Hi
I already have the threat detection up and running, and IDS.
But it is not good enough.
So I have setup my own early warning system by just adding addresses and ports that is not in use and thus created sort of a honeypot/net or tripwire via deny access-lists and statics going to addresses not in use. Anyone trying to connect to the addresses or ports works like a tripwire so we know they are not a legitimate visitor.
and by logging those addresses and ports I can set filters and directly see when something hits those ports.
it also gives good statistics on what ports they are trying to access.
When it comes to spoofing ip addresses I can tell you that we see that most of the time they are actually not spoofed.
but many times they are hosts taken over and used for scanning. However sometimes we can se that the agressor is trying to hide itself via using several spoofed addresses when they scan, to make it difficult to say wich one was scanning, but that is quite rare. Simply because they do not need to do that since they are scanning from a victim address ie not something that will lead me to them. Since I get a early heads up I can automatically track them during their scans.
If Cisco would setup a "honeypot" feature in the ASA I think that would give a load of information to help out the admins.
fx a honeypot ssh deamon that can give information on who is trying to access and what accounts and passwords encryption keys and so on so that the admins can know what the attackers are up to.
So I do see your point but I respectfully disagree.
That said it is a good and valid point to make.
