[unisog] Commercial Vulnerability scanners?

Kathy Bergsma kathya at nersp.nerdc.ufl.edu
Tue Feb 18 15:36:15 GMT 2003


We currently use ISS IS, but we're looking closely at Server VAM from Latis.
It's a very nice front end to Nessus that will manage automated scans and
resulting workflow for repairs.  Pricing is aggressive; they offered a
competitive upgrade for the cost of our IS renewal.

 http://www2.stillsecure.com/products/svam/svam1.html

=============
Kathy Bergsma
UF IT Security Coordinator
352-392-2061

On Tue, 18 Feb 2003, Gary Flynn wrote:

> Christian Wilson wrote:
>
> >Hi,
> >
> >We have about 17000 computers on our network, and address vulnerability
> >management by using a combination of Nessus and other custom written tools.
> >
> >I was wondering whether others are using any of the commercial scanners out
> >there in the University environment, and if so what, and are they any good :)
> >
> Christian,
>
> We've been using ISS Internet Scanner here for several years. It was
> selected after all the products available at the time were evaluated.
> The second choice at the time was SARA.
>
> At the time of the evaluation, ISS detected several intentionally
> introduced vulnerabilities that were important in our environment that
> Nessus missed. There was also no comparison in reporting and integration
> capabilities in my opinion. Because the results are held in an Access
> database and because the scanner is controllable through the command
> line, with a little bit of SQL and scripting you can do just about
> anything you want. I don't care much for either the canned reports or
> using Crystal Reports to generate new reports.
>
> My main complaints with the ISS scanner are the black box approach to
> the vulnerability tests and the need to have Windows Administrator access
> for many of the tests. Without knowing what the tests are doing, it is
> difficult to sort out false positives or have confidence in the results.
> This, of course, is a business decision to protect their R&D in
> vulnerability tests, but it makes the product less useful than more open
> products. I also believe that the ability to create user tests is
> limited. On the other hand, many Windows vulnerabilities and policies
> cannot be determined by a network scan without either logging in or
> having a remote agent, so in environments where providing Administrator
> access can be accomplished, some significant data can be collected.
>
> I liked the SARA scanner because all the test scripts were in Perl and
> it allowed me to inspect and fine tune them as desired for our
> environment. At the time, it detected more vulnerabilities that I was
> interested in than other non-commercial scanners.
>
> After watching Nessus develop over the past couple of years I suspect
> the choice would be different today.
>
> I'd recommend that you contact a sales person and get a working copy of
> ISS or any other commercial scanner you are contemplating and perform
> your own tests in your environment. You can download a working copy of
> ISS Internet Scanner from their site but it will only scan itself
> without a license key.
>