Douglas Schweitzer published an article in Computerworld entitled "Two Sides of Vulnerability Scanning". Mr. Schweitzer says that you shouldn't choose between passive and active vulnerability monitoring.
http://www.computerworld.com/newsletter/0,4902,99997,00.html?nlid=SEC
Here is a series of common questions that I am asked on the subject, together with my replies.
Question #1
- Do you believe that passive vulnerability assessment will ever take the place of active vulnerability assessment?
It is my opinion and experience that passive assessment will never replace active assessment. Passive assessment can complement the active discovery process in terms of both time and space.
Time: passive discovery must always wait for application A to speak to application B before it can capture anything, whereas an active scanner can ask whenever it wants, since it controls the entire transaction and therefore the timing of the discovery.
Space: not everything you want to discover will answer when you speak to it actively. The overarching objective is the accurate and timely discovery of vulnerabilities and exposures, and the two methods together are very powerful.
Question #2
- Are there any advantages that passive vulnerability assessment has over active vulnerability assessment?
I'd like to address both the advantages and disadvantages of passive discovery. First, let's get the real-world obstacles out of the way. Here are a few assumptions:
[Assumption #1] The customer is ready and willing to plug yet another set of traffic analyzers into their global network. Points on the network where passive monitoring can be performed are scarce. Customers view monitoring real estate, such as analyzer (SPAN) ports on switches or network taps, as already occupied or rare. If the strategy is instead to place the passive vulnerability scanner on each endpoint, let's just say that obtaining a footprint on every active TCP/IP device on the network is an even greater challenge.
[Assumption #2] The traffic being captured is complete enough to be useful to the analysis. This problem is both topological and cryptographic. We assume the traffic is in the clear, at least enough that some passive analysis is possible, and we assume the capture point is placed where it can see most, if not all, of the session between application A and application B.
For the sake of this discussion, let's assume that #1 and #2 hold and the customer's environment is optimal for passive assessment.
The advantages include, but are not limited to:
[Advantage #1] Provides an observational analysis of client vulnerabilities. Unlike server software, client software does not have listening network ports, so an active scanner has nothing to connect to. A passive vulnerability scanner can spot the client at the moment it becomes active (for example, when it issues a request and identifies itself in the process) and does not need a listening port (socket) on the client to perform its assessment.
[Advantage #2] Provides an effective method to address the massive address space of IPv6. The IPv6 address space is so large that walking it from the first address to the last (an enumerative strategy) is not practical; a single /64 subnet alone holds 2^64 addresses. It is simply no longer practical to actively discover everything on the "wire". Passive methods that watch for addresses actually in use within this very large space add real value to a solid IPv6 vulnerability management strategy.
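The following is an added example, not code from the original article or from any nCircle product, illustrating Advantages #1 and #2 together: a passive observer that never sends a packet, yet learns which IPv4 and IPv6 addresses are live and which client software (with version) is running behind them, simply by reading the request headers clients volunteer. The captured requests, the product patterns and the PATCHED_BASELINE table are all constructed for the example; the baseline versions are hypothetical and say nothing about real vulnerabilities.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture (not real traffic): (source address, HTTP request head)
# as a sensor on a switch analyzer port or tap would see it. One IPv4 and two IPv6
# clients appear; one request carries no User-Agent at all.
CAPTURED_REQUESTS = [
    ("10.0.0.15", b"GET / HTTP/1.1\r\nHost: intranet\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    ("2001:db8:1::a1", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"
                       b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1\r\n\r\n"),
    ("2001:db8:1::b2", b"GET /x HTTP/1.1\r\nHost: intranet\r\n"
                       b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.5) Gecko/20041107 Firefox/1.0\r\n\r\n"),
    ("10.0.0.15", b"GET /y HTTP/1.1\r\nHost: intranet\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    ("2001:db8:1::a1", b"POST /login HTTP/1.1\r\nHost: intranet\r\nContent-Length: 0\r\n\r\n"),
]

# Product tokens to recognise in a User-Agent; the captured version is parsed into a tuple.
CLIENT_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

# Hypothetical "fixed in" baseline per product; anything older is flagged.
# Illustrative numbers only, not a statement about real vulnerabilities.
PATCHED_BASELINE = {"Firefox": (1, 0), "MSIE": (7, 0)}


def parse_user_agent(raw):
    """Return the User-Agent value from a raw HTTP request head, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("ascii", "replace")
    return None


def identify_client(user_agent):
    """Map a User-Agent string to (product, version tuple), or None if unrecognised."""
    for product, pattern in CLIENT_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return product, tuple(int(p) for p in m.group(1).split("."))
    return None


def observe(captured):
    """Passive inventory: every source address seen is live; clients that identify
    themselves are recorded under their address. Nothing is ever sent."""
    inventory = defaultdict(set)
    for src, raw in captured:
        entry = inventory[ipaddress.ip_address(src)]   # creating the key records liveness
        ua = parse_user_agent(raw)
        ident = identify_client(ua) if ua else None
        if ident:
            entry.add(ident)
    return dict(inventory)


def live_ipv6_addresses(inventory):
    """The IPv6 addresses actually in use, found without walking the address space."""
    return sorted(str(a) for a in inventory if a.version == 6)


def below_baseline(inventory, baseline):
    """(address, product, version) for every observed client older than the baseline."""
    flagged = set()
    for addr, clients in inventory.items():
        for product, version in clients:
            if product in baseline and version < baseline[product]:
                flagged.add((str(addr), product, version))
    return flagged


if __name__ == "__main__":
    inv = observe(CAPTURED_REQUESTS)
    print("live IPv6 hosts:", live_ipv6_addresses(inv))
    for item in sorted(below_baseline(inv, PATCHED_BASELINE)):
        print("client below baseline:", item)
```

Note that the same User-Agent header that makes this possible is also exactly the kind of "cheap" self-reported information that an opponent can forge, which is the point taken up under the disadvantages below.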
[Advantage #3] Zero-touch; no chance at all of ANY adverse effects on the server application since all you are doing is watching from a distance.
[Disadvantage #1] The main downside to passive vulnerability scanning can be summed up in one question: "How can the passive analysis NOT fall victim to DECOY or DECEPTION?" In security we are dealing with an active opponent who can and will use decoy and deception to their advantage. The problem with watching the "wire" for events (simple or complex) is that the attacker can at any point generate events designed to mislead your tools or your staff to the opponent's advantage. Active measures are far more resilient to this threat, since they control the timing and content of the entire transaction. Essentially, this is why active assessment is primary and passive is secondary.
If you subscribe to Disadvantage #1, you are not saying that passive assessment is useless. What you are saying is that the "cheap" header information that can be gathered is useful but should be treated with skepticism. The expensive passive analysis deep within the payload has diminishing value since there is little protection from DECOY and DECEPTION.
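One way to operationalize Disadvantage #1 (and the evidence-based, actively verified discovery described under Question #3 below), as an added example that is not part of the original article or of any nCircle product: passively observed facts are kept but labelled as claims, an active probe then either corroborates or contradicts each one, and only corroborated facts are released to automated tasks. The hosts, banners and the ACTIVE_NETWORK table are constructed stand-ins; active_probe looks them up instead of talking to a real network.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assessment:
    host: str
    attribute: str
    passive_value: str            # what was seen on the wire (a claim)
    active_value: Optional[str]   # what the host said when asked directly, if it answered
    trust: str                    # "verified", "contested" or "unconfirmed"


# Constructed passive observations: Server banners a sensor saw in responses on the wire.
PASSIVE_OBSERVATIONS = [
    ("10.0.0.20", "http.server", "Apache/1.3.29"),
    ("10.0.0.21", "http.server", "Microsoft-IIS/5.0"),
    ("10.0.0.22", "http.server", "Apache/2.0.52"),
]

# Constructed stand-in for the live network during an active probe (hypothetical).
# 10.0.0.21 is a decoy: an IIS banner was injected into traffic, but the host itself,
# when asked directly, answers as Apache. The 10.0.0.22 banner came from a spoofed
# source address; nothing answers there at all.
ACTIVE_NETWORK = {
    "10.0.0.20": {"http.server": "Apache/1.3.29"},
    "10.0.0.21": {"http.server": "Apache/2.0.52"},
}


def active_probe(network, host, attribute):
    """Simulated active query: the attribute value the host reports, or None if it never answers."""
    answer = network.get(host)
    return None if answer is None else answer.get(attribute)


def reconcile(passive, network):
    """Cross-check every passive claim against an active probe of the same host.

    verified    - the host, asked directly, agrees with what the wire showed
    contested   - the host disagrees: treat the passive data as a possible decoy
    unconfirmed - nothing answered; the claim is kept but stays a claim
    """
    results = {}
    for host, attribute, seen in passive:
        probed = active_probe(network, host, attribute)
        if probed is None:
            trust = "unconfirmed"
        elif probed == seen:
            trust = "verified"
        else:
            trust = "contested"
        results[host] = Assessment(host, attribute, seen, probed, trust)
    return results


def automation_candidates(assessments):
    """Hosts whose data may drive automated tasks: corroborated facts only."""
    return sorted(h for h, a in assessments.items() if a.trust == "verified")


def needs_human_review(assessments):
    """Hosts where the wire and the host itself tell different stories."""
    return sorted(h for h, a in assessments.items() if a.trust == "contested")


if __name__ == "__main__":
    outcome = reconcile(PASSIVE_OBSERVATIONS, ACTIVE_NETWORK)
    for host in sorted(outcome):
        a = outcome[host]
        print(f"{host}: seen={a.passive_value!r} asked={a.active_value!r} -> {a.trust}")
    print("safe for automation:", automation_candidates(outcome))
    print("possible decoys:", needs_human_review(outcome))
```

The design choice is that a mismatch never silently overwrites the passive record with the active one; both values are kept in the Assessment so an analyst can see that something on the wire was lying, which is itself a finding.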
Question #3
- 18 months from now, what capabilities do you think we can expect from state of the art vulnerability assessment?
One thing is certain: customers will be able to go well beyond the discovery of vulnerabilities. They will not only identify vulnerabilities but also continuously discover higher-level elements such as applications (down to major and minor revision) and protocols, not through inference but by actually communicating with the hosts and keeping the evidence.
The leaders in this space will also keep the data collection separate from the analysis so that both will be able to evolve in parallel. These vendors will be able to bring together both passive and active data collection without breaking any of the analysis objectives.
Last but not least, if the data set for this passive analysis is already produced by the network infrastructure, vendors should look to leverage the customer's existing infrastructure before asking the customer to manage yet another hardware or software solution just for passive data acquisition.
nCircle understood these issues long ago and it is the only Vulnerability Management product on the market with an architecture that can leverage the strengths of both active and passive data without any compromise to the analysis. Through nCircle's patent-pending Factored Reasoning, IP360 is able to determine which data gathered by passive and active acquisition can be trusted and which data might just have been placed on the network as a decoy or to deceive the customer. It is through this trust that information can be leveraged in automated tasks, and the system then becomes a force-multiplier for IT operational staff. 2005 is going to be a huge year for the IP360 product and nCircle will drive the value of VM to new levels.
--Tim "TK" Keanini