RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

From: Matthew L. McGuirl (mmcguirl@lucidsecurity.com)
Date: 12/16/02

  • Next message: Karl Lynn: "RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)"
    Date: Mon, 16 Dec 2002 14:13:41 -0500
    From: "Matthew L. McGuirl" <mmcguirl@lucidsecurity.com>
    To: "Adam Powers" <apowers@lancope.com>, "Frank Knobbe" <fknobbe@knobbeits.com>, <focus-ids@securityfocus.com>
    

    > -----Original Message-----
    > From: Adam Powers [mailto:apowers@lancope.com]
    > Sent: Sunday, December 15, 2002 9:44 PM
    > To: Frank Knobbe; focus-ids@securityfocus.com
    > Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

    > I would also be curious to know how you deal with NATed addresses and
    > proxies when you're relying on OPSEC or other firewall policy
    > change-o-matic technologies?

    > Example: If I'm a bad guy accessing a server protected by ActiveScout
    > from behind Company A's corporate NATed address(es), how do you
    prevent
    > all the other users at Company A from being DOSed out of accessing the
    > resources on the protected server?

    In the scenario Adam describes, they can't help but paint with a broad
    brush (i.e. block the source IP) unless they are dropping individual TCP
    sessions. Following that path raises another unwieldy issue -- DOS-ing
    the firewall that's receiving the SAM "drop & inhibit" commands from the
    ActiveScout. If an attacker were to somehow learn that the target
    host/network was protected by an ActiveScout/FW-1 firewall combo he
    could conceivably send enough "marked" traffic at the target to
    seriously degrade the firewall's performance.

    Regards,
     
    Matt

    Matt McGuirl
    Lucid Security Corporation
    Email: mmcguirl@lucidsecurity.com