I was very excited to read Joel Snyder's review of Sourcefire's RNA and our Passive Vulnerability Scanner (PVS). (The article requires registration). He makes a lot of very good points about the accuracy of passive network analysis and does a very good job of contrasting the Sourcefire 3D system for managing IDS events and our Security Center for managing security. There are some points I would like readers to take away from the article though:
- During the evaluation, our PVS mis-identified an anti-spam appliance as having several client-side vulnerabilities. We had an error in the logic of some of our PVS signatures and have fixed it. This single fix would have drastically lowered the number of issues dealing with false positives during the evaluation.
- There are major design differences between RNA and PVS. To quote the article, "If Tenable uses an "innocent until proven guilty" approach to marking vulnerabilities, Sourcefire considers every system "guilty until proven innocent." Basically, as soon as RNA guesses your OS, it attaches any potential vulnerability it knows about it. I think this approach is great for IDS event correlation, but for vulnerability management, it is too broad. At Tenable, the same team that writes the Nessus host based and scanning checks writes the PVS checks. Our Security Center does do IDS/vulnerability correlation with many NIDS including Snort, but since we're more application focused, there are less correlations.
- I wished the article went into more of the benefits of doing continuous and passive analysis as a compliment to active scanning. Joel gives the impression that these tools are only good for large networks. Tenable has many customers putting the PVS in places that A) can't be scanned that often or B) simply can't be scanned. For more information, I highly recommend our papers "Security Event Management" and "Correlating IDS Alerts with Vulnerability Information" available in the White Papers section of our web site.
- Lastly, the article didn't evaluate our Log Correlation Engine product. This would have allowed the evaluators to search all Snort logs for the duration of the evaluation, as well as add in logs from our passive network monitor. The combination of knowing the sort of information that PVS can discover along with having a record of all of your firewall, network sessions, user logs, .etc is very compelling.
If you haven't seen a product like RNA or PVS before, please feel free to take a look at the demonstration video we have here.
As you might expect, I would really like to see more evaluations like this. Tenable has been offering our PVS solution for several years now. We have many different enterprise customers that run our vulnerability detection solutions in credentialed, scanning and passive modes. The more sophisticated customers use different combinations of these technologies across their enterprise as dictated by political and technical network limitations. I think articles like this, although good for Tenable, can also get network users out there to consider other sorts of tools to perform network discovery.