I've downloaded the trial-edition of the Security Analyzer and the Log
Analyzer and they look quite OK.

Especially the SA. It connects to the webtrends site to download the latest
vulnerabilities for the most used platforms: M$, Red Hat, Solaris, ....

I only tested my own Win98 machine, but it gave around 33 high
vulnerabilities for Office, IE, W98, Virtual machine, ... and for every
vulnerability a solution (do this, download this patch, ....).

One thing that may be considered a downside is that it runs on Windows. But
easy to install and use.
Nessus on the other side only runs on non-Win platforms.

But I've read some interesting things on the list about such scanners. So
thanks Paul and Carric for your input.

Kind regards

Erwin

-----Original Message-----
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Friday, 5 January 2001 14:49
To: Carric Dooley
Cc: Erwin Geirnaert; Firewalls (E-mail)
Subject: Re: Webtrends Security Analyzer


On Wed, 3 Jan 2001, Carric Dooley wrote:

> I played with it a year ago or so, and the only thing that I found that
> was worse was Cisco's scanner (Net Sonar at the time).  I would look at:
> ISS Internet Scanner, CyberCop Scanner, and Nessus (free!!).  They all
> have their limitations, but are decent tools.

To be fair, a year is a hell of a long time with a changing product, and
Webtrends has put a lot of effort into their tool in the last 8 or so
months.  Also to be fair, all of the mentioned tools fail to find some
things consistently, or provide a veritable plethora of false positives.

The interesting thing about Webtrends is that its tests are Perl based
and can be extended pretty easily with new modules to take advantage of
the report stuff.  That's extended by the vendor, *or* by the customer.
I'm fairly certain that we didn't get anything proprietary out of them
when we looked at it to see how it extended.  

I did think that it was slow on some of its scanning stuff though- but
part of that may have been the scanner taking hostile fire from a somewhat
bored attacker on the same subnet testing some "interesting" attack stuff
;)

We're[0] spending effort normalizing the results between commercial tools
and some free and proprietary ones we use, but it's an ongoing effort, and
doing normalization sucks if you're still back in the "list 800 good old
vulnerabilities and generate a consulting services offer with the results"
mode.   

None of the tools "keep up" well, especially on the commercial side, and
some of them report a single problem a dozen ways.  Which scanner or
scanners you use really depends a lot on what you expect to do with the
scan results and why you're scanning in the first place, as well as scale
points and criticality of results.  

If you're using scanners for local self-testing, it's a good idea to be
one hop away from your target and let a router handle the ARP timeout
issues if you're scanning blindly, especially over a sparsely populated
address range.

Also, for some key vulnerabilities, some tools test only a specific way
which may miss vulnerable systems, so if there are specific
vulnerabilities which are important to you (such as the top N
vulnerabilities for a product or platform), you'll want to look carefully
at what's tested and how (sniffers and logging on a captive target help.)

Paul
[0] TruSecure Corporation, who employs me but doesn't necessarily endorse
my view of things, opinions or conclusions.  We may have agreements with
some or all (my recollection is at least half) of the vendors mentioned,
but I'm not sure if we've pursued a relationship with Webtrends.  NAI who
makes CyberCop is definitely a customer of ours in the ICSA Labs
certification environment for (at least) Anti-Virus and Firewall
products.  We don't do public testing or certification of scanners through
the Labs though and the bulk of our scanner usage is on the TruSecure side
of the business.  I hate when disclaimers are longer than messages so I'll
shut up now.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."