Retina
Retina harnesses the ease of a small, nimble scanner and teams it with a comprehensive vulnerability database and high-performance scan engine to provide a top-notch scanner that excels at its primary mission to seek out and identify key system vulnerabilities. Retina includes several cross-platform auditing modules.
Retina's well-designed UI, which Figure 4 shows, makes setting up and managing scans a snap. When you begin the process of setting up a scan (called an audit), you can have the product discover computers on your network. This optional task uses Internet Control Message Protocol (ICMP), TCP, or UDP discovery methods to find systems on your network, then provides general information (e.g., name, OS, DNS name, media access control--MAC--address) about those systems. You can then add the computers to address groups, on which you can base the audit.
You begin an audit by defining a new scan job. Retina lets you target computers according to IP address, name, or address group. Retina port-scans the targets as a part of the overall audit; you can specify a port group (e.g., all ports, common ports, HTTP ports) that you want Retina to use or you can create your own port group. Audit groups list the vulnerabilities that Retina will look for. Like many of the other products I've described, Retina includes an audit group to detect the SANS Top 20 vulnerabilities. Plus, Retina includes a full set of documented APIs so that you can create custom audits.
Retina's maker, eEye Digital Security, is a security lab that discovers and publishes many vulnerabilities, to the scanner's benefit. You can configure Retina to download updates from the vendor each time you run the program. Retina classifies vulnerabilities as High, Medium, Low, or Info and categorizes detected vulnerabilities into groups (e.g., Accounts, DoS, Wireless). During a scan, subtle use of icons and colors draws your attention to especially vulnerable machines or suspect ports.
After a scan has finished, you can switch to the program's Remediate view to see the results in-depth. Retina lets you select and group the results by vulnerability or machine name and lets you sort the results according to IP address, name, or risk. You can view a remediation report, which is formatted so that you can print it and use it as a remediation checklist from within Retina, or you can export it in HTML or Word format. The report includes detailed information, including solutions and links to vendor updates (e.g., Microsoft security updates, BugTraq ID number, CVE number). Retina also includes a variety of predefined reports, such as Scan Summary, Vulnerabilities, and Network Shares. Many of these reports use graphics and provide a clear and concise summary of previous scans. Unfortunately, the reports don't offer drilldown capabilities, so you have to alternate views or reports when you want to access more detailed information. Retina can stand alone as a scanner but can also fit into the vendor's larger Retina Enterprise Suite, which includes REM Security Management Console and Retina Remediation Manager, to provide a complete threat identification, assessment, and remediation package.
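The grouping and risk-sorting the Remediate view performs is worth having as a script of your own for scanner output that arrives as a flat list (the review notes NessusWX gives you exactly that). The following is an added example, not code from eEye, Retina or Nessus: it takes a constructed list of findings, drops exact duplicates, groups them by host or by vulnerability, orders groups and entries by the High/Medium/Low/Info classes the review describes (the numeric weights are this example's assumption), sorts hosts as IP addresses rather than strings, and renders a printable checklist. Host addresses, check names and categories in the sample data are constructed, and the patch identifier is a placeholder.

```python
"""Triage helper for flat vulnerability-scanner output.

Added example; not part of the Retina or Nessus products. Groups constructed
findings by host or by vulnerability and orders them by risk, the way the
review describes Retina's Remediate view.
"""
from collections import defaultdict
import ipaddress

# Severity classes as the review describes them; the weights are assumed here.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}

# Constructed sample findings (hypothetical hosts and checks, not real scan data).
SAMPLE_FINDINGS = [
    {"host": "10.0.0.20", "name": "Anonymous FTP enabled", "severity": "Medium", "category": "FTP"},
    {"host": "10.0.0.3", "name": "SMB null session allowed", "severity": "High", "category": "Accounts"},
    {"host": "10.0.0.20", "name": "Missing vendor patch (placeholder ID)", "severity": "High", "category": "Patches"},
    {"host": "10.0.0.3", "name": "Banner reveals OS version", "severity": "Info", "category": "Information"},
    {"host": "10.0.0.20", "name": "Missing vendor patch (placeholder ID)", "severity": "High", "category": "Patches"},  # duplicate
    {"host": "10.0.0.101", "name": "SMB null session allowed", "severity": "High", "category": "Accounts"},
]


def _risk_key(finding):
    # Highest severity first, then a stable alphabetical order by check name.
    return (-SEVERITY_RANK.get(finding["severity"], -1), finding["name"])


def _host_sort_key(host):
    # IP addresses sort numerically (10.0.0.3 before 10.0.0.20); other names sort after them.
    try:
        return (0, int(ipaddress.ip_address(host)))
    except ValueError:
        return (1, host.lower())


def dedupe(findings):
    """Drop exact duplicates (same host, check and severity), preserving order."""
    seen = set()
    out = []
    for f in findings:
        key = (f["host"], f["name"], f["severity"])
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def severity_counts(findings):
    """Count deduplicated findings per severity class."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in dedupe(findings):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def group_findings(findings, by="host"):
    """Group by 'host' or 'name' (vulnerability); return [(key, findings)] worst-first."""
    if by not in ("host", "name"):
        raise ValueError("group by 'host' or 'name'")
    groups = defaultdict(list)
    for f in dedupe(findings):
        groups[f[by]].append(f)
    for items in groups.values():
        items.sort(key=_risk_key)

    def group_key(item):
        key, items = item
        worst = max(SEVERITY_RANK.get(f["severity"], -1) for f in items)
        tiebreak = _host_sort_key(key) if by == "host" else key
        return (-worst, tiebreak)

    return sorted(groups.items(), key=group_key)


def remediation_checklist(findings, by="host"):
    """Render a printable checklist with one '[ ]' line per finding."""
    lines = []
    for key, items in group_findings(findings, by):
        lines.append(f"## {key}")
        for f in items:
            other = f["name"] if by == "host" else f["host"]
            lines.append(f"- [ ] ({f['severity']}) {other} [{f['category']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(severity_counts(SAMPLE_FINDINGS))
    print(remediation_checklist(SAMPLE_FINDINGS, by="host"))
    print(remediation_checklist(SAMPLE_FINDINGS, by="name"))
```

Grouping by name is the view you want when one fix (a patch, a configuration change) clears the same finding on many hosts; grouping by host is the view to hand to whoever owns that machine.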
See associated table
Nessus
Nessus is a popular open-source scanner for Windows and UNIX. The price is right--free--but as with most open-source software, Nessus isn't for the faint of heart: You'll need UNIX knowledge to install and configure it. That said, the product provides a huge database of vulnerability checks, called plugins, as well as author and community support. However, as an open-source program, Nessus offers no company or paid technical support to help you out of a bind. The community or freelance Nessus consultants are your only avenues for support. Also, be aware that Nessus uses intrusive scanning methods (the Web-exclusive sidebar "Intrusive vs. Nonintrusive Scanning," http://www.windowsitpro.com, InstantDoc ID 43872, explains the difference between intrusive and nonintrusive methods), so be wary when scanning production systems.
Nessus consists of software that you install on a UNIX (or Linux, or FreeBSD) back-end server, and a UNIX or Windows front-end client. For my tests, I used the product's Windows client, NessusWX 1.4.4, which I needed to download separately from the main scanner (http://nessuswx.nessus.org). Because the main scanner program isn't a Windows program and isn't natively Windows-aware, you might find yourself having to tinker with its credentials to leverage its Windows-based scans. However, both the main Nessus site and the NessusWX site contain excellent installation documentation. The Nessus Web site manages more than 2100 plugins that cover most platforms. Nessus categorizes the plugins into families (e.g., Common Gateway Interface--CGI--abuses, firewalls, ftp, port scanners).
The first step in conducting a scan is to create a new session, in which you define the scan targets and options. You can specify a host name or IP address, or import a list of targets from a text file. Nessus harnesses the popular free Network Mapper (Nmap) port scanner and provides additional port-scanning options--for example, pinging the targets or performing an SNMP port scan. You use the NessusWX UI to select plugins, as Figure 5 shows. This UI is responsive and easy to use. You can enable all plugins for a specific family, or you can enable plugins individually. A special Enable Non-DoS button turns on all the plugins that Nessus doesn't classify as dangerous (i.e., plugins that could harm a target system when Nessus intrusively scans for them), but be careful running the product on production systems, even when using this button.
The scan executes in a separate window that gives real-time progress of the results and shows you the number of found vulnerabilities (classified as Holes, Warnings, Infos, and Ports) and each vulnerability's severity (High, Medium, or Low). After the scan, NessusWX launches a Manage Session Results dialog box, which shows you the results for each host and lets you export them to an .html, .pdf, or text file. You can also export results to a MySQL database or proprietary file. These utilitarian reports also include a description of the found problems. NessusWX doesn't provide custom reporting or prebuilt reports that highlight a specific area. Rather, the results appear in a long list that you must wade through.
See associated table