A network security audit system may employ different types of network data gathering tools to gather information about the network. For example, one type of scanner may be capable of operating system fingerprinting, port mapping, and/or vulnerability assessment, while another scanner may be configured with other capabilities. Other types of information sources such as, for example, cameras, human input, and the like, may also be used to add to the information provided by the scanners.
A drawback to utilizing different types of network data gathering tools in a network security audit system is that disparate products often have different ways of representing information gathered about the network, and/or different ways of testing the information, although the tests and/or results may be semantically equivalent to one another. For example, one scanner may represent and test SNMP community strings, which are well known in the art, differently from another scanner. The first scanner may use a specific test number for testing SNMP community strings, and format its output in a simple delimited, plain text representation. The second scanner may use a different test number for performing the same test, and may represent its output data in an XML (Extensible Markup Language) representation with separable fields of tagged data. Both scanners may in turn represent and test SNMP community strings differently than a human who performs a manual inspection and enters facts gathered from the manual inspection.
The difference in testing and representing results that are semantically equivalent presents a challenge when creating policy rules. Designing a separate rule for each type of information gathering tool, to account for that tool's particular manner of representing and testing information about the network, is inefficient and laborious.
Accordingly, there exists a need for a system and method for generating and applying network policies independently of the type of tools that may be used to gather information about the network. There also exists a need for a system and method for semantically normalizing the disparate information so as to allow a uniform application of the network policies.
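The normalization described above, as an added example that is not part of the patent text: two hypothetical scanners report the same SNMP community-string test under different test numbers and in different formats (one pipe-delimited plain text, one XML with tagged fields), and an auditor enters a third result by hand. Each source is mapped into one canonical finding type, and the policy rules are then written once against that type. The test numbers, field layouts, hosts and community strings are constructed for the example.

```python
"""Added example: semantically normalize disparate scanner output and manual
input into one finding type, then apply policy rules independently of the
tool that produced the data. All identifiers and sample data are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed output of hypothetical scanner A: pipe-delimited plain text.
# Assumed layout: test_id|host|protocol|community|access
SCANNER_A_OUTPUT = """\
1042|10.0.0.5|snmp|public|read
1042|10.0.0.6|snmp|s3cr3t-Zq9|read
2001|10.0.0.6|http|server-banner|n/a
"""

# Constructed output of hypothetical scanner B: XML with separable tagged fields.
SCANNER_B_OUTPUT = """\
<scan>
  <result test="SNMP-7">
    <host>10.0.0.7</host>
    <communityString>private</communityString>
    <access>write</access>
  </result>
</scan>
"""

# Constructed manual-inspection entries (facts typed in by an auditor).
MANUAL_INPUT = [
    {"host": "10.0.0.8", "note": "snmp community", "value": "public", "rw": False},
    {"host": "10.0.0.9", "note": "open cabinet", "value": "rack 3", "rw": False},
]


@dataclass(frozen=True)
class SnmpCommunityFinding:
    """Canonical representation shared by every information source."""
    host: str
    community: str
    writable: bool
    source: str


# Each tool's native test identifier mapped to the canonical finding kind.
TEST_ID_MAP = {
    ("scanner_a", "1042"): "snmp_community",
    ("scanner_b", "SNMP-7"): "snmp_community",
}


def parse_scanner_a(text):
    """Normalize scanner A's delimited text; unrelated tests are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        test_id, host, _proto, community, access = line.split("|")
        if TEST_ID_MAP.get(("scanner_a", test_id)) != "snmp_community":
            continue
        findings.append(SnmpCommunityFinding(host, community, access == "write", "scanner_a"))
    return findings


def parse_scanner_b(text):
    """Normalize scanner B's XML output into the same finding type."""
    findings = []
    for result in ET.fromstring(text).iter("result"):
        if TEST_ID_MAP.get(("scanner_b", result.get("test"))) != "snmp_community":
            continue
        findings.append(SnmpCommunityFinding(
            result.findtext("host"),
            result.findtext("communityString"),
            result.findtext("access") == "write",
            "scanner_b",
        ))
    return findings


def parse_manual(entries):
    """Normalize hand-entered facts; only SNMP community entries apply here."""
    return [SnmpCommunityFinding(e["host"], e["value"], e["rw"], "manual")
            for e in entries if e["note"] == "snmp community"]


# Policy rules are written once, against the canonical finding only.
DEFAULT_COMMUNITIES = {"public", "private"}


def rule_default_community(f):
    if f.community.lower() in DEFAULT_COMMUNITIES:
        return f"{f.host}: default SNMP community '{f.community}' ({f.source})"
    return None


def rule_writable_community(f):
    if f.writable:
        return f"{f.host}: SNMP community grants write access ({f.source})"
    return None


def audit():
    """Gather findings from every source and apply all rules uniformly."""
    findings = (parse_scanner_a(SCANNER_A_OUTPUT)
                + parse_scanner_b(SCANNER_B_OUTPUT)
                + parse_manual(MANUAL_INPUT))
    violations = []
    for f in findings:
        for rule in (rule_default_community, rule_writable_community):
            msg = rule(f)
            if msg:
                violations.append(msg)
    return violations


if __name__ == "__main__":
    for v in audit():
        print(v)
```

The two rules never see a test number, a delimiter or an XML tag; adding a third scanner means writing one more parser that emits `SnmpCommunityFinding`, not rewriting the rules.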