> I am currently using ISS Scanner 6.21, but have been
> told by a few people that it isn't worth the
> associated costs.
I know it's a semantics issue, but think about what types of "costs" you're referring to. I'd used ISS's Internet Scanner, versions 5.6 - 6.01. With the false positives we received, I decided to design my own scanner for NT systems. The company I worked for endorsed it, and some other engineers developed a similar tool for Linux/*nix systems. In one case in particular, we got 22 hits for "AutoAdminLogon" being set. We then took a look at the data collected from the scanner I wrote...and found that on 21 of them, the AutoAdminLogon Registry key had a value of "0". MS says that the functionality is activated by a value of "1"..."0" is disabled. In that case, had we gone to the customer with our findings w/o verifying them first, the "cost" would have been our reputation. Another "cost" could have been the license fees associated with running two disparate commercial scanners (Nessus wasn't available at the time).

We ended up finding ourselves going to the raw data collected by my app so often that we just stopped using ISS. Tracking false positives, discovering false negatives, and dealing w/ other issues (SNMP scan crashing HP-JetDirect cards, etc.) became so much work that we started using the tools we'd developed or other freeware solutions instead.

> What is the best security scanner overall?

What do you consider "best"? Cost? Speed? Accuracy? The most comprehensive list of vulnerabilities?

> What about from a cost/performance standpoint?

Again, while "cost" isn't as subjective, "performance" is...

> I have heard that nessus is very good.

Yes.

> Can anybody confirm that? Any other suggestions/thoughts/comments?

Here's something to keep in mind... If you're running the scanner as a consultant, that's one thing. If you're running it as a security admin, that's another issue. Basically, you're relying on some third-party arbitrary definition of what "security" is for your architecture.
The company that wrote the scanner has no idea how your architecture was developed, and yet you're relying on them to quantify security for you. Most of the scanners don't adapt their findings if the IP addresses they encounter are private addresses. They don't incorporate firewall/router ACLs, switch VLAN settings, etc., into their database when they make the decisions on what constitutes a high/med/low risk.

Also keep in mind that the scanners will find the holes, but they don't identify the _real_ issues. What I mean is, if you scan a network and find an NT machine w/ SP1, some w/ SP3, and some with SP4, 5, and 6a...what's the real issue? Or what if all the NT systems have the same SP, but it's 4? Sure, ISS will find the holes, but what is the real issue regarding security? Lack of education and training on the part of the admins? The manager, maybe?

Just some thoughts...

Carv
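Verifying an "AutoAdminLogon" scanner hit the way the post describes (the key being present is not the same as it being set to "1"), as an added PowerShell example that is not part of the original message. It assumes a local Windows host, the standard Winlogon key path, and an elevated session; the function name is invented here.

```powershell
# Added example (not from the original post): confirm or refute a scanner's
# "AutoAdminLogon set" finding by reading the actual Winlogon values rather
# than trusting that the value name merely exists.
# Assumes: local Windows host, standard Winlogon key path, elevated session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoAdminLogon {
    param([string]$Path = $winlogon)

    # Stop if the key itself is missing; that is a different finding entirely.
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $value = $props.AutoAdminLogon

    # AutoAdminLogon is a REG_SZ string; only "1" enables automatic logon.
    # A present value of "0" is the false-positive case from the post.
    $enabled = ($null -ne $value) -and ([string]$value).Trim() -eq '1'

    [pscustomobject]@{
        Present            = $null -ne $value
        RawValue           = $value
        Enabled            = $enabled
        DefaultUserName    = $props.DefaultUserName
        # A cleartext DefaultPassword alongside an enabled autologon is the
        # real exposure; report only whether it is set, never its contents.
        HasDefaultPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
    }
}

$r = Test-AutoAdminLogon
if (-not $r.Present) {
    "AutoAdminLogon value absent: scanner hit is a false positive"
}
elseif (-not $r.Enabled) {
    "AutoAdminLogon present but set to '$($r.RawValue)': disabled, false positive"
}
else {
    "AutoAdminLogon enabled for '$($r.DefaultUserName)'; cleartext DefaultPassword set: $($r.HasDefaultPassword)"
}
```

Run it on each host the scanner flagged before the finding goes into a report; the third branch is the only one that should survive as a confirmed issue.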