IDS mailing list archives

RE: ForeScout ActiveScout


From: "Carey, Steve T GARRISON" <steven-carey () us army mil>
Date: Fri, 7 Jan 2005 14:56:35 -0600

We tested it for a while, only had partial use of it, because it is
designed to connect to the manufacturer (in Israel) to use the tracking
and map feature, and the subnet was one we had blocked.  We decided it
wasn't something we could use, even though it does have some
possibilities.

Steve Carey 

-----Original Message-----
From: Brent Stackhouse [mailto:brentstackhouse () yahoo com] 
Sent: Thursday, January 06, 2005 9:14 PM
To: focus-ids () securityfocus com
Subject: ForeScout ActiveScout

Hello,

Just a quick question on ForeScout ActiveScout as to whether anyone out
there has used/eval'd it.  I'm working with a client that is using an
old version (2.7.x, I believe), is considering an upgrade, and I'm not
sure it's worth the time and effort.

They claim 100% accuracy which we all know is silly. 
Their whole methodology is based on an attacker using recon in advance
of an attack and that the recon activity is detectable enough to start
interfering with it.

From what I can gather from ForeScout's literature and the management
console of the app itself, when it's able to run at all (Java-based,
slow as dirt), this product sits on the outside of the perimeter and
looks for suspicious traffic via a span session.  When it detects scans
or similar recon activity, it can both send back spurious information to
the source IP and update a firewall to block it.  It seems to track
attacking IPs based on the spurious info it already fed them.

Also, this version doesn't seem to track SMTP and DNS, two of the most
oft-attacked protocols out there.

Having run one or two firewalls and NIDS setups myself, I'm not clear on
the benefit of this beast compared to either inline IPS or IDS plus
firewall blocking (or a firewall and patched servers, while I'm going
that way).

Stupid question - if my perimeter devices, including DMZ servers, are
patched, why the heck would I want to send back _any_ data to an
attacker?  I guess if your servers weren't patchable for some reason,
maybe you'd want to fake that they really are.  Um, okay. 
Probably better ways to handle that.  I would think that if my perimeter
is properly locked down, I'm quite happy for an attacker to scan it and
figure that out for themselves - assuming they get much of a scan past
IPS/IDS/firewall.

What am I missing?  Thanks for the feedback.

Brent Stackhouse, GSEC/GCIH, etc.
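As an added illustration (not ForeScout's code and not part of the thread), the following Python sketch models the workflow the post describes: flag a source once it sweeps enough ports, feed it a decoy host in the spurious reply, push a block for it, and mark any later connection to that decoy as attacker traffic even when it arrives from a different address. The scan threshold, decoy addresses and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traffic as (src_ip, dst_ip, dst_port) seen on a SPAN session.
# 198.51.100.7 sweeps ports on 192.0.2.10 (recon); 203.0.113.9 is an ordinary client.
SAMPLE_EVENTS = [("198.51.100.7", "192.0.2.10", p) for p in range(20, 30)]
SAMPLE_EVENTS.append(("203.0.113.9", "192.0.2.10", 443))

SCAN_THRESHOLD = 8   # distinct ports from one source before it counts as a scan (assumption)
DECOY_HOSTS = ["192.0.2.201", "192.0.2.202"]  # unused addresses reserved as decoys (constructed)


class DeceptionTracker:
    """Scan -> decoy -> mark workflow as the post describes it; not ForeScout's own code."""

    def __init__(self):
        self.ports_by_src = defaultdict(set)
        self.decoy_owner = {}        # (decoy_ip, port) -> scanning source the decoy was fed to
        self.blocked = set()         # sources a firewall block would be pushed for
        self._free_decoys = list(DECOY_HOSTS)

    def observe(self, src, dst, port):
        """Classify one connection attempt as 'marked', 'scan' or 'normal'."""
        # Only a party that received the spurious recon answer knows the decoy exists,
        # so a connection to it identifies the attacker even from a new source address.
        if (dst, port) in self.decoy_owner:
            self.blocked.add(src)
            return "marked"
        self.ports_by_src[src].add(port)
        if len(self.ports_by_src[src]) == SCAN_THRESHOLD:
            self.blocked.add(src)
            self._issue_decoy(src)   # spurious reply: "host X has port 22 open"
            return "scan"
        return "normal"

    def _issue_decoy(self, src):
        if not self._free_decoys:    # nothing left to hand out; blocking still applies
            return None
        decoy_ip = self._free_decoys.pop(0)
        self.decoy_owner[(decoy_ip, 22)] = src
        return decoy_ip

    def original_source(self, dst, port):
        """Which scanning source was fed this decoy (None if it is not a decoy)."""
        return self.decoy_owner.get((dst, port))


def run(events):
    """Replay events through a fresh tracker; returns (tracker, list of verdicts)."""
    tracker = DeceptionTracker()
    return tracker, [tracker.observe(*e) for e in events]
```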




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
