Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

From: Matthew L. McGuirl <mmcguirl_at_lucidsecurity.com>
Date: Mon, 16 Dec 2002 14:13:41 -0500

> -----Original Message-----
> From: Adam Powers [mailto:apowers_at_lancope.com]
> Sent: Sunday, December 15, 2002 9:44 PM
> To: Frank Knobbe; focus-ids_at_securityfocus.com
> Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

> I would also be curious to know how you deal with NATed addresses and
> proxies when you're relying on OPSEC or other firewall policy
> change-o-matic technologies?

> Example: If I'm a bad guy accessing a server protected by ActiveScout
> from behind Company A's corporate NATed address(es), how do you
prevent
> all the other users at Company A from being DOSed out of accessing the
> resources on the protected server?

In the scenario Adam describes, they can't help but paint with a broad
brush (i.e. block the source IP) unless they are dropping individual TCP
sessions. Following that path raises another unwieldy issue -- DOS-ing
the firewall that's receiving the SAM "drop & inhibit" commands from the
ActiveScout. If an attacker were to somehow learn that the target
host/network was protected by an ActiveScout/FW-1 firewall combo he
could conceivably send enough "marked" traffic at the target to
seriously degrade the firewall's performance.

Regards,
 
Matt

Matt McGuirl
Lucid Security Corporation
Email: mmcguirl_at_lucidsecurity.com

Received on Dec 16 2002
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos