A critical component in the vulnerability-management process is identifying areas of potential risk. Although risks exist in many forms, few would argue that application and OS vulnerabilities represent some of the largest exposure points in computing environments. Network-based vulnerability-assessment scanners play a critical role in the identification process by enabling their operators to spot security deficiencies before the bad guys do.
We know that throwing tools at security problems won't make them disappear, but a mixture of know-how and well-designed technology can make the difference between working 40 and 80 hours a week. Better network-based VA tools equal lower risk equals more sleep.
We invited Beyond Security, BindView Corp., eEye Digital Security, eSecurityOnline, Foundstone, Harris Corp., Internet Security Systems, nCircle, NetIQ, Network Associates, Qualys, Rapid7, SAINT Corp., Symantec, Tenable, The Advanced Research Corp. and Vigilante.com to participate in our tests of VA scanners. ISS and Symantec declined, citing pending revisions; and eSecurityOnline, NetIQ, Network Associates and Advanced Research did not respond at all.
We placed the remaining 11 scanners in the middle of one of the most insecure networks we could create (see "How We Tested Vulnerability Scanners," page 52) and evaluated each on its ability to accurately identify critical vulnerabilities, clearly and concisely report on those vulnerabilities, and perform these tasks in an efficient and noncrippling manner. Since experience has taught us that managing these tools in large organizations can be a bear, interface design and control features also factored into our grades.
We found that, though the VA market holds promise, these products still need time to mature. For example, every system we tested suffered from one problem or another: Foundstone's FoundScan, Qualys' QualysGuard and eEye's Retina had the best management and reporting features but came up short on vulnerability detection. Vigilante.com's SecureScan, SAINT and Tenable's Nessus all reported a much higher percentage of vulnerabilities but were weak on management and reporting. No product identified an acceptable percentage of vulnerabilities, though eEye's Retina and QualysGuard came close. And network administrators beware: We found these scanners far from nonintrusive. All caused adverse reactions on our network servers. The products from Qualys and Vigilante.com were by far the biggest offenders--each crashed at least five servers during our tests. The three systems that took the most abuse: Novell NetWare running Web services; a version of SuSE Linux Groupware running an exploitable version of Lotus Notes; and Windows NT 4.0 running Exchange and IIS.
Still, though no VA scanner tested was what we'd consider fully mature, we can't envision living without one. Foundstone's FoundScan is our Editor's Choice because of its detailed reporting, thorough coverage and scalable design, but only by a small margin. Retina from eEye was a close second, and we were intrigued by some of the features found in products from nCircle and Harris.
REPORTS
Analyize In-Line NAC strategies and products.
ANALYTICS Plan and design your enterprise blade server deployments
InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
REPORTS
ANALYTICS
Follow 
