IDS mailing list archives
Re: NeVO Scan Application review
From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 24 Nov 2003 21:35:26 -0500
At 11:24 AM 11/25/2003 +1100, you wrote:
Hi Ron,

Any comments on this article?
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss205_art411,00.html

Cheers
Z
Thanks for asking. Apologies in advance for the long post, but if you are reading this over the US Thanksgiving holiday, sit back and enjoy ;)

We felt the article accurately reflected the operation of a stand-alone NeVO, but missed two key points. The first is that most large enterprises can't scan as often as they need to and NeVO can fill the gaps. The second is that NeVO was never really meant to be operated by itself, but in conjunction with active Nessus scanners, your choice of NIDS, the Lightning Console, hundreds of administrators and your CIO.

Having said that, one of the conclusions of the article was that NeVO was not enterprise ready. The article was referring to a lack of a central console or reporting, which in version 1.0 was true. However, with Lightning 2.0 and NeVO 1.2, this all changes. Both are shipping, btw. You can place as many passive NeVOs, Nessus scanners and NIDS as you need across an enterprise and do full passive and active vulnerability correlation with Snort, Dragon, ISS, IntruShield, etc. The Console also tracks your vulnerabilities, IDS events, security workflow across business units, critical network assets, the network topology and produces detailed and executive reports.

Even if someone does not deploy NeVO with Lightning, they still get their raw vulnerability information for "free" without crashing their new VOIP switch. We have several "Nessus" friendly customers who have developed their own reporting and have seamlessly dropped NeVO into their operations.

Also, I can't release the name of the site, but we have been running NeVO on a popular security portal and received 67,000 unique visitors over a two-week period. Of those visitors, NeVO passively identified vulnerabilities in many of the web and smtp clients and servers which interacted with the site. The point here is scale for large enterprises. One NeVO scanner can provide a very detailed look into the operating systems, network clients, network servers and vulnerabilities involved on the largest enterprise networks.

Since NeVO is on 'all' of the time and it matches for specific vulnerabilities, that means that the vulnerability and IDS correlation which occurs at the Lightning Console is that much more accurate. Our concern at Tenable is that doing correlation based on 'old' vulnerability data (like on a month-old Nessus scan) or 'relevant' vulnerability data (like all of the IIS security holes) can produce false correlations. The Lightning Console is a tool to communicate security info with non-security admins. If we are going to send an alarm page about an attack to a DNS admin at 3:00 am, I want to be very sure that her DNS server is indeed vulnerable. NeVO helps the Lightning Console get there and maintain that sort of accuracy.

And for those of you who don't like unix, NeVO will be available on Windows 2000 and Windows XP with a shiny user interface early next year. If you have seen our NeWT vulnerability scanner, it will have the same sort of look and feel, but be passive.

Apologies for the long post ...

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com