IDS mailing list archives

Re: SourceFire RNA


From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 3 Dec 2003 13:41:54 -0800

(Stuff deleted)

Of course scanners can detect change in networks. They may not be able to detect it in as near real time as a passive scanner like RNA, NeVO, Securify or Arbor's products, but doing a diff of multiple active scans shows lots of change. Products like Lightning, Foundstone, and eEye detect change in networks each time they run.

I said "in real-time". We were doing diffs on active scans when you and I helped to build the GNI IDS back at GTE-I in 1997, as I'm sure you'll recall; that's nothing new. Real-time detection of change is a far cry from periodic interrogative passes, though. As you know, timeliness can be a big factor in providing defense and response to a variety of nondeterministic situations that can arise on networks and that are poorly served by active discovery methods.

Absolutely. This is why we added a distributed scanning component to Lightning, where you can have tiered arrays of vuln scanners. If you get the delta between your scans down, there is very good data. It may not be as real-time as NeVO, but since both feed into Lightning we don't care.

100% passive scanning also suffers from the 'when are you not here' syndrome. Imagine a guy who reboots his laptop three times in one day and gets three IP addresses. From a passive point of view, this may look like three different IPs.

We have some customers where passive scanning just does not work for them, and they want to follow everything up with an active scan. We have other customers who are scared to even ping their large SQL servers. Most of them are in the middle and deploy a combination of active and passive scanning.




--rgula
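Two points in the exchange above lend themselves to a small worked model: detecting change by diffing successive active scans, and the "when are you not here" problem where a DHCP client that re-addresses itself looks like several hosts to a purely IP-keyed passive inventory. The following is an added example, not code from the thread or from any of the products named in it. It assumes the passive sensor sits on the same L2 segment as the hosts it watches, so source MAC addresses are meaningful (across a router the sensor would see the router's MAC and would have to key on something else, such as DHCP lease records); all addresses, ports and timestamps are constructed sample data.

```python
# Added example (not from the thread): a tiny host-inventory model that
# (1) diffs two active-scan snapshots to surface change between passes, and
# (2) correlates passive observations by MAC address so a DHCP client that
#     rebooted three times is counted as one host rather than three.
# All hosts, addresses, ports and timestamps below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass


def diff_scans(old: dict[str, set[int]], new: dict[str, set[int]]) -> dict:
    """Compare two active-scan snapshots (ip -> set of open ports).

    Returns the change set a periodic scanner can report: hosts that appeared
    or disappeared, and ports that opened or closed on hosts present in both.
    """
    old_hosts, new_hosts = set(old), set(new)
    both = old_hosts & new_hosts
    opened = {ip: new[ip] - old[ip] for ip in both if new[ip] - old[ip]}
    closed = {ip: old[ip] - new[ip] for ip in both if old[ip] - new[ip]}
    return {
        "new_hosts": new_hosts - old_hosts,
        "gone_hosts": old_hosts - new_hosts,
        "opened": opened,
        "closed": closed,
    }


@dataclass(frozen=True)
class PassiveObservation:
    """One connection seen by a passive sensor on the local segment."""
    ts: int      # seconds since epoch (constructed)
    ip: str      # source IP of the observed traffic
    mac: str     # source MAC; only meaningful when the sensor shares the L2 segment
    port: int    # server port the host was seen serving


def hosts_by_ip(obs: list[PassiveObservation]) -> dict[str, set[int]]:
    """Naive inventory keyed on IP: a DHCP client that changes address looks like a new host."""
    inv: dict[str, set[int]] = defaultdict(set)
    for o in obs:
        inv[o.ip].add(o.port)
    return dict(inv)


def hosts_by_mac(obs: list[PassiveObservation]) -> dict[str, dict]:
    """Inventory keyed on MAC, keeping the ordered history of IPs each host has used."""
    inv: dict[str, dict] = {}
    for o in sorted(obs, key=lambda rec: rec.ts):
        entry = inv.setdefault(o.mac, {"ips": [], "ports": set()})
        if not entry["ips"] or entry["ips"][-1] != o.ip:
            entry["ips"].append(o.ip)  # record each re-addressing, in time order
        entry["ports"].add(o.port)
    return inv


# --- constructed sample data ---------------------------------------------
SCAN_MONDAY = {"10.0.0.5": {22, 80}, "10.0.0.9": {1433}}
SCAN_TUESDAY = {"10.0.0.5": {22, 443}, "10.0.0.12": {22}}

LAPTOP_MAC = "00:11:22:33:44:55"  # constructed
PASSIVE_DAY = [
    PassiveObservation(1070400000, "10.0.0.50", LAPTOP_MAC, 445),  # first lease of the day
    PassiveObservation(1070410800, "10.0.0.51", LAPTOP_MAC, 445),  # after reboot 1
    PassiveObservation(1070421600, "10.0.0.52", LAPTOP_MAC, 139),  # after reboot 2
    PassiveObservation(1070421700, "10.0.0.9", "00:aa:bb:cc:dd:ee", 1433),  # SQL server, stable address
]


if __name__ == "__main__":
    print("scan delta:", diff_scans(SCAN_MONDAY, SCAN_TUESDAY))
    print("passive hosts by IP :", len(hosts_by_ip(PASSIVE_DAY)))   # laptop counted three times
    print("passive hosts by MAC:", len(hosts_by_mac(PASSIVE_DAY)))  # laptop counted once
    print("laptop address history:", hosts_by_mac(PASSIVE_DAY)[LAPTOP_MAC]["ips"])
```

The scan diff is what a periodic active scanner can give you: the shorter the interval between snapshots, the smaller and more actionable each delta. The passive half shows why the key you choose for correlation matters: keyed on IP, one laptop inflates the inventory to four hosts; keyed on MAC it collapses to two hosts and a readable address history, which is also the record you would want when a later active scan of 10.0.0.50 finds nothing there.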
