Scanning software for detecting network vulnerabilities in remote systems

Retina 3.0, from eEye Digital Security, provides updated network vulnerability scanning. eEye, a security software company, takes an active interest not only in providing network vulnerability scanners such as Retina, but also in researching new vulnerabilities on an ongoing basis—something that only a handful of companies are doing.

Features and Benefits
Retina runs on both Windows 2000 and Windows NT 4.0 servers. eEye has designed the software to scan across LANs and WANs to centralize the auditing process, a real help for administrators who must check systems that aren't always directly accessible. Retina scans for 550 vulnerabilities, including user account security problems, Denial of Service (DoS) vulnerabilities, mail server security holes, and even firewall issues.

Retina's primary function is to scan a server and list the details it exposes, letting you see exactly what you're revealing to outsiders and possibly finding vulnerabilities that you might never have considered. A reporting engine that lets you view, print, or save the results of scans and other activities complements the scanning function. Retina also includes a new Common Hacking Attack Methods (CHAM) feature. During the audit process, CHAM lets Retina perform simulated attacks that mimic the actions hackers are most likely to take, to help you identify problems that might not be readily known or visible. As an added feature, Retina includes a function called Fix-It—an auto-update utility, alert function, and scan scheduler that lets you set up scans for any time of the day or night.

Installation and Use
Retina's hardware and software requirements are a Win2K server or an NT 4.0 server with Service Pack 3 (SP3), 32MB of RAM, and, for remote scanning, Microsoft Internet Explorer (IE) 4.01 or later. For testing Retina, I used both a 233MHz Pentium system with 96MB of RAM and a 450MHz AMD K6-2 system with 128MB of RAM, running Windows NT 4.0 with SP6a and Windows 2000 Server with SP1, respectively. I didn't notice any difference between the two systems as far as Retina's scanning performance goes, other than the obvious benefits in overall system performance.

Installation couldn't be easier; I simply hit the Enter key four times. I didn't need to reboot afterward, which is great for systems that you might not be able to bring down during installation. Retina installs like any typical Windows application, and when you're not using the program, you can close it or minimize the window. Once launched, Retina displays a clean interface; the layout looks like a Web browser or Microsoft FrontPage, as Figure 1 shows. The modules are listed in the left panel. The first module is Browser, which lets you browse the Web from within Retina. The next module is Miner, which focuses on scanning Web servers for vulnerabilities: it mines the Web site, gleaning all the information it can about possible holes and account vulnerabilities. Scanner, the third module, is Retina's most important function and is where most administrators will spend their time. The fourth module, Tracer, is an extra feature: a graphical traceroute program.

Basic scans require little setup. You simply enter the IP address or URL of the server you want to scan and click the Go button. After 2 or 3 minutes, Retina generates a report about the server that lists any weaknesses, open ports, user accounts, and any other facts it gathered about the system. The report is fairly detailed, with the information sorted into categories. Select an item, and in the box directly below the right-hand window, Retina provides information about that item, whether it's a system vulnerability or a user account vulnerability (for example, the IP Services echo service), as Figure 1 shows.

If you want to increase or decrease the number of vulnerabilities the program scans for, schedule your scans for a specific time, or customize different audit options for different systems' needs, you simply choose from the easy-to-understand options that the Audits menu provides, as Figure 2 shows. You can also save these options to use again. You can turn on or off every scan option, including Retina's more aggressive functions: CHAM and Brute Force Scanning.

CHAM is an idea relatively new to the vulnerability scanner scene. Retina uses artificial intelligence (AI) to simulate an intruder or security analyst attempting to exploit possible holes that aren't blatantly obvious. I was able to test this feature, which works by using tried-and-true attack patterns to try different exploits on the system to find undiscovered flaws. In its current form, CHAM attempts buffer overflow attacks on the system being scanned. You can enable or disable this feature—not everyone wants to risk the possibility of bringing down an active server by finding a previously unknown security hole. Although I had no problems with the testing scans, it's a good idea to make sure the system isn't in use during the times you schedule scans. You can also enable Force Scanning, which tells Retina to scan systems even if they don't reply to ping attempts. The other option, Brute Force Scanning, enables brute force password checking against systems to expose weak accounts.

When I performed a regular system scan with CHAM, Force Scanning, and Brute Force Scanning turned off (the default), the scans completed in less than 5 minutes for NT 4.0 and in only a couple of minutes for Win2K systems. When I enabled the Force Scanning or Brute Force Scanning options, however, scanning speed took a nosedive. Achieving the same results as a regular scan takes significantly longer, up to 5 minutes for Win2K. Although you might expect this delay, the extra time you spend doesn't seem to result in reports that are much different. Even using the Brute Force Scanning option on a system with standard accounts and easy passwords didn't provide any added information from the scan. It would appear that no passwords were obtained on the two systems; besides slowing the scan process on the several tests I ran, Retina produced no passwords in the reports.

When Retina does find a problem, however, it's thorough. On one test, I was stunned to see that the scan cracked open the system of a local, medium-sized business, showing all information about the server, including over 30 vulnerabilities. Although this scan took considerably more time than the previous scans (around 15 minutes), the information the scan gleaned would be invaluable to a security analyst or administrator.

Once you find vulnerabilities, you can select them one at a time to get information about each problem and learn whether a Microsoft hotfix exists for the vulnerability. If so, Retina provides a direct link to the hotfix so that you can simply click to get the information or download the hotfix, which is a real timesaver. As you look at each vulnerability, a window occasionally appears that gives you the option of having Retina automatically fix the problem; you simply click a button. Unfortunately, I was unable to ascertain whether there's any way to automate the Fix-It process. So far, the items that Retina can fix automatically appear to be limited to registry entries. Also, if you're scanning from a central workstation, Retina can't fix these problems over the network; you must go to the system locally to fix the problem. However, you can set up alerts to notify you if Retina finds vulnerabilities during a scheduled scan. In the scheduler window, you simply click the time(s) of the day or night you want Retina to scan. I did notice when scanning a few different servers that Retina issued several false alerts. This isn't a big issue because you can simply confirm that the problem is, in fact, corrected (as it was in this case). However, false alarms can waste administrators' time if they don't know whether the problem is real.

After the software completes its scans, you have the option of generating a report; you simply click a button on the menu bar. Reports generate in less than 30 seconds on average, depending on how much information you choose to include. Retina generates the reports in HTML and formats the documents with a professional look, listing basic information about the system and ranking the vulnerabilities by type and severity. The reports are detailed enough to complement any security analyst's report, yet simple enough for anyone who just wants a quick update on the system's status, as Figure 3 shows. You can print the reports or save them for later use.
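To make the type-and-severity ranking and the false-alert handling concrete, here is an added Python example; it is not part of the review and not eEye's code. It takes a constructed list of findings (hypothetical hosts, categories, and hotfix identifiers; the review does not show Retina's actual report format), ranks the categories the way the HTML report is described as doing, and flags any finding whose referenced hotfix the host's own patch inventory already records as installed, so that an administrator re-verifies it by hand instead of trusting a possibly stale alert.

```python
"""Triage scanner findings: rank by type and severity, flag alerts to re-verify.

Added example, not part of the review and not eEye's code. All hosts, categories
and hotfix identifiers below are constructed placeholders.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Higher number = more severe; used both for ordering and for "worst in category".
SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str                  # report section, e.g. "User Accounts", "IP Services"
    title: str
    severity: str                  # one of SEVERITY_ORDER's keys
    hotfix: Optional[str] = None   # vendor fix the finding points to, if any (placeholder ids)


# Constructed sample findings; hosts and hotfix ids are hypothetical.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("10.0.0.10", "IP Services", "echo service enabled", "low"),
    Finding("10.0.0.10", "User Accounts", "Guest account enabled", "medium"),
    Finding("10.0.0.10", "Web Server", "unpatched Web server issue", "high", hotfix="HOTFIX-EXAMPLE-1"),
    Finding("10.0.0.11", "Mail Server", "open SMTP relay", "high"),
    Finding("10.0.0.11", "Web Server", "unpatched Web server issue", "high", hotfix="HOTFIX-EXAMPLE-1"),
    Finding("10.0.0.11", "IP Services", "chargen service enabled", "low"),
    Finding("10.0.0.11", "Denial of Service", "packet reassembly DoS", "medium", hotfix="HOTFIX-EXAMPLE-2"),
]

# Constructed patch inventory: what each host itself reports as installed
# (on NT-era systems this would come from the host's own hotfix registry keys).
SAMPLE_APPLIED_HOTFIXES: Dict[str, Set[str]] = {
    "10.0.0.11": {"HOTFIX-EXAMPLE-1"},
}


def validate(findings: List[Finding]) -> None:
    """Reject findings with a severity the ranking does not understand."""
    for f in findings:
        if f.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {f.severity!r} on {f.host}: {f.title}")


def rank_by_type_and_severity(findings: List[Finding]) -> List[Tuple[str, Dict[str, int], int]]:
    """Return (category, {severity: count}, total) tuples, worst category first.

    Categories are ordered by their most severe finding, then by how many
    findings they hold, then alphabetically so the order is deterministic.
    """
    validate(findings)
    by_category: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        by_category[f.category][f.severity] += 1

    def sort_key(item):
        category, counts = item
        worst = max(SEVERITY_ORDER[s] for s in counts)
        return (-worst, -sum(counts.values()), category)

    return [
        (category, dict(counts), sum(counts.values()))
        for category, counts in sorted(by_category.items(), key=sort_key)
    ]


def flag_for_reverification(findings: List[Finding], applied: Dict[str, Set[str]]) -> List[Finding]:
    """Findings whose referenced hotfix the host already records as installed.

    These are the likely false alerts (the scanner may be keying on a banner or
    version string the fix did not change). They are returned for manual
    confirmation, not silently dropped, since the inventory can be wrong too.
    """
    return [f for f in findings if f.hotfix and f.hotfix in applied.get(f.host, set())]


def render_summary(findings: List[Finding], applied: Dict[str, Set[str]]) -> str:
    """Plain-text version of the ranked report plus the re-verification list."""
    lines = ["Vulnerabilities by type and severity:"]
    for category, counts, total in rank_by_type_and_severity(findings):
        ordered = sorted(counts, key=SEVERITY_ORDER.get, reverse=True)
        detail = ", ".join(f"{sev}={counts[sev]}" for sev in ordered)
        lines.append(f"  {category:<20} {total:>3}  ({detail})")
    suspects = flag_for_reverification(findings, applied)
    lines.append(f"Findings to re-verify (hotfix already recorded as applied): {len(suspects)}")
    for f in suspects:
        lines.append(f"  {f.host}  {f.category}: {f.title}  [{f.hotfix}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(SAMPLE_FINDINGS, SAMPLE_APPLIED_HOTFIXES))
```

The flagged findings are kept in the output rather than removed: a scanner alert that disagrees with the host's own patch inventory is exactly the case the reviewer describes, and the cheap resolution is to confirm on the box, not to trust either side blindly.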

Currently, Retina may be too expensive for the consultant or security analyst, and that's the person I see as benefiting the most from this product. The software provides plenty of information quickly, letting analysts focus on specific areas without having to waste time enumerating the network first. eEye's pricing on an enterprise package is fair, making it a bargain. A range of 10 IP addresses costs only $640, affordable even for a small- to medium-size business. All packages include free updates and customer service for the first year; additional years are available at an extra cost.

The Bottom Line
Retina does a good job of scanning networks. Although Hewlett-Packard's (HP's) WebEnforcer provides a more complete package for local security scanning, with its ability to fix 90 percent of all vulnerabilities automatically and more quickly, Retina has the advantage of letting a user scan remote systems. As eEye continues to develop this product, Retina should prove to be one of the better products available for scanning network vulnerabilities, and I recommend it, if not for its good enumeration abilities, then for its development path.

Retina 3.0
Contact: eEye Digital Security, 1-949-349-9062
Web: http://www.eeye.com
Price: Prices start at $640 for a range of 10 IP addresses and go up to $35,000 for an enterprise; each package includes the first year's maintenance; after the first year, annual maintenance is available for an added cost.
Decision Summary:
Pros: Easy to use; solid enumeration of Windows 2000 and NT 4.0 servers; direct links included to Microsoft hotfixes; clean interface; professional-looking reports; CHAM-simulated "hacker AI" adds to auditing abilities; consistent updates provide new features and added value.
Cons: Some false alerts; Fix-It functions appear mostly limited to registry fixes and can't fix over the network; high price for the consultant's and security analyst's package; brute force password attacks slow scans to a crawl and don't appear to generate any results.