Smart security: network scanners

Summary: Before a hacker reveals the gaps in your network security, do it yourself. Using a network vulnerability scanner is like hiring a hacker, only the intelligence is artificial.

Don't wait for a hacker to show you where your network's vulnerabilities lie. Be smart, and use a network scanner with intelligence--artificial intelligence (AI), to be precise.

That's what the latest generation of network vulnerability scanners do--they probe your network in order to learn its weaknesses. Some scanner makers, though, shy away from calling the process AI, at least partly for marketing reasons. As explained by Dave Cole, director of products at scanner vendor Foundstone in Mission Viejo, CA: "Maybe it's AI at some basic level, but that is not what the customers are focusing on--they are having enough trouble with standard vulnerabilities."

But whatever the process is called, network vulnerability scanners combine databases of known security problems with complex logic to find security weaknesses before a human hacker does. The software generates a list of problems that it finds, and often includes notes on how to correct them, explained Mike Rasmussen, an analyst at Giga Information Group. Network scanners do not, however, look for vulnerabilities in the configuration of a given host, or in application code--host scanners and code scanners do that.

Scanners also don't guarantee security: a minor hole may still be exploited by an expert, while a major hole may sit behind a firewall that blocks every probe. "It's not a question of whether you are safe, but of how protected you are," said Oliver Day, sales engineer at eEye Digital Security in Aliso Viejo, CA, which has a scanning product called Retina. "You will never know that until you gauge it, and you can't do it just once and leave it at that."

Meanwhile, scanning just the perimeter (the ports facing the outside world) is not enough--you also have to look at the interior of the network, since attacks originate there, too. Day recalled a client who discovered that someone had installed a wireless access point in an empty cubicle with an open network port. This allowed the person to sit in the parking lot and divert network traffic, Day explained.

"Gentleness" is a quality scanner vendors now emphasize more often, meaning their software shouldn't crash running systems. First-generation software would query ports with non-compliant requests to see how the operating system responded, but that method could crash networked printers and industrial equipment with limited error handling, Cole explained.

Rasmussen said the leading network vulnerability scanning software packages are Internet Scanner from Internet Security Systems (ISS); newcomer Cyc Corp.'s CycSecure; eEye's Retina; Foundstone's FoundScan; NetRecon 3.5 from Symantec; and a French freeware product called Nessus.

Christopher Klaus, founder and CTO of ISS (which Rasmussen identifies as the market leader), likened the task of the scanner to "twisting the door knobs to find out what vulnerabilities exist." He preferred to use the term "expert rules" instead of AI. He said his software will scan ports on a network and use information it has picked up at one port, such as insecure passwords, to attempt penetrations elsewhere. (He said ISS can penetrate most corporate networks because in-house programmers often use Web ports for other applications, such as instant messaging.)

At Symantec, NetRecon product manager Harold Toomey also preferred the term "expert system." He boasted that his product also uses progressive scanning, but added that it emphasizes safety--it won't crash a trading floor, he said.

At eEye, Retina uses an AI feature called Common Hacking and Attack Methods (CHAM), explained Day. CHAM includes intelligent algorithms that look for buffer overflow and Web server protocol weaknesses. Plus, it can be set to perform network-wide or selective sweeps, at pre-set times and intervals, Day said.

At Foundstone, Cole indicated that the details of how the scanning is done are secondary. "The challenge is to communicate the risk in business terms," he said. To that end, he said FoundScan emphasizes accurate but "gentle" scans, combined with guidance on fixing whatever problems it uncovers.

Cyc Corp., for its part, freely admits to using AI. The company, it turns out, is the last traditional AI firm, having spent the last 18 years developing a database with second-order predicate calculus intended to endow software with common sense.

Cyndy Matuszek, CycSecure's project manager, said the product (still in beta) not only generates a list of vulnerabilities, it uses AI to generate an "impact statement" so that the users can judge which vulnerabilities are worth their attention. "Of five hundred problems on a network, only 20 may play into problems that you care about," she noted. It also uses AI to find vulnerabilities that would be more obvious to a human than to a machine, like pet names used as passwords, and knowing that it is suspicious if anyone but the system administrator installs a packet sniffer.
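To make concrete what the article describes--a database of known problems matched against what the probes find, and an "impact statement" that ranks the hits by what the business cares about--here is a small scanner skeleton in Python. It is an added example, not code from any of the vendors above. The issue database, the host address 192.0.2.10, and the banners served by the simulated host are constructed for the demo; the real-socket `grab_banner` is included so the same logic can be pointed at a host you are authorized to scan.

```python
"""Minimal network vulnerability scanner skeleton (added example, not vendor code).

Probe ports with well-formed ("gentle") requests, collect banners, match them
against a database of known issues, and rank the hits by business impact.
The issue database and the simulated host below are constructed for the demo.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Protocol-compliant probes only: malformed requests are what first-generation
# scanners used for OS fingerprinting and what crashed printers and PLCs.
# None means the server speaks first (FTP/SMTP/Telnet greeting), so we just read.
PROBES: Dict[int, Optional[bytes]] = {
    21: None,
    23: None,
    25: None,
    80: b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n",
}


def grab_banner(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """One connection per port: send the compliant probe (if any), read one banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            probe = PROBES.get(port)
            if probe:
                s.sendall(probe)
            return s.recv(512).decode("latin-1", "replace")
    except (OSError, socket.timeout):
        return None  # closed, filtered, or silent: not a finding by itself


@dataclass(frozen=True)
class Check:
    name: str
    port: int
    predicate: Callable[[str], bool]  # evaluated on the banner text
    severity: int                      # 1 (informational) .. 5 (critical)
    fix: str


# Constructed issue database: generic hygiene checks, not claims about any
# real product or advisory.
VULN_DB: List[Check] = [
    Check("telnet exposed", 23, lambda b: True, 3, "disable telnet; use SSH"),
    Check("anonymous FTP advertised", 21, lambda b: "anonymous" in b.lower(), 3,
          "disable anonymous login or restrict it to a read-only share"),
    Check("web server discloses version", 80,
          lambda b: re.search(r"^Server:\s*\S+/\d", b, re.M | re.I) is not None, 1,
          "suppress the version in the Server header"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    name: str
    severity: int
    impact: int
    fix: str


def scan_host(host: str, ports: Iterable[int], probe=grab_banner) -> Dict[int, str]:
    """Return {port: banner} for the ports that answered."""
    banners: Dict[int, str] = {}
    for port in sorted(ports):
        banner = probe(host, port)
        if banner is not None:
            banners[port] = banner
    return banners


def assess(host: str, banners: Dict[int, str], criticality: int) -> List[Finding]:
    """Match banners against VULN_DB; rank by severity x asset criticality (1..5).

    The criticality weight is the 'impact statement' idea: the same hole on a
    trading system outranks it on a lobby kiosk.
    """
    findings = []
    for check in VULN_DB:
        banner = banners.get(check.port)
        if banner is not None and check.predicate(banner):
            findings.append(Finding(host, check.port, check.name, check.severity,
                                    check.severity * criticality, check.fix))
    return sorted(findings, key=lambda f: (-f.impact, f.port))


# Constructed stand-in for a real host so the demo runs offline.
FAKE_BANNERS = {
    21: "220 ExampleFTPd 1.0 ready. Anonymous login permitted.\r\n",
    23: "\xff\xfd\x18\xff\xfd\x20login: ",
    80: "HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/0.9\r\n\r\n",
}


def fake_probe(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    return FAKE_BANNERS.get(port)


def demo() -> List[Finding]:
    banners = scan_host("192.0.2.10", PROBES.keys(), probe=fake_probe)
    return assess("192.0.2.10", banners, criticality=4)


if __name__ == "__main__":
    for f in demo():
        print(f"[impact {f.impact:2d}] {f.host}:{f.port} {f.name} -> {f.fix}")
```

Swapping `fake_probe` for `grab_banner` in `demo()` runs the same checks against a live host; keep the timeout short and the probes compliant, which is the whole of the "gentleness" the vendors describe.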

All the products scan TCP/IP networks. Pricing for Foundstone's FoundScan starts at $35,000 for up to 256 IP addresses; maintenance costs extra. The software runs on a Windows host.

Retina from eEye also runs on Windows and costs $6,520 for one scanner covering up to 256 IP addresses. Each scanner license, or "activation key," handles up to 512 IP addresses. The annual price of maintenance is around 30 percent of the initial purchase price.

The single-machine version of ISS's Internet Scanner, which also runs on Windows, is a free download; but a license for 250 devices will cost you $6,095; a perpetual license for 250 devices costs $11,400. Both prices include maintenance.

Pricing for NetRecon 3.5 starts at $3,995 for up to 256 IP addresses, or $19,995 for an unlimited number. It runs on a Windows host. The annual cost of maintenance is 18 percent or 25 percent of the original price, depending on how much support you want.

CycSecure runs on a secure (Linux-based) server. The cost is reportedly "several thousand dollars" for the server, and then $10 to $100 per IP address, depending on the scale.

The Nessus Security Scanner is a free download that runs on Unix-like systems, such as Solaris, FreeBSD, and Linux.

So, while they may call the process various names, what's important is that these systems will probe your network like a hacker would, poking and prodding it with patience and expertise you hope no hacker will ever possess. Putting an AI scanner in your corner should keep your network from being knocked out by the human variety.
