IDS mailing list archives

Re: Cisco CTR


From: Renaud Deraison <deraison () nessus org>
Date: Wed, 19 Nov 2003 14:39:09 -0500

On Wed, Nov 19, 2003 at 02:07:55PM -0500, Martin Roesch wrote:
> > The map you get is mostly inaccurate in terms of network _topology_.
> > Have a look at the screenshot on your website - it basically shows
> > that groups of hosts are <N> hops away, and that your router actually
> > has two NICs. It looks very nice, though.

> Actually you're wrong, it demonstrates topology very well from the
> viewpoint of a passive system that needs to know basic things like hop
> counts in order to have an accurate way to gauge the impact of TTL
> variations in passively acquired packet sets (e.g. NIDS).

From the point of view of various insects (who see things in two
dimensions only), my apartment is an infinite plane. That does
not make the resulting map very usable for human beings.

That being said....

> You're also wrong that we can't determine topology, RNA is capable of
> discovering topology explicitly by identifying routers, switches,
> proxies, NATs and so on.

... while I'm not sure that I understand what you mean by
"discovering the topology explicitly" (does that mean sending
packets?), it seems I misunderstood some features of RNA and was
fooled by the demo I saw at CSI - I am really sorry about that.
Better documentation could clear up some of this confusion, but I am
sorry to have made assumptions too quickly.


> >     . Network Asset Profiles
> >     . Asset Behavioral Profiles (with Lightning)
> >     . Security Vulnerabilities
> >     . Change Events (with Lightning)

> Well then it would appear that the difference is that we don't need a
> separate product to do 50% of the job

I'm not sure we are talking about the same price ranges either :)


> > Note that for security vulnerabilities, we actually consider that people
> > do sometimes apply patches, so we don't just do an OS lookup in a
> > vulnerability database to report all the flaws that ever happened for
> > that particular OS release.

> Nor do we.

I'm not sure I really understand how RNA does its passive vulnerability
assessment then. You wrote in another email:

<< I suspect the reason that the RNA image showed the vulnerability
  information for OpenSSL because it identified the O.S. and since there
  are security updates for OS-X pertaining to this issue, it really
  should list that vulnerability. >>

Which is how I thought you were doing an OS lookup in a vulnerability
database to determine which flaws exist on which OS. Care to explain how
it really works? There seems to be a lot of confusion about RNA, and none
of the SourceFire sales reps I saw at CSI could actually come up with
a good answer for this issue...

> [...]
> Getting a list of the vulnerabilities that exist in an environment only
> has a few uses such as improving the quality of the information coming
> out of the NIDS by qualifying events.

As long as the OS is not patched then. But then again, the marketing on
your website talks about finding security vulnerabilities.

Once again, there seems to be a lot of confusion about RNA due to the lack of
real technical and buzzword-free documentation about it, which makes it
even more difficult to really grasp what it can do and what its limits are.


                                -- Renaud
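The exchange above argues over what a passive sensor can learn about topology from hop counts, and why a NIDS cares about TTL variation. The following is an added illustration, written for this archive page and not code from RNA, Nessus, or either poster: it estimates a per-host hop count from the TTL seen in captured packets, builds the "hosts that are N hops away" grouping the thread describes, and flags packets whose TTL disagrees with the host's learned baseline. Everything is assumption: the sender uses one of the common initial TTLs (32, 64, 128, 255), the input is a constructed list of (source IP, TTL) pairs standing in for parsed IPv4 headers, and the function names are mine.

```python
"""Passive hop-count estimation from observed IPv4 TTLs (added example).

Not the thread's or any product's code. Assumes senders start from one of
the common initial TTLs and that packets are given as (src_ip, ttl) tuples
already parsed from captured headers.
"""
from collections import Counter, defaultdict

# Initial TTLs used by common IP stacks (assumption: the sender uses one of these).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Return the smallest common initial TTL that is >= the observed TTL.

    A TTL of 30 could be 2 hops from a 32-TTL sender or 34 hops from a
    64-TTL sender; this heuristic prefers the shorter path, which is the
    usual passive-fingerprinting assumption and can be wrong on very long paths.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255, got %r" % (observed_ttl,))
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 covers every valid TTL")


def hop_count(observed_ttl):
    """Estimated number of routers crossed before the sensor saw the packet."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def build_profiles(packets):
    """Learn a per-source baseline from (src_ip, ttl) tuples.

    Returns {src_ip: Counter({hop_count: packets_seen})}.
    """
    profiles = defaultdict(Counter)
    for src_ip, ttl in packets:
        profiles[src_ip][hop_count(ttl)] += 1
    return profiles


def baseline_hops(profile):
    """Most frequently observed hop count for one host."""
    return profile.most_common(1)[0][0]


def hop_map(profiles):
    """The 'groups of hosts N hops away' view: {hops: sorted list of hosts}."""
    groups = defaultdict(list)
    for src_ip, profile in profiles.items():
        groups[baseline_hops(profile)].append(src_ip)
    return {hops: sorted(ips) for hops, ips in groups.items()}


def ttl_anomalies(packets, profiles, min_baseline=3):
    """Flag packets whose hop count disagrees with the source's learned baseline.

    Hosts with fewer than `min_baseline` packets are not judged, so a lone
    first packet never trips the check. A mismatch is only a hint that the
    packet took an unusual path or was not really sent by that host (as in
    a TTL-based NIDS insertion attack); it proves nothing by itself.
    Returns a list of (src_ip, ttl, expected_hops, actual_hops).
    """
    flagged = []
    for src_ip, ttl in packets:
        profile = profiles.get(src_ip)
        if not profile or sum(profile.values()) < min_baseline:
            continue
        expected = baseline_hops(profile)
        actual = hop_count(ttl)
        if actual != expected:
            flagged.append((src_ip, ttl, expected, actual))
    return flagged


# Constructed sample (not a real capture): a 64-initial-TTL host three hops
# away, a 128-initial-TTL host one hop away, and one packet claiming to be
# the first host but arriving with a TTL that implies twelve hops.
SAMPLE_PACKETS = [
    ("10.0.1.5", 61), ("10.0.1.5", 61), ("10.0.1.5", 61), ("10.0.1.5", 61),
    ("10.0.2.9", 127), ("10.0.2.9", 127), ("10.0.2.9", 127),
    ("10.0.1.5", 52),  # suspicious: 12 hops instead of the usual 3
]

if __name__ == "__main__":
    learned = build_profiles(SAMPLE_PACKETS)
    print("hop map:", hop_map(learned))
    for src, ttl, want, got in ttl_anomalies(SAMPLE_PACKETS, learned):
        print("%s: TTL %d implies %d hops, baseline is %d" % (src, ttl, got, want))
```

The baseline is learned from the same traffic it later judges, so a host that is genuinely multi-homed or behind a NAT hiding several devices will show two hop counts and generate noise; that ambiguity is exactly why a hop-count map says little about the real wiring, which is the point Renaud is making above.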

---------------------------------------------------------------------------