Cadamier Network Security Corporation, Denver Colorado
Intrusion prevention without signatures
In today’s online world, you have to defend your network system against attacks.
Most network defenses in use today involve the use of firewalls and intrusion detection technologies. These technologies have proven to be useful for network protection, but they still lack enough intelligence to reliably discriminate attackers.
For a completely secure network, you must have an Intrusion Prevention System (IPS).
One approach to this problem was the creation of a honey pot. A honey pot is a system designed to be attractive to attackers, and is used to expose them before they can get into your network. The limitation of honey pot technology is their content and what they do with it.
For a honey pot to work, it's got to look interesting to an attacker. This requires that someone puts things into it that are designed to be interesting to attackers. The honey pot must also be designed to survive attacks as well. It needs to be monitored so that you know when someone takes the bait and tries to attack.
But with most honey pot systems you can’t do anything with the information learned, and many of the systems need operator intervention in order to provide additional protection.
Better Than A Honey Pot
Cadamier has a better approach to honey-pot technology. Our approach acts very much like a honey pot, but it needs a lot less help to do its job and it goes a step further than most honey pot systems. It cloaks itself and all of your IP addresses, and it identifies attackers’ IP addresses and immediately blocks them.
This technology is called ActiveScout. It is an Intrusion Prevention System (IPS).
The ActiveScout sits in front of your firewall and listens to your network to learn what Internet services your network uses. Once it has learned those services, it begins its job of baiting and identifying attackers.
Baiting hackers is done through the use of virtual hosts and false responses. Most network attacks begin with some form of reconnaissance. It could be nothing more than connecting to known and advertised services, such as a web server, DNS, or email server. The only way to protect these systems and services has traditionally been through constant software updates and IDS systems combined with advanced firewalls.
There are however many other assessment methods used by attackers. They scour the Internet looking for more interesting services, like secure shell (SSH), SubSeven (a well known trojan horse), telnet, FTP, SMTP, Microsoft SQL and many more.
On the Internet, scanning is a common occurrence. It happens to everyone at least once a day. Scans take many forms, and they almost always come from another compromised Internet system.
Attackers don't want to leave a clear trail for authorities to follow, so they use other computers to do their dirty work and connect to those systems as anonymously as they can.
ActiveScout protects networks by providing false positive responses to all kinds of scanning techniques. These false responses let the attackers know that something interesting is out there. When an attacker reads the results of his scanning and finds a false positive response he likes, the first thing he will do is try to connect with that vulnerable service and attack it.
When ActiveScout is protecting your network, scanners will see results that they want to see in vulnerable target networks. They may see Windows computers serving web pages or with known trojan horses installed, they may see Linux computers running out of date software or servers allowing vulnerable SSH connections. These are all things that attackers are attracted to. They see them as easy targets.
The ActiveScout remembers the information it feeds to Internet scans. When someone tries to connect with any of the false positive information it has provided, from anywhere on the Internet, the source of that scan is considered to be an attacker and is blocked.
Attackers identified by the ActiveScout can be blocked in two different ways:
Session Kills - This method of protection is simple and very effective. When someone is recognized as an attacker, all attempts to open connections with the protected network are stopped by the ActiveScout. This is done by injecting TCP session kills into the network.
These kills close the firewall ports and actively block all scans coming into the organization. This method has the advantage of working with any Internet connected system. The ActiveScout functions autonomously with the surrounding systems.
The second way attackers can be blocked is OPSEC Kills.
OPSEC Kills - This method of protection is perhaps the most powerful, but it only works with Check Point firewalls. By linking the ActiveScout to your Check Point Firewall-1, the ActiveScout can tell the firewall who is attacking. The firewall then blocks them from reaching any of your network resources for a pre-set time.
These two blocking methods can easily be combined. Because of the way attackers are identified and blocked, someone intent on getting into your network would need many IP addresses from which to launch attacks in order to find any real non-published services on your network.
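To make the decoy-and-block logic above concrete, here is a small model of it as an added example; it is not ActiveScout's own code, and the port lists, event format, "kill" verdicts and one-hour block window are assumptions chosen to illustrate the sequence described on this page. The first touch on an unused port is answered with bait and remembered per source and port; a later return to that bait marks the source as an attacker and blocks it for a pre-set time, after which the block expires.

```python
"""Toy model of decoy-based scan detection and timed blocking (constructed)."""

# Ports the sensor answers with false positives in place of real listeners (assumed).
DECOY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 1433: "mssql", 27374: "subseven"}
# Services the protected network genuinely publishes (assumed).
REAL_SERVICES = {25: "smtp", 53: "dns", 80: "http"}


class DecoyTracker:
    def __init__(self, block_seconds=3600):
        self.block_seconds = block_seconds
        self.baited = {}   # (src_ip, dport) -> time the false response was sent
        self.blocked = {}  # src_ip -> time the block expires

    def is_blocked(self, src_ip, now):
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:           # pre-set block time has elapsed
            del self.blocked[src_ip]
            return False
        return True

    def handle(self, event):
        """Return the verdict for one inbound connection attempt."""
        src, port, now = event["src"], event["dport"], event["t"]
        if self.is_blocked(src, now):
            return "blocked"            # every connection attempt is killed
        if port in REAL_SERVICES:
            return "pass"               # published service, leave it alone
        if (src, port) in self.baited:
            # Source came back for the bait it was fed: treat as an attacker.
            self.blocked[src] = now + self.block_seconds
            return "kill"
        if port in DECOY_PORTS:
            self.baited[(src, port)] = now
            return "bait"               # answer the scan with a false positive
        return "drop"                   # cloaked: no response at all


def classify_events(events, block_seconds=3600):
    tracker = DecoyTracker(block_seconds)
    return [tracker.handle(e) for e in events]


# Constructed sample traffic: one scanner that takes the bait, one normal client.
SAMPLE_EVENTS = [
    {"t": 0, "src": "203.0.113.7", "dport": 22},       # scan probe -> bait
    {"t": 5, "src": "203.0.113.7", "dport": 27374},    # scan probe -> bait
    {"t": 60, "src": "203.0.113.7", "dport": 22},      # returns for bait -> kill
    {"t": 61, "src": "203.0.113.7", "dport": 80},      # even real service now blocked
    {"t": 100, "src": "198.51.100.4", "dport": 80},    # ordinary web client -> pass
    {"t": 3700, "src": "203.0.113.7", "dport": 80},    # block expired -> pass
]
```

The model treats any second contact on a baited port as a return visit; a production sensor would also have to tell a scanner's own SYN retransmissions apart from a genuine later connection, which this simplification ignores.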
The end of service scanning as we know it...
Because of this new technology, scanning programs and techniques are now unreliable. Scanning systems try to identify a vulnerable computer's operating system. Other scans look for trojan horses or other remote administrative openings. All of these methods rely on scans.
With ActiveScout protection in place, the only attacks that could possibly succeed are ones that are targeted specifically against real advertised services, like web pages, DNS servers and email servers, and that's it. If the attacker directs their attention away from the real targeted service just one little bit, they are blocked.
The decoy information presented by ActiveScout is so attractive to attackers that it will be the first thing they attack. Then they'll be identified and blocked thereafter. If attackers go for the ActiveScout decoy first, you can block them from reaching any of your network resources instantly.
ActiveScout has some features which make it unique in the security industry, such as:
- No false positives
- No "Signature Updates"
- Reduced management costs
- Operating system included
- Pricing based on bandwidth
- Built in reporting
- Identifies slow attacks and new attacks
- Connecting scans with attackers
ActiveScout also has a unique configuration and monitoring console which provides geographical as well as network ownership information regarding each attacker.
This lets you not only see the address of the attacker, but it also provides the phone number to contact the ISP, as well as the location of the attacker.
We are always looking out for the security of your networks and on the front line are Cadamier’s Intrusion Prevention Systems (IPS).