Scanning for network vulnerabilities, or security holes, got its start as a tool of the "bad guys." The most basic form of vulnerability scanning is port scanning — testing to see which TCP/UDP ports on a machine are "open" and thus vulnerable to intrusion. More sophisticated tools can also detect what operating systems and application versions are being run, what firewalls and packet filters are being used, and other information that is useful to a hacker in planning an intrusion or attack —and to a network administrator in defending against that same hacker.
Today's vulnerability scanning programs are designed with the "good guys" in mind, for the purpose of determining where your network's vulnerabilities are before someone else does, and even including features that help you to fix them. Most commercial scanners now have the ability to detect which computers on your networks are missing service packs and security hotfixes. Thus, a good vulnerability scanner is an important part of your patch management strategy.
In this article, we'll examine how vulnerability scanning works, take a look at some popular scanning tools (both freeware and commercial) and discuss how vulnerability scanning can make the onerous task of keeping up with patches and fixes a little easier.
A brief history of vulnerability scanning
One of the first vulnerability scanning tools to gain wide recognition was the Security Administrator Tool for Analyzing Networks (SATAN). Although its name proclaimed its user audience to be security administrators, its acronym implied that it could also be used for less noble purposes. Interestingly, its next incarnation was known as the Security Administrator's Integrated Network Tool (SAINT)—perhaps in an effort to dispel doubts about its intended use.
Other SATAN-based tools quickly appeared, such as the Security Administrator's Research Assistant (SARA), which provided a Web-based interface. These early scanners were built primarily for UNIX/Linux operating systems and were distributed as freeware. However, SAINT has grown into a commercial product licensed on a subscription basis that is also marketed in appliance form (the SAINTbox).
Today there are literally hundreds of vulnerability scanning products on the market. There are also free and commercial scanning services. Services can scan your network from the outside, in the same way a real intruder would do. Instead of installing software, you go to a Web site that performs a scan on your machine. Many of the free services are specialized— for example, they search only for security vulnerabilities in your Web browser. In the next two sections, we'll discuss what vulnerability scanners do and then look at different types of vulnerability scanners.
Discovering your network's vulnerabilities before a hacker does (and doing something about them) seems like a common sense approach. However, Sunbelt Software did a poll last year that indicated that only a little more than half (55%) of companies responding use vulnerability scanners. Budget and time factors may prevent some companies from implementing vulnerability scanning, but there are free scanning tools available. In many instances, management and/or IT personnel don't fully understand the role that vulnerability scanning can play in a comprehensive network security strategy.
What does a vulnerability scanner do?
It may seem obvious: a vulnerability scanner scans for vulnerabilities. But what types of vulnerabilities, and what does it do once it finds them? Those are the questions that set different vulnerability scanners apart.
All scanners share one weakness: they can only scan for known vulnerabilities. And that means vulnerabilities that are known to their vendors. Like anti-virus and anti-spyware programs, vulnerability scanners depend on databases that contain the descriptions of the vulnerabilities they can detect. No matter how well the product's scanning engine works, its ability to detect security holes is only as good as the database it uses. Also as with AV and anti-spyware products, it's essential that the database be updated on a continuing basis to include newly discovered vulnerabilities.
Types of scans
Types of vulnerabilities for which VS software scans can include:
- Open ("listening") ports
- Unnecessary services
- DDoS agents and similar malware
- Means of remote access (terminal services, PCAnywhere)
- Password crackers
- System configuration errors/unsafe configurations
- Coding flaws/unsafe code
- Missing service packs and security fixes
Vulnerability scanning usually starts with a "discovery" phase, in which active devices on the network are identified and information about them (operating system, IP address, applications installed, etc.) is collected. Good scanners include a reporting function that allows you to prioritize information and customize reports to fit your needs.
Be aware that scanning the network uses network bandwidth and system resources and thus can slow performance when used during productivity periods.
What a vulnerability scanner doesn't do
Vulnerability scanners are sometimes confused with related but different tools. For example:
- Vulnerability scanners don't do the job of an Intrusion Detection System (IDS). The IDS is a reactive tool; it detects attacks and intrusions when they occur. The vulnerability scanner is a proactive tool; it detects the potential for attacks and intrusions. It's like the difference between a burglar alarm that goes off when someone breaks into your house and a security assessment that shows you which doors have weak locks, which windows can be easily opened, etc.
- Vulnerability scanners don't do the job of a firewall. The vulnerability scanner finds the weak spots in your network; it doesn't prevent existing vulnerabilities from being exploited.
- Vulnerability scanners don't do the job of anti-virus and anti-spyware products. Although scanners may detect some types of malicious software such as DDoS agents, they can't substitute for dedicated AV/anti-spyware solutions. Malware often enters the network through ports that need to be open and protocols that need to be allowed.
A vulnerability scanner is just one of several tools that work in combination to protect your network.
Categorizing vulnerability scanners
There are several different ways to categorize vulnerability scanning products. Popular divisions include hardware vs. software scanners, host-based vs. networked based scanners, and passive vs. active scanners.
Hardware vs. software scanners
Products such as Sunbelt's Network Security Inspector (SNSI) and GFI's LANGuard are software products that run on Windows. Other vulnerability scanners, such as the SAINTbox, are dedicated appliances. There are advantages and disadvantages to both approaches.
Software scanners give you more flexibility. You can choose the hardware on which the scanner is installed, and that hardware may be able to do "double duty." Since the software scanner runs on a regular network operating system, the system can perform other server functions along with scanning. You can easily upgrade the hardware if you need to, to meet increasing capacity needs.
Proponents of appliances argue that they are more secure because they often run on a proprietary operating system or a non-Windows OS such as UNIX. Appliances are also easier to set up; they are "turn key" solutions that you can generally just plug into the network and start using. No software installation or configuration is required. Because the box does only one thing, an appliance may also be faster.
Host vs. network scanners
A host-based scanning product scans the computer on which it is installed. Network wide "host based" scanners require you to install "agent" software on each computer that will scanned. This isn't necessary with network-based scanners, but the network-based scanner uses more resources on the computer on which the scanning software is installed. In addition, the host-based system that uses agents may be able to scan for more types of vulnerabilities than a network-based scanner. The agent usually has privileges that allow it to check such things as password integrity, file permissions, etc.
Network-based scanners often include tools that will "map" or "footprint" the network, providing you with information to construct a diagram showing all the systems on the network, the operating systems and applications they're running, and the vulnerabilities of each.
Both host- and network-based scanners can let you scan multiple systems from a centralized location, and you can usually select which devices to scan.
Passive vs. active scanners
Passive scanning products are designed not to interfere with normal network activity. They can run continuously in the background, monitoring the systems and checking for vulnerabilities without degrading network performance or crashing the systems.
Active scanners try to penetrate the systems in much the same way that a real hacker would. They can sometimes cause interruption of network services or bring servers down, so they should be run during times when network usage is low (such as at night or on the weekend). They perform a much more aggressive and more thorough scan.
It is sometimes desirable to run a passive scanner in an "always on" mode and also run a more thorough active scan at regular intervals.
Popular vulnerability scanners
There are hundreds of vulnerability scanners on the market, and some that can be downloaded free. In general, the commercial products are more sophisticated, with stronger scanning engines and databases that are updated frequently.
Some popular commercial vulnerability scanners include:
- Sunbelt Network Security Inspector (SNSI): a host-based enterprise level software scanner that uses agents to provide thorough scanning. It installs on Windows 2000, XP or Server 2003 in just a few clicks and will scan systems with a wide variety of platforms, including all Windows operating systems since Windows NT 3.51 and Windows 95, as well as many versions of Linux, Mac OS X, Sun Solaris, HP-UX and Cisco IOS. Licensing is per-administrator (seat). For more information, see
- GFI LANguard Network Security Scanner (NSS): a network-based enterprise level scanner that Integrates vulnerability scanning with Windows patch management and deployment (using patch agent software installed on the target machines). Runs on Windows XP/2000/2003. Licensed per IP address.
- eEye Retina: Functions as a vulnerability scanner and spyware detection tool; known for being "unobtrusive" and fast (can scan an entire class C network in about 20 minutes). Can be installed on NT 4.0 with SP6a in addition to Windows XP/2000/2003. Per IP or unlimited Enterprise licensing.
- SAINT and SAINTbox: Available as software product that runs on multiple platforms (Windows and UNIX/Linux) or as an appliance that runs on a hardened Linux OS and scans all TCP/IP systems on class B and C networks.
- Foundstone Enterprise Vulnerability Management appliance: High end (and high priced) very robust enterprise level appliance that includes a SQL database for storing information. Managed through Web portal. The software can also be purchased separately.
Vulnerability scanning services
Vulnerability scanning services use scanning engines and databases that reside on the vendor's server. They are usually provided on a subscription basis. An advantage is that the service performs the scan from outside your LAN, across the Internet, in the same manner as a hacker would attempt to penetrate your network. Another advantage is that you don't have to buy hardware or software. A disadvantage is that an outside company has your vulnerability information. The ongoing cost may also be a disadvantage (for example, the Foundstone service starts at $9,500 per year). Some scanning services include:
- Qualys: QualysGuard offers perimeter-only or internal and perimeter scanning on an annual subscription basis, based on number of IP addresses. It's an on-demand service available through almost any Web browser.
- Foundstone Vulnerability Assessment Service: Yearly subscription-based on-demand vulnerability assessment performed from Foundstone Operations Center. Customers log on through Web portal.
Although far less sophisticated and robust than the commercial products and services, a number of free scanning tools are available. These include:
- Nessus: Open source vulnerability scanning tool that runs on Linux/UNIX.
- Nmap: Free "network mapper," available in Linux/UNIX, Mac OS X and Windows versions.
- MSBA: Microsoft Baseline Security Analyzer. While not exactly a vulnerability scanner, it identifies security misconfigurations and missing security updates on Windows systems and can be downloaded for free.
Integrating vulnerability scanning and patch management
Vulnerability scanning is only one component of your security strategy, and a good vulnerability scanner is an important part of your patch management program because it lets you know which systems are missing critical security updates. This information can then be used for deploying service packs and security fixes, either manually, using a separate patch management program, or in some cases, using the patch deployment features included in the vulnerability scanner itself.
Better safe than sorry
Many companies are not yet using vulnerability scanning technologies to identify the weak spots in their networks, but those that do have an advantage in keeping a step ahead of the hackers. Remember, just because you aren't scanning your network for vulnerabilities, that doesn't mean someone else isn't. Regular vulnerability scanning and assessment with a good scanning engine that uses an up-to-date database is an essential part of an effective security strategy.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.