IDS mailing list archives
RE: Cisco CTR
From: "David J. Meltzer" <djm () intrusec com>
Date: Fri, 21 Nov 2003 11:46:06 -0500
Ron has a good synopsis. The overlap in NeVO, Expose', and RNA is that they all aim to fix the common problem IT and security administrators have had relying on periodic audits to find vulnerabilities and the state of networks that are constantly changing. How they actually all work is quite different.

One of the big issues I hear is how do you correlate IDS data that just happened to day-old or week-old vulnerability data with any degree of accuracy? How confident are you that the state of your network yesterday is the same as the state today?

Active vs. passive detection will be a long-running debate, but in my estimation there are advantages and disadvantages to both approaches. Some of the highlights on both sides are:

- Active probing takes up bandwidth and resources; passive sniffing doesn't.
- Active can detect changes before they are used or exploited over the network; passive will see a change at the 'first traffic' that reveals the change.
- Active will only detect a change each time it probes the asset, which means it's 'near real-time' (might be every 60 seconds, 15 minutes, or hour), whereas passive may detect it faster if it's immediately used after the change occurs.
- There are some changes/vulnerabilities you can't see passively, or you may have to wait around a long time to see. The list of vulnerabilities you can accurately detect passively is much shorter than the list of vulnerabilities you can accurately detect actively. The same is true of changes, which, although a vulnerability may not be present, could be a policy violation or create a vulnerability in the context of a network.
- There are some vulnerabilities that you can only infer passively in some circumstances. Traditionally this has been things like client-side browser holes where you don't have access to the client systems (many IDS have signatures for these).

-Dave
Intrusec, Inc.
www.intrusec.com
-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Thursday, November 20, 2003 9:38 AM
To: focus-ids () securityfocus com
Subject: Re: Cisco CTR

At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
> Just curious on how NeVO compares to Intrusec Expose ??

I have not seen Expose recently, but my thought was that it was a continuous low-volume active scan that could launch other vulnerability scanners when change was detected.

NeVO does the same sort of thing, but passively through network packet/session monitoring. Besides looking for change in the network, it also looks for the vulnerability. NeVO needs to wait for a packet to be sent before it sees a host, port, client, server or vulnerability. If folks deploy NeVO with a Lightning Console, they can launch distributed Nessus scans if they see a system or a vulnerability data that they would like to follow up with an active scan.

Ron Gula
Tenable Network Security
http://www.tenablesecurity.com
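Dave's question about correlating an IDS alert with day-old or week-old vulnerability data, and Ron's point that a passive sensor only learns about a host or hole once traffic reveals it, can be made concrete with a small triage routine. The Python below is an added example written for this archive page; it is not Intrusec, Tenable or any product's code. Every host, port, vulnerability label, timestamp and tuning constant in it (the 24-hour half-life, the 0.5 confirmation threshold) is a constructed assumption. It goes slightly beyond the messages by also recording a later observation that a hole is gone, so an alert against a host whose state has changed is not rated on the stale result.

```python
"""Triage IDS alerts against vulnerability observations that age over time.

Added example, not product code.  Every host, port, vulnerability label,
timestamp and tuning constant below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed tuning: confidence in an observation halves every 24 hours, and a
# match is treated as confirmed only while confidence is at least 0.5.
HALF_LIFE = timedelta(hours=24)
CONFIRM_THRESHOLD = 0.5


@dataclass(frozen=True)
class VulnObservation:
    host: str
    port: int
    vuln_id: str          # constructed label for the vulnerability
    observed_at: datetime
    source: str           # "active" (scanner probe) or "passive" (sniffed traffic)
    present: bool = True  # False when the observation shows the hole is gone


@dataclass(frozen=True)
class IdsAlert:
    host: str
    port: int
    targets_vuln: str     # vulnerability the IDS signature is written for
    fired_at: datetime


def staleness_confidence(observed_at: datetime, now: datetime,
                         half_life: timedelta = HALF_LIFE) -> float:
    """Exponential decay: 1.0 at observation time, 0.5 after one half-life."""
    age = now - observed_at
    if age <= timedelta(0):
        return 1.0
    return 0.5 ** (age / half_life)


def latest_observation(observations: List[VulnObservation], host: str, port: int,
                       vuln_id: str) -> Optional[VulnObservation]:
    """Most recent observation of this vulnerability on this host/port, if any."""
    matches = [o for o in observations
               if o.host == host and o.port == port and o.vuln_id == vuln_id]
    return max(matches, key=lambda o: o.observed_at) if matches else None


def correlate(alert: IdsAlert, observations: List[VulnObservation]) -> dict:
    """Rate one alert: high if the target is confirmed vulnerable by a fresh
    observation, medium if the only evidence is stale, low otherwise."""
    obs = latest_observation(observations, alert.host, alert.port, alert.targets_vuln)
    if obs is None:
        return {"host": alert.host, "priority": "low", "confidence": 0.0,
                "reason": "no observation of the targeted vulnerability"}
    if not obs.present:
        return {"host": alert.host, "priority": "low", "confidence": 0.0,
                "reason": f"{obs.source} observation on {obs.observed_at:%m/%d %H:%M} "
                          "shows the vulnerability is gone"}
    confidence = staleness_confidence(obs.observed_at, alert.fired_at)
    priority = "high" if confidence >= CONFIRM_THRESHOLD else "medium"
    age = alert.fired_at - obs.observed_at
    return {"host": alert.host, "priority": priority, "confidence": confidence,
            "reason": f"vulnerable per {obs.source} observation {age} old"}


# Constructed sample data: four hosts, four situations.
T = datetime(2003, 11, 21, 10, 0)   # constructed "now": when the alerts fire
SAMPLE_OBSERVATIONS = [
    # week-old active scan result: still a match, but stale
    VulnObservation("10.0.0.5", 22, "VULN-sshd-sample", T - timedelta(days=7), "active"),
    # passive sighting half an hour ago: fresh
    VulnObservation("10.0.0.6", 80, "VULN-httpd-sample", T - timedelta(minutes=30), "passive"),
    # active scan said vulnerable yesterday; passive traffic this morning shows it changed
    VulnObservation("10.0.0.7", 25, "VULN-smtpd-sample", T - timedelta(days=1), "active"),
    VulnObservation("10.0.0.7", 25, "VULN-smtpd-sample", T - timedelta(hours=2), "passive",
                    present=False),
]
SAMPLE_ALERTS = [
    IdsAlert("10.0.0.5", 22, "VULN-sshd-sample", T),
    IdsAlert("10.0.0.6", 80, "VULN-httpd-sample", T),
    IdsAlert("10.0.0.7", 25, "VULN-smtpd-sample", T),
    IdsAlert("10.0.0.8", 443, "VULN-httpd-sample", T),   # never observed at all
]


def triage(alerts: List[IdsAlert], observations: List[VulnObservation]) -> List[dict]:
    """Correlate every alert against the observation store."""
    return [correlate(a, observations) for a in alerts]


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, SAMPLE_OBSERVATIONS):
        print(f"{r['host']:10} {r['priority']:6} {r['confidence']:.3f}  {r['reason']}")
```

The decay constant is the knob that encodes how much you trust yesterday's audit: with a 24-hour half-life a week-old active scan contributes almost nothing, while a passive sighting from half an hour ago confirms the alert. A real deployment would feed the `present=False` path from whatever evidence of change the passive sensor or a follow-up active scan produces, which is the same trigger Ron describes for launching a Nessus scan from the console.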