IDS: Re: ForeScout ActiveScout (was: Re: Intrusion Prevention)


From: Frank Knobbe <fknobbe_at_knobbeits.com>
Date: 15 Dec 2002 16:51:13 -0600

Oded,

I have a few follow-up questions. Since you guys surely have the proper
intellectual property protection methods in place, I was hoping you
could explain in a bit more detail:

On Sun, 2002-12-15 at 12:15, Oded Comay wrote:

> - It is independent of the payload of the attack. This enables detection
> of attacks not known to the security community.

Please define 'independent of the payload', perhaps in an example. Right
now it sounds as if that sentence was taken off a marketing slick.

> - It is not sensitive to whether the attack comes from the same source (IP
> address) as the reconnaissance. Au contraire: this is actually where it
> shines.

And here is what I'm really curious about. How do you relate a packet
from IP address A to a scan that came from IP address B a week ago?
Consider using a simple class C with web, dns, and mail servers as an
example.

> - The detection is extremely accurate, allowing for automatic blocking to
> be enabled without fear of blocking legitimate business.

I would assume you are making use of a white-list. Would I still be able
to block half of the Internet through spoofs? Or are you watching the
completion of the initial 3-way h/s to avoid spoofs?

> - Attacks are detected at an extremely early stage, when the payload
> usually has no impact (yet), allowing time for effective blocking (using
> a firewall, or tearing down TCP connection before the TCP window opens
> up).

Uhm... how can you determine if the data constitutes an attack when
there is no payload yet?

I'm mostly curious about the IP address claim. What kind of marker do
you use to identify an 'attacker' (read, human) so that you can say with
accuracy that it is the same guy now on this IP who was here days ago on
another?

I'm really more concerned about the solution to the technical challenge.
I hope you can explain it publicly without a Non-Disclosure. After all,
your technology should be protected through patents and what-not. There
have been other vendors in the past who openly explained the technology
behind their products, and those vendors are still in business. Please
don't be afraid, but satisfy our longing for the technical truth, now
that you sparked our interest...

Regards,
Frank
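
The spoofing concern raised above (auto-blocking on packets whose source can be forged) can be illustrated with a small handshake tracker. This is an added example, not code from ForeScout or from anyone in the thread; the packet list, addresses and the `HandshakeTracker` / `blockable_sources` names are constructed for the illustration. It only treats a source as block-safe once that source has completed the TCP three-way handshake, so a forged SYN from a spoofed address never gets that address blocked.

```python
from collections import defaultdict

# Constructed sample packets as (src, dst, tcp_flags), in the order an inline
# sensor would see them. The last two lines are a SYN with a spoofed source:
# the real owner of 198.51.100.7 never sends the final ACK.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", "S"),       # client SYN
    ("192.0.2.10", "10.0.0.5", "SA"),      # server SYN-ACK
    ("10.0.0.5", "192.0.2.10", "A"),       # client ACK: handshake complete
    ("10.0.0.5", "192.0.2.10", "PA"),      # client data
    ("198.51.100.7", "192.0.2.10", "S"),   # forged SYN, spoofed source
    ("192.0.2.10", "198.51.100.7", "SA"),  # server replies to the spoofed host
]


class HandshakeTracker:
    """Tracks the three-way handshake state per (client, server) pair."""

    def __init__(self):
        self.state = defaultdict(lambda: "NONE")

    def observe(self, src, dst, flags):
        """Advance state for one observed packet; out-of-order flags are ignored."""
        if flags == "S":
            self.state[(src, dst)] = "SYN"
        elif flags == "SA" and self.state[(dst, src)] == "SYN":
            self.state[(dst, src)] = "SYNACK"
        elif "A" in flags and self.state[(src, dst)] == "SYNACK":
            self.state[(src, dst)] = "ESTABLISHED"

    def is_confirmed(self, src, dst):
        """True only if src proved it can receive dst's SYN-ACK (not spoofable)."""
        return self.state[(src, dst)] == "ESTABLISHED"


def blockable_sources(packets, suspicious):
    """From the suspicious (src, dst) pairs, return sources safe to auto-block:
    those that completed a handshake. Spoofed sources are left alone."""
    tracker = HandshakeTracker()
    for src, dst, flags in packets:
        tracker.observe(src, dst, flags)
    return sorted({s for s, d in suspicious if tracker.is_confirmed(s, d)})


if __name__ == "__main__":
    flagged = [("10.0.0.5", "192.0.2.10"), ("198.51.100.7", "192.0.2.10")]
    print(blockable_sources(SAMPLE_PACKETS, flagged))  # ['10.0.0.5']
```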

Received on Dec 15 2002