
RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)

From: Matthew L. McGuirl <mmcguirl(at)lucidsecurity.com>
Date: Mon Dec 16 2002 - 14:13:41 EST


> -----Original Message-----
> From: Adam Powers [mailto:apowers@lancope.com]

> I would also be curious to know how you deal with NATed addresses and

> Example: If I'm a bad guy accessing a server protected by ActiveScout
prevent
> all the other users at Company A from being DOSed out of accessing the

In the scenario Adam describes, they can't help but paint with a broad brush (i.e. block the source IP) unless they are dropping individual TCP sessions. Following that path raises another unwieldy issue -- DOS-ing the firewall that's receiving the SAM "drop & inhibit" commands from the ActiveScout. If an attacker were to somehow learn that the target host/network was protected by an ActiveScout/FW-1 firewall combo, he could conceivably send enough "marked" traffic at the target to seriously degrade the firewall's performance.

Regards,  

Matt

Matt McGuirl                                
Lucid Security Corporation            

Email: mmcguirl@lucidsecurity.com

Received on Mon Dec 16 14:17:05 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT
