Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Matthew L. McGuirl (mmcguirl_at_lucidsecurity.com)
Date: Mon Dec 16 2002 - 13:13:41 CST
> -----Original Message-----
> From: Adam Powers [mailto:apowerslancope.com]
> Sent: Sunday, December 15, 2002 9:44 PM
> To: Frank Knobbe; focus-idssecurityfocus.com
> Subject: RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
> I would also be curious to know how you deal with NATed addresses and
> proxies when you're relying on OPSEC or other firewall policy
> change-o-matic technologies?
> Example: If I'm a bad guy accessing a server protected by ActiveScout
> from behind Company A's corporate NATed address(es), how do you
> all the other users at Company A from being DOSed out of accessing the
> resources on the protected server?
In the scenario Adam describes, they can't help but paint with a broad
brush (i.e. block the source IP) unless they are dropping individual TCP
sessions. Following that path raises another unwieldy issue -- DOS-ing
the firewall that's receiving the SAM "drop & inhibit" commands from the
ActiveScout. If an attacker were to somehow learn that the target
host/network was protected by an ActiveScout/FW-1 firewall combo he
could conceivably send enough "marked" traffic at the target to
seriously degrade the firewall's performance.
Lucid Security Corporation