RE: MBSA scanner

From: Igor Filippov (igor@osc.edu)
Date: Thu Apr 22 2004 - 09:57:53 EDT


I'd like to add my two cents to the discussion - so far it's been
quite interesting to find out about other folks' experience with different
scanners/assessment tools. Please note that I don't claim to be a security
professional, nor do I mean to offend any of the software authors - you
guys are doing a wonderful job, all of you, just sometimes maybe not
exactly what an average system administrator like myself is looking for.
On the same note, if I didn't find some of the functionality I was looking
for, that probably speaks more about my lack of imagination rather than
any particular attempt on the author's part to hide it. Ok, disclaimer
aside, here are my personal experiences:

Sara (many things also apply to Nessus):
  Good:
    - It's free
    - It runs on Linux
    - It doesn't require admin privileges on the remote hosts, nor
      any access rights at all
    - Scans many different platforms, not just Windows
  Not so good:
    - It's not obvious how up to date its database of exploits is,
      nor how to update it. For example, I haven't seen any indication
      that it checks for enabled DCOM on Windows hosts (it was last
      fall).
    - It's quite slow - can take a good portion of a day to do
      a C-class domain
    - It's rather garrulous - whatever daylight time's left of the
      workday after the scan you'll probably spend reading through the output.
    - It does seem to give a lot of false alarms
MBSA (most apply also to HFNetChk):
  Good:
    - It's free
    - It's up to date (or at least as up to date as the vendor in
      question is :) ); and it's also visible when it's trying to
      update its database.
    - It's reasonably fast and the output is mostly "get-to-the-point"
      style, which I like.
  Not so good:
    - It requires admin privileges on remote hosts and there's no way
      to supply them - you have to be the same guy on local and remote
      hosts
    - It seems to check mostly whether or not patches have been
      installed, which is not quite the same as whether or not
      the host is vulnerable
    - There doesn't seem to be an easy way to remotely install
      necessary patches
    - There seem to be quite a few false (or not-so-urgent) alarms -
      i.e. getting a red flag on a user's IE zone configuration when the
      user in question is long disabled.
Languard:
  Good:
    - It's fairly cheap (cheaper than any of the non-free scanners)
    - Vulnerability database is up to date and it's possible to
      force an update download.
    - It's reasonably fast and the output is not very lengthy
    - While it requires admin access to remote hosts, it's possible
      to supply it with credentials, so that you don't have to log
      in locally on the same account
    - Provides a way to install patches on remote hosts (disabled
      in the evaluation version, so I couldn't check this one)
  Not so good:
    - Seems to check more for the presence of patches, rather than
      vulnerabilities.
    - Navigating through output can sometimes be puzzling (in the
      evaluation version at least) and it might take some learning
      to get all the "right-click here, then left-click there"
      combinations and what the error messages mean - e.g.
      in my case, when the evaluation version didn't want to deploy
      patches it complained "no hosts selected" even when
      all of them were selected; took me a while to realise that
      it's their way of saying "only the full version can do that".
Retina:
  Good:
    - It doesn't require remote admin access
    - It's fast
    - It checks for vulnerabilities, not patches installed
    - eEye seems to be very much on top of things, at least as far
      as Windows systems are concerned, and the vulnerability database
      is probably as up to date as it gets.
  Not so good:
    - The evaluation version scans only one IP at a time, and as such is
      useless. I have a lot of praise for their free RPC DCOM and Messenger
      scanners
    - It's not free, and while it's not as expensive as some, I wish
      they had more different licensing options, as it might be hard
      for a non-profit organization to come up with a few $K for a
      security scanner that the bosses don't realise they need at all
      anyway.
    - There doesn't seem to be a way to deploy patches (in the evaluation/free
      versions).
Tenable NeWT: The install failed. It might have something to do with
the fact that I tried to install it on a terminal server. Maybe I'll
try again later. Maybe.

Netskowt: To get an evaluation version, first you have to register
on their website, then they send you an email with the download link,
then you install the product and find out that you still have to apply
for an evaluation license. (It doesn't work at all in the form it's
downloaded.) I got a reply to my request for an evaluation license this
morning - I need to supply the IP address of the host where the scanner is
going to be installed. A reasonable request, but why didn't they tell you
that to begin with? All in all, if I had known it was going to be such a
bureaucratic drag, I probably wouldn't have bothered.

I would love to hear what other people might add/change/challenge
to that list.

Best regards,
Igor

On Wed, 21 Apr 2004, Gibson, Eric wrote:

> We just finished a long comparative evaluation of Eeye, Foundstone,
> Tenable, Nessus and ISS. After much consideration we concluded that
> Foundstone fit our needs best, while still using Nessus for bulk scans.
> We used to use ISS but switched because the product has not kept up with
> others. Nessus is still a great scanner, and you cannot beat the price.
>
> I am surprised that FoundStone has not come up in the recommendations so
> far.
>
> Eric Gibson
>
> -----Original Message-----
> From: Peter Wood [mailto:peterw@firstbase.co.uk]
> Sent: Tuesday, April 20, 2004 7:00 AM
> To: pen-test@securityfocus.com
> Subject: [BULK] - RE: MBSA scanner
>
> We have also moved our allegiance to eEye Retina from ISS. It works very
> well and is the best commercial scanner we've used. We also use Core Impact
> for real exploits, which is a great tool IMHO.
>
> Pete
>
> At 15:58 19/04/2004 -0500, Steve Goldsby (ICS) wrote:
> >We've moved all our business from ISS Scanner to Retina.
> >
> >Nessus is still the favorite for cost effective, high coverage scanning,
> >but for a commercial product that seems to gain favor with enterprise
> >clients, eEye is the way to go.
> >
> >
> >Steve Goldsby
> >www.networkarmor.com
> >
> >
> >-----Original Message-----
> >From: Nick Duda [mailto:nduda@VistaPrint.com]
> >Sent: Monday, April 19, 2004 1:30 PM
> >To: e247net; pen-test@securityfocus.com
> >Subject: RE: MBSA scanner
> >
> >eEye Retina is great. Quick on the updates also.
> >
> >- Nick
> >
> >-----Original Message-----
> >From: e247net [mailto:e247net@hotmail.com]
> >Sent: Saturday, April 17, 2004 4:34 AM
> >To: pen-test@securityfocus.com
> >Subject: MBSA scanner
> >
> >Hi all
> >
> >Microsoft Baseline Scanner cannot work since all the default shares are
> >disabled.
> >Isn't this the case for a secure LAN? Anyway, please suggest any
> >alternative open source tools for conducting vulnerability tests in a
> >LAN of typical Windows machines.
> >Thanks
> >
> >I am now using Nessus, but would like to have another tool.
> >
> >Best Regards,
> >
> ----------------------------------------------------------------------------------------------------------------------------------
>
> Peter Wood FBCS CITP MIMIS MIEEE
> Chief of Operations
> First Base Technologies
> +44 (0)1273 454525
> www.fbtechies.co.uk
> www.white-hats.co.uk
>
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT