Accomplished hackers will almost always perform some sort of reconnaissance on a target network before mounting an attack - finding out details such as operating system types, application versions and open ports. The idea behind ActiveScout is that if the product can detect this reconnaissance it can prevent the attack that follows. Rather than simply logging the scan, ActiveScout answers it with bogus host and port data, and that bogus data acts as a mark: a legitimate client never receives it, so any later traffic aimed at one of the marked hosts or ports can only have come from someone who performed the reconnaissance. ActiveScout treats such traffic as an attack and blocks the packets before any damage is done.
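The mechanism described above, as an added illustration that is not ActiveScout's code: a small simulation in which reconnaissance against non-existent hosts or ports is answered with a bogus "open" reply, the bogus (host, port) pair is remembered as a mark, and any later connection to a marked pair is blocked. The network inventory, source addresses and the `DeceptionEngine`, `Packet` and `demo` names are all constructed for this example. Note that the decision never looks at the source address, which is why spoofing or rotating it does not help the attacker, and that connections straight to a real service are forwarded untouched, which is the product's acknowledged blind spot.

```python
"""Deception-based reconnaissance detection, simulated.

Added example illustrating the idea of marked bogus data; this is not
ActiveScout's implementation and all network data here is constructed.
"""
from collections import namedtuple

# One inbound connection attempt (a SYN, in practice).
Packet = namedtuple("Packet", "src dst_host dst_port")

# Constructed inventory of the protected network: the hosts that exist and
# the ports that genuinely listen. Anything else we are asked for is a lie
# waiting to be told.
REAL_SERVICES = {
    "10.0.0.10": {22, 80},
    "10.0.0.11": {443},
}


class DeceptionEngine:
    """Answer reconnaissance with bogus 'open' data and block its later use.

    The bogus (host, port) answers are the marks. A legitimate client never
    learns them, so a later connection to a marked pair must come from
    whoever ran the scan, whatever source address it now claims.
    """

    def __init__(self, real_services):
        self.real_services = real_services
        self.marks = set()      # (host, port) pairs we claimed were open
        self.blocked = []       # packets we blocked, kept for reporting

    def is_real(self, host, port):
        return port in self.real_services.get(host, set())

    def handle(self, pkt):
        """Return the action taken for one inbound connection attempt."""
        key = (pkt.dst_host, pkt.dst_port)
        if self.is_real(*key):
            # A real service: the engine does not inspect this path at all,
            # so an attack with no preceding reconnaissance is not detected.
            return "forward"
        if key in self.marks:
            # The sender is acting on data only a scanner could have seen.
            # The source address plays no part in this decision.
            self.blocked.append(pkt)
            return "block"
        # First contact with a non-existent host or port: treat it as
        # reconnaissance, answer as though the port were open, and remember
        # the lie so that anyone who comes back for it is caught.
        self.marks.add(key)
        return "bogus-open"


def demo():
    """Run a constructed sequence of packets through the engine."""
    engine = DeceptionEngine(REAL_SERVICES)
    trace = []
    # 1. A scanner sweeps an unused address and a closed port on a real host.
    for pkt in (Packet("203.0.113.5", "10.0.0.99", 22),
                Packet("203.0.113.5", "10.0.0.10", 8080)):
        trace.append(engine.handle(pkt))
    # 2. The attacker, now using a different source address, returns to a
    #    port it believes is open. Blocked: only a scanner could know it.
    trace.append(engine.handle(Packet("198.51.100.9", "10.0.0.99", 22)))
    # 3. A legitimate user reaches a real service. Forwarded.
    trace.append(engine.handle(Packet("192.0.2.44", "10.0.0.11", 443)))
    # 4. An attack on a real service with no prior reconnaissance. Also
    #    forwarded: this is the limitation the review notes.
    trace.append(engine.handle(Packet("198.51.100.9", "10.0.0.10", 22)))
    return trace, engine


if __name__ == "__main__":
    actions, eng = demo()
    for action in actions:
        print(action)
    print("marks:", sorted(eng.marks))
    print("blocked:", eng.blocked)
```

The constructed run yields `bogus-open, bogus-open, block, forward, forward`: the two reconnaissance probes are answered with lies, the follow-up connection to marked data is blocked regardless of its new source address, and both the legitimate session and the unscouted attack on a real service pass through. A real deployment would also have to age marks out and exempt known scanners, which is where the bedding-in false positives the review mentions come from.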
ActiveScout can be configured to work in three different ways. Running on a machine with a single network card and an external IP address allows internet-dependent features such as geographical location resolution and time synchronization. Using an internal IP address instead offers better protection of the Scout machine itself, as it then has no direct communication with the outside world. The third configuration places the ActiveScout machine in parallel with the firewall.
Installation of the software on a dedicated machine was fairly easy. The software comes on a single bootable CD-ROM. It features a customized, hardened version of Red Hat Linux, and requires at least a Pentium III 600MHz server to monitor 10Mbps traffic and a 1.3GHz processor to look after a 100Mbps network.
The management console that comes on the disk can run on Windows, Linux or Solaris, and the browser-based installation called for very little configuration. The console itself is striking: it displays a map of the world showing, in close to real time, where port scans and other probes are coming from, and each point on the map can be examined for details of the suspicious traffic behind it.
In our tests the product worked very well, detecting and then blocking every attempt to gain access to the test network, including scans run with Nessus and Nmap. Because the product keys on the false data it handed out to the attacker rather than on the source address, spoofing the source address has no effect on its ability to detect and block.
It also reported very few false positives (these tend to occur during bedding in, mostly due to poor configuration). It did not report attacks aimed directly at real hosts or ports, nor attacks with no preceding reconnaissance, but the software is not intended to catch these forms of attack and should be run alongside tools that do.
As the cost of a small server is negligible, this product adds an extra layer of security at little cost.
Very good console with plenty of scope for configuring the software. Blocked attacks with few false positives.
Will only detect attacks that carry out prior reconnaissance, which most worms do not do.
Simple, easy to use product, but only as part of a fuller security set-up.