IDS mailing list archives

RE: Cisco CTR


From: "David J. Meltzer" <djm () intrusec com>
Date: Fri, 21 Nov 2003 11:46:06 -0500

Ron has a good synopsis.  The overlap in NeVo, Expose', and RNA is that they
all aim to fix the common problem IT and security administrators have had
relying on periodic audits to find vulnerabilities and the state of networks
that are constantly changing.  How they actually all work is quite different.

One of the big issues I hear is how do you correlate IDS data that just
happened with day-old or week-old vulnerability data with any degree of
accuracy?  How confident are you that the state of your network yesterday is
the same as the state today?

Active vs. Passive detection will be a long-running debate, but in my
estimation there are advantages and disadvantages to both approaches.  Some
of the highlights on both sides are:

- Active probing takes up bandwidth and resources - passive sniffing doesn't.

- Active can detect changes before they are used or exploited over the network
  - passive will see a change at the 'first traffic' that reveals the change.

- Active will only detect a change each time it probes the asset, which means
it's 'near real-time' (might be every 60 seconds, 15 minutes, or hour) whereas
passive may detect it faster if it's immediately used after the change occurs.

- There are some changes/vulnerabilities you can't see passively or you may
have to wait around a long time to see.  The list of vulnerabilities you can
accurately detect passively is much shorter than the list of vulnerabilities
you can accurately detect actively.  The same is true of changes, which,
although a vulnerability may not be present, could be a policy violation or
create a vulnerability in the context of a network.

- There are some vulnerabilities that you can only infer passively in some
circumstances.  Traditionally this has been things like client-side browser
holes where you don't have access to the client systems (many IDS have
signatures for these).

-Dave
Intrusec, Inc.
www.intrusec.com
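The timing trade-off in the list above, as an added Python example (not code from the original post or from any of the products mentioned): it models active probing at a fixed interval against passive detection at the first revealing traffic, using a constructed host timeline and assumed names (`HostChange`, `compare_detection`).

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HostChange:
    host: str
    changed_at: float                   # seconds: when a new service/vulnerability appears
    first_traffic_at: Optional[float]   # seconds: first packet that reveals it; None if never


def active_detection_time(change: HostChange, poll_interval: float) -> float:
    """An active probe only notices a change on the first probe after it occurs.
    Probes run at multiples of poll_interval; a probe at time p sees changes with changed_at < p."""
    return (math.floor(change.changed_at / poll_interval) + 1) * poll_interval


def passive_detection_time(change: HostChange) -> Optional[float]:
    """A passive sensor sees the change at the first traffic that reveals it, never otherwise."""
    if change.first_traffic_at is None:
        return None
    return max(change.first_traffic_at, change.changed_at)


def compare_detection(changes: List[HostChange], poll_interval: float) -> List[Dict]:
    """Per change: detection latency (seconds after the change) for each approach, and which saw it first."""
    rows = []
    for c in changes:
        active = active_detection_time(c, poll_interval) - c.changed_at
        passive_t = passive_detection_time(c)
        passive = None if passive_t is None else passive_t - c.changed_at
        if passive is None:
            first = "active"       # passive never sees a change that is never used on the wire
        elif passive < active:
            first = "passive"      # the change was used before the next probe ran
        elif passive > active:
            first = "active"       # the probe ran before the host ever revealed the change
        else:
            first = "tie"
        rows.append({"host": c.host, "active_latency": active, "passive_latency": passive, "first": first})
    return rows


# Constructed sample timeline (not real data): three changes at t=100 s, 15-minute active poll interval.
SAMPLE_CHANGES = [
    HostChange("web-1", changed_at=100.0, first_traffic_at=130.0),    # used 30 s after the change
    HostChange("db-2", changed_at=100.0, first_traffic_at=7200.0),    # silent for two hours
    HostChange("lab-3", changed_at=100.0, first_traffic_at=None),     # never talks on the network
]

if __name__ == "__main__":
    for row in compare_detection(SAMPLE_CHANGES, poll_interval=900.0):
        print(row)
```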


-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Thursday, November 20, 2003 9:38 AM
To: focus-ids () securityfocus com
Subject: Re: Cisco CTR

At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
Just curious on how NeVO compares to Intrusec Expose ??

I have not seen Expose recently, but my thought was that it 
was a continuous low-volume active scan that could launch 
other vulnerability scanners when change was detected. NeVO 
does the same sort of thing, but passively through network 
packet/session monitoring. Besides looking for change in the 
network, it also looks for the vulnerability. NeVO needs to 
wait for a packet to be sent before it sees a host, port, 
client, server or vulnerability. If folks deploy NeVO with a 
Lightning Console, they can launch distributed Nessus scans 
if they see a system or vulnerability data that they would 
like to follow up with an active scan.

Ron Gula
Tenable Network Security
http://www.tenablesecurity.com
