During the past few weeks, I've been concentrating my reviews on security scanning tools. This week, I'll continue with a look at Internet Security Systems' (ISS') Internet Scanner 6.1, which ISS markets as part of its SAFEsuite of products. Internet Scanner runs on and scans Windows NT and UNIX systems, but as with all my reviews, I'll focus on using this product in an NT environment.
Features and Benefits
Internet Scanner is an automated tool that consists of four modules: the scan engine, the user interface, the reporting module, and the security knowledge database. The scan engine executes the network tests that probe all TCP/IP devices for any potential security risks. The user interface lets you either interactively run and observe the progress of the scans or use the software's scheduling tool to run scans at a predetermined time. You can also use command-line options to control the scanner. The reporting module lets you generate hard-copy and electronic reports. The software lets you create different levels of reporting, from technical reports for systems administrators to high-level summaries for executives. With Internet Scanner's security knowledge database, the software can execute more than 600 unique tests based on information provided by the X-Force, a security R&D organization.
Internet Scanner is a feature-rich product that offers many benefits. For example, the fast, easy-to-use interface lets users easily and quickly identify each host and its associated risks. Internet Scanner uses ISS's patented SmartScan technology to test systems the way an attacker would. SmartScan finds weak links in your configuration and attempts to use these discoveries to further compromise the system and identify risks that might not be obvious. In addition to the database of 600 unique tests that ships with Internet Scanner, the software automatically adds new tests and software updates using the included ISS X-Press Update utility.
One of Internet Scanner's best assets is its powerful reporting features. The reporting is, by far, better than most competing products. Reports include descriptions of each vulnerability and suggestions for fixing them. (Unlike some other scanning products on the market, Internet Scanner does not let you automatically fix problems or adjust Registry entries.) Internet Scanner collects data from each scan and stores the information in a database that lets you retrieve the data and use it in a variety of different ODBC-compliant programs. If you can't find a built-in report that suits your needs, you can create custom reports and use third-party programs to easily manipulate scanner data. Internet Scanner also interfaces with other SAFEsuite products, such as ISS's Database Scanner.
Installation and Use
At a minimum, ISS recommends that you install Internet Scanner on a system with a 200MHz Pentium processor, 128MB of RAM, 140MB of hard disk space, and NT Workstation 4.0 with Service Pack 5 (SP5). For large network scans, ISS recommends that you use at least a 300MHz Pentium II, 256MB of RAM, and 240MB of hard disk space. ISS strongly recommends that organizations dedicate an NT workstation for the scanner. As with all my reviews, I installed and tested ISS on a 500MHz Pentium III system with 512MB of RAM.
After the software installs all the necessary files, you must manually install the custom ISS raw packet driver that comes with the product. This driver installs as a network component of NT, so you must reboot after installation. When you start Internet Scanner, a pop-up window appears that lets you easily create a new scan, as Screen 1 shows.
When you select Create a New Session and click OK, you see several Scan Policy options. Each ISS Scan Policy is classified by a level rating, levels 1 through 5. Level 1 (L1) is nothing but a simple network inventory, and level 5 (L5) is a complete vulnerability scan on each selected host. Along with different intensity levels for each Scan Policy, ISS also offers policies specific to hosts running Web services.
I began my tests by running an L1 Inventory scan. ISS recommends that you perform this scan first to inventory the entire network. Internet Scanner then uses the information from this scan during future scans. The L1 Inventory scan took no time at all, and it gave me a complete inventory of my network and its hosts. I then ran the L5 scan, which took about 15 minutes to complete. After the scan finished, Internet Scanner presented me with a summary of all vulnerabilities the software detected. Internet Scanner generated a report listing each vulnerability sorted by severity, as Screen 2 shows. The scanner's overall performance was not as impressive as that of a few of its competitors, but this might be the result of the massive number of unique tests that Internet Scanner performs.
Behind the Times
I have always been an ISS fan, but in the rapidly changing world of security, ISS has not changed very much over the years. Internet Scanner is an excellent product, but a lot of ISS' competitors are gaining ground and offering competitive products. Newer products such as BindView's HackerShield match, if not surpass, Internet Scanner's features. Up-and-coming products such as eEye's Retina are also rapidly improving and will soon threaten ISS' market share. With a rather hefty price tag, ISS Internet Scanner, which was probably the first tool in my toolkit long before I started writing these reviews, has lost its spot to BindView's HackerShield, a more cost-effective, and in my opinion overall better, product.
Security for the Masses
After reviewing several security scanners during the past few weeks, I want to share one final thought. A concern I have with many security scanners is that a lot of vendors promote their products as tools for non-security experts. However, to truly understand the information that these scanners present, you need to understand the issues behind each vulnerability and the effect of making changes to your system. Companies and systems administrators who don't understand security and rely on a product to advise them of their security vulnerabilities are asking for trouble and probably missing out on a lot of potential problems. Companies concerned about their security must rely on knowledgeable security professionals, and you can't simply replace these individuals with a software product. Security scanners make life easier when assessing systems for vulnerabilities, but they are only effective when used by qualified security professionals.
You should also watch out for claims about the number of vulnerabilities that a company says its product scans for. Although the vendors claim that their products scan for a variety of vulnerabilities, it's not clear whether the vendors are using a specific standard when they classify each vulnerability. When you purchase a scanner product, remember that it's important to understand what the vendor considers a vulnerability and what it does not.
Contact: Internet Security Systems * (678)443-6000
Price: $2795.00 for a 30-device license; $4995.00 for a 254-device license
Pros: Mature and stable. Large vulnerability database with 600 unique tests. Advanced reporting capabilities. Well-established security R&D team that actively seeks out new vulnerabilities.
Cons: Detects certain vulnerabilities that other scanner products don't classify as vulnerabilities. Slightly slower performance than other scanner products I've reviewed. Expensive compared with its competitors.