Sibling to World Wide Digital Security's SAINT, SARA is based on the original Security Administrator's Tool for Analyzing Networks (SATAN) security scanner. SARA has been updated to look for current vulnerabilities.
SARA uses an HTTP GUI via the local Web browser to configure, run and view scans. However, this makes the GUI only as navigable and flexible as a general Web site would be (that is, not very). Unlike SAINT, SARA includes a report writer, which lets you export the data into a portable format. Like SAINT, SARA identifies general classes of vulnerabilities rather than specific ones, which can be annoying if you need to know your system's exact vulnerabilities. SAINT and SARA appear to have different sets of vulnerability checks, however, as SARA found some things that SAINT did not.
SARA's poor showing in finding vulnerabilities, taken together with the product's weak GUI and reporting tools, makes this a less-than-compelling solution.
Found 10 out of 17 vulnerabilities -- Security Administrator's Research Assistant (SARA), www.www-arc.com/sara/.
World Wide Digital Security System Analyst Integrated Network Tool (SAINT)
SAINT is also a derivative of SATAN. Like SARA, SAINT doesn't alert the user to specific vulnerabilities but tends to lump multiple application vulnerabilities together (such as all the wu-ftpd vulnerabilities). This leaves users to sort through the results, figure out which vulnerability applies to them and get the correct patch. We have mixed emotions about this. Although alerting on the general vulnerabilities is easier and still draws general attention to vulnerable services, an overworked administrator might find it frustrating to figure out exactly what to fix. At press time, SAINT didn't include a report-generation tool. However, a plug-in report generator, SAINT Writer, was in beta. Like SARA, SAINT presents a subpar overall package.
Found 9 out of 17 vulnerabilities -- System Analyst Integrated Network Tool (SAINT), World Wide Digital Security, (301) 656-0521; fax (301) 656-4806; www.wwdsi.com.
eEye Digital Security Retina
Retina is being billed as the revolutionary tool that "thinks like a hacker." With Retina's slick interface and out-of-the-ordinary toolset, we admit that eEye has brought a fresh perspective into the scanner arena. However, given that it discovered a paltry 6.5 out of 17 vulnerabilities, Retina's strengths are not as a vulnerability scanner but more as a hacking tool that can be used for vulnerability research.
Retina's leading feature, artificial intelligence toting all kinds of CHAM (Common Hacking Attack Methods), didn't help the product keep our network safe. In fact, Retina seemed more interested in boasting about all the wonderful information it could enumerate from the system than in simply looking for vulnerabilities.
For example, on the Windows NT side, we were looking for the scanner to alert us that anonymous NetBIOS logons were allowed. But instead of alerting us, Retina exploited the vulnerability and reported on the information found.
We suspect that security gurus might put two and two together and figure out what was vulnerable, but the less security-savvy administrators will probably prefer just being told what to patch.
On the interface front, Retina's GUI looks quite nice (at times the product practically goes out of its way to look cool) but takes some time to get used to. Vulnerability scanning is only one-fourth of Retina's functionality, and it is very easy to get lost in the GUI of the other three-fourths of the product.
Retina did seem to be able to handle the standard lot of SMTP relay misconfigurations, anonymous FTP servers and SMTP user enumeration. It could even tell us why running finger, Gopher and telnet wasn't such a good idea. We were a little worried when it identified the Linux host as a Windows NT machine, but the Samba/Linux combination seems to be a common trap that these products can't seem to get around. On the Windows NT system, Retina identified one IIS and one ColdFusion sample script--we would have liked to have seen those vulnerabilities better brought to light, so we gave Retina only partial credit on the find. Ironically, we discovered that Retina didn't deliver on the IIS vulnerabilities that eEye's own research team discovered. If eEye focused more on vulnerability scanning than the GUI and CHAM, Retina might be better equipped to match some of the other products.
Found 6.5 out of 17 vulnerabilities -- Retina, eEye Digital Security, (949) 349-9062, (866) 339-3732; fax (949) 349-9538; www.eeye.com.
Jeff Forristal is the lead security developer of Neohapsis in Chicago. Greg Shipley is the director of security services of Neohapsis. Send your comments on this article to Jeff at jforristal@neohapsis.com and Greg at gshipley@neohapsis.com.