IDS mailing list archives

Re: NeVO Scan Application review


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 24 Nov 2003 21:35:26 -0500

At 11:24 AM 11/25/2003 +1100, you wrote:
> Hi Ron,
>
> Any comments on this article?
>
> http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss205_art411,00.html
>
> Cheers
>
> Z


Thanks for asking. Apologies in advance for the long post, but if you
are reading this over the US Thanksgiving holiday, sit back and enjoy ;)

We felt the article accurately reflected the operation of a stand-alone
NeVO, but missed two key points. The first is that most large
enterprises can't scan as often as they need to and NeVO can fill the
gaps. The second is that NeVO was never really meant to be operated by
itself, but in conjunction with active Nessus scanners, your choice of
NIDS, the Lightning Console, hundreds of administrators and your CIO.

Having said that, one of the conclusions of the article was that NeVO
was not enterprise ready. The article was referring to a lack of a
central console or reporting which in version 1.0 was true. However,
with Lightning 2.0 and NeVO 1.2, this all changes. Both are shipping,
btw. You can place as many passive NeVOs, Nessus scanners and NIDS as
you need across an enterprise and do full passive and active
vulnerability correlation with Snort, Dragon, ISS, IntruShield, etc.
The Console also tracks your vulnerabilities, IDS events, security
workflow across business units, critical network assets, the network
topology and produces detailed and executive reports.

Even if someone does not deploy NeVO with Lightning, they still get
their raw vulnerability information for "free" without crashing their
new VOIP switch. We have several "Nessus" friendly customers who have
developed their own reporting and have seamlessly dropped NeVO into
their operations. Also, I can't release the name of the site, but we
have been running NeVO on a popular security portal and received 67,000
unique visitors over a two week period. Of those visitors, NeVO
passively identified vulnerabilities in many of the web and smtp clients
and servers which interacted with the site. The point here is scale for
large enterprises. One NeVO scanner can provide a very detailed look
into the operating systems, network clients, network servers and
vulnerabilities involved on the largest enterprise networks.

Since NeVO is on 'all' of the time and matches for specific
vulnerabilities, the vulnerability and IDS correlation which occurs at
the Lightning Console is that much more accurate. Our concern at Tenable
is that doing correlation based on 'old' vulnerability data (like a
month-old Nessus scan) or 'relevant' vulnerability data (like all of the
IIS security holes) can produce false correlations. The
Lightning Console is a tool to communicate security info with non-security
admins. If we are going to send an alarm page about an attack to a DNS
admin at 3:00 am, I want to be very sure that her DNS server is indeed
vulnerable. NeVO helps the Lightning Console get there and maintain
that sort of accuracy.

And for those of you who don't like unix, NeVO will be available on
Windows 2000 and Windows XP with a shiny user interface early next year.
If you have seen our NeWT vulnerability scanner, it will have the same
sort of look and feel, but be passive.

Apologies for the long post ...

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
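The correlation rule described in the post above (page the admin only when the target was recently observed running a version the alert actually applies to), as an added example that is not part of the original message and is not Tenable's NeVO or Lightning code. The passive observations, the banner regexes, the vulnerability table (placeholder ids VULN-SMTP-1 and VULN-HTTP-1 with made-up fixed-version cut-offs) and the IDS alerts are all constructed for this example; the seven-day freshness window is an assumed policy value.

```python
"""Passive service inventory plus IDS/vulnerability correlation.

Added example, not NeVO or Lightning code. Two ideas from the post:
  1. build a service inventory from traffic that was merely observed
     (server banners / headers), never from an active probe;
  2. escalate an IDS alert only when the target was *recently* seen running
     a version the alert's vulnerability applies to, so stale or irrelevant
     vulnerability data does not page anyone at 3:00 am.
All data below is constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed passive observations: (time seen, server ip, port, first server line).
OBSERVATIONS = [
    ("2003-11-24T09:12:00", "192.0.2.10", 25, "220 mx.example.test ESMTP Sendmail 8.12.9/8.12.9"),
    ("2003-11-24T09:15:00", "192.0.2.20", 80, "Server: Apache/1.3.27 (Unix)"),
    ("2003-10-01T08:00:00", "192.0.2.30", 80, "Server: Apache/1.3.26 (Unix)"),  # old sighting
    ("2003-11-24T09:20:00", "192.0.2.30", 80, "Server: Apache/1.3.29 (Unix)"),  # same host, later
    ("2003-11-24T09:30:00", "192.0.2.40", 25, "220 mail.example.test ESMTP Postfix"),
    ("2003-10-01T08:05:00", "192.0.2.60", 80, "Server: Apache/1.3.26 (Unix)"),  # never seen since
]

# Passive fingerprints: (product, regex whose optional group 1 is the version).
FINGERPRINTS = [
    ("sendmail", re.compile(r"ESMTP Sendmail (\d+(?:\.\d+)*)")),
    ("apache", re.compile(r"Server: Apache/(\d+(?:\.\d+)*)")),
    ("postfix", re.compile(r"ESMTP Postfix")),
]

# Hypothetical vulnerability table: vuln id -> (product, first fixed version).
# Placeholder ids and cut-offs for this example, not real advisories.
VULNS = {
    "VULN-SMTP-1": ("sendmail", "8.12.10"),
    "VULN-HTTP-1": ("apache", "1.3.28"),
}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def fingerprint(line):
    """Return (product, version tuple or None) for an observed line, else None."""
    for product, rx in FINGERPRINTS:
        m = rx.search(line)
        if m:
            version = parse_version(m.group(1)) if m.groups() and m.group(1) else None
            return product, version
    return None

def build_inventory(observations):
    """Latest (seen_at, product, version) per (host, port), from passive data only."""
    inventory = {}
    for ts, host, port, line in observations:
        fp = fingerprint(line)
        if fp is None:
            continue
        seen_at = datetime.fromisoformat(ts)
        key = (host, port)
        if key not in inventory or seen_at > inventory[key][0]:
            inventory[key] = (seen_at, fp[0], fp[1])
    return inventory

def correlate(alert, inventory, max_age=timedelta(days=7)):
    """Decide whether an IDS alert (time, host, port, vuln id) deserves a page.

    Returns ("page" | "log", reason). Anything not positively confirmed
    against a fresh observation is logged, not paged.
    """
    ts, host, port, vuln_id = alert
    now = datetime.fromisoformat(ts)
    if vuln_id not in VULNS:
        return "log", "no vulnerability record for this signature"
    product, fixed = VULNS[vuln_id]
    seen = inventory.get((host, port))
    if seen is None:
        return "log", "target service never observed passively"
    seen_at, seen_product, seen_version = seen
    if seen_product != product:
        return "log", f"target runs {seen_product}, alert is for {product}"
    age = now - seen_at
    if age > max_age:
        return "log", f"last observation is {age.days} days old; treat as stale"
    if seen_version is None:
        return "log", f"{product} version not observed"
    shown = ".".join(map(str, seen_version))
    if seen_version >= parse_version(fixed):
        return "log", f"{product} {shown} is at or above fixed version {fixed}"
    return "page", f"{product} {shown} seen {age.days}d ago is below fixed version {fixed}"

def triage(alerts, observations):
    inventory = build_inventory(observations)
    return [correlate(a, inventory) for a in alerts]

# Constructed IDS alerts: (time, target host, target port, vuln id the signature maps to).
ALERTS = [
    ("2003-11-25T03:00:00", "192.0.2.10", 25, "VULN-SMTP-1"),  # sendmail 8.12.9 -> page
    ("2003-11-25T03:00:00", "192.0.2.20", 80, "VULN-HTTP-1"),  # apache 1.3.27 -> page
    ("2003-11-25T03:00:00", "192.0.2.30", 80, "VULN-HTTP-1"),  # latest sighting 1.3.29 -> log
    ("2003-11-25T03:00:00", "192.0.2.40", 25, "VULN-SMTP-1"),  # postfix, not sendmail -> log
    ("2003-11-25T03:00:00", "192.0.2.50", 80, "VULN-HTTP-1"),  # never observed -> log
    ("2003-11-25T03:00:00", "192.0.2.60", 80, "VULN-HTTP-1"),  # only a stale sighting -> log
]

if __name__ == "__main__":
    for alert, (action, reason) in zip(ALERTS, triage(ALERTS, OBSERVATIONS)):
        print(f"{action:4} {alert[1]}:{alert[2]} {alert[3]}: {reason}")
```

The point of the ordering in correlate is the one the post makes: a month-old sighting of a vulnerable Apache (host 192.0.2.60) is not enough to page anyone, and neither is a vulnerability that is merely "relevant" to the port (the Sendmail signature against a Postfix server); only a fresh observation of a version below the fix line produces a page.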
