Security: Sneak Preview

ForeScout ActiveScout Finds and Neutralizes IP Attacks

  August 19, 2002
  By Mike Fratto



ForeScout Technologies' ActiveScout Enterprise software provides a layer of protection by dynamically monitoring and blocking attackers as they attempt to penetrate your network. ActiveScout waits for attackers searching for targets, then feeds them bogus hosts and services as a lure to attract them. When the attackers attempt to strike, ActiveScout blocks them from further access.

The product has already had success as an attack-mitigation tool, and ActiveScout 2.5 brings a host of new features, such as centralized management and better event logging and viewing, as well as some minor improvements, including SNMPv1 support, event playback and better user management. ForeScout also made some much-needed fixes in ActiveScout 2.5, changes I found significant for networks running multiple ActiveScouts.


Attackers usually scan for vulnerable hosts and services using ping sweeps and TCP/UDP port and application scans, then target the hosts and services the scan discovered. ActiveScout monitors traffic on the wire and logs scans; it responds to such scans with simulated data from spoofed hosts built on unused IP addresses and port numbers in your protected network. ActiveScout remembers the ports it used to respond to scans, and when there is a later connection attempt on one of those ports, ActiveScout is prepared to block it. The theory is that only a returning attacker would try to exploit an otherwise unavailable service.

Good News
  • TCP state checking and TCP ISN randomization.
  • Highly configurable QoS and bandwidth management.
  • CLI on both LSMS 7.0 and Brick.

Bad News
  • Lacks object grouping in Enterprise Manager.
  • Supports SNMPv1 only.

I had been using ActiveScout 2.1 to monitor our network for several months before testing version 2.5. I found that not only was the product unobtrusive, but after I tweaked it some, it monitored as expected and had a very low false-positive rate. After receiving the new version, I deployed another ActiveScout on a separate network.

Version 2.1 had one network issue that was fixed in 2.5. In the lab we use a NetScreen-100, a transparent firewall that sits directly behind our router. ActiveScout 2.1 gave me trouble there because, when spoofing unused IP addresses, it also spoofed addresses that fell into our DHCP range. By stealing those addresses, it rendered DHCP worthless.

Version 2.5 solves this problem in two ways. First, before ActiveScout 2.5 spoofs an IP address it has not used before, it checks whether the address is in use by sending an ARP (Address Resolution Protocol) request for it; if nothing answers, the address is free and ActiveScout will use it. Second, if a host later comes onto the network and claims that address, ActiveScout notices and puts the address on its "do not use" list.
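As an added illustration (not ForeScout's code, and not something the review describes at this level of detail), here is a small Python model of the cycle outlined above: count the distinct targets a source probes, answer its probes to unused addresses with bait once it looks like a scanner, remember which address/port pairs were baited, and block any source that later connects to one. It also models the 2.5 address check: addresses that answered an ARP probe are never spoofed, and a host that later claims a spoofed address retires its bait and lands on the do-not-use list. The scan threshold, the class and field names, and the explicit DHCP-pool exclusion are my assumptions; the trace in demo() is constructed, not captured traffic.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str           # source IP of the connection attempt
    dst: str           # destination IP inside the protected network
    dport: int         # destination TCP port
    syn: bool = True   # True for a SYN, i.e. a new connection attempt


class BaitEngine:
    """Answers probes to unused addresses from scanning sources with bait and
    blocks any source that later connects to a bait service (assumed model)."""

    def __init__(self, protected_net, arp_responders, dhcp_pool=None, scan_threshold=3):
        self.net = ipaddress.ip_network(protected_net)
        # Addresses that answered an ARP probe at start-up: real hosts, never spoofed.
        self.in_use = {ipaddress.ip_address(a) for a in arp_responders}
        # Explicit DHCP-pool exclusion: an extra safeguard assumed here, on top of
        # the ARP check the review describes.
        self.dhcp_pool = ipaddress.ip_network(dhcp_pool) if dhcp_pool else None
        self.do_not_use = set()      # addresses a host claimed after we spoofed them
        self.scan_threshold = scan_threshold
        self.targets_seen = {}       # src -> set of (dst, dport) it has probed
        self.baits = {}              # (dst, dport) -> src the bait was served to
        self.blocked = set()

    def address_available(self, ip):
        """ARP-style check: spoof an address only if nothing answered for it, it is
        outside the DHCP pool, and no host has claimed it since."""
        ip = ipaddress.ip_address(ip)
        if ip not in self.net or ip in self.in_use or ip in self.do_not_use:
            return False
        if self.dhcp_pool is not None and ip in self.dhcp_pool:
            return False
        return True

    def host_appeared(self, ip):
        """A real host was seen (via ARP) on an address: retire any bait on it and
        put the address on the do-not-use list."""
        ip = ipaddress.ip_address(ip)
        self.in_use.add(ip)
        self.do_not_use.add(ip)
        for key in [k for k in self.baits if ipaddress.ip_address(k[0]) == ip]:
            del self.baits[key]

    def handle(self, pkt):
        """Process one packet and return the action: 'pass' (real host or non-SYN),
        'silent' (unused address, no reply yet), 'bait' (fake service offered and
        remembered) or 'blocked'."""
        if not pkt.syn:
            return "pass"
        if pkt.src in self.blocked:
            return "blocked"
        key = (pkt.dst, pkt.dport)
        if key in self.baits:
            # No legitimate client connects to a service that never existed; the
            # only way to know about it is to have been shown the bait.
            self.blocked.add(pkt.src)
            return "blocked"
        seen = self.targets_seen.setdefault(pkt.src, set())
        seen.add(key)
        if not self.address_available(pkt.dst):
            return "pass"            # real host or excluded address: not ours to answer
        if len(seen) < self.scan_threshold:
            return "silent"          # too few distinct targets yet to call it a scan
        self.baits[key] = pkt.src    # serve a fake SYN/ACK and remember the port
        return "bait"


def demo():
    """Constructed trace (not captured traffic) exercising each branch."""
    engine = BaitEngine("192.0.2.0/24", arp_responders=["192.0.2.10", "192.0.2.20"],
                        dhcp_pool="192.0.2.128/25")
    trace = [
        Packet("198.51.100.7", "192.0.2.10", 22),   # real host: pass
        Packet("198.51.100.7", "192.0.2.11", 22),   # unused address: silent
        Packet("198.51.100.7", "192.0.2.12", 22),   # third target: bait served
        Packet("198.51.100.7", "192.0.2.12", 22),   # returns to exploit the bait: blocked
        Packet("198.51.100.7", "192.0.2.10", 80),   # and stays blocked
        Packet("192.0.2.20", "192.0.2.10", 80),     # ordinary internal client: pass
        Packet("203.0.113.5", "192.0.2.130", 22),   # DHCP pool is never spoofed,
        Packet("203.0.113.5", "192.0.2.131", 22),   # however many addresses are
        Packet("203.0.113.5", "192.0.2.132", 22),   # probed there
    ]
    actions = [engine.handle(p) for p in trace]
    engine.host_appeared("192.0.2.12")             # a laptop takes the bait's address
    actions.append(engine.handle(Packet("203.0.113.9", "192.0.2.12", 22)))  # pass
    return actions
```

The design point worth keeping from the model: the bait is the detector, so the false-positive question reduces to "can a legitimate client ever reach a baited address/port?" That is exactly why the address pool must exclude anything DHCP might hand out and why a late-arriving host has to retire its bait rather than get blocked.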

It's All in the Management

Before version 2.5, each ActiveScout was individually managed via Site Manager. ActiveScout 2.5 brings centralized management to the table. The enterprise management server runs on its own Linux installation separate from the ActiveScout. The management tool is divided into two parts: the Central Console Unit (CCU), a central server to which multiple ActiveScouts can send data, and the Enterprise Manager console, the management GUI for the CCU. Enterprise Manager is so similar to Site Manager that it is easy to transition from one to the other. For my tests I needed to configure the Enterprise Manager console by providing the ActiveScout IP addresses, administrator IDs and passwords.

The Enterprise Manager offers flexible user-based management access control. Limiting administrators to specific tasks, ActiveScouts or groups of ActiveScouts is simple. The product won't let you create groups of users, however, which would allow you to manage administrative access more effectively. That means if you want to make a uniform change to multiple administrators, you must touch each administrative object.

The new extensive logging of system and administrative events is a welcome addition. There are two types of logs. Audit logs record administrative activity, stating what changed, when it changed and who changed it. Event logs record system events, such as ActiveScouts going up or down. An audit log is created for each ActiveScout as well as for each event in the Enterprise Manager. At the ActiveScout level, all administrative activity is logged to the audit log and can be sorted by event details, such as the administrator name, the host, a date/time stamp and the action that was taken. The audit log fields are sortable as well as searchable. Logs can be exported to third-party applications, but that feature wasn't available in the alpha version I tested.

Filters can be added to event and audit logs by defining the log entries that should be displayed, thereby hiding those you don't need to see. To filter out database synchronization events, I had to add all events and then remove the individual event types I didn't want displayed. Filters can be defined based on several criteria, including event severity, event groups and event names. Multiple filters can be combined to display exactly the information you want, but only one filter can be applied at a time. Unfortunately, the product didn't let me save filters for reuse.

ActiveScout 2.5 also includes SNMP support for management and SNMP traps. I configured the individual ActiveScouts and the Enterprise Manager to send SNMP traps to a Hewlett-Packard OpenView manager. I also made SNMP queries available to specific, protected subnets. In addition, I walked the MIB tree. Be aware that this is SNMPv1, so the traffic, community strings included, passes in the clear across your network. I recommend you hold off on using the SNMP function until the next release, when ForeScout says it will implement SNMPv3.
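The SNMPv1 caveat is easy to see on the wire: the community string is an unauthenticated BER OCTET STRING sitting right after the version number, so anyone who can sniff the segment learns it (and, for traps, the agent address) without any key. The decoder below is an added example, not part of the review or of ForeScout's product. The datagrams are hand-encoded BER I constructed for it, and the SNMPv3 sample is a synthetic header with placeholder security parameters and ciphertext rather than a real USM exchange. Run over a capture, the same sweep is the check I would use to find any v1/v2c talkers still on a protected subnet.

```python
# Minimal BER decoder for the fields a passive observer can read from an SNMP
# datagram (added example; field names and the samples are constructed here).

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "SNMPv2-Trap"}


def _tlv(buf, pos):
    """Decode one BER tag-length-value at pos (short and long definite lengths).
    Returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _int(value):
    return int.from_bytes(value, "big", signed=True)


def inspect_snmp(datagram):
    """Return a dict of what is readable in clear text from one SNMP message."""
    tag, body, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _tlv(body, 0)
    version = _int(ver)
    if version in (0, 1):                    # SNMPv1 (0) and v2c (1): community string
        _, community, pos = _tlv(body, pos)
        pdu_tag, pdu, _ = _tlv(body, pos)
        info = {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace"),
                "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}
        if pdu_tag == 0xA4:                  # v1 Trap-PDU: enterprise OID, then agent-addr
            _, _, p = _tlv(pdu, 0)
            _, addr, _ = _tlv(pdu, p)
            info["agent_addr"] = ".".join(str(b) for b in addr)
        return info
    if version == 3:                         # SNMPv3: msgGlobalData carries msgFlags
        _, global_data, _ = _tlv(body, pos)
        p = 0
        for _i in range(2):                  # skip msgID and msgMaxSize
            _, _, p = _tlv(global_data, p)
        _, flags, _ = _tlv(global_data, p)
        return {"version": "v3", "community": None,
                "auth": bool(flags[0] & 0x01), "priv": bool(flags[0] & 0x02)}
    raise ValueError(f"unsupported SNMP version {version}")


def cleartext_communities(datagrams):
    """Detection sweep: community strings exposed by v1/v2c messages in a capture."""
    return sorted({info["community"] for info in map(inspect_snmp, datagrams)
                   if info["community"] is not None})


# Constructed datagrams (hand-encoded BER, not captured traffic).
GET_V1 = bytes.fromhex(
    "3026 020100 0406 7075626c6963"             # version 0, community "public"
    "a019 020101 020100 020100"                 # GetRequest: request-id 1, no error
    "300e 300c 0608 2b06010201010500 0500")     # varbind sysName.0 = NULL
TRAP_V1 = bytes.fromhex(
    "3027 020100 0406 7075626c6963"
    "a41a 0607 2b060104 01bf08"                 # Trap: enterprise 1.3.6.1.4.1.8072
    "4004 c000020a 020106 020101 430100 3000")  # agent 192.0.2.10, enterpriseSpecific
V3_AUTHPRIV = bytes.fromhex(
    "301a 020103"                               # version 3
    "300d 020101 020205dc 040107 020103"        # msgFlags 0x07: auth + priv, reportable
    "0400 0404 deadbeef")                       # placeholder USM params and ciphertext
```

With the v3 authPriv sample the decoder gets only the header flags; the PDU, and with it the OIDs and values, is ciphertext, which is the difference the "hold off until SNMPv3" advice is about.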


Vendor Information
ActiveScout Enterprise, $16,000. Available: Oct. 1. ForeScout Technologies, (650) 358-5580
www.forescout.com

Finally, ActiveScout's event playback is truly a geek feature. Combined with the day/night map overlay, the playback feature compresses time to show historical activity. Unfortunately, the replay shows only the location of the events (according to the various registries) and the duration of each event. Clicking on an event in the map doesn't do anything.

With this version of ActiveScout, ForeScout Technologies is on the right track for robust multiunit management. The ability to limit administrator access to specific tasks and specific ActiveScouts is critical for scalable management. The detailed audit logs keep tabs on system changes, and the log sorting and searching facilities present the data you need.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.
