Now network managers can use hackers' own reconnaissance activities against them.

Network security continues to be a hot topic. That's because C-level executives, as well as technology managers, realize just how serious the consequences of a successful attack can be. If an attack is severe enough, the business might never fully recover.

Most companies build their security architectures using technologies such as firewalls, virus protection and password/authentication-based access control. Some particularly security-conscious organizations add intrusion detection and/or so-called "honeypots" to the mix. While these technologies are certainly important, on their own they are insufficient to stop today's increasingly sophisticated attacks.

Firewalls, for example, have one fundamental weakness: they have to let some traffic in. Once hackers identify which services are allowed through, they can attack those exposed services directly, and the firewall, by policy, will pass that traffic.

Signature-based intrusion detection has its own shortcomings. It depends on recognizing known attack "signatures" to alert security technicians to potential breaches, so it cannot flag an attack it has never seen before. This is a reactive approach, and it typically generates a large volume of false positives, which sap staff productivity and create a dangerous "Boy Who Cried Wolf" climate.

Some Israeli engineers, however, have developed a new technique for securing the network perimeter. Their approach promises to neutralize attacks before they can disrupt the business at all. It requires very little hands-on administration and does not depend on incessant signature updates to maintain its effectiveness. It also does not produce all those distracting false positives.

The technology, called "ActiveResponse" from Forescout Technologies, San Mateo, CA, is based on one simple, powerful principle: virtually every network attack is preceded by network reconnaissance.
Hackers scan and probe networks before they attack in order to get information about the target. Once they have that information, they launch their attack based on what they have learned about exposed resources and network vulnerabilities.

Attacks can take many forms, which makes quickly identifying offensive traffic difficult. In fact, the latest "polymorphic" breed of attacks, which change their appearance from one instance to the next, seem to defy signature recognition altogether. Reconnaissance activity, on the other hand, is relatively easy to identify. There are only so many ways to recon a network: a port scan, a NetBIOS probe, et cetera.

With this new perimeter defense system, you focus on picking up the probing and scanning that invariably precede an actual attack, but you do not generate an alert. That would make your security techs crazy, because many networks are reconned all day long. Instead, you simply answer the recon with false but believable information: a port that is really closed is reported open, a service that does not exist is advertised.

This counterfeit response accomplishes a few things. First, it protects the network by directing any subsequent attack to virtual rather than real resources. Second, it lets you instantly and accurately identify that attack when it takes place, not by its apparent signature or characteristics, but by the fact that it is directed at the imaginary resources you offered its author; no legitimate user has any reason to connect to a service that does not exist. Third, because the attack is so quickly and precisely identified, you can immediately take appropriate countermeasures, like blocking IP traffic from the originating host. A practitioner's caveat applies to any such automatic block: the source address on a bare scan packet can be forged, so the block should be triggered by a completed connection to the decoy, which the attacker can only establish if the false answer actually reached him, rather than by the probe alone.

This security solution is not a honeypot. Honeypots are real hosts that are passively made visible to hackers in the hope that they will offer an attractive decoy target. In contrast, this technology proactively steers hackers to virtual decoy targets by intentionally feeding them false information.
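The principle described above, as an added illustration that is not Forescout's code and makes no claim about how ActiveResponse is built internally: a small Python monitor that answers probes to non-existent services with a fabricated banner, remembers which decoy was promised to which source, and treats a later completed connection to that decoy as an attack. The port list, banners, addresses and traffic are all constructed for the example.

```python
"""Deception-based perimeter monitor (added example; not Forescout's code).

Assumptions, all constructed for the example: the protected host really
offers only ports 80 and 443; a probe to any other port is answered with a
fabricated "open" banner (the decoy) and the (source, port) pair is
remembered as a mark; a later completed connection to a marked port is
classed as an attack and the source is blocked.
"""
from dataclasses import dataclass, field

REAL_SERVICES = {80: "http", 443: "https"}   # what actually exists
DECOY_BANNERS = {                            # what a scanner is told exists
    21: "220 ftp ready",
    23: "telnetd",
    139: "NetBIOS-SSN",
    3306: "mysql 4.0",
}


@dataclass
class Event:
    src: str
    dst_port: int
    kind: str             # "probe" (a scan packet) or "connect" (completed session)
    payload: bytes = b""


@dataclass
class DeceptionMonitor:
    marks: dict = field(default_factory=dict)     # src -> set of decoy ports offered
    blocked: set = field(default_factory=set)
    incidents: list = field(default_factory=list)

    def handle(self, ev: Event) -> str:
        """Return what happened to the event: real, decoy:<banner>, attack, refused, dropped."""
        if ev.src in self.blocked:
            return "dropped"
        if ev.kind == "probe":
            if ev.dst_port in REAL_SERVICES:
                return "real"
            # Reconnaissance of a service that does not exist: answer with a
            # believable lie and remember what was promised to whom. No alert.
            self.marks.setdefault(ev.src, set()).add(ev.dst_port)
            return "decoy:" + DECOY_BANNERS.get(ev.dst_port, "open")
        if ev.kind == "connect":
            if ev.dst_port in self.marks.get(ev.src, set()):
                # Only a host that was fed the lie would come back to this port.
                # A completed TCP connection also shows the source saw our reply,
                # so the scan's source address was not forged by an off-path host
                # and blocking it will not hit an innocent bystander.
                self.incidents.append((ev.src, ev.dst_port, ev.payload))
                self.blocked.add(ev.src)
                return "attack"
            if ev.dst_port in REAL_SERVICES:
                return "real"
            return "refused"          # closed port, no mark: nothing was promised
        raise ValueError(f"unknown event kind {ev.kind!r}")


def run_scenario():
    """Constructed traffic: a scanner sweeps, then returns to the 'open' mysql decoy."""
    mon = DeceptionMonitor()
    events = [
        Event("203.0.113.7", 80, "probe"),
        Event("203.0.113.7", 21, "probe"),
        Event("203.0.113.7", 3306, "probe"),
        Event("198.51.100.4", 443, "connect", b"GET / HTTP/1.0\r\n"),   # ordinary user
        Event("203.0.113.7", 3306, "connect", b"\x00\x00\x01\x85\xa6"),  # attack on the decoy
        Event("203.0.113.7", 80, "connect", b"GET /"),                   # already blocked
    ]
    return [mon.handle(e) for e in events], mon


if __name__ == "__main__":
    results, mon = run_scenario()
    for r in results:
        print(r)
    print("blocked:", sorted(mon.blocked))
```

Note that nothing is alerted or blocked on the probes themselves; the scanner is just told a story. The first connection that acts on that story is the attack, and it is recognized by destination, not by payload, which is why the classification is unaffected by how the exploit itself is encoded.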
This is thus a creative and potentially invaluable method for protecting the network perimeter against both known and unknown types of attacks, with minimal ongoing involvement by security staffers who already have plenty to do all day.

If you would like to get more information on ActiveResponse, you can visit its creators' website. After you look over the material and/or get a demo, send me an e-mail and tell me what you think. And let me know whether you find the idea of scamming a hacker as esthetically appealing as I do.

For more information from Forescout Technologies: www.rsleads.com/207cn-262

Liebmann is an independent consultant specializing in the application of networking technologies to strategic business challenges. Send comments for publication to liebmann@comnews.com.