[unisog] Commercial Vulnerability scanners?

Tom Throckmorton throck at hbs.edu
Tue Feb 18 16:17:54 GMT 2003


...speaking of Nessus front-ends, i've come across at least 3 other
companies that offer online vulnerability scanning that (at least appear
to) use Nessus:

http://www.prosumis.com/
http://edgeos.com/services/edgesecure/
http://www.securityspace.com/smysecure/index.html

I can't speak to the effectiveness of Nessus on the scale that you're
looking at (we only have around 3,000 nodes here), but remember in the
early days there were some scaling issues; out of curiosity, is that why
you're looking for another product?

-tt

On Feb 18 10:36, Kathy Bergsma wrote:
> We currently use ISS IS, but we're looking closely at Server VAM from Latis.
> It's a very nice front end to Nessus that will manage automated scans and
> resulting workflow for repairs.  Pricing is aggressive; they offered a
> competitive upgrade for the cost of our IS renewal.
> 
>  http://www2.stillsecure.com/products/svam/svam1.html
> 
> =============
> Kathy Bergsma
> UF IT Security Coordinator
> 352-392-2061
> 
> On Tue, 18 Feb 2003, Gary Flynn wrote:
> 
> > Christian Wilson wrote:
> >
> > >Hi,
> > >
> > >We have about 17000 computers on our network, and address vulnerability
> > >management by using a combination of Nessus and other custom written tools.
> > >
> > >I was wondering whether others are using any of the commercial scanners out
> > >there in the University environment, and if so what, and are they any good :)
> > >
> > Christian,
> >
> > We've been using ISS Internet Scanner here for several years. It was
> > selected after all the products available at the time were evaluated.
> > The second choice at the time was SARA.
> >
> > At the time of the evaluation, ISS detected several intentionally
> > introduced vulnerabilities that were important in our environment that
> > Nessus missed. There was also no comparison in reporting and integration
> > capabilities in my opinion. Because the results are held in an Access
> > database and because the scanner is controllable through the command
> > line, with a little bit of SQL and scripting you can do just about
> > anything you want. I don't care much for either the canned reports or
> > using Crystal Reports to generate new reports.
> >
> > My main complaints with the ISS scanner are the black box approach to
> > the vulnerability tests and the need to have Windows Administrator
> > access for many of the tests. Without knowing what the tests are doing,
> > it is difficult to sort out false positives or have confidence in the
> > results. This, of course, is a business decision to protect their R&D
> > in vulnerability tests, but it makes the product less useful than more
> > open products. I also believe that the ability to create user tests is
> > limited. On the other hand, many Windows vulnerabilities and policies
> > cannot be determined by a network scan without either logging in or
> > having a remote agent, so in environments where providing Administrator
> > access can be accomplished, some significant data can be collected.
> >
> > I liked the SARA scanner because all the test scripts were in Perl and
> > it allowed me to inspect and fine tune them as desired for our
> > environment. At the time, it detected more vulnerabilities that I was
> > interested in than other non-commercial scanners.
> >
> > After watching Nessus develop over the past couple years I suspect the
> > choice would be different today.
> >
> > I'd recommend that you contact a sales person and get a working copy of
> > ISS or any other commercial scanner you are contemplating and perform
> > your own tests in your environment. You can download a working copy of
> > ISS Internet Scanner from their site but it will only scan itself
> > without a license key.
> >
> >

-- 
Tom Throckmorton
Harvard Business School
Network Operations Center
(not actual size shown)
