At 04:05 AM 9/23/2005, Olaf Gellert wrote:
Ron Gula wrote:
> Continuous scanning will help you find some things, but won't find:
>
> - new client software
> - hosts protected by personal firewalls
> - off-port services (you want to do continuous scanning for all 65k ports?)
Well, you are thinking of scanning as a network
related process (a la NMAP), I guess. But there
a many other possibilities of scanning: Scanning
your local logfiles (eg host based sensors),
scanning your local filesystem, scanning your local
installation database for new software. This way you
may get much more (and very accurate) information
than by actively scanning the network (or by
analyzing the traffic).
Sure this is not as easily deployed as a single
network sensor, but it can very well be worth
the effort.
Yes, much agreed. Many of the talks I've given recently usually
start off with a slide saying "there are more ways to detect
vulnerabilities than with network scanners". Every technique
has a pro and con and I also like to point out some sort of
political or management cost.
With how well this relates to IDS/VA correlation, all of these
processes need to be fairly centralized and real time.
Ron Gula, CTO
Tenable Network Security
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
