RE: Online Scanning Services Vrs. Stand Alone Applications

From: oherrera (oherrera@Prodigy.Net.mx)
Date: Fri Feb 28 2003 - 18:22:00 EST


Indeed, online scanning might bee seen just as external
vulnerability scanning outsourcing, but there might be some
advantages to the outsourcing process (leaving alone
technical disadvantages).

The outsourcer might (in theory) be able to dedicate a team
of specialist to the follow-up process. After you do the
scan, and identify the vulnerabilities this team should
identify false positives, recommend alternative solutions
and keep track of the patching process.

Of course you could put a team of your own but for some
organizations it might be more cost-effective to outsource
the service rather than maintaining full time specialists.

If I remember correclty, FoundScan offered this
vulnerability management option with FoundScan (both online
and with appliances) or they give you the option to aquire
the tools and do the vulnerability management yourself.
Anyway, this is another story, this is what online scanners
and services are evolving into.

If you ask me if pure online scanning is worth the try I
would think the same as you: "it is just a matter of
deciding if you want to do the scanning yourself or not",
technically I don't see any advantage.

Omar Herrera

> All the answers so far seem to fall under the "treatise on
> the benefits of someone managing your scanning for you or
> not". Surely there's someone out there who's used these
> outside services and can provide a more detailed technical
> comparison of the scanners.
> Or am I missing the point here. So far it seems that there
> really is not a lot of technical difference -- it's all
> just a matter of who's running the scanners and from
> where. Bandwidth consumption is a configuration issue with
> all scanners coming from the outside, not an inherent
> disadvantage to online scanners. The same for agents.
>
> My only experience with the online scanners is with simple
> stuff like ShieldsUp, which, technically speaking, seem
> indistinguishable on the network from running the same
> attacks with a standalone application on the outside.
>
> +++
> ----------------------------------------------------------
> --- +++ Davi Ottenheimer, CISSP
> Synchron Networks, Inc. Chief Security Engineer
> www.synchronnetworks.com email:
> mailto:davi@synchronnetworks.com 100 Enterprise Way,
> C230 emergency: mailto:8315884778@vtext.com Scotts
> Valley, CA 95066
> > -----Original Message-----
> > From: Gene Yoo [mailto:gyoo@attbi.com]
> > Sent: Thursday, February 27, 2003 6:17 PM
> > To: Danny; 'pen-test@securityfocus.com'
> > Cc: 'Alfred Huger'
> > Subject: Re: Online Scanning Services Vrs. Stand Alone
> > Applications
> >
> > IMHO
> >
> > i have not heard about any comparison except bunch of
> > sales pitch. i do agree with danny that depending on
> > the size of your pipe, it's not only cost prohibitive
> > but also resource hog.
> > it's nice that someone outside could do that for you and
> > for you to open up ports for them to scan the internal
> > networks via vpn tunnel, and of course you're getting
> > an outside opinion, but tools like nessus, you could
> > setup a nessus client at various parts of your network
> > subnet or your vlans and have those remote agents send
> > back the findings to the nessus server (perhaps with
> > mysql backend for later correlation analysis).
> >
> > i say there is too many to choose from the menu, but
> > choosing the resturant would depend on your budget and
> > taste (or what you're used to, etc...).
> >
> > just my .02
> >
> > gene
> >
> > Danny wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > I've not seen a comparison, but in my opinion remote
> > > scanning is a waste of time and money for large
> > networks such as anything over a class C.
> > >
> > > Having someone do a full vulnerability scan remotely
> > over your entire
> > > IP space takes a lot of time and a lot of bandwidth,
> > if a company is on a T1 it could take several hours and
> > may impact the performance of their corporate link.
> > >
> > > Having said that, if someone was to come up with a
> > > semi remote scanning option for a managed service it
> > may be a little more feasible. By semi remote I mean
> > the scanning company has an agent on the local LAN
> > which handles the actual scanning and simply reports
> > > back to an offsite database for analysis.
> > > Currently we are using SecureScanNX from
> > > vigilante.com. This tool allow us to do full vuln
> > scans of our entire network, we have agents
> > > placed at various points of the network which handle
> > the scanning for
> > > their network segments and report back to a
> > > controlling terminal, doing this stops us from
> > > flooding our WAN/MAN links and keeps the scans times
> > > down relatively low.
> > > Cheers
> > > Danny
> > > Network Security Engineer
> > > Drexel University
> > > PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC
> > F4ED F1E0 PGP Key:
> > > http://akasha.irt.drexel.edu/danny.asc
> > >
> > >
> > > - -----Original Message-----
> > > From: Alfred Huger [mailto:ah@securityfocus.com]
> > > Sent: Wednesday, February 26, 2003 4:06 PM
> > > To: pen-test@securityfocus.com
> > > Subject: Online Scanning Services Vrs. Stand Alone
> > > Applications
> > >
> > >
> > > Hey all,
> > >
> > > I have a question, which is two fold. First can anyone
> > > point me to comparison articles of online scanners
> > > (such as Foundstone) vrs. standalone applications
> > > such as ISS? I am looking for technical comparisons
> > > not a treatise on the benefits of someone managing
> > > your scanning for you or not.
> > > The second part of the question is, are their any
> > technical advantages
> > > between the two setups? I understand this overlaps
> > > with the first question but I ask this after having
> > > searched for good writeups and came out with very
> > > little.
> > > - -al
> > >
> > >
> > > Alfred Huger
> > > Symantec Corp.
> > >
> > >
> > > -
> > >
> >
> ----------------------------------------------------------
> > ---- --------------
> > > <Pre>Do you know the base address of the Global Offset
> > Table (GOT) on a Solaris 8 box?
> > > CORE IMPACT does.</Pre>
> > > <A href="http://www.securityfocus.com/core">
> > http://www.securityfocus.com/core>
> > >
> > > -----BEGIN PGP
> > SIGNATURE-----
> > > Version: PGP 8.0
> > >
> > >
> iQA/AwUBPl0+/Gb1zPz07fHgEQKNMgCZAWiZsphU4AWefT4ZVXUl9oABhw
> > > 0AnjPA 8yiC4zH8B+tKwm6COkxg34Ed
> > > =Z1G+
> > > -----END PGP SIGNATURE-----
> > >
> > >
> >
> ----------------------------------------------------------
> > > ------------ ------
> > > <Pre>Do you know the base address of the Global Offset
> > Table (GOT) on a Solaris 8 box?
> > > CORE IMPACT does.</Pre>
> > > <A href="
http://www.securityfocus.com/core">
> > http://www.securityfocus.com/core>
> > >
> > >
> >
> >
> > --
> > <<gyoo [at]
> > attbi [dot] com>>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.0 (GNU/Linux)
> >
> >
> iQCUAwUBPhxERRxoVYCzmrKXAQJK5gP3Y7CTsFyKpEz2p5W4GWI9+qSm+k
> > WfdJ0R
> xNlma0Ma9rAL/OBJcZMo5IXyXas+3Edogbv4Al6dIf8lot1WS0Iaxxl/cg
> > 2f7gf+
> otf7LfNpZDE/6OzR7A1qN6baPMLSjGzywwQWMfSVuWWb6kGQxMsA13Kn68
> > G7Ozxs 5CODZqUPyg==
> > =AolA
> > -----END PGP SIGNATURE-----
> >
> >
> >
> >
> ----------------------------------------------------------
> > ---- --------------
> > <Pre>Do you know the base address of the Global Offset
> > Table (GOT) on a Solaris 8 box? CORE IMPACT does.</Pre>
> > <A href="
http://www.securityfocus.com/core">
> http://www.securityfocus.com/core>
>
> ----------------------------------------------------------
> ------------------ <Pre>Do you know the base address of
> the Global Offset Table (GOT) on a Solaris 8 box? CORE
> IMPACT does.</Pre> <A
> href="
http://www.securityfocus.com/core">
> http://www.securityfocus.com/core>

----------------------------------------------------------------------------
<Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box?
CORE IMPACT does.</Pre>
<A href="
http://www.securityfocus.com/core"> http://www.securityfocus.com/core>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:29 EDT