Hybrid software deflects attackers with guile
- By Trudy Walsh
- Mar 03, 2004
Fremont, Calif., a Silicon Valley city of 200,000, doesn't sound like a top target for network hacks. But when war began last spring in Iraq, the city's Web site, at www.ci.fremont.ca.us, received scores of hits from locations in the Middle East.
The city had just installed ActiveScout intrusion-prevention software from ForeScout Technologies Inc. of San Mateo, Calif. The software has a map that shows the geographic origin of attempted attacks.
'It really opened our eyes,' said Mike Towan, Fremont's network administrator. 'We were surprised at the kind and amount of traffic at our gateway that we weren't aware of before.'
Towan described ActiveScout as a hybrid of a honey pot (a system that lures hackers, then blocks their IP addresses) with intrusion detection. ActiveScout learned the network rapidly and began to offer up services to suspected hackers 'to tell them the site is wide open,' he said. 'When they come back to exploit what they think are vulnerabilities, ActiveScout blocks them.'
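The mechanism Towan describes, a gateway that answers reconnaissance with fabricated service hints and blocks whoever later acts on them, can be sketched as a small model. The following is an added example written for this article, not ForeScout's code or a description of how ActiveScout is built; the class name `DeceptionGate`, the `fake-svc-NNNN` hint format, and the sample traffic are all constructed for illustration.

```python
"""Model of a deception-plus-blocking gateway.

A probe of a port the site does not serve is treated as reconnaissance
and answered with a fabricated service hint (a "mark"). No legitimate
client ever receives or needs a mark, so any later connection carrying
one can only come from someone acting on the bogus hint; that source is
blocked. Hypothetical design; not ForeScout's implementation.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass
class DeceptionGate:
    offered_ports: set                              # ports the site really serves
    marks: dict = field(default_factory=dict)       # mark -> IP it was handed to
    blocked: set = field(default_factory=set)       # IPs that acted on a mark
    _seq: count = field(default_factory=count, repr=False)

    def probe(self, src_ip: str, port: int) -> Optional[str]:
        """Handle a connection attempt seen at the gateway.

        Traffic to an offered port is ordinary and gets no mark. Anything
        else is recon: reply with a fake hint and remember who got it.
        """
        if port in self.offered_ports:
            return None
        mark = f"fake-svc-{next(self._seq):04d}"   # deterministic for the demo
        self.marks[mark] = src_ip
        return mark

    def connection(self, src_ip: str, port: int, payload: str) -> str:
        """Decide what to do with a connection that carries a payload."""
        if src_ip in self.blocked:
            return "drop"                           # already blocked, say nothing
        if any(mark in payload for mark in self.marks):
            # The payload references a hint that only exists because we
            # fabricated it, whoever originally received it: block the source.
            self.blocked.add(src_ip)
            return "block"
        return "allow" if port in self.offered_ports else "reject"


def simulate(gate: DeceptionGate, events: list) -> list:
    """Run a list of ("probe", ip, port) / ("conn", ip, port, payload) events."""
    decisions = []
    for ev in events:
        if ev[0] == "probe":
            _, ip, port = ev
            decisions.append("mark" if gate.probe(ip, port) else "allow")
        else:
            _, ip, port, payload = ev
            decisions.append(gate.connection(ip, port, payload))
    return decisions


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    ("probe", "198.51.100.7", 3306),                              # recon of a port we don't serve -> mark
    ("probe", "203.0.113.9", 80),                                 # ordinary client on the web port
    ("conn", "203.0.113.9", 80, "GET / HTTP/1.1"),                # normal request, allowed
    ("conn", "198.51.100.7", 80, "GET /fake-svc-0000/admin HTTP/1.1"),  # scanner acts on the hint
    ("conn", "198.51.100.7", 80, "GET / HTTP/1.1"),               # same host again: silently dropped
    ("conn", "192.0.2.44", 80, "GET /fake-svc-0000/ HTTP/1.1"),   # another host reuses the bogus hint
]


def run_demo():
    """Return the per-event decisions and the final block list."""
    gate = DeceptionGate(offered_ports={80, 443})
    decisions = simulate(gate, SAMPLE_EVENTS)
    return decisions, sorted(gate.blocked)


if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, run_demo()[0]):
        print(f"{decision:6} <- {ev}")
```

The point the model makes is the one in Towan's description: the gateway does not have to judge the first probe, only to notice when a host returns and uses information that could only have come from the decoy. The third IP in the sample shows why the check is on the mark rather than on the IP that received it; a bogus hint is evidence regardless of who presents it.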
The software resides outside the firewall on the city's predominantly Microsoft Windows 2000 network and monitors all incoming traffic.
Towan said he was surprised at how fast the software began blocking suspicious activity.
Anecdotally, he said, the $10,000 software has paid for itself. The city at first had considered installing intrusion-detection hardware, but the requirements for log reviews, alert analysis and other maintenance would have overwhelmed the two-person security team.
ActiveScout monitors itself, 'which frees me up to do other network administration,' Towan said.
Trudy Walsh is a senior writer for GCN.