Be prepared
WITH NETWORK attacks increasing, companies are more interested in understanding what types of attacks are being launched against their networks and being alerted when they occur. Signature and/or protocol-based IDSes (intrusion detection systems) have traditionally been the solution of choice, but they often provide a number of false positives. ForeScout introduces a new approach in ActiveScout to provide more accurate incident alerts.
ActiveScout is comprised of three components: the ActiveScout Sensor, the Management Console, and the optional Central Control Console. The ActiveScout Sensor is the heart of the product and resides on the network where traffic will be analyzed. The Management Console is a GUI front end used to manage the ActiveScout Sensor. The Central Control Console is used in a multisensor environment, enabling management for all sensors at one central location.
The ActiveScout Sensor can be installed only on a system running RedHat Linux 7.2; the Management Console GUI can also be installed on Windows and Solaris systems. The installation process is fairly simple and includes some Linux-hardening procedures to better secure the system.
The Console GUI contains three main windows. The left pane shows the current monitoring tables, offering a quick, color-coded picture of reconnaissance activity or “bites” currently being monitored by ActiveScout.
The right pane shows a useful and mesmerizing map of the world with colored dots representing the geographic location of the source IP address used in an offensive action. The bottom pane displays traffic gauges and other statistics, such as how many packets per second ForeScout is analyzing.
The Current table contains detailed information about alerts, including: the source IP or resolved name; the reason the traffic was tagged, such as port scan or a bite; severity and state of the attack; and time remaining until the event is set to expire from the table.
Once the information expires, it moves to the History table. The History table contains all the historical information logged by ActiveScout over a specified period of time.
Double-clicking any event in the Current or History table brings up provides details about individual events, such as source IP, whether ActiveScout thinks the IP is real or spoofed, and geographic information. Administrators can see what actions ActiveScout took in response to an event, such as alerting administrators via e-mail or pager or blocking traffic from the source IP address.
ActiveScout allows administrators to define configuration policy on what data is sent in response to probes and port scans. Administrators can also generate some reports, although the process is very slow. Reports can be generated per host, per port, per location, over time, by bite events, and by tag events.
For our testing, we installed ActiveScout in our lab and launched a variety of port scans and Web server, SSH, and FTP attacks against systems on the protected network. ActiveScout detected all that were preceded by reconnaissance activity. It did not catch a direct attack we made on our IIS server without first port scanning the system.
Overall, ActiveScout introduces a unique approach to attack detection. Its failure to catch a direct, targeted attack demonstrates it should not be the only IDS on the network. Putting ActiveScout on the perimeter and a signature or anomaly-based IDS on the internal network should provide a strong, multilayer detection system.
