Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ForeScout ActiveScout

from [Gadi Evron] Network Security [Permanent Link]
Subject: Re: ForeScout ActiveScout
Date: Sat, 08 Jan 2005 05:47:15 +0200
Brent Stackhouse wrote: 
Hello,


Hi.

I tested ActiveScout, so I'd like to respond. Before hand, allow me to say that although I've used different IDS/IPS products extensively, and tested many of them (companies always want to test them on our network, being, according to comparisons I made so please don't take my word for it, one of the most attacked networks in the world).

I am by no way close to being an IDS/IPS expert nor was I ever involved in development of such, save for writing signatures and a good understanding of theory.

Just a quick question on ForeScout ActiveScout as to
whether anyone out there has used/eval'd it.  I'm
working with a client that is using an old version
(2.7.x, I believe), is considering an upgrade, and I'm
not sure it's worth the time and effort.

The upgrade is extremely easy and quick (or should be, and was for me). Cost vs. benefit. I don't see why not. Go for it, there are improvements.

They claim 100% accuracy which we all know is silly.

Usually, I'd be the first to agree. Still, in this case, they claim right. How come?

Basically, as far as I understand it, they say: "we wait for you to check us out, and then we watch you. If you come back and try something evil, we will know it is you and that you are trying it".

Now, I still don't like "100%" claims regardless, but under this definition, they are right. They don't catch 100% of all attacks, but it is "virtually impossible" for them to make a false positive if all things are even (no bug or weird network issues), and things are usually even.

In my personal experience, false positives COULD rarely occur with weird network issues (and that's not their fault), but in my experience ActiveScout will then MONITOR an IP it shouldn't, but it wouldn't block it. What's the harm in that?

Their whole methodology is based on an attacker using
recon in advance of an attack and that the recon
activity is detectable enough to start interfering
with it.


Yep.

From what I can gather from ForeScout's literature and 
the management console of the app itself, when it's
able to run at all (Java-based, slow as dirt), this


It works fine for me. Maybe your machine is slow as dirt.

I do agree it has a rather old look. I personally really dislike it, but it's just a GUI.

product sits on the outside of the perimeter and looks
for suspicious traffic via a span session.  When it
detects scans or similar recon activity, it can both
send back spurious information to the source IP and
update a firewall to block it.  It seems to track
attacking IP's based on the spurious info it already
fed them.

It's really an incredible concept (if we leave the product aside for a second). They feed the probing (not attacking) user false data. If that IP returns, it is a bad guy. If another one returns with the false data - it is the same guy, and he is obviously evil. Thresholds can be set, nobody said that if you went to port 445 instead of 443 twice, you'd trigger it. Very configurable. Plus, if I remember correctly, there are thresholds for preventing it from getting DDoS'd as well.

As to blocking - you don't have to let it use the FW. It can send resets.

They have a pretty neat (yet old looking) picture of the world, too. It really helps out with the budget people.

Also, this version doesn't seem to track SMTP and DNS,
two of the most oft-attacked protocols out there.

Why should it? It is not a regular IDS or IPS and in no way comes to replace them. If it sees a bad user doing something that would demand him being "marked" - which can be any number of things (but not that many really - there aren't THAT *many* ways to gather recon), and he tries something against SMTP...
The user may also attempt something horizontally (against one machine on many ports) or vertically (against many machines on one port), etc.

Having run one or two firewalls and NIDS setups
myself, I'm not clear on the benefit of this beast
compared to either inline IPS or IDS plus firewall
blocking (or a firewall and patched servers, while I'm
going that way).

Simple benefit is, you can put it on your network, not monitor it at all, and it would do it's job.

More complicated benefit is, it will catch attacks, new worms, etc. regardless of there being a signature for it, and without (at least shouldn't be) any false positives (under their definition).

Stupid question - if my perimeter devices, including
DMZ servers, are patched, why the heck would I want to

So? What if it is a 0day? What if there is no patch yet? What if it is a port scan? What if it is any number of other things? (some of which you may not personally care about)

send back _any_ data to an attacker? I guess if your
servers weren't patchable for some reason, maybe you'd
want to fake that they really are. Um, okay. Probably better ways to handle that. I would think

It's an issue of if you want to run an honey pot and look all happy and shiny to the attackers, or not. It isn't necessarily about their product.

that if my perimeter is properly locked-down, I'm
quite happy for an attacker to scan it and figure that
out for themselves - assuming they get much of a scan
past IPS/IDS/firewall.


It isn't a regular IPS.

What am I missing? Thanks for the feedback.

No technology is perfect, and they seem to learn and evolve with time as expected. It isn't for everybody, and trusting it is not a simple issue for a paranoid mind, but hey - that's the same with any IPS or anything that blocks automatically.

If you already have it - upgrade, why not? If you don't I'd strongly recommend it, but not if what you want is an IPS with shiny and cool signatures.

Now, I don't speak for ForeScout, so I may have things wrong. All I am is a guy who tested the product.

Try seeing what the point of this product it. Before I got it, I really didn't like it and kept expecting something different from it.. heck, I even blamed it for some DDoS, but it isn't a DDoS mitigation tool, is it now?

Use this chance to see how it works, and reach your own conclusions. :)

        Gadi Evron.

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ForeScout ActiveScout, Carey, Steve T GARRISON
Next by Date:  Re: Intrushield vs. ISS once more..., Mike Frantzen
Previous by Thread:  ForeScout ActiveScout, Brent Stackhouse
Next by Thread:  Re: ForeScout ActiveScout, Brent Stackhouse
Indexes:  [Date] [Thread] [Top] [All Lists]