SUMMARY: Vulnerability Scanners

E. Larry Lidz ellidz at
Wed Jan 28 22:43:46 GMT 2004

Sorry it has taken me so long to summarize the results of this survey.
There was quite a bit of interest in the results. Hopefully this is
helpful to others as well as to us.

Product            Network Size 

ISS                3 Class Bs
Nessus             3 Class Cs
Nessus (+ home)    1 Class B
Nessus plus        1 Public Class B/2 Private Class Bs
Nessus             1 Class B
Foundscan          25,000 systems
Visionael          Unknown
Nessus             19,000 devices
Nessus             1 Class B + a few Cs
Nessus/ISS/Retina  4 Class Bs (47,000 IPs)
Nessus             15,000 IPs
ISS                3,000 IPs, soon 8,000
ISS/Nessus         1 Class B (18,000 IPs)
SARA               200 systems
Retina             Class B

                                General Comments

I ignored people using nmap and specific exploits or specialized
scanners for specific vulnerabilities. However, this seems to be an
almost universal practice -- to some extent, it seems like people don't
totally trust the large scale tools to catch specific vulnerabilities
that are common as much as they trust single purpose tools.

                                 Specific Tools

ISS and Foundscan have the ability to cut license keys that allow
departments to scan a subset of the university network. At least a
couple schools are doing this to allow local support people to scan
their own machines. ISS's technical support was not highly rated by
at least one institution.

People generally thought that Nessus has easy-to-write rules and has
rules updated in a timely manner. One institution didn't trust it to run
unattended. It appeared to be quite accurate but would occasionally DoS
some devices (embedded devices such as printers seemed to be the big
culprits).  People weren't, by and large, overwhelmed by the quality of
its reports.

Visionael was a GUI for Nessus; it is reported to be fairly early in
development, but gaining quality quickly.

Retina appeared to be solid technically, but there was some concern
that their technical support wasn't the best.

                               General Practices

People had gone to some lengths to automate scanning and store results
in a database.  By and large, people seemed to use scanners to intensively
scan one machine or to check a lot of machines for a few specific
problems (most often the SANS Top Twenty).  Scanning large networks for
all known vulnerabilities was fairly rare.

A few places appear to have some "policy" type checks that they have
programmed -- such as whether hosts are running services that only
support Kerberos as required by their security policy.

One school has looked into using passive network auditing tools as they
are concerned about the effectiveness of network scanners as host based
firewalls come into play. It seems early to pass judgment on these
sorts of tools as they are in their infancy (we've found similar things
with them here, too).


E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
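The "General Practices" section above describes automating scans, storing results in a database and adding policy-type checks (such as flagging services that cannot use Kerberos). The following is an added example of that workflow and is not code from the original post or from the unisog list: it loads Nessus-style pipe-delimited NBE result lines into SQLite and queries them for hosts exposing cleartext-password services. The exact NBE field layout is an assumption, and the sample lines are constructed, not real scan output.

```python
"""Load Nessus .nbe result lines into SQLite and run a policy-style query."""
import re
import sqlite3

# Constructed sample in the classic NBE layout (field order is assumed):
#   results|subnet|host|port|plugin_id|severity|description
SAMPLE_NBE = """\
timestamps|||scan_start|Wed Jan 28 20:00:00 2004|
results|10.1.1|10.1.1.5|telnet (23/tcp)|10281|Security Note|Telnet server is running
results|10.1.1|10.1.1.5|ssh (22/tcp)|10267|Security Note|SSH server type and version
results|10.1.1|10.1.1.7|ssh (22/tcp)|10267|Security Note|SSH server type and version
results|10.1.1|10.1.1.7|ftp (21/tcp)|10092|Security Warning|Anonymous FTP enabled
results|10.1.1|10.1.1.9|general/tcp|10180|Security Note|Ping the remote host
"""

PORT_RE = re.compile(r"^(?P<svc>\S+) \((?P<port>\d+)/(?P<proto>\w+)\)$")
# Policy assumption for this example: these protocols authenticate with
# cleartext passwords and cannot use Kerberos, so they must not be listening.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap"}

def load_nbe(text, conn):
    """Parse 'results' lines into a findings table; returns the rows stored."""
    conn.execute("CREATE TABLE IF NOT EXISTS findings (host TEXT, service TEXT,"
                 " port INTEGER, proto TEXT, plugin_id INTEGER, severity TEXT,"
                 " description TEXT)")
    rows = []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue  # skip timestamps and malformed lines
        m = PORT_RE.match(fields[3])
        if not m:
            continue  # 'general/tcp' entries carry no concrete port
        rows.append((fields[2], m["svc"], int(m["port"]), m["proto"],
                     int(fields[4]), fields[5], fields[6]))
    conn.executemany("INSERT INTO findings VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)

def policy_violations(conn):
    """Hosts listening on cleartext services, as (host, service, port) tuples."""
    marks = ",".join("?" * len(CLEARTEXT_SERVICES))
    cur = conn.execute("SELECT DISTINCT host, service, port FROM findings"
                       f" WHERE service IN ({marks}) ORDER BY host, port",
                       sorted(CLEARTEXT_SERVICES))
    return cur.fetchall()

def audit(text):
    """Load one NBE export into an in-memory DB; returns (row count, violations)."""
    conn = sqlite3.connect(":memory:")
    return load_nbe(text, conn), policy_violations(conn)

if __name__ == "__main__":
    count, bad = audit(SAMPLE_NBE)
    print(f"{count} findings loaded")
    for host, svc, port in bad:
        print(f"{host}: {svc}/{port} violates the Kerberos-only policy")
```

Pointing `audit()` at a real `.nbe` file's contents gives the same two-step result: a reusable findings table plus the short list of policy violations that the post says most sites actually care about.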
