ActiveScout Nips Attacks in the Bud

By Francis Chu  |  Posted 2002-04-01

ActiveScout Nips Attacks in the Bud


ActiveScout Nips Attacks in

the Bud">

ForeScout Technologies Inc.s ActiveScout 2.1 IDS provides an extra layer of protection from attackers and certain viruses that will be appreciated at security-conscious sites.

Although its more expensive than its competition, an ActiveScout purchase will be money well-spent for companies that place a premium on security. In eWeek Labs tests, ActiveScout 2.1 easily warded off the common or known attacks we threw at it while also quickly identifying and responding to the attacks we launched on our test network.

We found ActiveScout, which shipped in February, to be a much better intrusion detection system than many signature-based IDSes because it proactively detects "reconnaissance," such as port scans, that attackers make before unleashing an actual attack.

ActiveScout, like many IDSes, cannot thwart DDoS (distributed-denial-of-service) attacks, but it can help stop DDoS attacks from propagating by returning spoofed data to prevent probes from getting real network data.

ActiveScout 2.1s starting price is $8,995, and ForeScout charges customers based on the amount of bandwidth ActiveScout monitors; for a maximum bandwidth of 100M bps, the price is $12,995 per ActiveScout installation. Future pricing will be on a per-system basis. By comparison, signature-based IDSes such as NFR Security Inc.s Network Intrusion Detection appliance cost from $2,700 to $4,500. Internet Security Systems Inc.s RealSecure Network Sensor, which also provides protocol analysis to detect network abnormalities during attacks, starts at $8,995.

ActiveScout resides outside the firewall and monitors all incoming and outgoing traffic. ActiveScout uses ForeScouts proprietary ActiveResponse technology to "trick" attackers with spoofed responses to port scans and probes. When the system detects suspicious traffic, it sends back bogus data packets that make attackers think theyve found a way in.

ActiveResponse also works on viruses, such as Code Red, which propagate by scanning for open ports on network systems. Using advanced algorithms and policies, ActiveScout automatically fabricates and returns tagged information that satisfies the reconnaissance attempt. When the attacker tries to use the fake information to access the monitored network, ActiveScout initiates an IP reset, stopping the intrusion.

ActiveScouts counterintelligence operations are transparent to the network and users, and it uses a minimum amount of bandwidth to respond to attacks.

ActiveScout can also work with firewall systems to stop attacks by telling the firewall to block addresses and terminate connections. The current ActiveScout version works only with Check Point Software Technologies Ltd.s FireWall-1, although ForeScout plans to add support for more firewalls later this year, officials said.

The software-based IDS must be installed on a PC or server running Red Hat Inc.s Red Hat Linux 7.2 server. Installation was straightforward, and ForeScout provided detailed instructions, but some Linux knowledge will help.

We installed the ActiveScout 2.1 software on an IBM xSeries 330 server running Linux 7.2. ActiveScout requires at minimum 128MB of memory and at least 10GB of disk space. ActiveScout supports only 10/100M-bps Ethernet but will support Gigabit Ethernet in future releases, officials said.

The IDS console provides an easy-to-use interface for policy management and lets administrators easily see suspicious network activities at a glance. We could also view simple reports of the activities posted by ActiveScout and fine-tune policy settings.

We set up ActiveScout with the default policy and used Insecure.orgs Nmap port scanner to scan several systems on a test network. ActiveScout quickly picked up and responded to the port scans. It also held up well when we used the security scanner and hacking tool to pound it with common attacks.

Technical Analyst Francis Chu can be reached at

ActiveScout 2


ActiveScout 2.1


ForeScout Technologies updated IDS uses counterintelligence to provide enterprises with an early-warning system to better secure network perimeters from attacks. But this extra layer of protection is expensive.

SHORT-TERM BUSINESS IMPACT // ActiveScout is easy to install in the front line of any network, and its default policies will enable IT managers to quickly start looking for potential attacks.

LONG-TERM BUSINESS IMPACT // ActiveScout IDS will in the long run be a better network safeguard than signature-based products because it can detect reconnaissance events, even from unknown attacks. When properly configured, ActiveScout runs automatically and requires minimal maintenance.

PROS // ActiveResponse technology provides early attack detection and prevention; easy to set up.

CONS // Expensive; lacks Gigabit Ethernet support.

ForeScout Technologies Inc., San Mateo, Calif.; (650) 358-5580;

Rocket Fuel