Holy Intruders!: IP-Based Security Auditing Tools

ISS Internet Scanner 5.0
An early developer of security scanning tools, ISS drew on its years of experience to give Internet Scanner a variety of checks and a detailed reporting engine. Internet Scanner was the most comprehensive security auditing package we tested, rivaled only by Secure Networks' Ballista. Nevertheless, like the other products, it has its share of shortcomings, including some missed holes and a slower, nonautomated updating procedure.

We tested Internet Scanner on an Intel Corp.-based Windows NT system. (It is also available on AIX, HP-UX, Linux and Solaris.) After installation was completed, we were prompted to choose one of three scanning "policies"--light, medium or, as we selected, heavy. Once we designated our IP range, the scanner began its initial sweep using ping. After Internet Scanner plotted a list of hosts, we began the hard-core probing process.

Internet Scanner was the only product we tested that recognized an old NetWare WebServer 2.5 bug. (Using a poorly written CGI program, remote users could dump just about any file on the system. This bug was frequently used to pull the AUTOEXEC.NCF file, which often contains the RCONSOLE password.) Although Internet Scanner didn't correctly nail the problem, it drew attention to the issue with a more generic "./../" warning, which is also an Internet Information Server (IIS) hole.

Internet Scanner's overall depth impressed us. During testing, it flagged several machines using predictable port sequencing, and it located some missing links on one of our Web servers.

Like Ballista, Internet Scanner conducts multiple scans simultaneously, which greatly contributes to overall efficiency. On our test network, the initial process ran quite smoothly, and the scan of approximately 20 hosts was completed in less than 15 minutes. It wasn't until later rounds of testing that we ran into problems. While scanning our third network, one of our scanning sessions appeared to be "hung" on an NT machine. Noting that all other hosts had completed their testing, we eagerly viewed the report while Internet Scanner completed its work on the NT unit.

We paused the scan, hoping we could examine the holes Internet Scanner had discovered on the other machines. No such luck. We then attempted to stop the scan (after waiting 10 to 15 minutes on the single host), which shut down the entire application and lost all the discovered data.

A less crippling but equally annoying problem was Internet Scanner's inability to properly address subnetting. Our initial license covered a full RFC1918-based Class A range, 10.0.0.0/8. However, when we tried to get Internet Scanner to scan both 10.100.0.0/16 and 10.10.0.0/16, we were informed that they were outside our key range. When we configured Internet Scanner to look at the first range, the second range or the entire Class A (a scary thought in itself) individually, it worked fine.
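The subnetting problem above comes down to checking each requested target against the licensed range on its own. As an added example (not ISS code and not part of the original review), here is that check in Python; the comma-separated target syntax and the names `parse_target` and `check_scope` are assumptions made for illustration.

```python
import ipaddress


def parse_target(spec):
    """Parse one target (CIDR, single IP, or 'first-last') into a list of networks."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range {spec!r}")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects ambiguous input such as 10.10.0.5/16 (host bits set).
    return [ipaddress.ip_network(spec, strict=True)]


def check_scope(targets, licensed):
    """Split a comma-separated target list into (allowed networks, rejected specs)."""
    # Merge adjacent licensed blocks so a target spanning two of them still passes.
    # Assumption: all licensed blocks are the same IP version.
    scope = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in licensed))
    allowed, rejected = [], []
    for spec in targets.split(","):
        spec = spec.strip()
        try:
            nets = parse_target(spec)
        except ValueError as exc:
            rejected.append((spec, f"malformed: {exc}"))
            continue
        # Every piece of the target must sit inside some licensed block.
        inside = all(
            any(n.version == s.version and n.subnet_of(s) for s in scope)
            for n in nets
        )
        if inside:
            allowed.extend(nets)
        else:
            rejected.append((spec, "outside licensed range"))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed input: the two /16 ranges from the review, under the /8 license.
    ok, bad = check_scope("10.100.0.0/16, 10.10.0.0/16", ["10.0.0.0/8"])
    print("allowed:", [str(n) for n in ok])
    print("rejected:", bad)
```

A range that straddles the edge of the licensed block is rejected as a whole rather than silently trimmed, so the operator sees exactly which entry was out of scope.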

Internet Scanner's noteworthy reporting mechanism makes up for some of its more trivial shortcomings. With its predefined templates, you can generate everything from management-level summaries illustrated with colorful graphs to detailed outlines of individual holes and recommended solutions. We especially liked the detail in the "technical report." While trying to fix NT's problem of acquiring account names remotely, we were provided with precise instructions concerning the necessary registry modifications, as well as pointers to MS Knowledge Base articles for further reference. Unfortunately, the "sort by IP address" capability functioned improperly when running reports. This was another trivial bug, but it left us wondering if ISS has adopted the same version-numbering strategy that Microsoft Corp. uses. ISS' update schedule--only a few times per year--also falls short.

