eEye Retina

[Aspman]

We've just been given the opportunity to get a bit more cash and we were thinking about buying Retina as a Vuln scanner.

We're going to download a trial and try to review it but we're short on time. Got to apply for the funding within 2 weeks.
Does anyone have any experience of this product that they can share (good and bad).


TIA

[Katja]

What is Retina? (Well, some part of the eye, of course, but what else?) Do you have some useful link?
Have you tried Google and Wiki for more information about this product?

[Aspman]

Retina is a network vulnerability scanning tool from eEye .

It's a well known tool and reasonably well regarded. I can google for reviews easily enough but I'd rather get some comment from actual users rather than reviewers. Some issues with complex products suchas this only crop up after an extended period of use. I don't have time to learn the tool as well as I would like so I'm looking for as much information as possible to speed up the process.

We've been told of an underspend in our service budget so we're looking to grab £5k for Retina but we only have 2 weeks to justify getting the money (plus all our other work).

You certainly have a very polite way of saying http://just****inggoogleit.com/

[zENGER]

Retina is the tool prefered by DISA for vuln scanning. Retina has a good number of high end features that I know about but haven't used yet. I have used it as a stand alone scanner and it does that very well. The features I haven't used are its ability to store the results into a database, compare those results, and to assign the tasks needed to mitigate those findings all through the software GUI.

Hope this was helpful.

[dinowuff]

When I was evaluating for packet inspection / asset tracking and vulnerability scanning, I tried Eeye suite including Retina.

My thoughts were Eeye products had too much overhead, the API's constantly babbled across the network.

Good product - does what it says. The learning curve is high so you, or the retina admin, will need a few months to get a handle on all the "Features"

In the end I went with Websense. I already had a Cisco PIX and Concentrator, So the Websense PIX integration fit my needs best.

If you already have IDS - Check out Websense if you have time. Usually folks want comparison stuff anyway.

[Katja]

I've always learned to be polite, yes. But I always advise people to try http://www.wikipedia.org/ too. These Wiki pages are getting better and better and chances are that someone did write an article about this kind of software there. Now, you've probably looked at Google but have you also wiki'd it?

To be honest, when people ask me what the best thing in network security is, I always tend to reply with "common sense". Relying on third-party tools does make your system more secure in many cases, true. But what if those third-party applications introduce their own weaknesses? Besides, keep in mind that you will have additional costs. Someone will have to spend time learning to use this tool in the proper way, which could end up becoming more expensive than the product itself. This person will need to have good knowledge about security risks and how to identify them, helped by this tool. He has to know how to make things more secure and above all, he must have proper authorities to take action against any weak point in your network.

As you say, you're trying to learn as much as possible to learn about this tool. But as dinowolf already says, the learning curve is pretty high so there will be an additional cost of you or someone else just learning to use it instead of doing your normal job. I don't know if you could justify that in your budget, though...

[Aspman]

Good points but...it IS my job to learn, evaluate and use these tools and I'm expected to do so.

Common sense is always good but I can't check 300 servers (MS, Unix, Linux, Citrix and Sun) manually for the thousands of patches that should be applied plus all the possible misconfigurations that could occur and keep up to date with all the new exploits.

Your thinking is sound its just different in reality here. We are also recommended (recommended with a big or else in the background) to have software carrying out these scans by some of the regulatory guidelines we have to operate under. Plus the cost, in enterprise terms, is small beer but we don't have sufficient funds in the infosec budget to get it this year.

No I haven't wiki'd for info

Dinowuff - we've got Enterasys Dragon going in right now for IDS but it's semi-functional right now so I'll check out websense too.

[cobain_attacks]

you might want to think about the company's stability, they just laid off 80% of their workforce INCLUDING the COO. They don't seem all that stable at the moment

http://comments.****edcompany.com/fc...hp?search=eeye

[Lv4]

I currently use Retina at my work. It is a pretty decent system, and if there are problems (like we had recently with scanning UNIX boxes) they are fast and quick to respond. I had a senior tech on the phone within 10 minutes of submitting a ticket.

As far as how good it is. Well no single tool will be the end all solution. They do a great job with updating their signatures/vulnerabilities, but I still use nMap to verify the ports that Retina finds, and I use Nessus in conjunction to cover all the bases. You can easily set up scheduled jobs to scan for you... this is what I do and I scan about 250ish servers every month and constantly check out single/new ones as they come on line.

Give them a try, you can download a full evaluation from them. Let them know that you need something more than the regular evaluation copy though, tell them you need a 32 IP license so you can scan a bunch of boxes.

Also it is going to be costly, I think the 32 IP license is around $1200 and it scales from there. Don't forget to write in the yearly maintenece costs in your justification as there is a recurring charge.

cobain_attacks that is the first I have heard of that bit of news. I was just working with their folks last Thursday/Friday and I have a concall with them tomorrow. Even with these layoffs they responded very fast to my ticket.

If you have more specific questions feel free to ask. I'll answer them as I can.

[ric-o]

Aspman:

I use Retina at work and it's a great vulnerability auditor. It works best against Windows systems but does check others as well as network devices. They won many awards a few years back and rightfully so.

Some pros:
* Pretty thorough
* Good point-and-click type of tool for folks who dont have tons of time to do auditing

Some cons:
* Reports are weak, very little customization can be done.
* Not an enterprise-class type of tool in the way of managing it.

If you couldn't tell already - I recommend it!

<edit>
Good note Lv4 on the yearly maintenance: without it the product starts becoming useless at the time of expiration because you'll stop getting exploit/audit updates. You gotta have the maintenance for new vuln testing.

One other comment is that we use Retina in a layered audit architecture - it's just one of many tools we use. Others include Nessus, Metasploit Framework, N-Stealth, and other smaller tools.
</edit>