IDS mailing list archives

Re: Cisco CTR


From: Renaud Deraison <deraison () nessus org>
Date: Wed, 19 Nov 2003 13:32:02 -0500

On Mon, Nov 17, 2003 at 05:40:30PM -0500, Martin Roesch wrote:
> > What NeVO does not do though, is to draw a topology map based on the
> > number of hops separating the sensor from the remote hosts, since this is
> > only 1d data, and adding a 2nd or 3rd dimension to it relies on best guesses,
> > and in the end it does not reflect the reality.
> 
> You can infer a number of interesting things from looking at MAC
> addresses, hop data, peer information and so on.  In the general case
> the information will be accurate, in some cases it will not, it's still
> interesting and useful for certain applications.

The map you get is mostly inaccurate in terms of network _topology_.
Have a look at the screenshot on your website - it basically shows
that groups of hosts are <N> hops away, and that your router actually
has two NICs. It looks very nice, though.


> > Finally, keep in mind that NeVO is really just a sensor and that it's best to
> > exploit its data with our Lightning Console, otherwise I understand that the
> > amount of information might be difficult to grasp.
> 
> We can see the value of having a process that identifies new/changed
> things to be fully explored by active vulnerability scanners

So do we, that's why we suggest using NeVO in conjunction with the Lightning
Console.

> I don't doubt that you can do similar things with Nevo, it just seems
> that the emphasis and focus of your product is in a different direction
> than ours.  If that's not the case I'm sure that everyone here would
> enjoy being enlightened as to what you guys are up to with your
> product.

You are absolutely right - NeVO is a passive vulnerability scanner, with
all that it implies (get the list of open ports, guess the operating
system, determine who is talking to whom, and finally show the list of
vulnerabilities we actually think are vulnerabilities).
I.e., to paraphrase the marketing about RNA:

        . Network Asset Profiles
        . Asset Behavioral Profiles (with Lightning)
        . Security Vulnerabilities
        . Change Events (with Lightning)

Note that for security vulnerabilities, we actually consider that people
do sometimes apply patches, so we don't just do an OS lookup in a
vulnerability database to report all the flaws that ever happened for that
particular OS release. This is prone to false negatives, but this is how we
market NeVO - it's a tool to "get the temperature" of the security of a
network, not to get a list of all the hypothetical flaws that might eventually
be on the network.

I hope this clears things up,


                                -- Renaud
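
The passive profiling Renaud describes in the message above (open ports, an OS guess, who talks to whom, and a vulnerability list driven by what is actually observed rather than by an OS lookup), as an added Python example. This is not code from the original message and not NeVO's own implementation; the addresses, banners, TTL heuristic, rule identifiers and version thresholds are all constructed for illustration and do not correspond to real advisories.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed observations standing in for packets a passive sensor would
# see on a SPAN port: (src, sport, dst, dport, tcp_flags, ttl, payload).
# Addresses, banners and versions are made up for this example.
OBSERVATIONS = [
    ("10.0.0.5", 40000, "10.0.0.10", 22, "S", 64, b""),
    ("10.0.0.10", 22, "10.0.0.5", 40000, "SA", 64, b""),
    ("10.0.0.10", 22, "10.0.0.5", 40000, "PA", 64, b"SSH-1.99-OpenSSH_3.4p1\r\n"),
    ("10.0.0.5", 40001, "10.0.0.10", 80, "S", 64, b""),
    ("10.0.0.10", 80, "10.0.0.5", 40001, "SA", 64, b""),
    ("10.0.0.10", 80, "10.0.0.5", 40001, "PA", 64,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.48\r\n\r\n"),
    ("10.0.0.7", 50000, "10.0.0.20", 445, "S", 128, b""),
    ("10.0.0.20", 445, "10.0.0.7", 50000, "SA", 128, b""),
    ("10.0.0.7", 50001, "10.0.0.10", 23, "S", 64, b""),
    ("10.0.0.10", 23, "10.0.0.7", 50001, "RA", 64, b""),  # RST+ACK: port closed
]

# Constructed version-threshold rules (hypothetical ids, not real advisories):
# "report product P when the observed version is below V".
RULES = [
    {"id": "EX-SSH-1", "product": "OpenSSH", "below": "3.7"},
    {"id": "EX-HTTP-1", "product": "Apache", "below": "2.0.40"},
    {"id": "EX-FTP-1", "product": "ProFTPD", "below": "1.2.9"},
]

# What a naive "OS lookup" would emit: every rule ever filed against the
# guessed OS family, whether or not the service is running (constructed).
OS_LOOKUP_DB = {"Linux/Unix-like": ["EX-SSH-1", "EX-HTTP-1", "EX-FTP-1"]}

BANNER_PATTERNS = [
    re.compile(rb"^SSH-\d\.\d+-([A-Za-z]+)_([\w.]+)"),  # SSH identification string
    re.compile(rb"\r\nServer: ([A-Za-z-]+)/([\w.]+)"),  # HTTP Server header
]


@dataclass
class AssetProfile:
    open_ports: set = field(default_factory=set)
    closed_ports: set = field(default_factory=set)
    services: dict = field(default_factory=dict)  # port -> (product, version)
    peers: set = field(default_factory=set)       # hosts seen talking to this one
    os_guess: str = "unknown"


def guess_os(ttl):
    """Coarse initial-TTL heuristic (64 vs 128); a real sensor also uses TCP options."""
    return "Windows" if 64 < ttl <= 128 else "Linux/Unix-like"


def parse_banner(payload):
    """Return (product, version) from a server banner, or None if unrecognised."""
    for pat in BANNER_PATTERNS:
        m = pat.search(payload)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None


def version_tuple(v):
    """'3.4p1' -> (3, 4, 1); good enough for the constructed thresholds here."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def build_profiles(observations):
    """Derive per-host asset profiles purely from observed traffic."""
    profiles = defaultdict(AssetProfile)
    for src, sport, dst, dport, flags, ttl, payload in observations:
        if flags == "S":        # client opening a connection: record the peering
            profiles[src].peers.add(dst)
            profiles[dst].peers.add(src)
        elif flags == "SA":     # server accepted: the port is open, TTL hints at OS
            profiles[src].open_ports.add(sport)
            profiles[src].os_guess = guess_os(ttl)
        elif flags == "RA":     # server refused: the port is closed
            profiles[src].closed_ports.add(sport)
        banner = parse_banner(payload) if payload else None
        if banner and sport in profiles[src].open_ports:
            profiles[src].services[sport] = banner
    return dict(profiles)


def passive_findings(profiles, rules):
    """Report a rule only when a matching service version was actually observed."""
    findings = []
    for ip, prof in sorted(profiles.items()):
        for port, (product, version) in sorted(prof.services.items()):
            for rule in rules:
                if rule["product"] == product and version_tuple(version) < version_tuple(rule["below"]):
                    findings.append((ip, port, rule["id"]))
    return findings


def os_lookup_findings(profiles, os_db):
    """Contrast: flag every rule attached to the guessed OS, observed or not."""
    return sorted((ip, rid) for ip, prof in profiles.items() for rid in os_db.get(prof.os_guess, []))


if __name__ == "__main__":
    profiles = build_profiles(OBSERVATIONS)
    for ip, prof in sorted(profiles.items()):
        print(ip, prof.os_guess, sorted(prof.open_ports), prof.services, sorted(prof.peers))
    print("passive:", passive_findings(profiles, RULES))
    print("os-lookup:", os_lookup_findings(profiles, OS_LOOKUP_DB))
```

Run against the constructed traffic, the passive approach reports one finding (the sshd banner below the constructed threshold) and stays silent on the Apache banner, whose observed version is above its threshold, and on ProFTPD, which was never seen; the OS-lookup approach reports all three against the same host. That is the trade Renaud describes: fewer hypothetical flaws, at the cost of false negatives for anything the sensor has not yet observed on the wire.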
