This paper examines the distinctions between threat management (TM) and vulnerability management (VM) as two foundational approaches to network security. Drawing on studies in TCP/IP networking, authentication systems, and software-based defenses, the paper explains how threat management operates at the gateway level using multilayered security protocols, while vulnerability management focuses on scanning, identifying, and remediating weaknesses across a network's hardware and software stack. The paper compares the two approaches across key attributes, including scalability, GUI administration, and detection accuracy, and argues that because modern hackers exploit all seven OSI layers using blended and specialized attack methods, a hybrid application of both systems is necessary for comprehensive network defense.
Studies have examined the possibility of implementing an all-encompassing technology capable of managing several layers of the OSI networking model. However, this implementation has considerably lost influence because single-headed approaches are defeated by the evolving nature of attacks. The 2600 Hacker Quarterly currently presents users with dozens of attack methodologies, and hacking has become too complex for any single solution to address. This paper differentiates threat management from vulnerability management and addresses the importance of each in implementing a hybrid network management strategy. Specifically, it examines a hybrid approach operating at the operating system and gateway levels, and clarifies that a hybridized security posture is responsive to the full range of attacks across all OSI networking layers.
The research is grounded in the following studies. Nikolaidis (2003) inspired this study through his analysis of the TCP/IP networking model and its relevance in establishing a security perimeter. Wu (2013) and Wenqiang (2010) assess authentication approaches and identify weaknesses in certain network authentication systems. Gandotra (2013), seconded by Andre (2008) and Hsu et al. (2012), clarifies the various software roles and their impact on network defenses. Sterling (2006) provides a technical perspective on DMZ server placement and its effects on the first through third layers of the OSI model in the broader debate between threat management and vulnerability management.
In modern IT security, the desire to provide comprehensive services is paramount. The chief reason is that potential clients of a given technology often lack foundational knowledge of network security approaches. Wenqiang (2010, p. 104) argues that traditional signature scanning proved unable to keep pace with virus attacks that were reaching epidemic levels. Threat management (TM) technology was therefore developed to ensure that a wide variety of gateway and desktop solutions could be applied in concert. The evolution of TM technology was driven by the emergence of blended attacks, which basic antivirus software could not adequately mitigate. In response, it became necessary to incorporate user-level mitigation techniques spanning file transfer systems, web traffic, and email.
Threat management is a network-based security approach that focuses on the primary network gateway as a defense mechanism for an organization. It is capable of performing multiple network defense protocols, including gateway antivirus, network intrusion prevention, gateway anti-spam, VPN content filtering, data-leak prevention, and load balancing. Sterling (2006, p. 13) argues that TM technology uses a multilayered approach to incorporate several security technologies simultaneously. A TM system can be configured so that security features are quickly updated to meet evolving threats. Wu et al. (2013) build on this in what they term a triple-A approach to network and system management: authentication, authorization, and accounting.
Authentication seeks to verify that an identity claim is authentic and valid. In most network attacks, establishing the identity of the attacker is a critical challenge. When this approach is properly applied, however, the technology can identify the source of attacks and direct a response accordingly. Gandotra (2012, p. 290) further argues that the technology can be configured through a Graphical User Interface (GUI), making administration accessible to junior-level managers. As part of user management, the system is designed to be simple and streamlined in order to facilitate troubleshooting and reduce total cost of ownership (TCO). The technology also reduces technical training requirements by consolidating defenses into a single comprehensive product. It is administered through a unified software interface.
Despite these advantages, TM does not address single-point compromise if the underlying network is itself vulnerable. The technology is also limited by single-bandwidth orientation, which can prevent it from satisfying the full demands of a given network. Gandotra (2012, p. 491) notes that TM is capable of mitigating fraud, pharming attacks, and phishing attacks, and can detect, analyze, and remediate attacks that cause productivity loss and system downtime. Eaton (2001, p. 184) adds that TM can provide a standalone solution, though such solutions are complex to manage, requiring separate maintenance processes and patch management strategies that must be updated with every software release. Nonetheless, TM provides its own operating system, enabling centralized management with monitoring and reporting capabilities. When evaluating TM against other technologies, particular attention should be given to whether an alternative solution can monitor behavior related to connections on unusual ports.
Vulnerability management focuses on a continuous cycle of identifying, classifying, remediating, and mitigating potential vulnerabilities. These vulnerabilities may be introduced through software or firmware installed on a given system. A vulnerability management device utilizes both hardware and software tools to scan previously identified open ports, insecure software configurations, and susceptibility to malware. A vulnerability scanner can also be applied in the detection of zero-day attacks (Gandotra, 2012).
In the IT industry, vulnerability attacks are sometimes treated as simple issues, mere software patches for known problems. In reality, however, the scope of platforms and applications introduces a wide range of weaknesses, and prevention is the only reliable remedy. Most organizations contend with networks running a large number of diverse products. Hsu et al. (2012, p. 1439) acknowledge that many organizations fail to implement IT defenses all the way to the network edge. As a result, patches often appear irrelevant to implement: the organization may be unaware of available releases, or may lack the knowledge to implement them correctly.
Vulnerability management addresses this by providing file-patching technology that uses vulnerability scanners capable of detecting vulnerabilities from the network side with reasonable accuracy and from the host side with optimal accuracy. However, Andre (2008, p. 4) notes that the volume of data generated by these systems presents a key challenge. Many organizations maintain large databases, and a scan-then-fix approach introduces significant complexity. It is also important to acknowledge that many vulnerability management approaches fail to provide adequate network visibility into critical systems.
To develop a sound vulnerability management process, Ariba et al. (2006, p. 256) suggest the following steps in alignment with overall mitigation plans. First, the IT department should develop a hardening policy that defines device configuration states, resource access controls, and user identity protocols. Second, IT personnel must maintain awareness of known vulnerability attacks. Third, they should prioritize mitigation activities and incorporate external threat intelligence, including asset classification and security posture assessments. Fourth, the team should extend environmental defenses (using network or desktop tools) prior to eliminating identified vulnerabilities. Fifth, the administrator should eliminate vulnerabilities at their root, which is considered the most legitimate approach. Sixth, the environment should be continuously monitored for policy deviations in order to identify new vulnerabilities, particularly those that may affect the DMZ zone.
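The hardening policy, asset-classification and policy-deviation steps above can be combined into a small scan-then-fix triage routine. The following is an added example written for this paper, not code from any of the cited studies; the policy, asset inventory, severity scale and findings are constructed sample data.

```python
# Added example (not from the paper): checks scanner findings against a
# hardening policy and ranks remediation by asset classification and exposure.
from dataclasses import dataclass

# Hardening policy: listening ports permitted for each device role (constructed).
HARDENING_POLICY = {
    "web": {80, 443},
    "db": {5432},
    "workstation": set(),
}

# Asset classification: criticality 1 (low) to 5 (high) and network zone (constructed).
ASSETS = {
    "10.0.1.10": {"role": "web", "criticality": 4, "zone": "dmz"},
    "10.0.2.20": {"role": "db", "criticality": 5, "zone": "internal"},
    "10.0.3.30": {"role": "workstation", "criticality": 2, "zone": "internal"},
}

@dataclass
class Finding:
    host: str
    port: int        # listening port reported by the scanner
    severity: int    # scanner severity on a constructed 1..10 scale

def is_deviation(f):
    """True when the port is listening but the host's role does not permit it."""
    return f.port not in HARDENING_POLICY[ASSETS[f.host]["role"]]

def priority_score(f):
    """Severity weighted by criticality; DMZ exposure doubles the score and a
    policy deviation adds a fixed penalty so unexpected services surface first."""
    asset = ASSETS[f.host]
    score = f.severity * asset["criticality"]
    if asset["zone"] == "dmz":
        score *= 2
    if is_deviation(f):
        score += 10
    return score

def prioritize(findings):
    """Findings ordered from most to least urgent (stable for equal scores)."""
    return sorted(findings, key=priority_score, reverse=True)

SAMPLE_FINDINGS = [
    Finding("10.0.1.10", 443, 3),    # expected service on a DMZ web host
    Finding("10.0.1.10", 8080, 2),   # unexpected listener on the DMZ host
    Finding("10.0.2.20", 5432, 6),   # expected service, but on a critical asset
    Finding("10.0.3.30", 3389, 7),   # unexpected listener on a workstation
]
```

Running `prioritize(SAMPLE_FINDINGS)` places the critical database host first and the unexpected DMZ listener second, ahead of the higher-severity workstation finding.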
Vulnerability attacks are typically approached in three phases: discovery, reconnaissance, and white-box testing. During discovery, the system identifies all hosts on a given network based on process, version, type, and passive observation. The system applies creative end-use protocols to conduct a close analysis of application behavior. Once a host is identified, the white-box phase pings it and gathers additional information, which is stored on a secure server. One complexity with this approach concerns its use of ICMP echo requests to identify a host and its origin. During the mitigation phase, most scanners technically manipulate the TCP/IP process so that the system can override standard networking protocols (Ariba, 2006, p. 259). The technology seeks to examine the entire system by deploying a packet-sniffing process that identifies common ports within a network design. To accomplish this, TCP SYN packets are sent simultaneously to multiple ports, with the intent of determining whether a host is present or absent. The scanner then determines whether each port is open or closed based on the response received.
Regarding the merits and limitations of this approach: vulnerability management is highly scalable, with scanning conducted from a centralized location that distributes activity across different segments of the network architecture. The technology provides administrators with visibility into networked devices regardless of platform. Additionally, the technology gives administrators a realistic view of the production risk environment, and provides incremental information enabling assessment of all resources, since ports and protocols are configured according to administrator requirements.
However, the system also presents notable challenges. Nikolaidis (2003, p. 6) argues that the technology lacks proper validation, since basic systems will naturally attempt to prevent adverse scanning effects. Network infrastructure may also fail to respond reliably, causing scanning speeds to fall below expected levels. Furthermore, if proper scanning is not conducted, agents may detect scanning activity as an attack on the vulnerability backbone, leaving the host unable to generate effective countermeasures against a real vulnerability attack.
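The SYN-probe behaviour described in the scanning phases above is exactly what network agents see, which is why an authorized scan can be misread as an attack. The following added example (written for this paper, not from any cited study) shows a defender-side detector that flags many distinct destination ports from one source within a short window and labels the organization's registered scanner separately so its sweeps are not escalated; the log format and addresses are constructed.

```python
# Added example (not from the paper): flags SYN-scan behaviour in firewall
# logs by counting distinct destination ports per source within a time window,
# and labels the organisation's registered scanner separately so its sweeps are
# not escalated as attacks. Log format and addresses are constructed sample data.
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\d+) SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

# Constructed sample: 10.0.9.5 is the registered vulnerability scanner,
# 198.51.100.7 an unknown source sweeping the same host, 203.0.113.9 a normal client.
SAMPLE_LOG = """\
1000 SYN src=10.0.9.5 dst=10.0.1.10 dport=22
1000 SYN src=10.0.9.5 dst=10.0.1.10 dport=80
1001 SYN src=10.0.9.5 dst=10.0.1.10 dport=443
1002 SYN src=10.0.9.5 dst=10.0.1.10 dport=3389
1005 SYN src=198.51.100.7 dst=10.0.1.10 dport=21
1005 SYN src=198.51.100.7 dst=10.0.1.10 dport=22
1006 SYN src=198.51.100.7 dst=10.0.1.10 dport=23
1007 SYN src=198.51.100.7 dst=10.0.1.10 dport=445
1300 SYN src=203.0.113.9 dst=10.0.1.10 dport=443
"""

AUTHORIZED_SCANNERS = {"10.0.9.5"}

def parse(log_text):
    """Yield (ts, src, dst, dport) tuples; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["dport"])

def detect_scans(log_text, window=10, min_ports=4):
    """Map each source that touched >= min_ports distinct ports on one host
    within `window` seconds to 'authorized-scan' or 'suspected-scan'."""
    hits = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport in parse(log_text):
        hits[(src, dst)].append((ts, dport))
    verdicts = {}
    for (src, dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # sliding window from each event
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                verdicts[src] = "authorized-scan" if src in AUTHORIZED_SCANNERS else "suspected-scan"
                break
    return verdicts
```

The single connection from 203.0.113.9 never reaches the port threshold and produces no verdict, while the two sweeps are separated by the scanner allowlist rather than by traffic shape alone.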
Key contrasts and overlaps between TM and VM
Argument for hybrid deployment across all OSI layers
Hacking is a sophisticated discipline that seeks to override the fundamental systems of a network. This analysis has examined the inherent dangers of relying on a single security approach and demonstrated that hackers bring a wide variety of attack methods to bear. Notably, this paper has not addressed physical server room intrusion, which represents a further attack vector beyond the scope of software or network-based defenses. In that light, organizations should consider adopting multiple complementary technologies, for example automatic data backup, data destruction protocols, and systems capable of launching automated counter-responses through purpose-built tools. In summary, the hybrid application of threat management and vulnerability management provides a substantially more responsive security perimeter than either approach could achieve independently, and represents the appropriate direction for contemporary network defense strategy.