4 Replies Latest reply on Sep 8, 2013 11:22 PM by rukmalf

    Difference Between Active and Passive Device Profiling

    rukmalf

      Hi,

       

      Can anyone tell me what is the difference between these 2? Can active device profiling provide additional details compared to passive DP? If so, what are they?

       

      Thanks in advance

      Regards,

      Rukmal Fernando

        • 1. Re: Difference Between Active and Passive Device Profiling

          The active device profiling is done from the NTBA appliance and uses an NMAP scan.  The passive device profiling is done by the sensor itself and uses things like sequence numbers and user agents to determine the OS type.

           

          The NTBA Appliance sends active host scan details to the Manager. The Manager will collaborate data from all sources and provide a comprehensive view of the hosts on the network. It also uses the data for alert relevancy.

           

          Here's a KB article that gives more details of the passive device profiling:

           

          http://kc.mcafee.com/agent/index?page=content&id=KB60746

          • 2. Re: Difference Between Active and Passive Device Profiling
            rukmalf

            Hi,

             

            Thank you for the answer. Since both scans are doing the same thing, is there some sort of difference between the accuracy or the amount of details the scan can find?

            I also have noticed that you can configure the active scans on the NTBA. I would also like to know the following.

            1. How do we know the scans run? I cannot see any option where we can manually run or schedule them.

            2. How can we view the scan results?

             

            Thanks in advance

            Regards

            Rukmal

            • 3. Re: Difference Between Active and Passive Device Profiling

              The passive device profiling is trying to make an educated guess at what the details on the target system are.  The active one is using NMAP which will have a much higher likelihood of being correct.

               

              The schedule can be set up on the NTBA's active device profiling once the option is enabled.  The schedule is at the bottom of the same screen.

               

              The details can be seen on the CLI with 'show fingerprinting stats'.  The Manager will have context information for each host when the profiling is enabled under the 7.5 analyze tab as well as in the threat analyzer.
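
Added example, not part of the thread and not the sensor's actual logic: a simplified sketch of the passive approach described in replies 1 and 3, guessing the OS family from observed User-Agent headers and flagging hosts whose guess is weak as candidates for an active scan. The patterns, the 0.8 threshold, the function names and the sample traffic are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Ordered patterns, first match wins: Android UAs also contain "Linux",
# and iPhone/iPad UAs also contain "Mac OS X", so the specific ones go first.
OS_PATTERNS = [
    ("Windows", re.compile(r"Windows NT")),
    ("Android", re.compile(r"Android")),
    ("iOS", re.compile(r"iPhone|iPad")),
    ("macOS", re.compile(r"Mac OS X")),
    ("Linux", re.compile(r"Linux|X11")),
]

def os_from_user_agent(ua):
    """Return an OS family guess for one User-Agent string, or None."""
    for name, pattern in OS_PATTERNS:
        if pattern.search(ua):
            return name
    return None

def profile_hosts(observations, min_confidence=0.8):
    """observations: iterable of (src_ip, user_agent) pairs seen on the wire.
    Hosts that never send a recognisable User-Agent get no profile at all."""
    votes = defaultdict(Counter)
    for ip, ua in observations:
        guess = os_from_user_agent(ua)
        if guess:
            votes[ip][guess] += 1
    profiles = {}
    for ip, counter in votes.items():
        os_name, hits = counter.most_common(1)[0]
        confidence = round(hits / sum(counter.values()), 2)
        # Conflicting guesses (NAT, VMs, spoofed agents) lower the confidence.
        profiles[ip] = {"os": os_name, "confidence": confidence,
                        "needs_active_scan": confidence < min_confidence}
    return profiles

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"),
    ("10.0.0.9", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/23.0"),
    ("10.0.0.9", "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26"),
    ("10.0.0.9", "Mozilla/5.0 (Linux; U; Android 4.2; en-us) AppleWebKit/534.30"),
]

if __name__ == "__main__":
    for ip, profile in sorted(profile_hosts(SAMPLE).items()):
        print(ip, profile)
```
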

              • 4. Re: Difference Between Active and Passive Device Profiling
                rukmalf

                Hi,


                Do we have to integrate NMAP or does the NTBA already have it and use it for the scan?

                 

                Regards,

                Rukmal