Advantages and Disadvantages of passive network analysis

Written by Paula Oberman; published October 2009.



The passive network analysis approach has several advantages:

• The analyzer does not interact with the network to discover hosts and their related vulnerabilities.

• Only the interface through which the user accesses the software to get reports is active.

• Little to no testing is required to be certain there is no negative impact on the network or hosts: because the technology is completely passive, little verification is needed, and even if the device physically fails it is not placed inline where it would have to handle the bits on the wire.

• Sometimes the device can be installed in tandem with an existing IDS, which greatly simplifies deployment because no changes to the network switch are required.

• The discovery process takes place continuously. New hosts are revealed as soon as they are connected to the network and begin communicating. With active scanning and agents, by contrast, a new host or vulnerability may not be known until the next scan cycle.

• Hosts that do not listen for probing traffic, and so are invisible to active scanning, can still be discovered: these hosts only communicate by initiating conversations on the network, and can therefore only be detected passively.
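As an added illustration, not code from the article, the following Python sketch folds constructed flow summaries, of the kind a passive analyzer derives from mirrored switch traffic, into a host inventory. It shows the two properties above: a host that only initiates connections is still discovered, and first-seen timestamps give continuous discovery rather than per-cycle discovery. The HostRecord fields, the flow tuple layout and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class HostRecord:
    first_seen: int                                # time of the first packet from or to this host
    listens_on: set = field(default_factory=set)   # ports on which the host answered with SYN-ACK
    initiated: int = 0                             # connections the host opened itself


# Constructed flow summaries (not a real capture), modelled on what a passive
# analyzer derives from mirrored switch traffic:
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    (100, "10.0.0.5",  51000, "10.0.0.10", 443,   "S"),   # workstation opens HTTPS
    (100, "10.0.0.10", 443,   "10.0.0.5",  51000, "SA"),  # server answers: it listens on 443
    (140, "10.0.0.5",  51001, "10.0.0.20", 22,    "S"),   # same workstation opens SSH
    (140, "10.0.0.20", 22,    "10.0.0.5",  51001, "SA"),
    (230, "10.0.0.77", 40000, "10.0.0.10", 443,   "S"),   # previously unknown host appears
    (230, "10.0.0.10", 443,   "10.0.0.77", 40000, "SA"),
]


def build_inventory(flows):
    """Fold flow summaries into a host table without sending a single packet."""
    inventory = {}
    for ts, src, sport, dst, dport, flags in flows:
        for ip in (src, dst):                      # any host seen on the wire is discovered
            inventory.setdefault(ip, HostRecord(first_seen=ts))
        if flags == "S":                           # src is initiating a connection
            inventory[src].initiated += 1
        elif flags == "SA":                        # src accepted: a listener exists on sport
            inventory[src].listens_on.add(sport)
    return inventory


def hidden_hosts(inventory):
    """Hosts that only ever initiate conversations and never answer one.
    An active scan of listening ports would not find them; passive observation does."""
    return sorted(ip for ip, h in inventory.items()
                  if h.initiated > 0 and not h.listens_on)


def new_hosts_since(inventory, ts):
    """Hosts first seen after a given time: discovery is continuous, not per scan cycle."""
    return sorted(ip for ip, h in inventory.items() if h.first_seen > ts)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, rec in sorted(inv.items()):
        print(ip, "first seen", rec.first_seen, "listens on", sorted(rec.listens_on))
    print("initiate-only hosts:", hidden_hosts(inv))
    print("new since t=200:", new_hosts_since(inv, 200))
```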

Since routing protocols and other network information are also visible to the traffic analyzer, it may be able to map the network topology and use this information to build a picture of the attack surface of a more complex network. This type of information can also be obtained by authenticated active scans and by providing configuration data to specialized tools.

This technology also has some notable disadvantages:

• The device typically must be installed on the switch that carries the traffic to be monitored. Remote monitoring of a network is often not practical over a busy WAN connection, which limits the number of locations that can be monitored. If your organization requires monitoring on a broad geographic scale, this may not be the right technology.

• The mechanism that copies switch traffic to the physical device can cause additional CPU load on the switch. That additional load can lower the performance of routing, access control, or other CPU-intensive operations.

• There is limited visibility into vulnerabilities. Many of the vulnerabilities that can be detected with a host agent or active, authenticated network scan cannot be detected by analyzing network traffic.

Overall, passive analysis may not see as many vulnerabilities on systems, but it functions 24 hours a day and provides network topology information that would otherwise be unavailable. Changes to the network environment and to hosts are detected first by the passive method, provided those changes have a network footprint.
