Re: Cisco CTR

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 11/17/03

    Date: Mon, 17 Nov 2003 15:03:32 -0500
    To: Ron Gula <rgula@tenablesecurity.com>
    
    

    Hi Ron,

    Actually, RNA went out the door this morning after a year of
    development and another 2 years of research and planning as an early
    availability release and it will be GA in a couple weeks. From what I
    can see, RNA and NeVO have different missions; NeVO is being billed as
    a passive vulnerability "scanner" whereas RNA is being billed as a
    passive network discovery system. We have multi-mode passive OS
    fingerprinting, topology discovery, active service identification, flow
    monitoring, real-time change analysis and passive vulnerability
    inference mechanisms built in to RNA. The version of NeVO that I saw a
    couple months ago was doing OS fingerprinting in support of passive
    vulnerability analysis, I'm unfamiliar/unaware of how it has evolved
    since then.

    I don't know what you mean by "looking for unique vulnerabilities",
    we're doing vulnerability inference by looking at platform and
    application data and inferring classes of vulnerabilities that can be
    available. This capability is primarily there to support dynamic
    prioritization of IDS events and to gauge potential impact of attacks
    that we see on the network. We're planning on leveraging the
    information in the future for a variety of purposes, but RNA's focus is
    much broader than providing vulnerability analysis solely.

    We've also wrapped RNA with a variety of supporting management and
    analysis technology. We've got a full web-based management and
    analysis GUI built-in to the appliances that incorporates a common look
    and feel with our new version 3.0 ISM (IDS) product line, we can manage
    multiple RNA sensors from the Sourcefire Management Console and provide
    data aggregation and topology analysis from a central point, we've got
    a 3D visualization GUI for data analysis, administration tools for
    system maintenance, etc etc.

          -Marty

    On Nov 17, 2003, at 10:52 AM, Ron Gula wrote:

    >
    > I know RNA has not officially shipped yet, but from the web site,
    > it looks very similar to NeVO. It does similar OS fingerprinting,
    > traffic profiling, security vulnerabilities and so on.
    >
    > The question I've not been able to get a good answer for is if
    > RNA looks for unique vulnerabilities, or if it is using the operating
    > systems or application fingerprint to determine which vulnerabilities
    > are active.
    >
    > Ron Gula
    > Tenable Network Security
    >
    >
    > At 09:41 PM 11/13/2003 -0500, Martin Roesch wrote:
    >> Vendor Alert: I work for Sourcefire.
    >>
    >> RNA is not a passive vulnerability scanner, vulnerability analysis is
    >> only a subset of what it can accomplish. I've taken to calling RNA a
    >> passive network discovery system (PNDS) since that's a more accurate
    >> description of what it does.
    >>
    >> BTW, the demo that Joe saw was from a beta of RNA that we were running
    >> in-house, production versions should only be set to discover your
    >> internal network so you don't accidentally start mapping other
    >> people's networks with it. We had our internal sensors tuned that way for
    >> testing of preproduction units only, we don't condone mapping other
    >> people's networks with RNA.
    >>
    >> -Marty

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org