• United States
Editor in Chief

Shutting out the bad guys

Feb 17, 20033 mins
Intrusion Detection SoftwareNetwork Security

Simple is better in the security world, and short of pulling the plug on the Internet, it’s harder to get more simple than ActiveScout.

Simple is better in the security world, and short of pulling the plug on the Internet, it’s harder to get more simple than ActiveScout.

This intrusion-prevention tool from ForeScout Technologies is designed with the knowledge that the majority (some say 95%) of all network attacks are proceeded by some form of reconnaissance. ActiveScout sits outside the firewall watching for reconnaissance and, working with a firewall, shuts out bad guys when they try to attack using information gathered during that reconnaissance.

There are no port vulnerabilities to worry about or signatures to update, and no false positives to wrestle with.

Here’s how it works. A Scout running on a hardened version of Red Hat Linux (which comes with the product) on a Pentium III-600 or more powerful box is placed in front of a firewall and starts watching for port scans, NetBIOS probes, Simple Mail Transfer Protocol-based interrogations and other types of reconnaissance.

When these sweeps occur, the Scout responds with data that is similar to that sought – such as an IP service or a NetBIOS resource – but is bogus. If and when a hacker tries to come back using the bogus information, ActiveScout recognizes its handiwork and can deflect the attack and either sound alarms or, working with the firewall, shut out traffic from the offending host. Pretty slick.

Other ActiveScout components include the Management Server, which is used to collect information from multiple Scouts and distribute updates when a recon effort has been identified; and the Enterprise Manager, a Java-based tool for generating reports about attack attempts and responses.

One downside is ActiveScout only works with Check Point’s FireWall-1, although APIs for other firewalls are available. Another problem is that the box doesn’t do anything to protect you from attacks that aren’t proceeded by reconnaissance, which are apparently on the rise.

Nonetheless, it would appear that using ActiveScout at best would defeat some attacks before they got going and at least reduce the false positives that firewalls and intrusion-detection systems generate. And ActiveScout seems to require little care and feeding, which is a blessing given the hand-holding those other approaches require.

New CEO Kent Elliott says a system with a T-1 port costs about $10,000 retail. Higher-capacity boxes are in the works. Recognizing that most security threats are internal, Elliott also says ForeSout will come out in the third quarter with a product designed for use in front of internal firewalls to help companies identify local bad guys.