October 2004

Vulnerability Scanners

Find your network's holes before hackers do

Vulnerability scanners can play a prominent role in managing your network's security. Modern scanners check target systems against a database of known vulnerabilities and report potential security holes. And although they don't actively prevent attacks, many scanners provide additional tools to help you fix found vulnerabilities.

Evaluation Criteria
Scanners are available for any network and any budget. I examined five vulnerability scanners, ranging from small, lightweight products to Microsoft SQL Server-based, feature-rich programs and from free, open-source programs to scanners that cost thousands of dollars. The products in this roundup include Sunbelt Software's Sunbelt Network Security Inspector (SNSI) 1.5, NetIQ Vulnerability Manager 5.0, GFI Software's GFI LANguard Network Security Scanner (N.S.S.) 5.0, eEye Digital Security's Retina Network Security Scanner 5.0, the open-source Nessus Project's Nessus (with client NessusWX 1.4.4), and the BindView RMS vulnerability-management solutions (the RMS Console 7.3, bv-Control for Windows 7.35, and bv-Control for Internet Security 7.25). Internet Security Systems plans on releasing a new version of its popular Internet Scanner, so it didn't submit a product for this review. I tested only standard software-based scanners; see the Web-exclusive sidebar "Subscription and Turnkey Solutions," InstantDoc ID 43871, for information about other methods.

All the scanners I tested are network-based, meaning that you install and configure them from one console, then point them at target systems on your network. (The NetIQ scanner's agent-based approach was a slight exception to this rule, as I explain later. Some of the BindView products also include agents that can provide additional data.) I considered how easy a product was to install, configure, and use--and how adequate its Help files were--in my ratings. All the scanners support heterogeneous targets, but to help you choose the right scanner for your environment, Table 1 lists the primary platforms and programs that each product supports.

Each scanner maintains a database that categorizes and describes the vulnerabilities that it can detect. The most comprehensive databases also provide built-in remediation steps or links to more verbose external sources such as the BugTraq and Common Vulnerabilities and Exposures (CVE) lists. A solid scanning engine, coupled with a detailed database, can improve your ability to spot vulnerabilities and will produce few (if any) false positives. Most scanners require administrative access to interrogate target systems properly, but many scanners also let you conduct a scan by using null credentials so that you can discover what an anonymous attacker might glean from your network. I took into account which products provided built-in, comprehensive collections of vulnerability data as well as which scanners let you customize scans to meet specific needs.

Scanners generate a ton of data--a single scan can find 30 to 50 vulnerabilities on one computer. Multiply that by the number of computers in your domain and you'll understand why you'll want a scanner that can aggregate or filter data into meaningful reports. All the products in this round-up provide report generation and let you access historical reports from previous scans. Some products store data in .mdb files; others require SQL Server. If you're a SQL or XML pro, you might even be able to create your own report formats after you spend a little time studying a scanner's database schema.
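The aggregation and filtering described above is easy to do yourself once you have the raw findings. The following is an added example, not code from the article or from any of the products reviewed: it takes a constructed list of findings from two consecutive scans (host names, check ids such as "V-101", and "CVE-0000-000N" references are all placeholders, not real identifiers), builds a per-host severity summary, ranks the checks that affect the most hosts, filters by minimum severity, diffs the current scan against the historical one, and finally loads the data into an in-memory SQLite table to show the kind of custom report you can write once you know the schema.

```python
import sqlite3
from collections import Counter, defaultdict
from dataclasses import dataclass

# Severities as SNSI names them in the article; lower rank = more severe.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Warning": 3}


@dataclass(frozen=True)
class Finding:
    host: str         # target computer name (constructed)
    check_id: str     # scanner's own check identifier (constructed, e.g. "V-101")
    severity: str     # one of SEVERITY_RANK
    refs: tuple = ()  # external references; "CVE-0000-000N" are placeholders, not real ids


# Constructed results of two consecutive scans of the same three hosts.
PREVIOUS_SCAN = [
    Finding("web01", "V-101", "High", ("CVE-0000-0001",)),
    Finding("web01", "V-205", "Low"),
    Finding("web02", "V-101", "High", ("CVE-0000-0001",)),
    Finding("db01", "V-310", "Medium", ("CVE-0000-0002",)),
]
CURRENT_SCAN = [
    Finding("web01", "V-205", "Low"),                       # V-101 no longer reported on web01
    Finding("web02", "V-101", "High", ("CVE-0000-0001",)),  # still open
    Finding("web02", "V-400", "Warning"),                   # new
    Finding("db01", "V-310", "Medium", ("CVE-0000-0002",)),
    Finding("db01", "V-101", "High", ("CVE-0000-0001",)),   # new on db01
]


def severity_by_host(findings):
    """Per-host counts by severity: the summary table most reports open with."""
    table = defaultdict(Counter)
    for f in findings:
        table[f.host][f.severity] += 1
    return {host: dict(counts) for host, counts in table.items()}


def most_widespread(findings, top=3):
    """Checks affecting the most hosts, ties broken by severity and then by id."""
    hosts = defaultdict(set)
    severity = {}
    for f in findings:
        hosts[f.check_id].add(f.host)
        severity[f.check_id] = f.severity
    ranked = sorted(hosts, key=lambda c: (-len(hosts[c]), SEVERITY_RANK[severity[c]], c))
    return [(c, len(hosts[c]), severity[c]) for c in ranked[:top]]


def filter_min_severity(findings, minimum):
    """Keep findings at or above a severity, to cut a 50-item list down to what matters."""
    cutoff = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK[f.severity] <= cutoff]


def diff_scans(previous, current):
    """Compare against a historical scan: (host, check) pairs that are new, and ones that went away."""
    prev = {(f.host, f.check_id) for f in previous}
    cur = {(f.host, f.check_id) for f in current}
    return sorted(cur - prev), sorted(prev - cur)


def to_sqlite(findings):
    """Load findings into an in-memory table, standing in for a scanner's .mdb or SQL Server store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE finding (host TEXT, check_id TEXT, severity TEXT)")
    conn.executemany("INSERT INTO finding VALUES (?, ?, ?)",
                     [(f.host, f.check_id, f.severity) for f in findings])
    return conn


def hosts_ranked_by_high(conn):
    """A custom report: hosts ordered by their number of High findings."""
    return conn.execute(
        "SELECT host, SUM(severity = 'High') AS highs FROM finding "
        "GROUP BY host ORDER BY highs DESC, host"
    ).fetchall()


if __name__ == "__main__":
    print("per host:", severity_by_host(CURRENT_SCAN))
    print("most widespread:", most_widespread(CURRENT_SCAN))
    new, fixed = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("new since last scan:", new)
    print("fixed since last scan:", fixed)
    print("Medium and above:", len(filter_min_severity(CURRENT_SCAN, "Medium")))
    print("hosts by High count:", hosts_ranked_by_high(to_sqlite(CURRENT_SCAN)))
```

The scan diff is the piece worth keeping around: a finding that disappears between scans without a recorded fix is as interesting as a new one, because it may mean the host was unreachable or the credentials used for the second scan were weaker, not that the problem went away.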

Of course, identifying vulnerabilities is only half (or less) of the battle. Remediation takes time and effort. Most of the products I tested can tell you how to fix the problems they find, but the ones that go above and beyond can actually perform basic remediation steps (e.g., disabling vulnerable user accounts).

For a fairly lightweight tool, SNSI is a robust product. Installation was quick, and a wizard walked me through the process of setting up my network scan (and helped streamline the scanning process). The attractive UI belied a somewhat complicated method of scanning the target's registry and file system but was easy to use once I got used to it. Sunbelt Software licenses Harris's Security Threat Avoidance Technology (STAT) to power SNSI's scan engine, so if you're familiar with STAT, the SNSI recommendations will be even easier to understand. The Help system was concise and descriptive.

For my first scan, SNSI's wizard had me define a scan group that contained my target computers. I could choose from a list of domain-enumerated computers or define my target set from an IP address range. This ability to create customized scan groups can be useful when you want to scan computers according to their function (e.g., all your Web servers or database servers).

After I defined a scan group, I needed to choose a vulnerability group that defined the vulnerabilities to look for. I could choose from a set of predefined groups, such as SANS Top 20 Internet Security Vulnerabilities, that scan for a specific set of vulnerabilities. (This particular group uses the security-focused SysAdmin, Audit, Network, Security--SANS--Institute Web site's list of the top 20 major Windows and UNIX vulnerabilities.) You can customize the predefined groups by adding vulnerabilities from a database of more than 2300 vulnerabilities, which SNSI categorizes as High, Medium, Low, or Warning. You can also use SNSI to perform port scans that enumerate the running services associated with each port on the target system--a capability that can help you distinguish appropriate network services from potential malicious software (malware). Unfortunately, the product embeds its port-scan results within its vulnerabilities results, making the port information difficult to spot. SNSI also lists all shares for the target, as well as associated permissions for disks, printers, and admin shares.
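The two steps just described (a scan group defined from an IP range or host list, and a vulnerability group built from a predefined set plus checks selected by severity) map directly onto a small data model. The following is an added example, not code from the article or from SNSI: the check catalogue, the predefined group, the scan results, and the IP addresses (from the 192.0.2.0/24 documentation range) are all constructed. It also addresses the complaint in the paragraph above by splitting port-scan results out of the vulnerability results and comparing each host's listening services against a per-role baseline, so that services outside the baseline stand out for review.

```python
import ipaddress

# Constructed check catalogue (check id -> severity); not a real scanner database.
CATALOGUE = {"V-101": "High", "V-205": "Low", "V-310": "Medium", "V-400": "Warning", "V-512": "High"}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Warning": 3}
# A constructed stand-in for a predefined vulnerability group.
PREDEFINED_GROUP = {"V-101", "V-310"}


def build_scan_group(cidrs=(), hosts=()):
    """Expand CIDR ranges and explicit addresses into a sorted, de-duplicated target list."""
    addrs = set()
    for cidr in cidrs:
        addrs.update(ipaddress.ip_network(cidr, strict=True).hosts())
    addrs.update(ipaddress.ip_address(h) for h in hosts)
    return [str(a) for a in sorted(addrs)]


def vulnerability_group(base, add_at_or_above=None):
    """Start from a predefined group and optionally add every catalogue check at or above a severity."""
    group = set(base)
    if add_at_or_above is not None:
        cutoff = SEVERITY_RANK[add_at_or_above]
        group.update(cid for cid, sev in CATALOGUE.items() if SEVERITY_RANK[sev] <= cutoff)
    return group


# Scan groups by function, as the article suggests: web servers from a range, the DB server by address.
GROUPS = {
    "web": build_scan_group(cidrs=["192.0.2.0/30"]),
    "db": build_scan_group(hosts=["192.0.2.10"]),
}
# Expected listening ports per role (constructed baseline).
BASELINE = {"web": {80, 443}, "db": {1433}}

# Constructed scan output with port-scan entries mixed in among vulnerability entries.
SCAN_RESULTS = [
    {"host": "192.0.2.1", "kind": "vuln", "check_id": "V-101"},
    {"host": "192.0.2.1", "kind": "port", "port": 80, "service": "http"},
    {"host": "192.0.2.1", "kind": "port", "port": 3389, "service": "ms-wbt-server"},
    {"host": "192.0.2.2", "kind": "port", "port": 80, "service": "http"},
    {"host": "192.0.2.2", "kind": "vuln", "check_id": "V-205"},
    {"host": "192.0.2.10", "kind": "port", "port": 1433, "service": "ms-sql-s"},
    {"host": "192.0.2.10", "kind": "port", "port": 8080, "service": "http-alt"},
]


def split_results(results):
    """Separate vulnerability findings from port/service inventory so neither hides the other."""
    vulns = [r for r in results if r["kind"] == "vuln"]
    services = [r for r in results if r["kind"] == "port"]
    return vulns, services


def select_findings(vulns, group):
    """Keep only findings whose check belongs to the chosen vulnerability group."""
    return [v for v in vulns if v["check_id"] in group]


def role_of(host, groups):
    for role, members in groups.items():
        if host in members:
            return role
    return None


def unexpected_services(services, groups, baseline):
    """Listening services not in the baseline for the host's role: candidates for a closer look."""
    flagged = []
    for s in services:
        expected = baseline.get(role_of(s["host"], groups), set())
        if s["port"] not in expected:
            flagged.append((s["host"], s["port"], s["service"]))
    return flagged


if __name__ == "__main__":
    group = vulnerability_group(PREDEFINED_GROUP, add_at_or_above="High")
    vulns, services = split_results(SCAN_RESULTS)
    print("targets:", GROUPS)
    print("checks in group:", sorted(group))
    print("findings in group:", select_findings(vulns, group))
    print("services outside baseline:", unexpected_services(services, GROUPS, BASELINE))
```

Grouping targets by function is what makes the service baseline usable: a port that is normal on one role is worth a question on another, and the comparison only works when the scanner's port results are kept apart from its vulnerability list.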

After completing a scan, you can sort the results and view details of discovered vulnerabilities and corresponding third-party (e.g., BugTraq, CVE, SANS, Microsoft Knowledge Base) references, as Figure 1 shows. SNSI doesn't include hyperlinks to those references but does offer excellent, verbose instructions for dealing with the problems it finds. The product's Scan History node lets you easily access earlier scans, and you can view or print your results in one of 15 built-in Business Objects' Crystal Reports-based reports (although you can't customize them).

Reader Comments
I have got a problem - unable to view Table 3 (GFI LANguard N.S.S. summary)

Anonymous User, January 27, 2005

If you are using GFI LANguard Scanner, then you are stuck using the very program that causes most of the vulnerabilities in your workstations - Microsoft Internet Explorer...

Oxymoron anyone?

Anonymous User, February 09, 2005

Nessus is _very_ easy to install and configure. It's by far the best bang for the buck even if you factor in the time needed for a complete Linux/UNIX newbie to get it running.

Anonymous User, March 01, 2005