Conventional network security devices such as Intrusion Detection Systems (IDS), firewalls, and security scanners operate independently of one another, with virtually no knowledge of the network assets being defended. This lack of information results in numerous ambiguities when interpreting alerts and making decisions on adequate responses. Passive and active network discovery and persistent monitoring are useful to both network managers and security analysts, especially in a dynamic network environment. Automated network information gathering techniques can provide significant contextual information regarding the components to be protected.
The Network Security Research Group at the Communication Research Centre (CRC) has developed a Passive Network Monitoring Tool (PNMT) and an Active Network Monitoring Tool (ANMT) for passive and active network auto-discovery. Techniques used in these tools include the capability to discover active nodes, operating systems, the node’s role in the network, system uptime, the services offered, the protocols supported, IP network interface configuration and the network topology at different levels of specification (physical, logical). The prototypes provide this information to network managers and security analysts via a custom graphical user interface. By combining a number of different information acquisition techniques and information sources, the tools are able to construct a comprehensive and trustworthy picture of the network. PNMT and ANMT can be used together to allow near real-time awareness of the security posture of ever-changing networks. This approach can help network administrators exercise control and better anticipate upcoming security events.
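As an added example (not CRC's PNMT or ANMT code), a toy passive inventory builder in Python that applies the same idea: every captured TCP segment is evidence about its sender, so initial-TTL/window pairs serve as OS hints, a SYN/ACK is proof of a listening service, and the TTL decrement gives the hop distance from the sensor. The OS_HINTS table and the sample capture are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    """Minimal fields a passive sensor would extract from one captured TCP segment."""
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    window: int  # advertised TCP window

# Constructed (initial TTL, window) -> OS family hints; a real tool carries a far larger signature base.
OS_HINTS = {(64, 29200): "Linux-like", (64, 65535): "BSD/macOS-like",
            (128, 8192): "Windows-like", (128, 65535): "Windows-like"}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (64, 128, 255)."""
    return next((init for init in (64, 128, 255) if ttl <= init), 255)

def build_inventory(packets):
    """Fold observed segments into a per-host record of OS guess, role, services and distance."""
    hosts = defaultdict(lambda: {"os": "unknown", "role": set(), "services": set(),
                                 "hops": None, "evidence": 0})
    for p in packets:
        h = hosts[p.src]
        h["evidence"] += 1
        init = initial_ttl(p.ttl)
        h["hops"] = init - p.ttl                 # router hops between sender and sensor
        if p.flags in ("S", "SA"):
            # only handshake segments carry the stack's default window, so only they are fingerprinted
            h["os"] = OS_HINTS.get((init, p.window), h["os"])
        if p.flags == "S":
            h["role"].add("client")
        elif p.flags == "SA":
            # a SYN/ACK proves the sender really listens on sport; a bare SYN towards dport proves nothing
            h["role"].add("server")
            h["services"].add(p.sport)
    return dict(hosts)

# Constructed sample capture: two clients completing handshakes with one server two hops away.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.10", 64, 51000, 22, "S", 29200),
    Packet("10.0.0.10", "10.0.0.5", 126, 22, 51000, "SA", 8192),
    Packet("10.0.0.5", "10.0.0.10", 64, 51000, 22, "A", 29200),
    Packet("10.0.0.7", "10.0.0.10", 128, 52000, 445, "S", 8192),
    Packet("10.0.0.10", "10.0.0.7", 126, 445, 52000, "SA", 8192),
]

if __name__ == "__main__":
    for ip, rec in sorted(build_inventory(SAMPLE).items()):
        print(ip, rec)
```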
With the rapid deployment of wireless LANs and new network technologies, such as IPv6, the active/passive tools must be readied for use in these environments. Future work may involve adapting the tools to support these technologies.
A significant factor affecting active and passive monitoring is the cost of deploying sensors in large network environments. For passive monitoring in particular, sensors must be placed at the appropriate locations, since it is not always possible to funnel network traffic through a few specific points in the network. For this reason, another desirable follow-up would be to implement the tools on small, low-cost devices (in the hundreds of dollars) that could be deployed as sensors in remote locations.