ATTACKING THE ATTACKER
22 November 2004 by Richard Chirgwin
ForeScout Launches SecuredWire in Oz
A newly-arrived security vendor is taking what I might call the honeypot principle as the basis of a suite of products designed to overcome the “day zero” problem.
ForeScout Technologies’ SecuredWire is, as general manager Richard Galpin told CommsWorld late last week, designed to focus on the attacker rather than the attack.
Here’s the operation which Galpin described: the ForeScout technology creates a weak “ghost” server outside the corporate firewall. Visible to the Internet, this virtual server will be polled and scanned by potential attackers (very much like a honeypot).
Having identified a weak address and port, the attacker will then try to initiate a conversation with that port, at which point the ForeScout server can capture the attacker’s IP address. It then blocks the address at the firewall for a user-configurable time (since most users are on dynamically-allocated addresses, Galpin said, there’s no point in blocking an ‘attack’ address forever).
While the virtual server has a normal IP address, the ‘real’ SecuredWire server does not. The company has designed the system to communicate over a private Ethernet connection with the secured side of the network, to prevent attackers from identifying the presence of the device.
There are, he said, three possible configurations. A SecuredWire server configured with one NIC – really only suitable for evaluation purposes – will be a fully visible member of the IP network it’s attached to. With two NICs, the device can sniff Internet connections without exposure, using a private IP address on the second NIC to communicate on the secured side of the corporate network.
A third, more secure configuration uses three NICs: one for the stealth sniffer, one for the private network, and the third providing a direct connection to the firewall.
The system can also be used to defend corporate networks against attacks such as worms that have already entered the network (for example, through a laptop). By shutting down only the source of malicious internal traffic, the company claims it can keep networks operational even after some machines have suffered virus or worm infection.
If you’re a pessimist like me, you will have noticed that there is an attack vector which could be used against ForeScout: hit the system with a large number of attacks, apparently from a large number of originating IP addresses. If successfully used against a SecuredWire-defended e-commerce site, this could act as a denial-of-service attack in which ‘real’ users were unable to pass the address blocks.
However, as Galpin pointed out, this sort of attack depends on the assumption that the attacker knows SecuredWire is in use at the target site. In ‘stealth’ mode, with no IP address except that assigned to the ‘honeypot’ virtual server, finding the device wouldn’t be trivial. And the potential for such an attack, he said, is why the ‘time to live’ of the block is adjustable: an e-commerce site would set a comparatively short block time, to avoid the risk that genuine users might inherit an address that’s currently blocked.
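As an added illustration of the block-and-expire behaviour described in this article (this is not ForeScout’s code; the decoy port set, addresses and timings are constructed), the following Python model shows why the adjustable block time-to-live matters: a genuine user who later inherits a blocked dynamic address is let through only once the block has lapsed.

```python
from dataclasses import dataclass, field

# Constructed model of the mechanism described above: a decoy ("ghost") server
# trips on any connection attempt to its ports, and the source address is then
# blocked at the firewall until a configurable time-to-live expires.
@dataclass
class DecoyBlocker:
    block_ttl: float                             # seconds an address stays blocked
    decoy_ports: frozenset                       # ports exposed only by the ghost server
    blocked: dict = field(default_factory=dict)  # src_ip -> expiry time

    def observe(self, src_ip: str, dst_port: int, now: float) -> str:
        """Classify one connection attempt as 'allow', 'block' (newly tripped) or 'drop'."""
        expired = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in expired:                       # blocks lapse once their TTL has passed
            del self.blocked[ip]
        if src_ip in self.blocked:
            return "drop"
        if dst_port in self.decoy_ports:         # touching the decoy trips the block
            self.blocked[src_ip] = now + self.block_ttl
            return "block"
        return "allow"


def replay(events, block_ttl):
    """Run (time, src_ip, dst_port) events through a fresh blocker; return the decisions."""
    fw = DecoyBlocker(block_ttl=block_ttl, decoy_ports=frozenset({23, 135, 445}))
    return [fw.observe(ip, port, t) for t, ip, port in sorted(events)]


# Constructed trace: one address scans the decoy, then tries the real web server;
# 15 minutes later the same dynamically assigned address is reused by a genuine
# customer. Only the block TTL differs between the two runs below.
TRACE = [
    (0.0,   "203.0.113.7", 445),   # scan hits a decoy port on the ghost server
    (5.0,   "203.0.113.7", 443),   # same source now tries the real site
    (900.0, "203.0.113.7", 443),   # new user on the inherited address
]

if __name__ == "__main__":
    print("short TTL (300 s):", replay(TRACE, 300))    # ['block', 'drop', 'allow']
    print("long TTL (1 day): ", replay(TRACE, 86400))  # ['block', 'drop', 'drop']
```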