Wednesday, November 22, 2006

Performance Analysis: Network Security Scanners

PC Magazine Labs has taken an in-depth look at the six network vulnerability scanners in our roundup, as well as the tools included in our sidebars (the Foundstone FS1000 Appliance, Microsoft Baseline Security Analyzer (MBSA), Nmap, and Stealthbits Technologies' StealthAudit). When we tested how well they could catch basic network vulnerabilities, all the scanners performed adequately. But the quality—and more important, the ease of use of the reports the products generate—varied significantly.

Our test network comprised a Linksys BEFVP41 router and a mix of Microsoft Windows clients and servers (Windows 98, 2000 Workstation, 2000 Advanced Server, and XP). We also deployed Linux hosts (Red Hat 8 and 9 Professional, SuSE Enterprise Server 8, and SuSE 8.1 Professional) to test each application's cross-platform capabilities.

We updated all systems with all appropriate patches, but we did not fix a select number of critical vulnerabilities on the target hosts. On our Windows hosts we left vulnerabilities described in Microsoft Security Bulletins MS03-039 (Buffer Overrun In RPCSS Service, CAN-2003-0715, CAN-2003-0528, and CAN-2003-0605) and MS03-041 (Vulnerability in Authenticode Verification, CAN-2003-0660). Under the right circumstances, both can let hackers execute code on target systems.

We left our Linux machines vulnerable with an exploitable version of OpenSSH (CAN-2003-0682, CAN-2003-0693, and CAN-2003-0695), a file share (/usr) exported with no access restrictions (CAN 1999-0554), and a denial-of-service vulnerability in the Unix Domain Name Service BIND 9.1.3 (CAN-2002-0400). Such Linux vulnerabilities can create a severe security risk, compromising your network and data.

All the products correctly identified the Windows vulnerabilities, and their reports included references to the appropriate Microsoft Security Bulletins. But the Linux vulnerabilities posed a bigger challenge to some of the Windows scanners.