary Flynn
Next by Thread:  Re: ForeScout ActiveScout, Gadi Evron
Indexes:  [Date] [Thread] [Top] [All Lists]