Top Vulnerability Scanners
In an ideal world, technology-purchasing decisions would be backed by proper requirement gathering, proper testing, and realistic budgeting. However, I've grown to realize that people rarely have the luxury of doing things the right way. It is for this very reason that I've picked what I consider to be the top vulnerability scanners on the market today, and listed them here. This is not to say that the other products won't do a sufficient job; these are just my personal favorites based on my field experiences and testing. I still encourage the reader to perform some level of investigation when choosing a product to adopt, but the list of products in the following sections should get you started.
Axent NetRecon
Axent's NetRecon complements Axent's existing security product line of firewall and intrusion detection suites. NetRecon's strengths lie in its interface, strong reporting abilities, its moderately sized vulnerability database, and its capability to perform what is often referred to as secondary exploitation: using knowledge gained from one server to assess another. Although it's rare that I've found this final feature useful, it is something not seen in many other products.
NetRecon has traditionally not been as thorough as Nessus, Cybercop Scanner, or ISS, but it is still a fairly comprehensive scanning tool that can be quite useful. It can also report into Axent's Enterprise Security Manager (ESM), which can be used for more general risk assessment efforts.
Headquarters: Rockville, MA (USA)
ISS Internet Scanner
ISS initially built its company on Internet Scanner, and it has long been regarded as the de facto standard in the industry for vulnerability scanning. Internet Scanner has a strong reporting back-end, a comprehensive set of vulnerability checks, and a very usable GUI. ISS has obviously spent as much time polishing the product as they have on the back-end scanning engine itself. For example, the scanner provides a significant amount of background data on each vulnerability check.
Internet Scanner uses a Microsoft ODBC-based back-end to store its scan data, which can be used later for long-term trending. As with NetRecon's integration with ESM, Internet Scanner integrates with the ISS Decisions product. Combined with scanner data, ISS Decisions can be used in conjunction with other security products (firewalls, intrusion detection systems, and so on) to paint a more global picture of vulnerability and threat points.
Although Internet Scanner traditionally hasn't had as many problems with false positives as other products, it does still lag behind on the update front. The other negative point worth mentioning is the fact that in my experience Internet Scanner appears to have become less stable in the 6.x series of releases. I've had numerous problems with it crashing during large scans, and occasionally I'll have to clear out its internal database and start again clean before it will cooperate. It has always been recoverable, however.
It should be noted that ISS also makes two other scanning products, System Scanner and Database Scanner, although both are agent-based and incapable of scanning remote systems.
Vendor: Internet Security Systems, Inc.
Headquarters: Atlanta, GA (USA)
Platform: Windows NT Workstation version 4.0
Product: Internet Scanner
Network Associates Cybercop Scanner
Cybercop Scanner's roots come from NAI's (Network Associates, Inc.) acquisition of SNI (Secure Networks, Inc.) and their Ballista product. Although Cybercop Scanner has an impressive number of vulnerability checks and moderate reporting abilities, it also comes with a number of surprisingly useful tools. Two of the tools that are of particular interest are CASL and the SMB grinder. CASL enables the GUI-based construction of IP packets, whereas the SMB grinder is similar to the password cracking capabilities of L0phtCrack.
Cybercop's primary downsides revolve around its lacking some fundamentally important vulnerability checks, and its bizarre licensing scheme. NAI usually tries to sell Cybercop on a per-node basis, as opposed to a per-number-of-servers-scanned basis. This can create some horrendously high pricing schemes, depending on the alignment of the stars and the salesperson's current commission plan.
Vendor: Network Associates, Inc.
Headquarters: Santa Clara, CA (USA)
Platform: Windows NT and UNIX
Product: Cybercop Scanner
The Open Source Nessus Project
Nessus was written by Renaud Deraison, an open source author living in Paris, France. Renaud discovered Linux at age 16 and has been hacking it ever since. In 1996, Renaud began attending 2600 meetings and subsequently developed a strong interest in security. This spawned a partnership between Renaud and two other programmers, and together they wrote their first auditing tool in 1997. After tackling that project, Renaud conceived Nessus in early 1998.
Nessus is quickly becoming the Linux of the vulnerability-scanning field. Driven by the open source movement, Nessus wasn't much to speak of a few years ago but is now gaining ground on and sometimes surpassing its commercial counterparts. Nessus employs an extensible plug-in model that enables the security community to add scanning modules at will. This gives Nessus a development edge because any check that it does not have can be created by anyone with some time and coding abilities on their hands.
Nessus uses a console-engine model, in which the console might or might not reside on the same computer as the scanning engine. This distributed architecture allows for some interesting flexibility, as you don't need to be anywhere close to the scanning engine in order to control it.
At the time of this writing, Nessus had more than 500 vulnerability checks, some of which still aren't available in the commercial scanning tools. Depending on how the development efforts continue to progress, Nessus could surpass commercial scanners in overall thoroughness in the coming year.
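To make the plug-in model concrete (and the knowledge-sharing idea behind NetRecon's "secondary exploitation" described earlier), here is an added, hypothetical example that is not Nessus code and not from any of the products reviewed. It sketches the shape of an extensible scanner: each check registers itself with metadata and dependencies, a scheduler orders the checks so no plug-in runs before the ones it relies on, and findings from one plug-in are recorded in a shared knowledge base that later plug-ins can read. The target host, its banners, and the severity levels are all constructed for illustration so the script runs offline.

```python
"""Toy plug-in scanner (hypothetical example, not Nessus or any vendor's code).

Demonstrates three ideas from the text: checks added as independent plug-ins,
a dependency-ordered scheduler, and a shared knowledge base so that what one
check learns can feed the next.  The 'host' is an in-memory dict standing in
for a real target, so nothing touches the network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Finding:
    plugin: str
    port: int
    severity: str   # constructed levels: "info", "warning", "hole"
    summary: str


@dataclass
class Plugin:
    name: str
    family: str
    check: Callable[[dict, dict], List[Finding]]
    depends_on: Tuple[str, ...] = ()


REGISTRY: Dict[str, Plugin] = {}


def plugin(name: str, family: str, depends_on: Tuple[str, ...] = ()):
    """Decorator: anyone can drop a new check into the registry this way."""
    def wrap(fn):
        REGISTRY[name] = Plugin(name, family, fn, tuple(depends_on))
        return fn
    return wrap


# Constructed target: port -> banner.  Values are placeholders, not real products.
SAMPLE_HOST = {
    21: "220 example-ftpd ready.",
    80: "HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/1.0\r\n",
}


@plugin("find_services", "Misc.")
def find_services(host: dict, kb: dict) -> List[Finding]:
    # Service discovery writes to the knowledge base; it reports no findings itself.
    for port, banner in host.items():
        kb.setdefault("open_ports", []).append(port)
        kb[f"banner/{port}"] = banner
    return []


@plugin("ftp_banner", "FTP", depends_on=("find_services",))
def ftp_banner(host: dict, kb: dict) -> List[Finding]:
    # Reads what find_services learned rather than probing again.
    banner = kb.get("banner/21")
    if not banner:
        return []
    return [Finding("ftp_banner", 21, "info", f"FTP banner disclosed: {banner.strip()}")]


@plugin("http_server_version", "Web", depends_on=("find_services",))
def http_server_version(host: dict, kb: dict) -> List[Finding]:
    banner = kb.get("banner/80", "")
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            kb["www/server"] = line.split(":", 1)[1].strip()   # shared for later checks
            return [Finding("http_server_version", 80, "info",
                            f"Web server version disclosed: {kb['www/server']}")]
    return []


def order_plugins(registry: Dict[str, Plugin]) -> List[Plugin]:
    """Depth-first topological sort; raises on a dependency cycle."""
    done, ordered = set(), []

    def visit(name: str, stack: Tuple[str, ...] = ()):
        if name in done:
            return
        if name in stack:
            raise ValueError(f"dependency cycle at {name}")
        for dep in registry[name].depends_on:
            visit(dep, stack + (name,))
        done.add(name)
        ordered.append(registry[name])

    for name in sorted(registry):
        visit(name)
    return ordered


def scan(host: dict, registry: Dict[str, Plugin] = REGISTRY):
    """Run every plug-in in dependency order; return the knowledge base and findings."""
    kb: dict = {}
    findings: List[Finding] = []
    for plug in order_plugins(registry):
        findings.extend(plug.check(host, kb))
    return kb, findings


if __name__ == "__main__":
    kb, findings = scan(SAMPLE_HOST)
    for f in findings:
        print(f"[{f.severity}] port {f.port} ({f.plugin}): {f.summary}")
```

The point of the knowledge base is the same one the NetRecon paragraph makes: a later check can use what an earlier one discovered instead of re-probing, and a new check only needs to declare which existing plug-ins it depends on to slot into the schedule.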
Vendor: NONE (open source)
Headquarters: NONE (Released out of France, however)
Platform: UNIX (Windows console available)
Whisker
Whisker was written by a hacker by the name of "rain forest puppy" (rfp), who has carved out a niche for himself with regard to discovering Web-based vulnerabilities. Whisker doesn't fit the general definition of a vulnerability scanner, as it is specifically focused on scanning for known vulnerable CGI scripts. In fact, the only things it looks for are vulnerable CGI scripts. However, its list of CGI checks is more comprehensive than all the commercial scanners combined. Because of this, I highly recommend you use Whisker in addition to a mainstream scanner.
Vendor: NONE (open source rfp labs)
Headquarters: Chicago, IL (USA)
Platform: Windows and UNIX