RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

From: Matthew L. McGuirl
Date: 12/16/02

    Date: Mon, 16 Dec 2002 14:13:41 -0500
    From: "Matthew L. McGuirl" <>
    To: "Adam Powers" <>, "Frank Knobbe" <>, <>

    > -----Original Message-----
    > From: Adam Powers []
    > Sent: Sunday, December 15, 2002 9:44 PM
    > To: Frank Knobbe;
    > Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

    > I would also be curious to know how you deal with NATed addresses and
    > proxies when you're relying on OPSEC or other firewall policy
    > change-o-matic technologies?

    > Example: If I'm a bad guy accessing a server protected by ActiveScout
    > from behind Company A's corporate NATed address(es), how do you
    > all the other users at Company A from being DOSed out of accessing the
    > resources on the protected server?

    In the scenario Adam describes, they can't help but paint with a broad
    brush (i.e. block the source IP) unless they are dropping individual TCP
    sessions. Following that path raises another unwieldy issue -- DOS-ing
    the firewall that's receiving the SAM "drop & inhibit" commands from the
    ActiveScout. If an attacker were to somehow learn that the target
    host/network was protected by an ActiveScout/FW-1 firewall combo he
    could conceivably send enough "marked" traffic at the target to
    seriously degrade the firewall's performance.


    Matt McGuirl
    Lucid Security Corporation
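The two failure modes Matt raises (blocking a whole NATed address on one bad user, and an attacker growing the firewall's rule table by flooding "marked" traffic) can be seen in a small model. The code below is an added example for this thread, not ActiveScout, SAM, FW-1 or Lucid code, and models no real product; the class names, parameters and sample addresses are all constructed for illustration.

```python
"""Toy model of an auto-blocking responder and the failure modes discussed
above.  Hypothetical code written for this thread; it is not ActiveScout,
SAM or FW-1 code and models no real product's behaviour."""
from collections import defaultdict, deque


class NaiveResponder:
    """Blocks the source IP of every 'marked' event: no threshold, no expiry,
    no cap on the number of rules pushed to the firewall."""

    def __init__(self):
        self.blocked = set()

    def on_marked(self, src_ip, now):
        self.blocked.add(src_ip)
        return "blocked"

    def is_blocked(self, src_ip, now):
        return src_ip in self.blocked


class GuardedResponder:
    """Same trigger, with the safeguards a defender would want:
    - known shared egress points (NAT gateways, proxies) are never auto-blocked,
      only alerted on, so one bad actor cannot cut off everyone behind them;
    - a source must produce `threshold` marked events inside `window` seconds
      before a block is pushed (stray or spoofed packets do not trigger it);
    - blocks expire after `ttl` seconds and the table is capped at
      `max_entries`, so a flood of marked traffic cannot grow the rule set
      without bound; past the cap the responder alerts instead of blocking."""

    def __init__(self, max_entries=100, ttl=300.0, threshold=3, window=60.0,
                 shared_egress=()):
        self.max_entries = max_entries
        self.ttl = ttl
        self.threshold = threshold
        self.window = window
        self.shared_egress = set(shared_egress)
        self.blocked = {}                   # src_ip -> expiry time
        self.recent = defaultdict(deque)    # src_ip -> timestamps of marked events

    def _expire(self, now):
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def on_marked(self, src_ip, now):
        self._expire(now)
        if src_ip in self.shared_egress:
            return "alert_only"
        hits = self.recent[src_ip]
        hits.append(now)
        while hits and hits[0] < now - self.window:
            hits.popleft()
        if len(hits) < self.threshold:
            return "observe"
        if src_ip in self.blocked:
            return "already_blocked"
        if len(self.blocked) >= self.max_entries:
            return "table_full"     # raise an alert rather than push more rules
        self.blocked[src_ip] = now + self.ttl
        return "blocked"

    def is_blocked(self, src_ip, now):
        self._expire(now)
        return src_ip in self.blocked


def nat_collateral(responder_cls, **kwargs):
    """One marked event from Company A's NAT address (constructed sample
    address): does the responder cut off every user behind that address?"""
    r = responder_cls(**kwargs)
    r.on_marked("203.0.113.10", now=0.0)
    return r.is_blocked("203.0.113.10", now=1.0)


def rule_table_growth(responder_cls, n_sources, **kwargs):
    """Many distinct (constructed, non-routable) sources each sending enough
    marked events to trigger a block: how many rules does the responder hold?"""
    r = responder_cls(**kwargs)
    for i in range(n_sources):
        ip = f"198.51.{i // 256}.{i % 256}"
        for k in range(3):
            r.on_marked(ip, now=float(k))
    return len(r.blocked)


if __name__ == "__main__":
    print("naive blocks NAT gateway on one event:", nat_collateral(NaiveResponder))
    print("guarded, gateway listed as shared egress:",
          nat_collateral(GuardedResponder, shared_egress=["203.0.113.10"]))
    print("naive rules after 500 sources:", rule_table_growth(NaiveResponder, 500))
    print("guarded rules after 500 sources:",
          rule_table_growth(GuardedResponder, 500, max_entries=100))
```

The guarded version does not remove the trade-off Matt describes; it only bounds it. A shared egress address still has to be known in advance to be exempted, and once the capped table is full, new offenders are alerted on rather than blocked, so the firewall's rule set stays a fixed size no matter how much marked traffic arrives.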