Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Scanner Comparison

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Scanner Comparison

    This is a fairly decent comparison of the major players in network scanning. It's certainly worth a look but keep in mind that some of the info in here is certainly debatable as well.

    http://www.infosecuritymag.com/2003/mar/cover.shtml

    Hope this helps!

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Interesting. I've never heard of Internet Scanner until now. I'm also curious as to why NMAP wasn't considered (at least for mapping). I'll have to check out ISS. They've always made decent products. Yet another one by them.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    It was a fairly interesting read, but I wonder how much effort they spent in tweaking their configurations before they ran the scanner...depending on what settings you use, it can make or break the effeciency with which you scan and the number of false positives that you encounter. I have used both the scanners that they rated pretty highly and they are both pretty comparable and fairly reliable.

    I would give the edge to ISS however because it generally is much much faster at scanning (especially for a large number of addresses), and if properly setup, has less false positives (or at least that is what I have found, contrary to the article). I have also found the reporting to be much better and more professional; however, there are two major drawbacks to ISS, their licensing (which to their credit I think they are changing, but it used to be you could only scan the same IP twice in a year, and that you have to apply for the key everytime you want to scan (longest I saw was a 30 day key) and their cost...

    I also noticed that nessus typically does a better job of updating the signatures or attacks that it checks for. You can usually find a check for a vulnerability much sooner at nessus than you will from an ISS XpressUpdate (which is how ISS updates it); however, brownie points for ISS is that it is updateable on the pressing of a button...

    The last thing that kind of struck me funny, is their saying that the scanners acted oddly when encountering non-standard ports. I have yet to see a single one that did very well in this category, even when told about the service...

    If I had to make a recommendation, I would say nessus for small to medium size networks, and if you could afford it, ISS for a large one (the cost is ghastly)...

    My $0.02 worth...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    Originally posted here by MsMittens
    Interesting. I've never heard of Internet Scanner until now. I'm also curious as to why NMAP wasn't considered (at least for mapping). I'll have to check out ISS. They've always made decent products. Yet another one by them.
    ISS is known for their flagship product RealSecure, but I know Internet Scanner has been around for quite some time. It's a scanner which produces great reports, but IS 6.21 engine is never updated since last year -- now they're releasing IS 7.0 beta.

    As for nmap, Nessus is based on nmap, isn't it? And since we're talking about scanner comparison, see also this Remote Scanning Utilities for Microsoft Hot Fixes and Service Packs comparison (September 25, 2002 but I think still up to date).

    Peace always,
    <jdenny>
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, Nessus does use nmap to port scan.

    We take a layered approach to scanning. We use a combonation of the tools listed in the article. To date, this method has produced very good results. Our method tends to give you a better idea of the vulnerabilities out there.

    Oh yeah, the ISS license fee is INSANE (as mentioned above). We have a site license and the price tag was staggering.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    thehorse13:

    Thats interesting, when we spoke to ISS they flat out refused to give us a site license and wanted to charge us 'per ip address' for the whole class A address space... erm I think not. Needless to say we are looking for other solutions now!

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    UKnetSec, you might want to ask again if you haven't talked to them in a couple of weeks. They have just adjusted their policies on keys and the like so that it readily more easily integrates with their new RealSecure integration line (Site Protector). It has always integrated, but the scanner keys would always expire after 10 or 30 days, depending on what you selected when you downloaded the key. I think we had to talk to them a few times and once we made it really clear that we weren't paying by IP, we got a site license, but it was atrociously expensive.

    And to answer the question about nessus and nmap, yes, nessus has an nmap engine built into it to do the initial scan of ports/computers, and it is tweakable (the options passed to nmap) from just about every GUI I have seen for nessus (there are at least three...).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    UKNetSec,
    Yes, you can get an ISS site license. I don't believe there are restrictions on licensing outside the US as I see that you are from the UK. The best thing to do is call in to sales and ask about the requirements for a site license. We have 10,000+ nodes so we were able to negotiate to get one. I can't imagine why they would have tried to screw you so hard with a "per seat" price but on the flip side, the tech sector is bleeding out the a$$ right now and you'd be surprised what SEs (sales engineers) will offer you in order to close a deal.

    Yes Nebulus, nmap is integrated with Nessus. The interesting thing about the article is that the testers did not bother to set the range in Nessus so when they praise other scanners for finding services on unusual ports, they seem to miss the fact that by default, Nessus will only scan the privileged port range (1-1024). If they would have set this option, Nessus would have done the same as the others. Ya have to really look into tech articles these days. Most of them are lacluster at best.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    nebulus200 & thehorse13:

    Guess I was having a stupid moment this morning, we were trying to get a multiple site license, we have thousands of sites all connected by WAN links, probably 100 000 hosts or more. We wanted some testers to take the software out on their laptops and scan the sites as required, but they want to charge us per IP address. That gets kinda expensive when you have 16 million or so possible ones, even though most of them aren't used. Even site licensing would be kinda crazy since there are hundreds, guess I will have to stick with Nessus huh ??

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    A 'Site' license is not restricted by IP...it is restricted by the number of times you are supposed to be able to scan the device...You shouldn't have had any problems there...I currently use ISS for a large number of addresses (over a global network), and have no issue, and no issue with the number of installations of ISS, the thing that it revolves around is that valid key...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •