Hybrid software deflects attackers with guile

Fremont, Calif., a Silicon Valley city of 200,000, doesn't sound like a top target for network hacks. But when war began last spring in Iraq, the city's Web site, at www.ci.fremont.ca.us, received scores of hits from locations in the Middle East.

The city had just installed ActiveScout intrusion-prevention software from ForeScout Technologies Inc. of San Mateo, Calif. The software has a map that shows the geographic origin of attempted attacks.

'It really opened our eyes,' said Mike Towan, Fremont's network administrator. 'We were surprised at the kind and amount of traffic at our gateway that we weren't aware of before.'

Towan described ActiveScout as a hybrid of a honey pot (a system that lures hackers, then blocks their IP addresses) with intrusion detection. ActiveScout learned the network rapidly and began to offer up services to suspected hackers 'to tell them the site is wide open,' he said. 'When they come back to exploit what they think are vulnerabilities, ActiveScout blocks them.'

The software resides outside the firewall on the city's predominantly Microsoft Windows 2000 network and monitors all incoming traffic.
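The decoy-then-block behaviour described above, reduced to its core logic as an added example (not ForeScout's code or algorithm). The port set, the scan threshold and the 'probe'/'connect' event labels are assumptions, and the traffic is constructed.

```python
from dataclasses import dataclass, field

REAL_SERVICES = {80, 443}   # assumption: ports the protected site really serves
SCAN_THRESHOLD = 3          # assumption: distinct unused ports probed before decoys are offered

@dataclass
class DecoySensor:
    probed: dict = field(default_factory=dict)    # src -> unused ports it has probed
    offered: dict = field(default_factory=dict)   # src -> decoy ports advertised to it
    blocked: set = field(default_factory=set)

    def observe(self, src, port, kind):
        """kind: 'probe' (reconnaissance) or 'connect' (session attempt)."""
        if src in self.blocked:
            return "drop"
        if port in REAL_SERVICES:
            return "pass"
        if kind == "connect" and port in self.offered.get(src, ()):
            # Only a source that was shown this decoy can know about it.
            self.blocked.add(src)
            return "block"
        ports = self.probed.setdefault(src, set())
        ports.add(port)
        if len(ports) >= SCAN_THRESHOLD:
            self.offered.setdefault(src, set()).add(port)
            return "decoy"      # answer as if a service were listening
        return "ignore"

# Constructed sample traffic (documentation address ranges, not real hosts).
EVENTS = [
    ("198.51.100.7", 80, "connect"),    # ordinary visitor
    ("203.0.113.9", 21, "probe"),
    ("203.0.113.9", 23, "probe"),
    ("203.0.113.9", 25, "probe"),       # third unused port: decoy offered
    ("198.51.100.7", 8080, "connect"),  # one stray request, not a scan
    ("203.0.113.9", 25, "connect"),     # returns to the decoy: blocked
    ("203.0.113.9", 80, "connect"),     # now dropped even on the real service
]

def replay(events):
    sensor = DecoySensor()
    actions = [sensor.observe(*e) for e in events]
    return actions, sensor.blocked

if __name__ == "__main__":
    for event, action in zip(EVENTS, replay(EVENTS)[0]):
        print(event, "->", action)
```

Because the block fires only when a source returns to a port that was advertised to it alone, the visitor's stray request to an unused port is ignored rather than blocked.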

Towan said he was surprised at how fast the software began blocking suspicious activity.

Anecdotally, he said, the $10,000 software has paid for itself. The city at first had considered installing intrusion-detection hardware, but the requirements for log reviews, alert analysis and other maintenance would have overwhelmed the two-person security team.

ActiveScout monitors itself, 'which frees me up to do other network administration,' Towan said.

About the Author

Trudy Walsh is a senior writer for GCN.
