Passive Vulnerability Scanning

Last week, I wrote about Intrusion Detection Systems (IDSs) and about a couple of reports that evaluate some (but not all) of the more popular IDSs. IDSs are valuable tools for your network, as are firewalls, vulnerability scanners, packet sniffers and analyzers, port scanners, network mapping tools, and so on.

I recently learned about a new tool called a Passive Vulnerability Scanner (PVS). A PVS is a hybrid tool that combines the sniffing capabilities of a packet sniffer and analyzer with the capabilities of an active vulnerability scanner and an IDS.

As you know, a packet analyzer and sniffer promiscuously captures packets from the network so that you can analyze them; an active vulnerability scanner probes systems and devices to detect known vulnerabilities; and an IDS detects possible intrusion attempts as traffic moves over your network. A PVS can do all of those things, with a slight twist in the way it works. But a PVS isn't a replacement for those types of tools--instead, it's complementary.

You place a PVS on the network in a position in which it can monitor the traffic coming from various network segments, just like a network sniffer. The PVS then sniffs the traffic in real time and analyzes it by comparing it with a set of rules, like a vulnerability scanner does. Broken rules trip triggers that alert the PVS administrator to possible security problems on the network.

For example, you might have an environment in which none of the network systems should be running FTP servers and only certain systems should be running Web servers. If anyone from inside or outside your network initiates inbound FTP access to one of your systems, the PVS will alert you. Likewise, if the PVS detects Web traffic to a system that shouldn't be running Web services, the PVS will alert you. These sorts of detections are typical of IDSs, but the PVS can take the analysis further.

When detecting Web traffic in this example, the PVS can analyze the packets to try to determine what type of Web server software is in use. If it's an outdated version of Microsoft IIS or Apache, the PVS will alert the administrator that the system is running a vulnerable software package. The administrator becomes aware of the problem immediately without having to run a periodic vulnerability scan on individual systems to detect problems.

In one more example, someone could place a server in your demilitarized zone (DMZ) without your approval or knowledge. With a PVS in place, you might become aware of that action sooner than you would have otherwise because the PVS monitors traffic and doesn't depend on network device audits or on vulnerability scans or agent software running on individual systems. PVSs are independently deployed, centrally manageable, and scan for problems by looking at network traffic.

I only know of one PVS system available at the moment: Tenable Network Security's NeVO, which runs on the Red Hat Linux and FreeBSD UNIX platforms. Although NeVO doesn't run on Windows platforms, it's compatible with Windows networks. It can detect anomalies on Windows and UNIX networks, and because its logs are generated in a Nessus-style format, you can use any Nessus client, such as the Windows-based Nessus client, to access them. (Nessus is an active vulnerability scanner; for more information, go to http://www.nessus.org .)

You can learn more about NeVO at the first URL below. You'll also find a more detailed explanation of the PVS and NeVO, "Passive Vulnerability Scanning, Introduction to NeVO," in PDF format at the second URL below. http://www.tenablesecurity.com/nevo.html http://www.tenablesecurity.com/docs/passive_scanning_tenable.pdf

Tenable offers a 30-day demo of the product. If you try a copy on your network, send me an email message to let me know what you think of the PVS concept and how well it works for you in your environment.