Upcoming Events

Executive conference

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up
Security
R E V I E W  
VA Scanners Pinpoint Your Weak Spots

  June 26, 2003
  By Kevin Novak


TOC Issue TOC
Printer Print full article
Printer Print this page
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author
 
  In this article
arrow
Introduction
arrow
Wants & Needs
arrow
Foundstone Enterprise and FoundScan Engine 2.6
arrow
Qualys QualysGuard Intranet Scanner
arrow
Harris Corp. STAT Scanner Professional Edition 5
arrow
eEye Digital Security Retina Network Security Scanner
arrow
Vigilante.com SecureScan NX 2.6.50
arrow
SAINT 4.3
arrow
nCircle Network Security IP360 Vulnerability Management System 5.3
arrow
Other Products Reviewed
arrow
How We Tested
arrow
Web Links
arrow
Report Card

A critical component in the vulnerability-management process is identifying areas of potential risk. Although risks exist in many forms, few would argue that application and OS vulnerabilities represent some of the largest exposure points in computing environments. Network-based vulnerability-assessment scanners play a critical role in the identification process by enabling their operators to spot security deficiencies before the bad guys do.

We know that throwing tools at security problems won't make them disappear, but a mixture of know-how and well-designed technology can make the difference between working 40 and 80 hours a week. Better network-based VA tools equal lower risk equals more sleep.

We invited Beyond Security, BindView Corp., eEye Digital Security, eSecurityOnline, Foundstone, Harris Corp., Internet Security Systems, nCircle, NetIQ, Network Associates, Qualys, Rapid7, SAINT Corp., Symantec, Tenable, The Advanced Research Corp. and Vigilante.com to participate in our tests of VA scanners. ISS and Symantec declined, citing pending revisions; and eSecurityOnline, NetIQ, Network Associates and Advanced Research did not respond at all.

We placed the remaining 11 scanners in the middle of one of the most insecure networks we could create (see "How We Tested Vulnerability Scanners," page 52) and evaluated each on its ability to accurately identify critical vulnerabilities, clearly and concisely report on those vulnerabilities, and perform these tasks in an efficient and noncrippling manner. Since experience has taught us that managing these tools in large organizations can be a bear, interface design and control features also factored into our grades.




Vendors at a Glance

click to enlarge

We found that, though the VA market holds promise, these products still need time to mature. For example, every system we tested suffered from one problem or another: Foundstone's FoundScan, Qualys' QualysGuard and eEye's Retina had the best management and reporting features but came up short on vulnerability detection. Vigilante.com's SecureScan, SAINT and Tenable's Nessus all reported a much higher percentage of vulnerabilities but were weak on management and reporting. No product identified an acceptable percentage of vulnerabilities, though eEye's Retina and QualysGuard came close. And network administrators beware: We found these scanners far from nonintrusive. All caused adverse reactions on our network servers. The products from Qualys and Vigilante.com were by far the biggest offenders--each crashed at least five servers during our tests. The three systems that took the most abuse: Novell NetWare running Web services; a version of SuSE Linux Groupware running an exploitable version of Lotus Notes; and Windows NT 4.0 running Exchange and IIS.

Still, though no VA scanner tested was what we'd consider fully mature, we can't envision living without one. Foundstone's FoundScan is our Editor's Choice because of its detailed reporting, thorough coverage and scalable design, but only by a small margin. Retina from eEye was a close second, and we were intrigued by some of the features found in products from nCircle and Harris.


start top Introduction Wants & Needs 

Best of the Web

Data deduplication: Declawing the clones

Data deduplication is emerging as a critically important new arrow in the storage administrator's quiver to answer hard questions about the increasing problem in storage growth costs.

Quick Read

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Quick Read

WAN Optimization Whitelists and Blacklists

Optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.

Quick Read

WAN Optimization as a Managed Service: It's Not About the Cost

This insight examines how organizations outsourcing their WAN optimization initiatives to a third-party go about achieving their goals for application performance, reducing operational costs, and streamlining enterprise infrastructure.

Quick Read

  Sponsored Links

Premium Content

Data Centers Gone Wild
February 22, 2010

NWC


Salary

Video