
Trend to ponder: Passive vulnerability assessment

Jim Reavis examines the pros and cons of passive vulnerability assessment.

Passive vulnerability assessment is a fairly new concept, and it will be interesting to see if it takes hold. The idea behind passive vulnerability assessment is that rather than providing proactive probing of networks by generating test traffic, you are inferring the vulnerabilities by sniffing the normal network traffic. So while a traditional network scanner will send a "fingerprint" packet to identify a Web server operating system, passive vulnerability assessment finds the same information in the course of reading normal packets flowing between Web users and the Web server. What are the advantages to passive vulnerability assessment?

Non-intrusive. Network scanning is a necessary function, but can sometimes be downright scary. Testing for flaws can sometimes create unintended consequences, and any experienced pen tester can tell you war stories about locking up a host system or router while doing an assessment. With passive vulnerability assessment you do not add anything visible to a production network and do not have the associated liability.

No service window. Because you are not physically affecting the network, you have much more flexibility in scheduling tests and can run them virtually at all times.

Living VA. It is one thing to be aware of vulnerabilities on your network; it is another thing to put that knowledge in the context of how your network operates and how the traffic flows. Two hosts that look identical on a traditional VA report will look markedly different from the perspective of passive VA if one host receives 1,000 times the traffic of the other. The extra knowledge can only help in making the remediation decisions.

Does passive vulnerability assessment have disadvantages? One huge problem: it is not as accurate as traditional VA, nor can it ever be. It is simply impossible to count on production traffic uncovering all of the potential vulnerabilities lying dormant on a network. A fast-moving worm like SQL Slammer, for example, exploited desktop SQL Servers that no one was aware of and that would not have shown up in a passive VA report. Attacks by definition are anomalous events, and you may not be able to infer enough of your weaknesses by looking at normal network traffic.
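The following is an added example, not code from the article or from any passive VA product, that ties together the three points above: it builds a service inventory purely from server-to-client payloads a sensor would see anyway (the passive fingerprinting described at the top), keeps a hit count per service so that two hosts with the same banner can be ranked by how much traffic they actually carry (the "living VA" point), and then compares the passive inventory against a separately maintained asset list to expose the blind spot just described: a host that never talks during the capture window is invisible to passive VA. All hosts, banners and the asset list are constructed sample data; the helper names (`extract_banner`, `build_inventory`, `summarize`, `coverage_gap`) are this example's own.

```python
"""Passive service inventory from observed traffic (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A flow here is a reassembled server-to-client payload: (server_ip, server_port, payload).
Flow = Tuple[str, int, str]


@dataclass
class ServiceRecord:
    banner: Optional[str] = None  # software string learned from normal responses
    hits: int = 0                 # responses observed: the traffic context active VA lacks


# "Server:" header of an HTTP response; the lazy group stops before the trailing CR.
SERVER_HEADER = re.compile(r"^Server:\s*(.+?)\r?$", re.MULTILINE | re.IGNORECASE)


def extract_banner(port: int, payload: str) -> Optional[str]:
    """Return the software banner a normal response reveals, or None if it reveals nothing."""
    first_line = payload.split("\r\n", 1)[0]
    if first_line.startswith("HTTP/"):
        match = SERVER_HEADER.search(payload)
        return match.group(1).strip() if match else None
    if port == 25 and first_line.startswith("220 "):
        # SMTP greeting: "220 host ESMTP software; date" -> keep the part before the date
        return first_line[4:].split(";")[0].strip()
    return None


def build_inventory(flows: List[Flow]) -> Dict[str, Dict[int, ServiceRecord]]:
    """host -> port -> ServiceRecord, learned only from traffic that already flows."""
    inventory: Dict[str, Dict[int, ServiceRecord]] = defaultdict(dict)
    for host, port, payload in flows:
        record = inventory[host].setdefault(port, ServiceRecord())
        record.hits += 1  # every response counts as traffic, banner or not
        banner = extract_banner(port, payload)
        if banner and record.banner is None:
            record.banner = banner
    return dict(inventory)


def summarize(inventory: Dict[str, Dict[int, ServiceRecord]]) -> List[Tuple[str, int, Optional[str], int]]:
    """(host, port, banner, hits) sorted busiest first, for remediation prioritisation."""
    rows = [(host, port, rec.banner, rec.hits)
            for host, ports in inventory.items() for port, rec in ports.items()]
    return sorted(rows, key=lambda row: (-row[3], row[0], row[1]))


def coverage_gap(inventory: Dict[str, Dict[int, ServiceRecord]], known_hosts: List[str]) -> List[str]:
    """Hosts on the asset list (e.g. from an active scan) that passive observation never saw."""
    return sorted(host for host in known_hosts if host not in inventory)


# Constructed sample traffic: one busy Apache host, one quiet IIS host, one mail server.
BUSY_RESPONSE: Flow = ("10.0.0.10", 80,
                       "HTTP/1.1 200 OK\r\nServer: Apache/2.0.48 (Unix)\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_FLOWS: List[Flow] = [BUSY_RESPONSE] * 50 + [
    ("10.0.0.10", 80, "HTTP/1.1 304 Not Modified\r\nServer: Apache/2.0.48 (Unix)\r\n\r\n"),
    ("10.0.0.11", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"),
    ("10.0.0.11", 80, "HTTP/1.1 200 OK\r\n\r\n"),  # no Server header, still counted as a hit
    ("10.0.0.20", 25, "220 mail.example.test ESMTP Sendmail 8.12.10; Tue, 2 Dec 2003 10:00:00 -0800\r\n"),
]
# Constructed asset list: 10.0.0.30 exists but sends nothing during the capture window.
KNOWN_HOSTS = ["10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.30"]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for host, port, banner, hits in summarize(inventory):
        print(f"{host}:{port:<5} hits={hits:<4} banner={banner}")
    print("not seen passively:", coverage_gap(inventory, KNOWN_HOSTS))
```

Run as a script it lists the three observed services busiest first and reports `10.0.0.30` as unseen. The gap list is the practical reason for the integration argued for below: the passive inventory enriches the active one with traffic context, and the active one tells you which assets the passive sensor has not yet had a chance to observe.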

My view is that passive vulnerability assessment and traditional active vulnerability assessment complement each other and will ultimately need to be provided as an integrated solution. VA companies should develop this capability or develop strategic alliances to integrate this functionality into their offerings. Security professionals should be wary of companies that try to position these two approaches against each other and try to make the case that only one or the other is needed. In the long run, the most accurate vulnerability assessment will give you a complete picture of all the network-attached devices and how that network operates as a living entity.

About the author
Jim Reavis is the editor of CSOinformer, a monthly research newsletter focused on emerging information security trends and a service of Reavis Consulting Group. An industry leader in information security research, Reavis Consulting Group provides research and analysis services to solution providers, investor groups and end users.

This was last published in December 2003
