Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

R E V I E W

VA Scanners Pinpoint Your Weak Spots

June 26, 2003
By Kevin Novak

	Issue TOC
	Print full article
	Print this page
	E-Mail this URL
	Discuss this article
	Flame the author

	In this article
	Introduction
	Wants & Needs
	Foundstone Enterprise and FoundScan Engine 2.6
	Qualys QualysGuard Intranet Scanner
	Harris Corp. STAT Scanner Professional Edition 5
	eEye Digital Security Retina Network Security Scanner
	Vigilante.com SecureScan NX 2.6.50
	SAINT 4.3
	nCircle Network Security IP360 Vulnerability Management System 5.3
	Other Products Reviewed
	How We Tested
	Web Links
	Report Card

A critical component in the vulnerability-management process is identifying areas of potential risk. Although risks exist in many forms, few would argue that application and OS vulnerabilities represent some of the largest exposure points in computing environments. Network-based vulnerability-assessment scanners play a critical role in the identification process by enabling their operators to spot security deficiencies before the bad guys do.

We know that throwing tools at security problems won't make them disappear, but a mixture of know-how and well-designed technology can make the difference between working 40 and 80 hours a week. Better network-based VA tools equal lower risk equals more sleep.

We invited Beyond Security, BindView Corp., eEye Digital Security, eSecurityOnline, Foundstone, Harris Corp., Internet Security Systems, nCircle, NetIQ, Network Associates, Qualys, Rapid7, SAINT Corp., Symantec, Tenable, The Advanced Research Corp. and Vigilante.com to participate in our tests of VA scanners. ISS and Symantec declined, citing pending revisions; and eSecurityOnline, NetIQ, Network Associates and Advanced Research did not respond at all.

We placed the remaining 11 scanners in the middle of one of the most insecure networks we could create (see "How We Tested Vulnerability Scanners," page 52) and evaluated each on its ability to accurately identify critical vulnerabilities, clearly and concisely report on those vulnerabilities, and perform these tasks in an efficient and noncrippling manner. Since experience has taught us that managing these tools in large organizations can be a bear, interface design and control features also factored into our grades.

Vendors at a Glance

click to enlarge

We found that, though the VA market holds promise, these products still need time to mature. For example, every system we tested suffered from one problem or another: Foundstone's FoundScan, Qualys' QualysGuard and eEye's Retina had the best management and reporting features but came up short on vulnerability detection. Vigilante.com's SecureScan, SAINT and Tenable's Nessus all reported a much higher percentage of vulnerabilities but were weak on management and reporting. No product identified an acceptable percentage of vulnerabilities, though eEye's Retina and QualysGuard came close. And network administrators beware: We found these scanners far from nonintrusive. All caused adverse reactions on our network servers. The products from Qualys and Vigilante.com were by far the biggest offenders--each crashed at least five servers during our tests. The three systems that took the most abuse: Novell NetWare running Web services; a version of SuSE Linux Groupware running an exploitable version of Lotus Notes; and Windows NT 4.0 running Exchange and IIS.

Still, though no VA scanner tested was what we'd consider fully mature, we can't envision living without one. Foundstone's FoundScan is our Editor's Choice because of its detailed reporting, thorough coverage and scalable design, but only by a small margin. Retina from eEye was a close second, and we were intrigued by some of the features found in products from nCircle and Harris.