Network Computing is part of the Informa Tech Division of Informa PLC


Review: Passive Vulnerability-Assessment Scanners

With all the detection technology available in network and host scanners, not to mention configuration- and patch-management tools, what's the use of yet another network discovery method? Passive vulnerability assessment takes a unique approach: In monitoring network traffic, it attempts to classify a node's operating system, ports and services, and to discover vulnerabilities an active scanner like Nessus or Qualys might not find because ports are blocked or a new host has come online. The data may then provide context for security events, such as correlating with IDS alerts to reduce false positives.

[Figure: Passive VA Scanner Features]

Passive analysis offers two key advantages. The first is visibility. There's often a wide gap between what you think is running on your network and what actually is. Both network and host scanners report only what they see, and they are thwarted by network and host firewalls. Even when a host is live, the information gathered is sometimes limited to banner checks and some noninvasive configuration checks. If your scanner has the host credentials, it can query for more information, but false positives are a huge problem, and you still may not see everything. Further, a rootkit's backdoor may listen on a port the scanner never probes or, in the case of UDP, may simply not answer a probe it doesn't recognize. If an active vulnerability assessment scanner doesn't see it, it doesn't exist to the scanner.

Host firewalls are common even on server computers, so how do you detect a rogue server or laptop with an active scan? A passive sensor might see rogues if they're chatting on the network; that's visibility a scanner won't give you. A passive sensor also will detect activity to and from a port that isn't usually scanned, and may detect nonstandard port usage, provided the sensor can decode and classify the traffic. For example, simple flow analysis won't detect SSH or telnet on Port 80, but protocol analysis may.
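As an added illustration of the protocol-analysis point above (example code, not from the article or any vendor's product): a toy passive classifier that labels a flow by the first bytes of client data rather than by destination port, and flags SSH or Telnet riding on Port 80 where a port-only flow view would report HTTP. The sample flows, 10.0.0.x addresses and signature table are constructed.

```python
"""Toy passive classifier: label a flow by what it carries, not by its port.

Constructed example: each record is (src, dst, dst_port, first_payload_bytes),
the kind of data a passive sensor extracts from the first data segment of a
TCP session.  Not a real capture and not any product's detection logic.
"""
import re

# What a port-only (flow) view would assume is running.
PORT_SERVICES = {22: "ssh", 23: "telnet", 80: "http", 443: "tls"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_payload(payload: bytes) -> str:
    """Identify the protocol from the first bytes of the client's data."""
    if payload.startswith(b"SSH-"):
        return "ssh"                        # SSH version banner, e.g. SSH-2.0-...
    if HTTP_REQUEST.match(payload):
        return "http"                       # HTTP request line
    if len(payload) >= 3 and payload[0] == 0xFF and payload[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"                     # Telnet IAC WILL/WONT/DO/DONT negotiation
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                        # TLS handshake record header
    return "unknown"


def assess_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the port-implied service with the protocol actually observed."""
    by_port = PORT_SERVICES.get(dst_port, "unknown")
    by_payload = classify_payload(payload)
    # Flag a recognised protocol that disagrees with (or has no) port expectation.
    nonstandard = by_payload != "unknown" and by_payload != by_port
    return {"port_guess": by_port, "observed": by_payload, "nonstandard": nonstandard}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.7", "10.0.0.80", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.9", "10.0.0.80", 80, b"\xff\xfd\x18\xff\xfd\x20"),
    ("10.0.0.5", "10.0.0.22", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def find_nonstandard(flows=SAMPLE_FLOWS):
    """Return (src, dst, port, protocol) for flows whose payload disagrees with the port."""
    return [(src, dst, port, assess_flow(port, payload)["observed"])
            for src, dst, port, payload in flows
            if assess_flow(port, payload)["nonstandard"]]


if __name__ == "__main__":
    for hit in find_nonstandard():
        print("nonstandard service: %s -> %s:%d carries %s" % hit)
```

A flow-only view of the same four records would report three HTTP sessions and one SSH session; the payload view reports HTTP, SSH, Telnet and SSH.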

The second major advantage of passive analysis is that it's noninvasive--it doesn't interrupt network operations. Active vulnerability assessment scanners are invasive and can disrupt services, despite their developers' efforts to minimize the potential for outages. Even using so-called safe scans, we've taken out switches, our NTP service and a host of other critical infrastructure components. Several years ago, we even bounced our core router twice with an nmap port scan. Oops.
