Intrusion prevention without signatures.
Most network defenses in use today rely on firewalls and intrusion detection technologies. These technologies have proven useful for network protection, but they still lack the intelligence to discriminate attackers reliably.
One approach to this problem was the creation of a honey pot: a system designed to be attractive to attackers and to expose them before they can get into your network. The limitations of honey pot technology lie in their content and in what they do with it. For a honey pot to be attractive, it has to look interesting to an attacker, which requires that someone put things into it designed to be interesting. It also requires that the honey pot be designed to survive attacks, and finally it needs to be monitored so that you know when someone takes the bait. Even then, few honey pot systems can do anything with the information learned, and many of them need operator intervention in order to provide additional protection.
There is a better approach to honey pot technology. This approach acts very much like a honey pot, but it needs a lot less help to do its job. It also goes a step further than most honey pot systems by cloaking itself and all of your IP addresses, and by identifying attackers' IP addresses and blocking them immediately.
Enter the ActiveScout.
This technology is called ActiveScout. The ActiveScout sits in front of your firewall and listens to your network to learn what Internet services your network uses. Once it has learned those services, it begins its job of baiting and identifying attackers.
Baiting hackers is done through the use of virtual hosts and false responses. Most network attacks begin with some form of reconnaissance - it could be nothing more than connecting to known and advertised services, such as a web server, DNS or Email server - and the only way to protect these systems and services has been through constant software updates and IDS systems combined with advanced firewalling.
There are however many other assessment methods used by attackers. They scour the Internet looking for more interesting services - like secure shell (SSH), SubSeven (a well known trojan horse), telnet, FTP, SMTP, Microsoft SQL and many more.
On the Internet, scanning is a common occurrence; it happens to everyone at least once a day. Scans take many forms, and they almost always come from another compromised Internet system. Attackers don't want to leave a clear trail for authorities to follow, so they use other computers to do their dirty work and connect to those systems as anonymously as they can.
ActiveScout protects networks by providing false positive responses to all kinds of scanning techniques. These false responses tell attackers that something interesting is out there, and when an attacker reads the results of a scan and finds a false positive response they like, the first thing they will do is try to connect to that vulnerable service and attack it.
When ActiveScout is protecting your network, scanners will see results that they want to see in vulnerable target networks - they may see Windows computers serving web pages or with known trojan horses installed, they may see Linux computers running out of date software or servers allowing vulnerable SSH connections - all things that attackers like - easy targets.
The ActiveScout remembers the information it feeds to Internet scans. When someone tries to connect with any of the false positive information it has provided, from anywhere on the Internet, the source of that scan is considered to be an attacker and is blocked.
Blocking Attackers
Attackers identified by the ActiveScout can be blocked in two different ways:
Session Kills - This method of protection is simple and very effective - when someone is recognized as an attacker, all attempts to open connections with the protected network are stopped by the ActiveScout by injecting TCP session kills into the network. These kills close the firewall ports and actively block all scans coming into the organization. This method has the advantage of working with any Internet connected system and the ActiveScout functions autonomously with the surrounding systems.
OPSEC Kills - This method of protection is perhaps the most powerful protection method, and it only works with Check Point firewalls. By linking the ActiveScout to your Check Point Firewall-1, the ActiveScout can tell the firewall who is attacking - and the firewall will also block them from reaching any of your network resources for a preset time.
These two blocking methods can be easily combined, and because of the way that attackers are identified and blocked, someone intent on getting into your network would have to have many IP addresses to launch attacks from in order to find any real non-published services on your network.
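The baiting logic described above (remember the false "open" answers handed to scans, then treat any later connection to one of them as an attacker and close the door on that source) can be modelled in a few dozen lines. This is an added illustration, not ActiveScout's own code; the class name, the RFC 5737 sample addresses and the traffic sequence are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DeceptionGuard:
    """Model of the scout's logic (added example, not ActiveScout's code):
    learn real services, answer every other probe with a false 'open',
    and treat anyone who later connects to a decoy as an attacker."""
    real_services: set                                  # {(ip, port)} seen in normal traffic
    decoys: dict = field(default_factory=dict)          # (ip, port) -> scanner that got the bait
    blocked: set = field(default_factory=set)           # attacker source IPs
    linked: dict = field(default_factory=dict)          # attacker IP -> scanner IP

    def probe(self, src, dst_ip, dst_port):
        """Scan probe arrives: real services answer for themselves,
        anything else is reported open and remembered as a decoy."""
        if (dst_ip, dst_port) in self.real_services:
            return "real"
        self.decoys[(dst_ip, dst_port)] = src
        return "decoy-open"

    def connect(self, src, dst_ip, dst_port):
        """Connection attempt: kill it if the source is a known attacker or
        is taking the bait; otherwise let the real service handle it."""
        if src in self.blocked:
            return "kill"
        if (dst_ip, dst_port) in self.decoys:
            self.blocked.add(src)                       # nobody legitimate follows up on bait
            self.linked[src] = self.decoys[(dst_ip, dst_port)]
            return "kill"
        return "allow"

def run_sample():
    """Constructed traffic (RFC 5737 addresses): a scan, a legitimate client,
    and an attacker connecting from a host other than the one that scanned."""
    g = DeceptionGuard(real_services={("203.0.113.10", 80), ("203.0.113.11", 25)})
    scanner, client, attacker = "198.51.100.5", "192.0.2.77", "198.51.100.9"
    actions = [
        g.probe(scanner, "203.0.113.10", 80),       # real web server answers normally
        g.probe(scanner, "203.0.113.12", 22),       # unused IP: false SSH reply
        g.probe(scanner, "203.0.113.10", 1433),     # unused port: false MSSQL reply
        g.connect(client, "203.0.113.10", 80),      # normal browsing, never flagged
        g.connect(attacker, "203.0.113.12", 22),    # takes the SSH bait: blocked
        g.connect(attacker, "203.0.113.10", 80),    # even the real service is now closed to it
        g.connect(client, "203.0.113.11", 25),      # mail still flows
    ]
    return actions, g

if __name__ == "__main__":
    acts, guard = run_sample()
    print(acts, guard.blocked, guard.linked)
```

The `linked` map is what lets the scan origin be connected to the attacker even when the follow-up comes from a different host, which is the "connecting scans with attackers" property; a real deployment would also expire decoys and blocks after the preset time.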
The end of service scanning as we know it...
Because of this new technology, scanning programs and techniques are now unreliable. Scanning systems try to identify a vulnerable computer's operating system. Other scans look for trojan horses or other remote administrative openings. All of these methods rely upon scans.
With ActiveScout protection in place, the only attacks that could possibly succeed are ones that are targeted specifically against real advertised services - like web pages, DNS servers and email servers - and that's it. If the attacker directs their attention away from the real targeted service just one little bit, they are blocked.
The decoy information presented by the ActiveScout is so attractive to attackers that it will be the first thing they attack - and then they'll be identified and blocked thereafter. And if attackers go for the ActiveScout decoy first, you can block them from reaching any of your network resources instantly.
Other benefits
Because of the way that ActiveScout works, it has some features which make it unique in the security industry. These features are:
- No false positives
- No "Signature Updates"
- Reduced management costs
- Operating system included
- Pricing based on bandwidth
- Built in reporting
- Identifies slow attacks and new attacks
- Connecting scans with attackers
ActiveScout also has a unique configuration and monitoring console which provides geographical as well as network ownership information regarding each attacker. This lets you not only see the address of the attacker, but it also provides the phone number to contact the ISP, as well as where in the world this attacker is likely to be found.
Tell me more!!!
If you would like to learn more about the Cadamier ActiveScout solution, send an email to us at sales@cadamier.com or call us at 303-394-9426.