Network Passive Sensor Overview
Qualys Network Passive Sensor (NPS) helps you automatically detect and profile devices connected to your network, eliminating blind spots across your IT environment and giving you visibility into all known and unknown assets in your network.
NPS monitors network activity without any active probing of the device in order to detect the active assets in your network. It also identifies key device attributes that help the PS Microservices on the Enterprise TruRisk™ Platform fingerprint the device and catalog it into normalized operating system/hardware categories. NPS also monitors the traffic flow and reports it to the application, helping identify the amount of chatter between communicating endpoints.
Network Passive Sensor Benefits
- Monitors all network traffic and raises an alert for any asset-related activity that requires attention.
- Identifies and profiles devices the moment they connect to the network, including those difficult to scan, corporate-owned, brought by employees, and rogue IT. The asset metadata is sent immediately to the Qualys Enterprise TruRisk™ Platform for centralized analysis.
- Enriches existing asset inventory with additional details, such as recent open ports, traffic summary, network services and applications in use, helping you gain a deeper understanding of an asset and its activity on the network in near-real time.
- Identifies assets that, for different reasons, cannot be actively scanned or monitored with agents. That's often the case with assets like industrial equipment, IoT, and medical devices.
- Aggregates and correlates the data gathered by all Qualys sensors - Qualys Passive Sensors, the Qualys network sensors and the Qualys Cloud Agent - giving you a comprehensive, detailed inventory of all your hardware and software, as well as a multi-dimensional view of your global, hybrid IT environment.
Network Passive Sensor Journey
The Network Passive Sensor is available as two appliances (sensors): Physical and Virtual. They are placed inside your network and ingest a mirror of the data flowing over the network. Each sensor extracts metadata from the mirrored data fed to it and sends it to the Qualys Enterprise TruRisk™ Platform for analysis.
Assets discovered by passive sensors are reported to Qualys Global AssetView inventory, where you can find information about them. If an asset discovered by a Passive Sensor is already known by active scans or cloud agents, it is considered a managed asset, and the asset data is correlated and merged. If the asset is previously unknown, it is placed in the unmanaged list of assets.
The NPS journey outlines how the sensor detects, profiles, and reports on assets to deliver real-time asset intelligence without requiring active scanning or agents.
1. Sensor Deployment
The sensor can be installed as a physical or virtual appliance, depending on your environment. You can connect the sensor's ingestion interfaces to the traffic that should be tapped from the aggregation/choke point in the network. The traffic can be fed to the ingestion interface(s) via SPAN, RSPAN or ERSPAN. For more information, refer to Deploy Sensor.
2. Traffic Capture
After deployment, the sensor begins analyzing the ingested network traffic in real time. It continuously listens to packets flowing through the network and observes a wide range of IT and OT protocols, including but not limited to ARP, DHCP, DNS, and HTTP, as well as industrial protocols such as Modbus and DNP3.
| Ams (Beckhoff) | Profinet DCE-RPC | PCCC |
| HTTP | LLDP | Omron FINS |
| SSL | Modbus | SLMP |
| TCP | S7comm plus | Ethercat |
| DNS | Netbios | CC-Link IE |
| SSH | CIP | MELSOFT |
| DHCP | SSDP | DeltaV |
| SNMP | WSD | Crimson |
| BACNET | DNP3 | CDP |
| EthernetIP | MQTT | Toyopuc |
| S7comm | IEC104 | MicrosoftDiscoveryProtocol |
| Profinet DCP | Kerberos | MetasysPrivateMessage |
| Telnet | SMTP | Proconos |
| Browser | OPC-UA | HoneywellCeentcomm |
| HoneywellControlEdgeBuilder | SIP | SRTP |
| HoneywellControlEdgeDiscovery | IEC61850-MMS | Opto |
| ARP | FOX | |
| ICMPv6 – Neighbour Discovery | PCWorx | |
3. Asset Discovery
With traffic captured, the sensor identifies every device that transmits or receives data. NPS extracts critical details such as IP address, MAC address, domain, and hostname from the ingested traffic.
4. Asset Analysis
Once devices are discovered, NPS performs deep analysis to determine the operating system and version, identify applications and services in use, and classify the asset type, such as workstation, server, router, IoT device, or industrial controller.
5. Continuous Monitoring
NPS continuously monitors the environment, detecting new assets as soon as they connect, tracking existing assets as they change IP addresses or services, and flagging unauthorized or unmanaged devices.
6. Asset Inventory
The asset information collected by NPS is securely transmitted to the Qualys Enterprise TruRisk™ Platform. Within the platform, the Qualys Global AssetView cloud app aggregates and correlates the data gathered by all Qualys sensors (Qualys NPS, the Qualys network scanners, and the Qualys Cloud Agent), giving you a comprehensive, detailed inventory of all your hardware and software, as well as a multi-dimensional view of your global, hybrid IT environment.
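The passive discovery described in step 3 and the managed/unmanaged split described earlier can be illustrated with a small parser. This is an added example, not Qualys code and not how NPS is implemented: it reads raw mirrored Ethernet frames, pulls MAC, IP and hostname from ARP and DHCP client messages, and flags MACs missing from a set of already-managed assets. The function names, sample frames, and the MAC-keyed `managed_macs` set are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

def parse_frame(frame):
    """Return (mac, ip, hostname) seen in one mirrored Ethernet frame, else None."""
    if len(frame) < 42:
        return None
    if frame[12:14] == b"\x08\x06":              # ARP: sender MAC and sender IP
        return frame[22:28].hex(":"), str(IPv4Address(frame[28:32])), None
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # otherwise only IPv4/UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the IPv4 header length
    bootp = frame[udp + 8:]
    if (frame[udp:udp + 4] != struct.pack("!HH", 68, 67) or len(bootp) < 240
            or bootp[236:240] != b"\x63\x82\x53\x63"):   # client ports + magic cookie
        return None
    mac, ip, host, opts, i = bootp[28:34].hex(":"), None, None, bootp[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:  # walk TLV options until End
        if opts[i] == 0:                         # Pad option has no length byte
            i += 1
            continue
        code, val = opts[i], opts[i + 2:i + 2 + opts[i + 1]]
        if code == 12:                           # Host Name
            host = val.decode("ascii", "replace")
        elif code == 50 and len(val) == 4:       # Requested IP Address
            ip = str(IPv4Address(val))
        i += 2 + opts[i + 1]
    return mac, ip, host

def build_inventory(frames, managed_macs):
    """Merge observations per MAC; flag assets absent from the managed set."""
    inventory = {}
    for mac, ip, host in filter(None, map(parse_frame, frames)):
        rec = inventory.setdefault(mac, {"ip": None, "hostname": None})
        rec["ip"], rec["hostname"] = ip or rec["ip"], host or rec["hostname"]
        rec["managed"] = mac in managed_macs
    return inventory

def sample_arp(mac, ip):                         # constructed ARP request frame
    m = bytes.fromhex(mac.replace(":", ""))
    return (b"\xff" * 6 + m + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 1)
            + m + IPv4Address(ip).packed + b"\0" * 6 + IPv4Address("10.0.0.1").packed)

def sample_dhcp(mac, host, ip):                  # constructed DHCP REQUEST frame
    m = bytes.fromhex(mac.replace(":", ""))
    opts = b"\x35\x01\x03\x32\x04" + IPv4Address(ip).packed + bytes([12, len(host)]) + host.encode() + b"\xff"
    bootp = b"\x01\x01\x06\x00" + b"\0" * 24 + m + b"\0" * 202 + b"\x63\x82\x53\x63" + opts
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return b"\xff" * 6 + m + b"\x08\x00" + ip_hdr + struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
```

Feeding `build_inventory` the output of `sample_arp` and `sample_dhcp` together with a set of known MACs yields one record per device, with `managed` set to `False` for any device seen only on the wire.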
Sensor Deployment Options
Qualys Network Passive Sensor is available as a physical or virtual sensor.
- Virtual Sensor: VMware ESXi 7.0 or later and Microsoft Hyper-V 2016 or later
- Physical Sensor: 1Gbps, 4Gbps, and 10Gbps
- Industrial Sensor: 100 Mbps
For more information about network placement, sensor sizing, mirroring traffic, and so on, refer to Get Started with Network Passive Sensor.