IDS mailing list archives

Re: Cisco CTR


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 17 Nov 2003 17:40:30 -0500

On Nov 17, 2003, at 4:55 PM, Renaud Deraison wrote:

> On Mon, Nov 17, 2003 at 03:03:32PM -0500, Martin Roesch wrote:

> [Disclaimer: I co-designed NeVO]

>> Nevo is being billed as a passive vulnerability "scanner" whereas RNA is
>> being billed as a passive network discovery system.

> No - you're playing with words.

That wasn't my intention, I was just trying to highlight the difference in the focus of the products.

> When designing a vulnerability scanner, you need it to give you information
> about the network assets (OS, ports, versions...) - the simple fact that a
> mysterious port is open can be a vulnerability in itself.

Right.

> Having designed Nessus before NeVO, I decided to take the exact same
> approach: report whatever can be reported as long as it makes sense
> (reporting the "MAC address" of a host which is one hop away does not, for
> instance).

Reporting the MAC address of the gateway interface that the traffic is coming from can be interesting if you're interested in topology.

> What NeVO does not do though, is to draw a topology map based on the number
> of hops separating the sensor from the remote hosts, since this is only 1-D
> data, and adding a 2nd or 3rd dimension to it relies on best guesses, and in
> the end it does not reflect the reality.

You can infer a number of interesting things from looking at MAC addresses, hop data, peer information and so on. In the general case the information will be accurate; in some cases it will not. It's still interesting and useful for certain applications.

> Finally, keep in mind that NeVO is really just a sensor and that it's best
> to exploit its data with our Lightning Console, otherwise I understand that
> the amount of information might be difficult to grasp.

We can see the value of having a process that identifies new/changed things to be fully explored by active vulnerability scanners; I'm not suggesting that you can replace a vulnerability scanner with a PNDS.

There was an earlier post referring to RNA, and Ron added that Nevo was available and did similar things. I was interested in contrasting them so that the readers of this list who are seeing this as a brand new technology would have some points of reference as to where they are similar and where they differ. From the marketing that I've seen on your web site, you're positioning Nevo as a passive vulnerability scanning system; our marketing describes a different set of objectives. I don't doubt that you can do similar things with Nevo; it just seems that the emphasis and focus of your product is in a different direction than ours. If that's not the case, I'm sure that everyone here would enjoy being enlightened as to what you guys are up to with your product.

    -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



