Domain: forescout.com
Stories and comments across the archive that link to forescout.com.
Comments · 6
-
This will be news to Forescout.
We purchased a Forescout appliance 2 years ago which does the exact same thing. I wonder if the OSU research was reading http://www.forescout.com/counteract/index.html As an OSU Alum, I am embarrassed by this tripe.
-
Don't Panic PANIC BUTTON
netr00t's got solid advice for you.
http://slashdot.org/~netr00t
I would add, get a Lawyer, as in, have a Lawyer (anyway).
If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
Pay the Man:
http://www.forescout.com/index.php?url=products&se ction=activescout
http://www.winternals.com/
Useful:
http://www.sysinternals.com/SecurityUtilities.html
http://www.porcupine.org/forensics/forensic-discov ery/
http://www.fish2.com/tct/help-when-broken-into
Firewalls and Internet Security
http://www.wilyhacker.com/
First Ed. (online)
http://www.wilyhacker.com/1e/
Practical UNIX and Internet Security
http://www.oreilly.com/catalog/puis3/
FWIW
http://exuberant.ms11.net/index.html
http://exuberant.ms11.net/98sesp.html
http://exuberant.ms11.net/links.html
http://www.oldversion.com/ -
Product Plug
When I read the heading, I thought it was a review of the system that we installed last year from ForeScout called Active Response. This may sound like a product plug, but it is the only thing I have seen that ACTUALLY works.
I work for a very large media company with offices all over the place. I used to know about worms before they would show up in the news because there was always some office in asia that would get it at night and it would spread over our network before morning. Because it was my job to disinfect everyone's computer, my life revolved around these things.
I can tell you that I we haven't seen anything since we installed it.
I know it works because I got hit by the zotob worm on that first Monday when I was at home (I blame my wife) and was kicked off the network as soon as I plugged in. My Symantec (up to date!) didn't catch it.
From what I can tell, it uses all the unused addresses on the network as a honeynet. I would write a review myself if I knew more about it, but I can say that it works. -
Where to start?
I'm an IDS engineer by trade and I could go on for days about this topic. Yes, snort is great. No, it's not anywhere near enough by itself. That's why you take a varied approach. Snort is probably one of the best signature based IDSes available. The user community behind it is very strong and produces some great sigs, usually same day as the vulnerability is announced. But the downside is no protection against 0 day attacks. Therefore you have to have some behavioral systems in place as well. Problem with those is tuning out the false positives can be very difficult and time-consuming. Add a Honey pot/IPS with blocking capabilities like activescout to the mix and you're starting to get there. Add a SIM (security information management) product that can correlate data from all of your sensors and issue blocks to your firewalls and you're well on your way.
-
Re:Darknet used as filter.This method is already beeing used by an Intrusion Prevention System: ActiveScout from Forescout.
I have deployed it to protect our companys servers from worms and kiddies because our company is a reseller for it and so it did not cost us anything. But I would not pay anything (or at least not much) for it, because it can't defeat a blackhat targetting your webserver. And I dont fear worms and kiddies, as my servers are properly patched and my firewall is configured correctly. Also I expect the firewall vendors to include similar features in their products soon.
But on the other hand, if someone would want to implement the ActiveScout engine as open source software, I would not hesitate to suggest to every company to dedicate a linux box for this purpose. (I am a Security Consultant)
-
Re:Darknet used as filter.This method is already beeing used by an Intrusion Prevention System: ActiveScout from Forescout.
I have deployed it to protect our companys servers from worms and kiddies because our company is a reseller for it and so it did not cost us anything. But I would not pay anything (or at least not much) for it, because it can't defeat a blackhat targetting your webserver. And I dont fear worms and kiddies, as my servers are properly patched and my firewall is configured correctly. Also I expect the firewall vendors to include similar features in their products soon.
But on the other hand, if someone would want to implement the ActiveScout engine as open source software, I would not hesitate to suggest to every company to dedicate a linux box for this purpose. (I am a Security Consultant)