RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

From: Matthew L. McGuirl (mmcguirl@lucidsecurity.com)
Date: 12/16/02

  • Next message: Karl Lynn: "RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)" 
    Date: Mon, 16 Dec 2002 14:13:41 -0500
From: "Matthew L. McGuirl" <mmcguirl@lucidsecurity.com>
To: "Adam Powers" <apowers@lancope.com>, "Frank Knobbe" <fknobbe@knobbeits.com>, <focus-ids@securityfocus.com>

    > -----Original Message-----
    > From: Adam Powers [mailto:apowers@lancope.com]
    > Sent: Sunday, December 15, 2002 9:44 PM
    > To: Frank Knobbe; focus-ids@securityfocus.com
    > Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

    > I would also be curious to know how you deal with NATed addresses and
    > proxies when you're relying on OPSEC or other firewall policy
    > change-o-matic technologies?

    > Example: If I'm a bad guy accessing a server protected by ActiveScout
    > from behind Company A's corporate NATed address(es), how do you
    prevent
    > all the other users at Company A from being DOSed out of accessing the
    > resources on the protected server?

    In the scenario Adam describes, they can't help but paint with a broad
    brush (i.e. block the source IP) unless they are dropping individual TCP
    sessions. Following that path raises another unwieldy issue -- DOS-ing
    the firewall that's receiving the SAM "drop & inhibit" commands from the
    ActiveScout. If an attacker were to somehow learn that the target
    host/network was protected by an ActiveScout/FW-1 firewall combo he
    could conceivably send enough "marked" traffic at the target to
    seriously degrade the firewall's performance.

    Regards,
     
    Matt

    Matt McGuirl
    Lucid Security Corporation
    Email: mmcguirl@lucidsecurity.com 

    

    

    


    Relevant Pages
      

    • Re: Error number: 0x80090008
      ... Since the only other threads with the same error code were system's using 3rd party firewalls, suggest you disable it, enable the native XP firewall, and then rebuild the winsock stack. ... and cookie blocker) and are any 3rd party toolbars installed ... 
      (microsoft.public.windowsupdate)
    • Re: CE 6.0 Networking Problems
      ... make sure that there is no firewall running on your ... settings for the driver (maybe the register stride is something other than ... and my target gets 10.7.236.13. ... Right now I am simply trying to ping my device but am not having any ... 
      (microsoft.public.windowsce.embedded)
    • Re: CE 6.0 Networking Problems
      ... (there's a firewall between you and the Internet), ... I am having problems connecting my custom target device, ... Right now I am simply trying to ping my device but am not having any ... 'Firewall' catalog item included in my image, so I don't think it's the ... 
      (microsoft.public.windowsce.embedded)
    • I cannot fix those issues!!! (0x80072ee7 and 0x8024402c)
      ... I have a bunch of PC running behind an ISA2K SP2 with enabled firewall ... clients - not using the ISA as proxy. ... SET TO USE A PROXY SERVER - it uses the firewall client towards the ISA ... Target version: 5.5.3790.2182 Required: 5.5.3790.2182 ... 
      (microsoft.public.windowsupdate)
    • Re: ssh and X11Forwarding
      ... firewall, and from the firewall to the target, then you'll need x support ... with multiple ssh's and port forwards), then you only need x support on ... 
      (FreeBSD-Security)
    		

    




    •