Top Vulnerability Scanners
In an ideal world, technology-purchasing decisions would
be backed by proper requirement gathering, proper testing, and realistic
budgeting. However, I've grown to realize that people
rarely have the luxury of doing things the right way. It is for this very
reason that I've picked what I consider to be the top vulnerability
scanners on the market today, and listed them here. This is not to say that
the other products won't do a sufficient job—these are just my personal
favorites based on my field experiences and testing. I still encourage the
reader to perform some level of investigation when choosing a product to
adopt, but the list of products in the following sections should get you
started.
Axent NetRecon
Axent's NetRecon complements Axent's existing security product line of firewall
and intrusion detection suites. NetRecon's strengths lie in its interface,
strong reporting abilities, its moderately sized vulnerability database,
and its capability to perform what is often referred to as secondary
exploitation—using knowledge gained from one server to assess another. Although
it's rare that I've found this final feature useful, it is something not
seen in many other products.
NetRecon has traditionally not been as thorough as Nessus,
Cybercop Scanner, or ISS, but it is still a fairly comprehensive scanning
tool that can be quite useful. It can also report into Axent's Enterprise
Security Manager (ESM), which can be used for more general
risk assessment efforts.
Vendor: Axent/Symantec
Headquarters: Rockville, MD (USA)
Platform: Windows
Product: NetRecon
URL: http://www.axent.com
ISS Internet Scanner
ISS initially built its company on
Internet Scanner, and it has long been regarded as the de facto standard in
the industry for vulnerability scanning. Internet Scanner has a strong reporting
back-end, a comprehensive set of vulnerability checks, and a very usable
GUI. ISS has obviously spent as much time polishing the product as they
have on the back-end scanning engine itself. For example, the scanner
provides a significant amount of background data on each vulnerability
check.
Internet Scanner uses a Microsoft ODBC–based back-end to
store its scan data, which can be used later for doing long-term trending.
As with NetRecon's integration with ESM, Internet Scanner integrates with the
ISS Decisions product. Combined with scanner data, ISS Decisions can be
used in conjunction with other security products (firewalls, intrusion
detection systems, and so on) to paint a more global picture of
vulnerability and threat points.
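The article mentions that Internet Scanner keeps its results in a relational back-end so that scans can be trended over time. The following is an added example, not the article's own material and not ISS code: it uses the standard-library sqlite3 module in place of an ODBC data source, stores findings per scan run, and then answers the two questions a trending report exists for (what is new, what got fixed, and how the open count moves between runs). The host names, check ids and dates are constructed sample data.

```python
"""Added example (not from the article, not ISS code): a small findings
store with scan-over-scan diffing and a trend query. sqlite3 stands in for
the ODBC back-end the article describes; all data below is constructed."""
import sqlite3
from typing import Dict, List, Set, Tuple

SCHEMA = """
CREATE TABLE scan (id INTEGER PRIMARY KEY, scanned_on TEXT NOT NULL);
CREATE TABLE finding (
    scan_id  INTEGER NOT NULL REFERENCES scan(id),
    host     TEXT NOT NULL,
    check_id TEXT NOT NULL,
    severity TEXT NOT NULL,
    PRIMARY KEY (scan_id, host, check_id)
);
"""

# Constructed sample data: three monthly scans of the same small network.
SAMPLE_SCANS = [
    ("2000-01-15", [("www1", "ftp-anon-write", "high"),
                    ("www1", "smtp-vrfy", "low"),
                    ("db1", "telnet-open", "medium")]),
    ("2000-02-15", [("www1", "smtp-vrfy", "low"),
                    ("db1", "telnet-open", "medium"),
                    ("db1", "snmp-public", "high")]),
    ("2000-03-15", [("db1", "snmp-public", "high")]),
]


def open_store() -> sqlite3.Connection:
    """Create an empty in-memory store with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_scan(conn: sqlite3.Connection, scanned_on: str,
                findings: List[Tuple[str, str, str]]) -> int:
    """Persist one scan run and its findings; return the new scan id."""
    cur = conn.execute("INSERT INTO scan (scanned_on) VALUES (?)", (scanned_on,))
    scan_id = cur.lastrowid
    conn.executemany("INSERT INTO finding VALUES (?, ?, ?, ?)",
                     [(scan_id, h, c, s) for h, c, s in findings])
    conn.commit()
    return scan_id


def findings_for(conn: sqlite3.Connection, scan_id: int) -> Set[Tuple[str, str]]:
    """(host, check_id) pairs that were open in the given scan."""
    rows = conn.execute("SELECT host, check_id FROM finding WHERE scan_id = ?",
                        (scan_id,))
    return set(rows.fetchall())


def diff_scans(conn: sqlite3.Connection, old_id: int,
               new_id: int) -> Dict[str, List[Tuple[str, str]]]:
    """Set arithmetic on two runs: what appeared, what disappeared, what remains."""
    old, new = findings_for(conn, old_id), findings_for(conn, new_id)
    return {"new": sorted(new - old),
            "fixed": sorted(old - new),
            "persisting": sorted(old & new)}


def trend(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Open-finding count per scan date, the series a trend chart plots."""
    rows = conn.execute("""SELECT s.scanned_on, COUNT(f.check_id)
                           FROM scan s LEFT JOIN finding f ON f.scan_id = s.id
                           GROUP BY s.id ORDER BY s.scanned_on""")
    return rows.fetchall()


def load_sample() -> Tuple[sqlite3.Connection, List[int]]:
    """Load the constructed scans; returns the connection and scan ids in order."""
    conn = open_store()
    ids = [record_scan(conn, day, found) for day, found in SAMPLE_SCANS]
    return conn, ids


if __name__ == "__main__":
    conn, ids = load_sample()
    print("Jan -> Feb:", diff_scans(conn, ids[0], ids[1]))
    print("trend:", trend(conn))
```

The primary key on (scan_id, host, check_id) is what makes the diff meaningful: a finding is identified by host and check, so the same check firing on the same host in consecutive runs is "persisting" rather than a fresh hit, and a check that simply stops firing shows up as "fixed" for a human to confirm.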
Although Internet Scanner traditionally hasn't had as many problems with false positives as other
products, it does still lag behind on the update front. The other negative
point worth mentioning is the fact that in my experience Internet Scanner
appears to have become less stable in the 6.x series of releases. I've had
numerous problems with it crashing during large scans, and occasionally
I'll have to clear out its internal database and start again clean before
it will cooperate. It has always been recoverable, however.
It should be noted that ISS also makes two other scanning
products, System Scanner and Database Scanner, although both are
agent-based and incapable of scanning remote systems.
Vendor: Internet Security Systems, Inc.
Headquarters: Atlanta, GA (USA)
Platform: Windows NT Workstation version 4.0
Product: Internet Scanner
URL: http://www.iss.net
Network Associates Cybercop Scanner
Cybercop Scanner's roots come from
NAI's (Network Associates, Inc.) acquisition of SNI (Secure Networks, Inc.)
and their Ballista product. Although Cybercop Scanner has an impressive
number of vulnerability checks and moderate reporting abilities, it also
comes with a number of surprisingly useful tools. Two of the tools of
particular interest are CASL and the SMB grinder. CASL enables the
GUI-based construction of IP packets, whereas the SMB grinder is similar to the password cracking capabilities of
L0phtCrack.
Cybercop's primary downsides revolve around it lacking
some fundamentally important vulnerability checks, and its bizarre
licensing scheme. NAI usually tries to sell Cybercop on a per-node basis, as
opposed to a per-number-of-servers-scanned basis. This can create some
horrendously high pricing schemes, depending on the alignment of the stars
and the salesperson's current commission plan.
Vendor: Network Associates, Inc.
Headquarters: Santa Clara, CA (USA)
Platform: Windows NT and UNIX
Product: Cybercop Scanner
URL: http://www.nai.com
The Open Source Nessus Project
Nessus was written by Renaud Deraison, an open source author living in Paris, France. Renaud
discovered Linux at age 16 and has been hacking it ever since. In 1996,
Renaud began attending 2600 meetings and subsequently developed a strong
interest in security. This spawned a partnership between Renaud and two
other programmers, and together they wrote their first auditing tool in
1997. After tackling that project, Renaud conceived Nessus in early 1998.
Nessus is quickly becoming the Linux
of the vulnerability-scanning field. Driven by the open source movement,
Nessus wasn't much to speak of a few years ago but is now gaining ground
on—and sometimes surpassing—its commercial counterparts. Nessus employs an
extensible plug-in model that enables the security community to add
scanning modules at will. This gives Nessus a development edge because any
check that it does not have can be created by anyone with some time and
coding abilities on their hands.
Nessus uses a console-engine model, in which the console
might or might not reside on the same computer as the scanning engine. This
distributed architecture allows for some interesting flexibility, as you
don't need to be anywhere close to the scanning engine in order to control
it.
At the time of this writing, Nessus had more than 500
vulnerability checks, some of which still aren't available in the
commercial scanning tools. Depending on how the development efforts
continue to progress, Nessus could surpass commercial scanners in overall thoroughness in the coming year.
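The plug-in model the preceding paragraphs describe is easy to see in miniature. The block below is an added example, not Nessus code and not taken from the article: a small engine holds a registry of checks, any caller can register a new check with a decorator, and a scan is just every registered check run against every host's observed service banners. The products, version thresholds and hosts are constructed sample data; the console/engine network split that Nessus uses is not modelled here, only the plug-in registry and the scan loop.

```python
"""Added example (not Nessus code, not from the article): a plug-in style
vulnerability check engine. Checks are registered at import time and run
against constructed host records; product names and version thresholds are
invented for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    services: Dict[int, str]  # port -> banner text observed on that port


@dataclass
class Finding:
    host: str
    port: int
    check_id: str
    severity: str
    detail: str


@dataclass
class Check:
    check_id: str
    severity: str
    port: int
    test: Callable[[str], Optional[str]]  # banner -> detail text if it applies


class Engine:
    """The plug-in registry plus the scan loop; nothing check-specific lives here."""

    def __init__(self) -> None:
        self.checks: List[Check] = []

    def register(self, check_id: str, severity: str, port: int):
        """Decorator used by plug-ins to add themselves to the registry."""
        def deco(fn: Callable[[str], Optional[str]]):
            self.checks.append(Check(check_id, severity, port, fn))
            return fn
        return deco

    def scan(self, hosts: List[Host]) -> List[Finding]:
        findings: List[Finding] = []
        for host in hosts:
            for chk in self.checks:
                banner = host.services.get(chk.port)
                if banner is None:          # service not present on this host
                    continue
                detail = chk.test(banner)
                if detail:
                    findings.append(Finding(host.name, chk.port, chk.check_id,
                                            chk.severity, detail))
        return findings


engine = Engine()

_VERSION = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """First dotted version number in a banner, as a comparable tuple."""
    m = _VERSION.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


# --- plug-ins: each one is a few lines and knows nothing about the engine ---

@engine.register("exampleftpd-old", "high", 21)
def check_ftpd(banner: str) -> Optional[str]:
    """Constructed rule: pretend ExampleFTPd releases before 2.2.0 need patching."""
    ver = parse_version(banner)
    if "ExampleFTPd" in banner and ver is not None and ver < (2, 2, 0):
        return "ExampleFTPd %s is older than 2.2.0" % ".".join(map(str, ver))
    return None


@engine.register("telnet-cleartext", "medium", 23)
def check_telnet(banner: str) -> Optional[str]:
    """Any telnet banner at all is worth reporting: logins cross the wire in clear."""
    return "telnet service offers cleartext logins" if banner.strip() else None


# Constructed sample inventory, as a banner-grabbing pass might have recorded it.
SAMPLE_HOSTS = [
    Host("www1", {21: "220 ExampleFTPd 2.1.3 ready", 80: "Server: ExampleHTTPd/1.0"}),
    Host("db1", {21: "220 ExampleFTPd 2.2.1 ready", 23: "Welcome to db1 (telnet)"}),
]


def run_sample() -> List[Finding]:
    return engine.scan(SAMPLE_HOSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}:{f.port} [{f.severity}] {f.check_id}: {f.detail}")
```

The point of the structure is the one the article makes about Nessus: the engine never changes when coverage grows. A new check is a small function plus a decorator line, which is why a community can add checks faster than a single vendor's release cycle.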
Vendor: NONE (open source)
Headquarters: NONE (Released out of France, however)
Platform: UNIX (Windows console available)
Product: Nessus
URL: http://www.nessus.org
Whisker
Whisker was written by a hacker by the name
of "rain forest puppy" (rfp), who has carved out a niche for
himself in regards to discovering Web-based vulnerabilities. Whisker doesn't fit the general definition of a vulnerability
scanner, as it is focused specifically on scanning for known vulnerable CGI
scripts; in fact, vulnerable CGI scripts are the only thing it looks
for. However, its list of CGI checks is more
comprehensive than all the commercial scanners combined. Because of this, I highly recommend you use Whisker in addition to a mainstream scanner.
Vendor: NONE (open source—rfp labs)
Headquarters: Chicago, IL (USA)
Platform: Windows and UNIX
Product: Whisker
URL: http://www.wiretrip.net/rfp/