
Vulnerability scanners can play a prominent role in managing your network's security. Modern scanners check target systems against a database of known vulnerabilities and report potential security holes. And although they don't actively prevent attacks, many scanners provide additional tools to help you fix found vulnerabilities.

Evaluation Criteria
Scanners are available for any network and any budget. I examined six vulnerability scanners, ranging from small, lightweight products to Microsoft SQL Server-based, feature-rich programs and from free, open-source programs to scanners that cost thousands of dollars. The products in this roundup include Sunbelt Software's Sunbelt Network Security Inspector (SNSI) 1.5, NetIQ Vulnerability Manager 5.0, GFI Software's GFI LANguard Network Security Scanner (N.S.S.) 5.0, eEye Digital Security's Retina Network Security Scanner 5.0, the open-source Nessus Project's Nessus (with the NessusWX 1.4.4 client), and the BindView RMS vulnerability-management solutions (the RMS Console 7.3, bv-Control for Windows 7.35, and bv-Control for Internet Security 7.25). Internet Security Systems plans to release a new version of its popular Internet Scanner, so it didn't submit a product for this review. I tested only standard software-based scanners; see the Web-exclusive sidebar "Subscription and Turnkey Solutions," http://www.windowsitpro.com, InstantDoc ID 43871, for information about other methods.

All the scanners I tested are network-based, meaning that you install and configure them from one console, then point them at target systems on your network. (The NetIQ scanner's agent-based approach was a slight exception to this rule, as I explain later. Some of the BindView products also include agents that can provide additional data.) I considered how easy a product was to install, configure, and use--and how adequate its Help files were--in my ratings. All the scanners support heterogeneous targets, but to help you choose the right scanner for your environment, Table 1 lists the primary platforms and programs that each product supports.

Each scanner maintains a database that categorizes and describes the vulnerabilities that it can detect. The most comprehensive databases also provide built-in remediation steps or links to more verbose external sources such as the BugTraq and Common Vulnerabilities and Exposures (CVE) lists. A solid scanning engine, coupled with a detailed database, improves your ability to spot vulnerabilities and should produce few false positives. Most scanners require administrative credentials on the target to interrogate its registry, file system, and patch state properly, but many also let you run a scan with null credentials (an anonymous null session) so that you can see what an unauthenticated attacker could glean from your network. The two kinds of scan answer different questions: the credentialed scan tells you what is actually missing or misconfigured, and the uncredentialed one tells you what is exposed. I took into account which products provided built-in, comprehensive collections of vulnerability data as well as which scanners let you customize scans to meet specific needs.

Scanners generate a ton of data--a single scan can find 30 to 50 vulnerabilities on one computer. Multiply that by the number of computers in your domain and you'll understand why you'll want a scanner that can aggregate or filter data into meaningful reports. All the products in this round-up provide report generation and let you access historical reports from previous scans. Some products store data in .mdb files; others require SQL Server. If you're a SQL or XML pro, you might even be able to create your own report formats after you spend a little time studying a scanner's database schema.

Of course, identifying vulnerabilities is only half (or less) of the battle. Remediation takes time and effort. Most of the products I tested can tell you how to fix the problems they find, but the ones that go above and beyond can actually perform basic remediation steps (e.g., disabling vulnerable user accounts).

SNSI
For a fairly lightweight tool, SNSI is a robust product. Installation was quick, and a wizard walked me through the process of setting up my network scan (and helped streamline the scanning process). The attractive UI belied a somewhat complicated method of scanning the target's registry and file system but was easy to use once I got used to it. Sunbelt Software licenses Harris's Security Threat Avoidance Technology (STAT) to power SNSI's scan engine, so if you're familiar with STAT, the SNSI recommendations will be even easier to understand. The Help system was concise and descriptive.

For my first scan, SNSI's wizard had me define a scan group that contained my target computers. I could choose from a list of domain-enumerated computers or define my target set from an IP address range. This ability to create customized scan groups can be useful when you want to scan computers according to their function (e.g., all your Web servers or database servers).

After I defined a scan group, I needed to choose a vulnerability group that defined the vulnerabilities to look for. I could choose from a set of predefined groups, such as SANS Top 20 Internet Security Vulnerabilities, that scan for a specific set of vulnerabilities. (This particular group uses the security-focused SysAdmin, Audit, Network, Security--SANS--Institute Web site's list of the top 20 major Windows and UNIX vulnerabilities.) You can customize the predefined groups by adding vulnerabilities from a database of more than 2300 vulnerabilities, which SNSI categorizes as High, Medium, Low, or Warning. You can also use SNSI to perform port scans that enumerate the running services associated with each port on the target system--a capability that can help you distinguish appropriate network services from potential malicious software (malware). Unfortunately, the product embeds its port-scan results within its vulnerabilities results, making the port information difficult to spot. SNSI also lists all shares for the target, as well as associated permissions for disks, printers, and admin shares.

After completing a scan, you can sort the results and view details of discovered vulnerabilities and corresponding third-party (e.g., BugTraq, CVE, SANS, Microsoft Knowledge Base) references, as Figure 1 shows. SNSI doesn't include hyperlinks to those references but does offer excellent, verbose instructions for dealing with the problems it finds. The product's Scan History node lets you easily access earlier scans, and you can view or print your results in one of 15 built-in Business Objects' Crystal Reports-based reports (although you can't customize them).

See associated table

NetIQ Vulnerability Manager
NetIQ Vulnerability Manager (formerly VigilEnt Security Manager) consists of a Microsoft Management Console (MMC) snap-in, core services, a SQL Server 2000 database, and platform-specific agents. You need to install an agent on at least one target system in the domain you want to scan; you can then scan other systems in the domain by proxy. Of the scanners I tested, this product posted the quickest scan time and provided a lot of additional functionality (beyond simple scanning for known vulnerabilities), including user- and audit-specific scans and reports. For example, you can have the product return a list of "powerful users" who are members of the Administrators group or who can perform privileged operations such as taking ownership of or shutting down a system. The product's Help system is friendly and easy to use. The right-hand pane of the MMC console lists common questions and provides hyperlinks to the answers.

NetIQ Vulnerability Manager ships with a built-in database of more than 600 potential vulnerabilities, which this product calls security checks. The product arranges certain checks into 17 well-thought-out, predefined scans called policy templates. Performing a vulnerability scan consists of running one of these templates on a group of target computers. You can find basic templates that help get you started auditing for regulations, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Sarbanes-Oxley Act (SOX), or for best practices, according to lists such as the SANS Top 20; you can build your own checks as well. Built-in wizards let you quickly create custom scans designed to work with your systems' Active Directory (AD), registry, and user-account settings. You can schedule recurring scans--a plus for organizations that require regular audits.

NetIQ Vulnerability Manager also lets you run predefined tasks that list specific types of users, group memberships, file shares, or system services; you can use another built-in wizard or write a script to create your own tasks. NetIQ Vulnerability Manager uses these tasks when remediating identified vulnerabilities (e.g., when disabling or deleting an account, restricting a share or file permission, stopping an unsafe or unnecessary service).

You can have the product export reports into .html, .pdf, or .xls files and email them or post them to a share or Web site. NetIQ Vulnerability Manager adds a twist to its reporting by letting you assign risk and exposure weighting to servers and vulnerabilities; according to this weighting, the highest-risk systems appear at the top of the product's reports. Such enhanced statistics help you triage discovered vulnerabilities across your enterprise, beyond what's possible using more typical Low-, Medium-, and High-risk rankings. Another reporting highlight is the report viewer's Data View, which Figure 2 shows. This view lets you group, query, and sort results in real time so that you can more easily find specific information. You can export results to Crystal Reports, Adobe Systems' Adobe Acrobat, Microsoft Excel, Microsoft Word, or text formats.
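The two reporting points above--turning a long list of findings into a per-host summary (the aggregation and filtering discussed under Evaluation Criteria) and weighting that list by how exposed each server is--can both be done in a few lines once you have the scan data outside the product. The following script is an added example, not code from NetIQ or any other vendor in this roundup. The CSV layout, the check IDs, the severity weights, and the per-host exposure weights are all constructed for the example; adapt parse_findings() to whatever your scanner actually exports.

```python
"""Aggregate scanner findings per host and rank hosts by weighted risk.

Added example, not code from any product reviewed here. SAMPLE_EXPORT is
a constructed stand-in for a scanner's CSV export; SEVERITY_WEIGHT and
EXPOSURE are assumed scales you would tune for your own environment.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one finding per row. Check IDs are placeholders.
SAMPLE_EXPORT = """\
host,severity,check_id,title
web01,High,CHK-1001,Unpatched RPC service
web01,Medium,CHK-1002,Anonymous share enumeration allowed
web01,Low,CHK-1003,NetBIOS name exposed
db01,High,CHK-1004,Unpatched database listener
db01,High,CHK-1005,Blank sa password
db01,Low,CHK-1006,SNMP service running
wks17,Medium,CHK-1002,Anonymous share enumeration allowed
wks17,Low,CHK-1003,NetBIOS name exposed
"""

# Assumed severity scale (points per finding).
SEVERITY_WEIGHT = {"High": 10, "Medium": 5, "Low": 1}

# Assumed exposure weights: Internet-facing web01 counts triple, the
# database server double, and anything not listed counts once.
EXPOSURE = {"web01": 3.0, "db01": 2.0}
DEFAULT_EXPOSURE = 1.0


def parse_findings(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_host(findings):
    """Collapse the finding list into {host: {severity: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["host"]][f["severity"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def filter_findings(findings, min_severity="Medium"):
    """Keep only findings at or above min_severity."""
    threshold = SEVERITY_WEIGHT[min_severity]
    return [f for f in findings if SEVERITY_WEIGHT.get(f["severity"], 0) >= threshold]


def host_risk(findings, exposure=EXPOSURE):
    """Weighted score per host: sum of severity points times exposure weight."""
    raw = defaultdict(float)
    for f in findings:
        raw[f["host"]] += SEVERITY_WEIGHT.get(f["severity"], 0)
    return {host: points * exposure.get(host, DEFAULT_EXPOSURE)
            for host, points in raw.items()}


def rank_hosts(findings, exposure=EXPOSURE):
    """Return (host, score) pairs, highest risk first; ties broken by name."""
    scores = host_risk(findings, exposure)
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_EXPORT)
    print("Findings per host:")
    for host, counts in summarize_by_host(findings).items():
        print(f"  {host:6} {counts}")
    print("Hosts ranked by exposure-weighted risk:")
    for host, score in rank_hosts(findings):
        print(f"  {host:6} {score:6.1f}")
```

On this sample, counting severity points alone puts db01 (21 points) ahead of web01 (16 points); applying the exposure weights reverses that order (web01 scores 48, db01 42), which is the triage effect the weighting is meant to produce. Pass an empty dict as `exposure` to see the unweighted ranking.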

Unfortunately, the report formats are relatively generic, regardless of the policy template you used to perform the scan. The product's remedy explanations are inconsistent in their level of helpfulness; you often must hunt down solutions to found vulnerabilities. On the plus side, though, NetIQ Vulnerability Manager provides an AutoSync product update service that gives you access to TruSecure security bulletins and updated security checks. You can also use NetIQ Vulnerability Manager to check for missing patches on your target systems, although the product can't deploy those patches for you.

See associated table

GFI LANguard N.S.S.
The smallest of the scanners in this roundup, GFI LANguard N.S.S. includes a range of scans to help identify useful security information at a glance. The diversity of available scans is impressive, but the scanner's database is much smaller than the others in this roundup. The version I tested retains earlier versions' quick-to-launch, easy-to-use aspects but sports a new look, which Figure 3 shows. I rated the available Help documentation as fair.

The product, which stores scan results in either a Microsoft SQL Server Desktop Engine (MSDE) or SQL Server 2000 database, doesn't use scan groups. When you start a scan, you specify your target systems according to name, IP address range, or domain, or you import that information from a text file. The GFI LANguard N.S.S. vulnerability database includes more than 300 (predominantly UNIX) vulnerability checks. You can use the tool's GUI or built-in script editor and debugger to create your own vulnerability checks. GFI LANguard N.S.S. augments its vulnerability scans with share enumerations that include the target computer's permission settings, password policy, security-auditing settings, local users and groups, installed services, and startup type. GFI LANguard N.S.S. also provides TCP and UDP port scanning and highlights ports commonly used by Trojan horse programs, which can alert you to a compromise that has already taken place. GFI LANguard N.S.S. lists other useful information about the target system such as OS, network devices, registry information, and sessions. The product also provides additional tools that let you deploy Microsoft patches and custom software, perform DNS lookups, execute Traceroute or Whois functions, enumerate computers and users, and perform SNMP auditing (e.g., scan a computer or subnet for SNMP services that have weak community strings). I especially liked the Result Comparison tool, which lets you compare two previous scans. You can use this tool to create a baseline against which to compare subsequent scans. Combined with a recurring scan, you could set up a system to detect new computers or services that come online in your network. On the down side, despite its useful tools and options, GFI LANguard N.S.S. detected the fewest vulnerabilities of the products I tested and reported many false positives.
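The baseline-comparison idea described above is worth having even if your scanner lacks a Result Comparison tool: keep one snapshot of hosts and open ports as the baseline, scan again on a schedule, and report only what changed. The script below is an added example and is not GFI's code. Its snapshot format (one "host port/proto service" line per open port) and the two sample snapshots are constructed for the example; in practice you would generate the snapshots from your scanner's export.

```python
"""Diff two host/port snapshots to flag new hosts, new services and closed ports.

Added example, not GFI's Result Comparison tool. The line format and the
sample snapshots below are constructed; feed in whatever your scanner exports.
"""

# Constructed baseline snapshot: "host port/proto service" per open port.
BASELINE = """\
10.0.0.5 80/tcp http
10.0.0.5 443/tcp https
10.0.0.7 445/tcp microsoft-ds
10.0.0.7 139/tcp netbios-ssn
"""

# Constructed later snapshot: RDP appeared on the web server, NetBIOS
# session service went away on the file server, and a new SNMP host showed up.
CURRENT = """\
10.0.0.5 80/tcp http
10.0.0.5 443/tcp https
10.0.0.5 3389/tcp ms-wbt-server
10.0.0.7 445/tcp microsoft-ds
10.0.0.9 161/udp snmp
"""


def parse_snapshot(text):
    """Return {host: {(port, service), ...}}; blank lines are ignored."""
    snapshot = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, service = line.split(maxsplit=2)
        snapshot.setdefault(host, set()).add((port, service))
    return snapshot


def compare(baseline, current):
    """Return what appeared and disappeared between two snapshots.

    new_hosts / gone_hosts are sorted host lists. new_ports / closed_ports
    map host -> sorted (port, service) tuples; a brand-new host's ports are
    listed under new_ports as well, so nothing is hidden by the host-level view.
    """
    base_hosts, cur_hosts = set(baseline), set(current)
    delta = {
        "new_hosts": sorted(cur_hosts - base_hosts),
        "gone_hosts": sorted(base_hosts - cur_hosts),
        "new_ports": {},
        "closed_ports": {},
    }
    for host in cur_hosts:
        opened = current[host] - baseline.get(host, set())
        if opened:
            delta["new_ports"][host] = sorted(opened)
    for host in base_hosts:
        closed = baseline[host] - current.get(host, set())
        if closed:
            delta["closed_ports"][host] = sorted(closed)
    return delta


def format_report(delta):
    """Render the comparison as plain text lines suitable for email or a ticket."""
    lines = []
    for host in delta["new_hosts"]:
        lines.append(f"NEW HOST    {host}")
    for host in delta["gone_hosts"]:
        lines.append(f"GONE HOST   {host}")
    for host, ports in sorted(delta["new_ports"].items()):
        for port, service in ports:
            lines.append(f"NEW PORT    {host} {port} ({service})")
    for host, ports in sorted(delta["closed_ports"].items()):
        for port, service in ports:
            lines.append(f"CLOSED PORT {host} {port} ({service})")
    return lines


if __name__ == "__main__":
    delta = compare(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    print("\n".join(format_report(delta)) or "No change since baseline")
```

Run it after each scheduled scan and page on any NEW HOST or NEW PORT line; an RDP listener appearing on a web server, as in the sample, is exactly the kind of change a baseline comparison is meant to catch. Refresh the baseline only after someone has confirmed the change is authorized.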

N.S.S. presents its results in a Windows Explorer-like view; you can expand nodes to see more detailed data. Scanned vulnerabilities include risky services, incorrectly configured registry settings, and other published vulnerabilities from sources such as BugTraq. The product categorizes vulnerabilities as High, Medium, or Low security risks and, in some cases, lists a short (and fairly generic) description and a link to vendor or BugTraq remediation steps. For example, after encountering the SNMP service running on my target computer, the product reported

Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. You should check if your system is Vulnerable.

I'd have been happier if the tool had told me whether the SNMP service it found was actually vulnerable to a specific exploit. The product provides several attractive, predefined HTML reports showing scan-result data. You can create your own reports by using a simple wizard.

See associated table

Retina
Retina harnesses the ease of a small, nimble scanner and teams it with a comprehensive vulnerability database and high-performance scan engine to provide a top-notch scanner that excels at its primary mission to seek out and identify key system vulnerabilities. Retina includes several cross-platform auditing modules.

Retina's well-designed UI, which Figure 4 shows, makes setting up and managing scans a snap. When you begin the process of setting up a scan (called an audit), you can have the product discover computers on your network. This optional task uses Internet Control Message Protocol (ICMP), TCP, or UDP discovery methods to find systems on your network, then provides general information (e.g., name, OS, DNS name, media access control--MAC--address) about those systems. You can then add the computers to address groups, on which you can base the audit.

You begin an audit by defining a new scan job. Retina lets you target computers according to IP address, name, or address group. Retina port-scans the targets as a part of the overall audit; you can specify a port group (e.g., all ports, common ports, HTTP ports) that you want Retina to use, or you can create your own port group. Audit groups list the vulnerabilities that Retina will look for. Like many of the other products I've described, Retina includes an audit group to detect the SANS Top 20 vulnerabilities. Plus, Retina includes a full set of documented APIs so that you can create custom audits.

Retina's maker, eEye Digital Security, is a security lab that discovers and publishes many vulnerabilities, to the scanner's benefit. You can configure Retina to download updates from the vendor each time you run the program. Retina classifies vulnerabilities as High, Medium, Low, or Info and categorizes detected vulnerabilities into groups (e.g., Accounts, DoS, Wireless). During a scan, subtle use of icons and colors draws your attention to especially vulnerable machines or suspect ports.

After a scan has finished, you can switch to the program's Remediate view to see the results in depth. Retina lets you select and group the results by vulnerability or machine name and lets you sort the results according to IP address, name, or risk. You can view a remediation report from within Retina (it's formatted so that you can print it and use it as a remediation checklist), or you can export it in HTML or Word format. The report includes detailed information, including solutions and links to vendor updates (e.g., Microsoft security updates, BugTraq ID number, CVE number). Retina also includes a variety of predefined reports, such as Scan Summary, Vulnerabilities, and Network Shares. Many of these reports use graphics and provide a clear and concise summary of previous scans. Unfortunately, the reports don't offer drilldown capabilities, so you have to alternate views or reports when you want to access more detailed information. Retina can stand alone as a scanner but can also fit into the vendor's larger Retina Enterprise Suite, which includes REM Security Management Console and Retina Remediation Manager, to provide a complete threat identification, assessment, and remediation package.

See associated table

Nessus
Nessus is a popular open-source scanner for Windows and UNIX. The price is right--free--but as with most open-source software, Nessus isn't for the faint of heart: You'll need UNIX knowledge to install and configure it. That said, the product provides a huge database of vulnerability checks, called plugins, as well as author and community support. However, as an open-source program, Nessus offers no company or paid technical support to help you out of a bind. The community or freelance Nessus consultants are your only avenues for support. Also, be aware that Nessus uses intrusive scanning methods (the Web-exclusive sidebar "Intrusive vs. Nonintrusive Scanning," http://www.windowsitpro.com, InstantDoc ID 43872, explains the difference between intrusive and nonintrusive methods), so be wary when scanning production systems.

Nessus consists of software that you install on a UNIX (or Linux, or FreeBSD) back-end server, and a UNIX or Windows front-end client. For my tests, I used the product's Windows client, NessusWX 1.4.4, which I needed to download separately from the main scanner (http://nessuswx.nessus.org). Because the main scanner program isn't a Windows program and isn't natively Windows-aware, you might find yourself having to tinker with its credentials to leverage its Windows-based scans. However, both the main Nessus site and the NessusWX site contain excellent installation documentation. The Nessus Web site manages more than 2100 plugins that cover most platforms. Nessus categorizes the plugins into families (e.g., Common Gateway Interface--CGI--abuses, firewalls, ftp, port scanners).

The first step in conducting a scan is to create a new session, in which you define the scan targets and options. You can specify a host name or IP address, or import a list of targets from a text file. Nessus harnesses the popular free Network Mapper (Nmap) port scanner and provides additional port-scanning options--for example, pinging the targets or performing an SNMP port scan. You use the NessusWX UI to select plugins, as Figure 5 shows. This UI is responsive and easy to use. You can enable all plugins for a specific family, or you can enable plugins individually. A special Enable Non-DoS button turns on every plugin except those that Nessus classifies as dangerous (i.e., plugins that can crash or otherwise harm a target system because they test for a flaw by exercising it). Even with that button, be careful running the product against production systems: a plugin that isn't classified as dangerous can still upset a fragile service.

The scan executes in a separate window that gives real-time progress of the results and shows you the number of found vulnerabilities (classified as Holes, Warnings, Infos, and Ports) and each vulnerability's severity (High, Medium, or Low). After the scan, NessusWX launches a Manage Session Results dialog box, which shows you the results for each host and lets you export them to an .html, .pdf, or text file. You can also export results to a MySQL database or proprietary file. These utilitarian reports also include a description of the found problems. NessusWX doesn't provide custom reporting or prebuilt reports that highlight a specific area. Rather, the results appear in a long list that you must wade through.

See associated table

BindView RMS
BindView's solution is a more extensive security tool that goes beyond simple scanning. But if scanning is your main goal, you'll need to install several modules for a truly comprehensive solution.

BindView's vulnerability scanners take the form of bv-Control modules that plug in to the BindView RMS suite, which provides a separate RMS Console and Information Server. The bv-Control modules, which you must purchase separately, include queries and reports specific to a variety of platforms and products. For this review, I tested the RMS Console and Information Server 7.30, bv-Control for Windows 7.35, bv-Control for Internet Security 7.25, and the BindView Compliance Center 1.50. You'll also need SQL Server to store the configuration and scan information. BindView RMS provides an MMC snap-in to manage the main components and a Web console to manage the Compliance Center. BindView's RapidFire service provides program updates.

Due to the scope and complexity of the product, the installation process took longer and required more configuration than the other scanners I tested. Because of the need to run scans from multiple modules, a complete, internal/external BindView scan run also took considerably more time to finish than the other scanners needed.

At their core, most bv-Control modules consist of groups of queries. These queries provide a single gathering point for most of the internal security data you'll need about your network. The bv-Control for Windows module includes queries to enumerate shares, events, users, processes, and domains. Other queries perform domain, printer, machine, session, share, and storage analyses. Still others collect data for documentation, disaster recovery, or defined security best practices. The bv-Control for Windows module includes nearly 500 queries in all, and you can use these to achieve nearly all the functionality that the other scanners provide (e.g., managing patches, enumerating shares, listing users who have Administrator privileges, determining whether auditing is disabled). However, you must create a task list or use the Compliance Center to group these queries into regular and repeatable scans consisting of multiple queries.

The bv-Control for Internet Security module differs from the other modules in that it uses intrusive techniques and no credentials to attack your network as an intruder would. BindView recommends using the module to look into your network from the outside; this external view complements the other modules' internal focus. The module uses security checks (e.g., FTP servers, integrity, permissions, SNMP, Trojan horses, Web servers) developed by BindView's security-research team, RAZOR Rapid Response Team, and categorized into collections (e.g., SANS Priority One) that you can use to initiate a scan. This module supports network mapping, scanning and analysis, reporting, exporting, updating, and password-integrity checking.

After running bv-Control for Windows, you can view the resulting data in a variety of flexible formats, including data grids, graphs, and reports. In many cases, you can remediate problems on the spot by using the product's ActiveAdmin feature. You can review the results of a bv-Control for Internet Security scan by using the module's built-in report viewer, which Figure 6 shows. The module produces an HTML report that summarizes found vulnerabilities as High, Medium, or Low and provides a highly technical description and remediation information as well as links to other useful references. You can sort the results according to device, drill down into the results, and view charts of the data. This module also features autofix capabilities for certain vulnerabilities. Both modules let you view historical data. Together, the two modules provide robust information about your network's overall security. Remember, however, that you need to manage the results separately--you can't produce a compiled remediation report.

The BindView Compliance Center is a separate tool that leverages the bv-Control modules to assess your network against best practices. This nonintrusive, agentless Web portal uses a database of compliance information--for Windows users, the Center for Internet Security (CIS) Level-1 Benchmark for Windows 2000, version 1.1.7--to compare your network against a library of predefined technical standards. You can define an acceptable configuration (a gold standard), then compare target systems with that standard. However, you must purchase the database, which has a hefty price tag.
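The gold-standard comparison described above reduces to a table of expected settings, a table of observed settings per host, and a rule for each setting. The script below is an added example to show that logic; it is not BindView's Compliance Center and it is not a CIS benchmark. The setting names are modelled on Windows security-policy settings, but the standard, the operators, and the per-host observations are all constructed for the example.

```python
"""Assess hosts against a constructed gold-standard configuration.

Added example, not BindView Compliance Center or any CIS benchmark content.
GOLD_STANDARD and OBSERVED are constructed; the (operator, expected) form is
an assumption about how such a standard can be expressed.
"""

# Constructed gold standard: setting -> (operator, expected value).
GOLD_STANDARD = {
    "MinimumPasswordLength": (">=", 8),
    "MaximumPasswordAge": ("<=", 90),
    "LockoutBadCount": ("between", (1, 5)),
    "AuditLogonEvents": ("==", "Success,Failure"),
    "GuestAccountEnabled": ("==", False),
    "RestrictAnonymous": (">=", 1),
}

# Constructed observations, as a scanner's policy/registry queries might return them.
OBSERVED = {
    "fs01": {
        "MinimumPasswordLength": 8,
        "MaximumPasswordAge": 42,
        "LockoutBadCount": 3,
        "AuditLogonEvents": "Success,Failure",
        "GuestAccountEnabled": False,
        "RestrictAnonymous": 1,
    },
    "wks22": {
        "MinimumPasswordLength": 6,
        "MaximumPasswordAge": 42,
        "LockoutBadCount": 0,
        "AuditLogonEvents": "Success",
        "GuestAccountEnabled": True,
        # RestrictAnonymous deliberately absent: the query returned nothing.
    },
}


def check_value(op, expected, actual):
    """Evaluate one rule; unknown operators are an error, not a pass."""
    if op == ">=":
        return actual >= expected
    if op == "<=":
        return actual <= expected
    if op == "==":
        return actual == expected
    if op == "between":
        low, high = expected
        return low <= actual <= high
    raise ValueError(f"unknown operator {op!r}")


def assess_host(observed, standard=GOLD_STANDARD):
    """Return (setting, expected, actual, status) for every deviation.

    A setting the scanner could not read is reported as 'unknown' rather than
    silently counted as compliant, so gaps in collection stay visible.
    """
    deviations = []
    for setting, (op, expected) in standard.items():
        if setting not in observed:
            deviations.append((setting, f"{op} {expected}", None, "unknown"))
        elif not check_value(op, expected, observed[setting]):
            deviations.append((setting, f"{op} {expected}", observed[setting], "fail"))
    return deviations


def compliance_score(observed, standard=GOLD_STANDARD):
    """Fraction of checks that pass; 'unknown' counts as not passing."""
    return (len(standard) - len(assess_host(observed, standard))) / len(standard)


def assess_all(hosts, standard=GOLD_STANDARD):
    """Assess every host; returns {host: [deviations]}."""
    return {host: assess_host(obs, standard) for host, obs in hosts.items()}


if __name__ == "__main__":
    for host, deviations in assess_all(OBSERVED).items():
        score = compliance_score(OBSERVED[host])
        print(f"{host}: {score:.0%} compliant, {len(deviations)} deviation(s)")
        for setting, expected, actual, status in deviations:
            print(f"  {status:7} {setting}: expected {expected}, got {actual!r}")
```

The one design choice worth copying is how a missing observation is handled: it is reported as unknown and scored as a failure, because a scanner that could not read a setting (for example, because it lacked credentials on that host) has told you nothing about whether the setting is compliant.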

See associated table

Which Scanner Is for You?
For a pure vulnerability scanner, my top pick is Retina, with its solid, focused approach. The product's well-designed, efficient UI makes it easy to get down to business and begin scanning for vulnerabilities immediately; its powerful scanning engine and comprehensive database get results. If you're looking for a full security- and policy-management solution, BindView RMS is the most robust solution. If your main goal is regulation compliance, check out NetIQ Vulnerability Manager (just be aware that if an auditor requests a hard copy, you won't be able to customize the product's reports). If you're on a budget, Nessus is free and gives you an amazing amount of scan data, but unless you already understand quite a bit about UNIX or the product, be ready to spend time getting it up and running. If you aren't comfortable with your knowledge level--or with Nessus's intrusive techniques--try the reasonably priced SNSI, which provides detailed remediation steps for most vulnerabilities. If you already have some scanning functionality and are simply looking for additional capabilities, GFI LANguard N.S.S. would make a great addition to your toolkit, although I wouldn't use it as a dedicated vulnerability scanner because of its limited detection abilities. Whichever tool you decide on, remember: Any scanner's value can be realized only if you heed its recommendations and remediate at-risk computers as soon as possible.