The difference between vulnerability scanners and configuration auditing software
By Keith Driver | Date published: 21 Jul 2020
What is a Configuration Audit?
Managed network devices (switches, routers and firewalls) are configured through a management interface such as a command line or a web interface. The configuration is stored in the device's non-volatile memory so that it survives a power cycle.
The configuration tells the device what to do: route packets, collect statistics, raise alarms and so on. Getting it right matters not only so that the device functions as intended, but also so that it functions securely.
The configuration must be set according to the policies of the organisation that owns the network, or to prescribed standards such as the DISA STIGs or the CIS Benchmarks. The purpose of these policies and standards is to ensure the configuration is secure.
A configuration audit is therefore performed to determine whether the device configuration adheres to the desired policy. To audit it, the configuration must be exported from the device (for example with show running-config on Cisco IOS) and inspected. It is the running configuration that should be audited, since the saved startup configuration can differ from what the device is actually enforcing. This activity is frequently performed as part of a penetration test.
To simplify what is a time-consuming task, auditors use a variety of tools. However, the accuracy of the audit depends on the tool's technical approach to the problem. Sometimes tools that are valuable for network security, but were not designed for configuration auditing, are pressed into service. In these cases vital information is at risk of being missed, and false positives or false negatives may be reported.
What’s the difference between Configuration Auditing & Vulnerability Scanning?
An approximation of a configuration audit can be obtained by scanning the device externally. In this case a scanner probes the device for open ports and misconfigured services and tries to infer the configuration from the responses, without ever seeing the configuration itself.
This approach has poor accuracy. Only settings with an externally observable footprint can be detected at all: a disabled password-encryption service, a missing logging or AAA configuration, or an access list that is defined but never applied to an interface produces no symptom a scanner can see. The scan also generates network traffic that looks very much like an attacker probing the device for weaknesses and vulnerabilities. Scanners, by their very nature, look at external data (the results of probes) rather than internal configuration information (the set of instructions the device is programmed to follow).
This quote from eSecurity Planet neatly explains this: “At the most basic level, vulnerability scanning aims to identify any systems that are subject to known vulnerabilities, while a penetration test aims to identify weaknesses in specific system configurations and organizational processes and practices that can be exploited to compromise security.”
Of course, tools for configuration audit also differ in how diligent their analysis is. To determine security issues properly, a tool must model the configuration and understand how the settings interact: an access list that permits all traffic is only a finding if it is actually applied to an interface, for example. Without such modelling the analysis generates false-positive findings that waste the auditors' time. Not all tools take this approach.
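The following is an added example, not a tool from the article or its author, of what a configuration-audit check looks like in practice and why modelling matters. It parses a constructed, hypothetical Cisco IOS-style running configuration (not captured from a real device), applies a handful of policy checks of the kind found in the CIS Benchmarks and DISA STIGs (clear-text password storage, a reversible enable password, a default SNMP community, Telnet on the VTY lines), and then applies one modelled check: an access list that permits all traffic is reported only if it is bound to an interface. Rule names and the config contents are the example's own assumptions.

```python
"""Toy configuration auditor for an IOS-style config (added example, not the article's tool)."""
import re

# Constructed sample running configuration for a hypothetical router.
# It contains several deliberately weak settings and two "permit everything"
# access lists, of which only OUTSIDE-IN is actually applied to an interface.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
snmp-server community public RO
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
ip access-list extended OUTSIDE-IN
 permit ip any any
ip access-list extended UNUSED
 permit ip any any
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-IN in
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
line vty 0 4
 transport input telnet ssh
 login local
"""


def parse_blocks(config):
    """Split an IOS-style config into (header, [child lines]) blocks.

    IOS indents sub-commands with a leading space under their parent line;
    '!' lines are comments/separators and are dropped.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def applied_acls(blocks):
    """Map ACL name -> list of 'interface/direction' where it is bound."""
    applied = {}
    for header, children in blocks:
        if not header.startswith("interface "):
            continue
        iface = header.split(None, 1)[1]
        for line in children:
            m = re.match(r"ip access-group (\S+) (in|out)$", line)
            if m:
                applied.setdefault(m.group(1), []).append(f"{iface}/{m.group(2)}")
    return applied


def audit(config, model_acl_usage=True):
    """Return a list of (rule, detail) findings for the given configuration.

    With model_acl_usage=False the permissive-ACL rule behaves like a naive
    pattern match and also reports ACLs that are never applied anywhere.
    """
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []

    # Flat, single-line checks: each is a direct pattern on one config line.
    if "no service password-encryption" in headers:
        findings.append(("PASSWORD-ENCRYPTION",
                         "service password-encryption is disabled; local passwords are stored in clear text"))
    for h in headers:
        if h.startswith("enable password "):
            findings.append(("ENABLE-PASSWORD",
                             "enable password is stored reversibly (type 0/7); use 'enable secret' instead"))
        m = re.match(r"snmp-server community (\S+)", h)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("SNMP-DEFAULT-COMMUNITY",
                             f"well-known SNMP community string '{m.group(1)}' configured"))
    for header, children in blocks:
        if header.startswith("line vty"):
            for line in children:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(("VTY-TELNET",
                                     f"{header}: '{line}' allows unencrypted Telnet management"))

    # Modelled check: a permit-all ACL matters only where it is enforced.
    applied = applied_acls(blocks)
    for header, children in blocks:
        m = re.match(r"ip access-list (?:extended|standard) (\S+)$", header)
        if not m:
            continue
        name = m.group(1)
        permissive = [l for l in children if re.match(r"permit \S+ any any$", l) or l == "permit any"]
        if not permissive:
            continue
        if name in applied:
            findings.append(("PERMISSIVE-ACL",
                             f"{name} permits all traffic and is applied on {', '.join(applied[name])}"))
        elif not model_acl_usage:
            findings.append(("PERMISSIVE-ACL", f"{name} permits all traffic (not applied anywhere)"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"[{rule}] {detail}")
```

Run against the sample, the modelled audit reports five findings and stays silent about the UNUSED access list, because nothing references it; with `model_acl_usage=False` the same rule adds a sixth, spurious finding for UNUSED. None of the five real findings would be visible to an external scanner except, indirectly, the open Telnet port.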
Why do I need both in my network security toolbox?
Vulnerability scanners are an important technology for addressing application-layer vulnerabilities, particularly in web applications, but when it comes to assuring network equipment with embedded configurations, scanning does not offer the same quality of outcome.
While it is important to understand the differences between configuration auditing and vulnerability scanning tools and what each can do, both are important for network security. Vulnerability scanning does not remove the need for configuration auditing, and configuration auditing used alone cannot secure the entire network.
Both are important when it comes to assessing and maintaining cybersecurity, and many of the accepted industry standards mandate both. In addition, make sure that your network security team is trained in and understands the different capabilities of these tools, so that any investment made works as hard as possible to keep your organisation secure.