1. Field of the Invention
The present invention relates generally to network security and, more particularly, to analyzing a network for vulnerabilities.
2. Background of the Invention
A network vulnerability may be exploited by an unauthorized user to gain access to a system, or to deny legitimate users access to it. To detect (and remedy) such vulnerabilities, a vulnerability analysis typically is conducted either by manual inspection or by a network scanner. Both methods are slow, and manual inspection is particularly so. Conventional network scanners (herein called “active scanners”) operate by interrogating a network: the active scanner sends packets to, or otherwise communicates with, the systems it is auditing. Accordingly, the active scanner is bound by the physical limitations of the network and the systems it is auditing, such as available bandwidth, round-trip delay, and the timeout that must elapse before a probe that draws no reply can be given up on. Because of these physical limitations, a scan can take a long time.
FIG. 1 is a schematic diagram of a conventional active scanning system. System 100 includes multiple routers 130, hosts or network devices 120 and a single active scanner 110. In the network of system 100, scanner 110, which is placed in one network subnet, must perform a considerable amount of work. Active scanner 110 sends packets across several routers 130 and probes every candidate address for hosts 120, which may or may not be active, so that probes to unused addresses cost the same timeout as probes to live ones. If any of routers 130 is performing firewall screening, the scan's results will be incomplete, because the scanner cannot reach the hosts behind the firewall and cannot distinguish a screened host from an unused address.
In addition, active scanners suffer other shortcomings. First, an active scan's results become stale over time. Even if an organization can launch an active scan once a day, hosts may still be added or removed during that day. Most organizations only scan once a week or once a month, and the results of their active scan lose value as the network changes in the interval between scans.
Further, an active scan may inadvertently disrupt a system it is testing. For example, the act of probing in some rare cases may cause instability in the audited system. Network devices such as routers and switches may also be affected by the large number of port scans, host enumeration requests and vulnerability tests. Even if there is no disruption, the scan will cause a firewall or tested server to generate a large volume of log entries, one per probe in the worst case.
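The following is an added example, not part of the patent text, that models the active scanner of FIG. 1 against a small constructed network so the three shortcomings above can be measured: probe cost bounded by round-trip time and timeout, hosts behind a screening router that never appear in the report (and generate a firewall log entry per probe), and a report that silently goes stale when hosts are added or removed after the scan. The subnets, addresses, RTT values and open ports are all constructed for illustration; timing is simulated rather than measured, so the script runs offline.

```python
"""Simulation of a conventional active scanner (FIG. 1 style).

Constructed example: a scanner in one subnet probes every candidate address
in several subnets through routers; one router performs firewall screening.
All addresses, RTTs and open ports below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    open_ports: frozenset


@dataclass
class Subnet:
    cidr: str
    rtt_ms: float                               # round trip scanner -> subnet
    hosts: dict = field(default_factory=dict)   # ip -> Host, the live machines
    firewalled: bool = False                    # router drops unsolicited probes


@dataclass
class ScanResult:
    found: dict              # ip -> set of open ports, for hosts that answered
    no_answer: set           # addresses where every probe timed out
    probes_sent: int
    firewall_log_entries: int
    elapsed_ms: float


def active_scan(subnets, ports, timeout_ms=1000.0, concurrency=1):
    """Simulate a TCP connect-style scan of every candidate address.

    A probe costs one RTT when something answers (SYN/ACK or RST) and a full
    timeout when nothing does.  Probes into a firewalled subnet are dropped by
    the router, which logs each one; the scanner cannot tell a screened host
    from an unused address.  elapsed_ms is the idealized wall-clock time for
    `concurrency` probes in flight at once.
    """
    found, no_answer = {}, set()
    probes = logged = 0
    total_wait = 0.0
    for net in subnets:
        for addr in ipaddress.ip_network(net.cidr).hosts():
            ip = str(addr)
            answered = False
            for port in ports:
                probes += 1
                if net.firewalled:
                    logged += 1
                    total_wait += timeout_ms
                    continue
                host = net.hosts.get(ip)
                if host is None:
                    total_wait += timeout_ms      # nothing there: wait it out
                    continue
                answered = True
                total_wait += net.rtt_ms          # live host replies after 1 RTT
                found.setdefault(ip, set())
                if port in host.open_ports:
                    found[ip].add(port)
            if not answered:
                no_answer.add(ip)
    return ScanResult(found, no_answer, probes, logged, total_wait / concurrency)


def missed_and_gone(result, subnets):
    """Compare a finished scan's report with the network as it is *now*.

    Returns (missed, gone): live hosts the report does not contain, and
    reported hosts that no longer exist.  Both grow as the report ages.
    """
    live = {ip for net in subnets for ip in net.hosts}
    return live - set(result.found), set(result.found) - live


def build_network():
    """Constructed topology: subnet A reachable, subnet B behind a firewall."""
    a = Subnet("10.0.1.0/29", rtt_ms=2.0, hosts={
        "10.0.1.2": Host("10.0.1.2", frozenset({22, 80})),
        "10.0.1.5": Host("10.0.1.5", frozenset({443})),
    })
    b = Subnet("10.0.2.0/29", rtt_ms=5.0, firewalled=True, hosts={
        "10.0.2.3": Host("10.0.2.3", frozenset({22})),
    })
    return [a, b]


if __name__ == "__main__":
    net = build_network()
    res = active_scan(net, ports=[22, 80, 443])
    print(f"{res.probes_sent} probes, {res.elapsed_ms / 1000:.1f}s sequential, "
          f"{res.firewall_log_entries} firewall log entries")
    print("found:", res.found)
    print("missed/gone at scan time:", missed_and_gone(res, net))
    # Later: one host added, one retired.  The report does not change.
    net[0].hosts["10.0.1.4"] = Host("10.0.1.4", frozenset({3389}))
    del net[0].hosts["10.0.1.5"]
    print("missed/gone after changes:", missed_and_gone(res, net))
```

Two details are worth noting. Most of the simulated scan time is spent on addresses where nothing lives, because every unanswered probe costs a full timeout; raising `concurrency` divides the wall-clock time but not the number of packets or the number of firewall log entries. And the screened host 10.0.2.3 lands in `no_answer` alongside the genuinely unused addresses, which is exactly why the report is incomplete rather than merely slow.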
Finally, in addition to their technical limits, active scanners may also carry a political stigma within large organizations. For example, a system administrator may feel that there is no need for a third party to scan the systems under his or her control.
Thus, there is a need for improved methods of quickly and continuously scanning a network for vulnerabilities.