Sourcefire, Tenable seek vulnerabilities passively

Both analyze a network by listening to traffic as it flows, revealing systems, topologies and vulnerabilities.
By Joel Snyder, Network World, 07/31/2006

What's on your network? Sourcefire's Realtime Network Awareness and Tenable's Passive Vulnerability Scanner attempt to answer that question without leaving muddy footprints all over the network. Both use a technique called passive network analysis to listen to traffic as it flows by, thereby discovering systems, topologies and vulnerabilities.


Active vs. passive scanning
How we tested tools
Archive of Network World tests
Subscribe to the Network Product Test Results newsletter

We tested RNA and PVS on a production network for more than a month. Overall, while both tools are fairly good at what they do, the tangible value for either product would be realized only in a big network. Security managers who need to monitor a large, dynamic network can probably gain significant value from these products, because they trim the number of intrusion-detection system (IDS) alerts that need to be investigated, and help detect system vulnerabilities. For smaller networks, the value proposition is not as strong, because other techniques, such as active scanning (see Active vs. passive scanning), give more accurate results in those networks.

Passive network-analysis tools are designed to pull information out of the network as the traffic flows by. Although the two tools we tested are similar in that they focus on network application inventory and vulnerability analysis, they have different design strategies.

With Tenable's PVS, the goal is to detect and report on system applications and vulnerabilities. Tenable is home to the popular Nessus active vulnerability-scanning freeware. PVS (originally called NeVO) is the passive complement to Nessus. The latter product works by performing active scans of systems using a wide variety of techniques ranging from pinging to logging into a system and looking at the file system and registry, but PVS does its detection without sending a single packet.

We tested PVS linked to Tenable's Security Center V3, a security-management tool used to integrate multiple vulnerability scanners - active, passive or a combination of both - and to correlate vulnerability information with IDS and syslog data sent to Security Center by sensors and servers.

The goal of Sourcefire's RNA is to build host profiles for all the systems on the network and assist in prioritizing and analyzing IDS events. As home to the open source Snort IDS engine, Sourcefire has made a name for itself selling a commercial version of Snort along with Defense Center, which acts as a centralized management system and data analysis console for multiple IDS and RNA sensors. We tested it as part of a larger Sourcefire installation with an IDS sensor and Defense Center V4.5.1.

These products will be of greatest use in larger networks with multiple subnets and 1,000 stations or more. For example, Tenable's PVS provides less information than an active vulnerability scanner. However, PVS carries none of the risks of system crashes or the political problems of active scanning - problems that are magnified in large networks. PVS is also arguably more effective than active scanning for large networks, because it detects changes in configuration and topology as they happen. RNA brings the same advantage to the ever-changing face of an enterprise network by providing a real-time network inventory function that directly supports the process of managing IDS alert information.
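To make the two design goals concrete, here is an added example (not code from Sourcefire, Tenable or this review) of the core idea both products share: deriving a host and service inventory purely from banners observed in traffic, then using that inventory to decide whether an IDS alert targets a service the host actually runs. The traffic records, signature patterns and version strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of observed traffic: (client, server, server port, first bytes the
# server sent). Illustrative records only, not output of PVS or RNA.
OBSERVED = [
    ("10.0.0.5", "10.0.1.20", 22, "SSH-2.0-OpenSSH_4.3\r\n"),
    ("10.0.0.7", "10.0.1.30", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.0.55 (Unix)\r\n\r\n"),
    ("10.0.0.5", "10.0.1.30", 80, "HTTP/1.1 404 Not Found\r\nServer: Apache/2.0.55 (Unix)\r\n\r\n"),
    ("10.0.0.9", "10.0.1.40", 25, "220 mail.example.test ESMTP Sendmail 8.13.1\r\n"),
]

# Hypothetical, minimal banner signature set: port -> pattern yielding (application, version).
SIGNATURES = {
    22: re.compile(r"^SSH-\d\.\d-(OpenSSH)_([\d.]+)"),
    80: re.compile(r"Server: (Apache)/([\d.]+)", re.M),
    25: re.compile(r"^220 \S+ ESMTP (Sendmail) ([\d.]+)"),
}


def build_inventory(records):
    """Passively derive a per-host service inventory: {ip: {port: (app, version)}}.
    No packet is sent; every fact comes from traffic that was already on the wire."""
    hosts = defaultdict(dict)
    for client, server, port, banner in records:
        hosts.setdefault(client, {})  # a client seen talking is a live host even with no services
        sig = SIGNATURES.get(port)
        match = sig.search(banner) if sig else None
        if match:
            hosts[server][port] = (match.group(1), match.group(2))
    return dict(hosts)


def alert_is_relevant(inventory, target_ip, target_port, app):
    """Qualify an IDS alert against the inventory, as RNA does for Snort events.
    Returns "relevant" when the attacked application is confirmed on that host and port,
    "irrelevant" when a different application is confirmed there, and "unknown" when
    passive observation has not yet seen a banner for that host and port."""
    host = inventory.get(target_ip)
    if host is None or target_port not in host:
        return "unknown"
    return "relevant" if host[target_port][0] == app else "irrelevant"
```

Note the "unknown" outcome: a passive tool can only report what it has seen, which is the accuracy gap the review describes relative to active scanning.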

Realtime Network Awareness v3.5.1
Company: Sourcefire.
Cost: RNA license for 1,000 hosts, $24,000; Intrusion Sensor, $4,000; Defense Center 1000, $17,000.
Pros: Helps to qualify intrusion-detection system alerts and sort out relevant from irrelevant; runs collocated with IDS sensor if desired; builds host profile and inventory data; great alerting and analysis tools.
Cons: Low accuracy on vulnerability information; Defense Center difficult to use.

Passive Vulnerability Scanner v2.2.2
Company: Tenable Network Security.
Cost: PVS license, $10,000; Security Center license for 1,000 IP addresses, $24,000.
Pros: Detailed vulnerability-analysis information easy to see, search and use; PVS information can be used to qualify IDS and firewall logs.
Cons: Security Center missing reporting and alerting functions for full vulnerability-management life cycle.
