Passive Network Analysis Advantages and Disadvantages

The passive analysis approach has several advantages:

• The analyzer does not interact with the network to discover hosts and their related vulnerabilities. Only the interface through which the user accesses the software to get reports is active.
• Little to no testing is required to be certain there is no negative impact on the network or hosts. Since the technology is completely passive, little verification is required. Even if the device physically fails, it is not placed inline where it would have to handle the bits on the wire.
• Sometimes, the device can be installed in tandem with an existing IDS. This greatly simplifies implementation without any changes to the network switch.
• The discovery process takes place continuously. New hosts are revealed as soon as they are connected to the network and begin communicating. In contrast to the active scanning and agents, vulnerabilities may not be known until the next scan cycle.
• Hidden hosts can be discovered that do not listen for active probing traffic on the network. Instead, these hosts only communicate by initiating conversation on the network, and can therefore only be detected passively.
• Since routing protocols and other network information are also visible to the traffic analyzer, it may also be able to map the topology of the network and use this information to create a picture of the attack surface of a more complex network. This type of information can also be obtained by authenticated active scans and by providing configuration data to specialized tools.

There are also some interesting disadvantages to this technology:

• The device typically must be installed on the switch that carries the traffic to be monitored. Remote monitoring of a network is often not practical over a busy WAN connection. This will limit the number of locations that can be scanned. If your organization requires monitoring on a broad geographic scale, this may not be the right technology.
• The mechanism that copies switch traffic to the physical device can cause additional CPU load on the switch. That additional load can lower the performance of routing, access control, or other CPU-intensive operations.
• There is limited visibility into vulnerabilities. Many of the vulnerabilities that can be detected with a host agent or active, authenticated network scan cannot be detected by analyzing network traffic.

Overall, passive analysis may not see as many vulnerabilities on systems but they function 24 hours a day and provide network topology information that would otherwise be unavailable. Changes to the environment on the network and hosts would be detected first using the passive analysis method if those vulnerabilities have a network footprint.

2 Detection Methods

Detecting vulnerabilities using passive analysis is completely dependent upon being able to dissect and interpret the communication content in all layers of the OSI Model.

3 Physical Layer

The physical network layer is generally not checked for any vulnerabilities by passive technology. Physical connections are terminated at the network interface adapter on the hardware platform on which the software is deployed. The silicon usually provides minimal information about the physical connection state.

4 Data Link Layer

This layer is only tested when the vulnerability scanner is connected to the network in a non-promiscuous mode. This means that the scanner will be able to interact with this layer of the network to acquire an IP address in a dynamic environment. The detection capability is generally limited to the switch to which the device is connected. Information can be gathered about other hosts connected to the switch, basic switch configuration items such as speed and duplex, as well as how the switch responds to variations in collision sensing and detection protocols such as CSMA/CD in the IEEE 802.3 specification. In general, a passive vulnerability analyzer will look for deviations from the IEEE standards.

5 Network Layer

The network layer is subject to substantial variation. IP addressing, flags, routing information, and option parameters can combine uniquely to identify a host and vulnerabilities. Suffice it to say at this point that there is an abundance of information to be obtained from the network layer in any network-connected vulnerability assessment technology.

6 Layers 4 Through 7

The remaining layers can provide large amounts of information about the targets under examination. The passive analyzer will dissect these layers and search for patterns of behavior in the interaction of systems, as well as the specific content of a single packet. It is a complex process with many methods of analysis, and is more akin to an IDS in design.