A number of companies now offer Web-based auditing tools that will scan your network and report vulnerabilities free of charge. These tools are mixed in terms of their reliability, and the companies acknowledge that to get a true sense of how secure—or insecure—your Internet connectivity is, a full audit is still necessary.

But these freebie tools offer a quick snapshot of possible vulnerabilities and present some useful information you can act on to better secure your network. You have to view the information the audits display with some level of skepticism, however, because not all Web-based tools appear to be equally thorough. Even the ones that seem to do a more comprehensive job present the data with a sales pitch to entice you to invest in fee-based audit services. But despite the obvious marketing tactics, you can come away with some helpful feedback on your network if you use these tools.

Available options
I test-drove three Web-based security-audit tools: Shields UP, SecurityMetrics, and DataScope. Shields UP is an easy-to-use program from Steve Gibson’s Gibson Research Corporation and is aimed at Windows users. Gibson offers other security tools as well, including LeakTest, which tests firewall security.

DataScope is an IT consultant firm located in St. Louis. It offers a wide range of services in addition to a free Web-based security audit. SecurityMetrics, Inc., has a number of Web-based tools for auditing security and also offers a security monitoring appliance you can order from its Web site.

Differences in the approaches the three take to auditing Internet security were minor, but they returned some widely varying results and presented those results in various ways. In the end, the report from one tool left me skeptical, when compared to the results of the other two. The matter-of-fact presentation of one tool’s findings made it appear the most reliable and thorough product.

Shields UP
Gibson’s Shields UP is the most streamlined and easy to use of the three tools. It’s also the only one that requires a download. Actually, the download isn’t really required, but a message on the site states that if you don’t use the utility, Shields UP may incorrectly identify your system’s IP address.

In fact, when I ran the test from my machine, which is on a private network hidden behind a firewall, Shields UP was unable to correctly determine the IP. So I downloaded and installed the IP Agent utility (Figure A), which is only 20 KB in size, and ran it to perform the test.

Figure A
Shields UP IP Agent

You can begin the test by running the IP Agent utility or by clicking one of two buttons to either test your firewall or probe your ports. Shields UP then displays a series of browser windows updating you on its progress.

The good thing about Shields UP is that it quickly performs its test and displays the results in your browser window. You don’t have to wait long to find out what the program has determined about your Internet security.

You’ll see a table like the one in Figure B showing what Shields UP tested and how well your Internet security fared. As you can see from the results, Shields UP found my system to be very secure.

Figure B
Shields UP test results

Gibson’s tool recognized that my computer was on a private network, and the message it presented claimed that such networks are inherently safe because it would be difficult for potential hackers to actually find it. As you can see from the test results, Shields UP found that the ports it scanned were closed and that the computer was essentially hidden from outsiders. Figure C shows Gibson’s explanation of private networks.

Figure C
Private IPs are unreachable.

Most would agree with the idea that computers on private networks are more secure than others. Shields UP did display a disclaimer, however, stating that passing with flying colors doesn’t necessarily mean that you’re completely safe and can rest easy. Gibson acknowledged that he’s still working on Shields UP to ensure that it performs thorough tests and delivers accurate results, and he advised users to consider the newer version of the product in beta.

Similar tests using other utilities seem to indicate that Gibson is right to caution users not to feel too secure. SecurityMetrics, for example, had a different story to tell about my Internet security.

Unlike Shields UP, SecurityMetrics doesn’t display results immediately in a browser window. Instead, it requires that you enter details about your network, including your company URL, e-mail server address, and firewall address. You can leave some items blank if you choose not to test them. Figure D shows the initial screen that requests the server information.

Figure D
SecurityMetrics requires network details.

Once you’ve entered the necessary data and agreed to the terms of use document—which states that you are not to use this tool on networks you don’t have permission to test and that you should consult your network administrator before setting up the audit—SecurityMetrics displays a message that it will send you an e-mail with a link to the results. The message also says that the test can take several hours. Unlike Shields UP, you don’t see any progress indicators on screen while the audit is being conducted.

Sometime later, you receive an e-mail stating that the test is complete, and a hyperlink opens a browser window to the results page. I had to wait a few hours after the test to receive my notification.

SecurityMetrics grades your security on a pass/fail basis. Risk factor scores below 4 are passing. Scores of 4 and above are failing. SecurityMetrics gave me a failing score with a total risk factor of 30. By its reckoning, that looks pretty bad. According to those results, though, it’s not the security of my computer itself that failed, but the security of the overall network’s vulnerability to attacks launched from the Internet. Figure E shows the vulnerabilities that SecurityMetrics uncovered. Note that some results were unavailable in the free test.

Figure E
Reported vulnerabilities

SecurityMetrics seems to have performed a much more thorough scan of my network than Shields UP, and it offers a consultation service to help fix the vulnerabilities it discovers. It also presented very detailed information about each audited item and the results. The information could be valuable in making decisions about how to improve security.

This approach is similar to that of DataScope, which also performed a thorough scan and sent detailed results via e-mail.

Of the three Web-based tools, DataScope seemed to take the most staid and matter-of-fact approach, and in my mind, that gave it more credibility. The DataScope interface was similar to that of SecurityMetrics. It requested much the same information, as you can see in Figure F, and it performed the tests without displaying any kind of real-time progress meter in the browser.

Figure F
DataScope security audit

DataScope also sends a link to the results via e-mail, and, like SecurityMetrics, it uncovered a number of possible vulnerabilities. The audit report presented detailed information about each vulnerability and listed figures on the number of addresses scanned, the number of hosts detected, and the number of alerts (relating to vulnerabilities). Instead of grading security on an arbitrary pass/fail basis, DataScope’s audit merely presented data on what it discovered, along with details about the nature of each vulnerability. Icons indicated the severity of each vulnerability, with additional links offering complete audits for set fees. For example, DataScope reported the following two high-risk alerts associated with open ports:
Possible ASP source using ::$Data trick
Possible unicode directory traversal bug: allows arbitrary commands to be run

The fee DataScope quoted for conducting a complete audit to fix such vulnerabilities was $289.

Both SecurityMetrics and DataScope are in the business of making money from their services, so it’s no real surprise that their free audits point you toward their fee-based services. But both performed thorough audits of Internet security.

Final thoughts
Of the three products, I lean toward DataScope’s auditing tool because it scanned thoroughly and presented detailed information about the vulnerabilities it discovered. Although the SecurityMetrics tool also performed well, I preferred the matter-of-fact way in which DataScope presented its data. Instead of giving a pass/fail grade, it simply displayed the facts along with a severity indicator.

Shields UP is free and doesn’t push you to pay for additional services, but it didn’t seem to perform as thorough a scan as the other two products. It’s ideal for home users with broadband connections, however, and it might be helpful to advise your VPN users and telecommuters to take advantage of this tool.