Passive Network Analysis Advantages and Disadvantages

The passive analysis approach has several advantages:
  • The analyzer does not interact with the network to discover hosts and their related vulnerabilities. The monitoring interface never transmits; only the management interface through which the user retrieves reports is active.
  • Little to no testing is required to be certain there is no negative impact on the network or hosts. Since the technology is completely passive, little verification is required. Even a physical failure of the device is harmless to production traffic, because it sits off a mirror port rather than inline, where it would have to forward the bits on the wire.
  • Sometimes the device can be installed in tandem with an existing IDS, sharing the mirrored traffic feed already provisioned for it. This greatly simplifies implementation, because no changes to the network switch are required.
  • The discovery process takes place continuously. New hosts are revealed as soon as they are connected to the network and begin communicating. With active scanning and agents, by contrast, a new host or vulnerability may not be known until the next scan cycle.
  • Hidden hosts can be discovered that do not listen for active probing traffic on the network. Such hosts only communicate by initiating conversations on the network, and can therefore only be detected passively.
  • Since routing protocols and other network information are also visible to the traffic analyzer, it may be able to map the topology of the network and use this information to build a picture of the attack surface of a more complex network. This type of information can also be obtained by authenticated active scans and by providing configuration data to specialized tools.
There are also some interesting disadvantages to this technology:
  • The device typically must be connected to a mirror port on the switch that carries the traffic to be monitored. Remote monitoring of a network is often not practical over a busy WAN connection, since the mirrored traffic would have to be hauled back to the sensor. This limits the number of locations that can be monitored. If your organization requires monitoring on a broad geographic scale, this may not be the right technology.
  • The mechanism that copies switch traffic to the physical device can cause additional CPU load on the switch. That additional load can lower the performance of routing, access control, or other CPU-intensive operations.
  • There is limited visibility into vulnerabilities. Many of the vulnerabilities that can be detected with a host agent or active, authenticated network scan cannot be detected by analyzing network traffic.
Overall, passive analysis may not see as many vulnerabilities on systems, but it functions 24 hours a day and provides network topology information that would otherwise be unavailable. Changes to the network and to hosts are detected first by the passive method, provided those changes have a network footprint; a vulnerability that never shows up in traffic is invisible to it.

Detection Methods

Detecting vulnerabilities using passive analysis is completely dependent upon being able to dissect and interpret the communication content in all layers of the OSI Model.

Physical Layer

The physical network layer is generally not checked for any vulnerabilities by passive technology. Physical connections are terminated at the network interface adapter on the hardware platform on which the software is deployed. The silicon usually provides minimal information about the physical connection state.

Data Link Layer

This layer is tested only when the vulnerability scanner's own interface participates in the network in non-promiscuous mode, that is, when it can interact with the layer to acquire an IP address in a dynamic (DHCP) environment. The detection capability is generally limited to the switch to which the device is connected. Information can be gathered about other hosts connected to that switch, basic link settings such as speed and duplex, and how the switch responds to variations in the carrier-sense and collision-detection behaviour (CSMA/CD) defined in the IEEE 802.3 specification. In general, a passive vulnerability analyzer looks for deviations from the IEEE standards. A sensor fed purely from a mirror port still sees the Ethernet headers of the copied frames (source and destination MAC addresses), which is enough to enumerate hosts, but it cannot exercise the switch's own link behaviour.

Network Layer

The network layer is subject to substantial variation. IP addressing, header flags (such as the don't-fragment bit), time-to-live values, routing information, and option parameters can combine to identify a host's operating system and, from that, its likely vulnerabilities. Suffice it to say at this point that there is an abundance of information to be obtained from the network layer in any network-connected vulnerability assessment technology.

Layers 4 Through 7

The remaining layers provide the bulk of the information about the targets under examination. The passive analyzer dissects these layers and searches both for patterns of behaviour in the interaction between systems and for specific content within a single packet, such as a service banner or a protocol version string. It is a complex process with many methods of analysis, and in design it is closer to an IDS than to a scanner.
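The dissection described in the Network Layer and Layers 4 Through 7 sections above can be shown in miniature. The following Python is an added example written for this page, not code from the original or from any product: it parses Ethernet/IPv4/TCP frames, fingerprints a client's operating system from the TTL, DF bit, window size and TCP option order of its first SYN (the same fields the network-layer section names), pulls SSH and HTTP banners from server payloads, and folds everything into a per-host inventory without sending a packet. The two sample frames are constructed, the signature table holds illustrative values rather than a real fingerprint database, and the function names are assumptions.

```python
"""Passive dissection of mirrored frames into a host inventory (added example).
Sample frames are constructed stand-ins for traffic copied to a sensor port; the
OS signature values are illustrative assumptions, not a vendor database."""
import struct

# Illustrative SYN signatures: (initial TTL, DF set, window size, option kinds).
# Option kinds: 2 = MSS, 3 = window scale, 4 = SACK permitted, 8 = timestamps.
OS_SIGNATURES = {
    (64, True, 29200, (2, 4, 8, 3)): "Linux (illustrative signature)",
    (128, True, 8192, (2, 3, 4)): "Windows (illustrative signature)",
}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next((t for t in (64, 128, 255) if ttl <= t), 255)

def tcp_option_kinds(options):
    """Option kinds in order, skipping NOP padding; stop at EOL or a malformed length."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding
            i += 1
            continue
        kinds.append(kind)
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                            # truncated or malformed option
        i += options[i + 1]
    return tuple(kinds)

def parse_frame(frame):
    """Dissect Ethernet II / IPv4 / TCP into a dict; None for anything else.
    Checksums are not verified (the constructed frames leave them zero)."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:        # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "df": bool(ip[6] & 0x40),
        "sport": sport, "dport": dport, "flags": off_flags & 0x1FF, "window": window,
        "options": tcp_option_kinds(tcp[20:doff]), "payload": tcp[doff:],
    }

def guess_os(pkt):
    key = (initial_ttl(pkt["ttl"]), pkt["df"], pkt["window"], pkt["options"])
    return OS_SIGNATURES.get(key, "unknown")

def extract_banner(payload):
    """Pull a service banner from the first bytes of an application stream."""
    text = payload.decode("ascii", errors="replace")
    if text.startswith("SSH-"):
        return text.split("\r\n", 1)[0]
    if text.startswith("HTTP/"):
        for line in text.split("\r\n"):
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip()
    return None

def inventory(frames):
    """Build {source IP: {"os": guess, "services": {port: banner}}} from observed frames."""
    hosts = {}
    for pkt in filter(None, map(parse_frame, frames)):
        host = hosts.setdefault(pkt["src"], {"os": None, "services": {}})
        if (pkt["flags"] & 0x12) == 0x02:    # SYN without ACK: a client's first packet
            host["os"] = guess_os(pkt)
        banner = extract_banner(pkt["payload"])
        if banner:                           # a server talking: record the service
            host["services"][pkt["sport"]] = banner
    return hosts

def build_frame(src, dst, sport, dport, flags, ttl, df, window, options=b"", payload=b""):
    """Construct an Ethernet/IPv4/TCP frame for the sample below (checksums left zero)."""
    options += b"\x01" * (-len(options) % 4)            # NOP-pad to a 32-bit boundary
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, ((5 + len(options) // 4) << 12) | flags,
                      window, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed sample: a Linux-like client opens SSH to a server, which answers with its banner.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 51000, 22, 0x002, 61, True, 29200,
                options=b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x03\x03\x07"),
    build_frame("10.0.0.9", "10.0.0.5", 22, 51000, 0x018, 63, True, 65160,
                payload=b"SSH-2.0-OpenSSH_7.4\r\n"),
]
```

Running `inventory(SAMPLE_FRAMES)` attributes a Linux guess to 10.0.0.5 from its SYN alone and records an SSH service on port 22 of 10.0.0.9 from the banner it sent, which is exactly the "hidden host" and "continuous discovery" behaviour the advantages list describes: neither host was probed. The signature match is deliberately exact; a production sensor tolerates window-size ranges and option variations, which is where most of the complexity the section alludes to lives.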

Active Scanning Technology Advantages and Disadvantages

Active scanning involves using software that can generate packets on the network to actively engage the targets in order to detect their presence and vulnerabilities. It is a more complex but highly scalable approach that is the most popular today. The scanner is connected to the network just as any other host. The position of the scanner relative to the targets is critical in getting the best results. We will talk more about this later.
Active scanning essentially emulates the behavior of hackers to discover targets, with one critical difference: hackers use tools and techniques designed to conceal their activities, whereas legitimate active scanning tools do not. Scanners can also run some exploits to confirm susceptibility. The degree to which these exploits are performed depends on the options selected in the scan configuration. Most products avoid using exploits that might have adverse effects on the target unless the administrator specifically selects them in the scan configuration. Furthermore, it should be understood that most commercial tools are designed to detect vulnerabilities, not exploit them. Although they can be used as part of a penetration test, there are other, more appropriate tools for that task.

Advantages and Disadvantages

Some key advantages of active scanning:
  • Highly scalable because scanning takes place from a central location or distributed locations of the security architect’s choice and does not require software installation on the targets.
  • The technology can provide a hacker’s view of the network and targets, so the vulnerability manager can have a realistic view of their risks in the production environment.
  • Potential to support any networked device, that is, not limited to a compatible platform for an agent.
  • Can provide incremental information regardless of platform support (e.g., open ports, identified protocols/applications, banners) even when the VM system has not previously seen the device.
Some key disadvantages of active scanning:
  • If the target is not connected to the network during the scan window, it will not be scanned. Agents, by contrast, can detect a vulnerability when it occurs and report it the next time the host connects to the network.
  • A potential exists for impact on the network infrastructure, since all scanning is performed over the network. However, some basic planning (scan windows, rate limits, and exclusions for fragile devices) will prevent such adverse effects.
  • Scanning is slower over slow network connections. This is typical in small offices with weak links. Today, we see this frequently in South America, Africa, and some parts of Asia.
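As an added example (not code from the original page or from any scanner product), the following Python connect scanner shows the active approach in miniature: it completes a TCP handshake with each target port, reads whatever greeting the service sends, and exposes the two settings that the planning point above depends on, the per-probe timeout and the cap on concurrent connections. The target is a constructed local listener on 127.0.0.1 so the script runs offline; the banner string, the port selection and the `probe`/`scan` helper names are assumptions.

```python
"""Minimal active TCP connect scanner with banner grab (added example).
A throwaway local service stands in for a target so the scan runs offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def probe(host, port, timeout=1.0):
    """Active probe: complete a TCP handshake, then read the service's first bytes.
    Returns (port, state, banner) with state in {"open", "closed", "filtered"}."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except socket.timeout:
                banner = ""               # open but silent: the client must speak first (e.g. HTTP)
            return port, "open", banner
    except ConnectionRefusedError:
        return port, "closed", ""         # RST came back: nothing listening
    except (socket.timeout, OSError):
        return port, "filtered", ""       # no answer at all: a filter, or a link too slow for the timeout

def scan(host, ports, timeout=1.0, workers=4):
    """Probe each port with at most `workers` connections in flight.
    `workers` and `timeout` are the knobs that keep a scan from swamping a weak link
    or a fragile device; raise them only where the network can take it."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}

def start_fake_service(banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
    """Constructed target: a loopback listener that greets every client with a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free one
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                    # listener closed: stop serving
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv

def free_port():
    """Constructed 'closed' target: a port that was free a moment ago and has no listener."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo():
    """Scan one live port and one closed port on loopback; return (open_port, closed_port, results)."""
    srv = start_fake_service()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    results = scan("127.0.0.1", [open_port, closed_port], timeout=1.0, workers=2)
    srv.close()
    return open_port, closed_port, results

if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d} {state:8s} {banner}")
```

Because a connect scan finishes the handshake, every probe appears in the target's logs, which is the "no concealment" difference from an attacker's tooling that the section draws. The "filtered" state deserves a second look in practice: over the slow links the last bullet mentions, a timeout that is too short will misreport open ports as filtered, so the timeout should be tuned per site rather than fixed globally.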
