Penetration Testing mailing list archives

Re: Online Scanning Services Vrs. Stand Alone Applications


From: oherrera <oherrera () Prodigy Net mx>
Date: Thu, 27 Feb 2003 10:12:45 -0500

Hi Alfred,

I did some research on this for my former employer; the
results are not online though but I will comment:

Main disadvantages:
a) The level of intrusiveness and information leaks. With
online scanners you will end up with someone else (third party)
having detailed information on your vulnerabilities. This is
simply not an option for some financial and governmental
institutions (they require full control).

b) With most products you end up with scanning probes
coming through the net from and to fixed points. If someone
in between is listening, they may discover the types of attacks
and even the results (for example your ISP or the ISP of
your online scanning provider). There are alternatives such
as scan engine appliances, which is the case of Qualys; I'm
not sure of Vigilante or FoundStone's FoundScan but it
probably is too. With these appliances the scanning process
takes place inside your borders and results are then sent
encrypted to the provider; there is not much "online" in this
process though, but I believe it is more secure and also
allows you to scan internal servers in security zones.

c) You are limited to scanning only servers visible from the
outside.

Main advantages: scan frequency and correlation. The idea
behind online scanning is doing scans as frequently as
possible. Instead of scanning your servers once a month you
could do it almost daily. This allows you to use the
scanner's results with the patch management process (it will
tell you what was patched and when). Also, by reducing the
time gap you are able to react faster. In a worst-case
scenario with traditional scanning (say you scan your
servers once a month), a new vulnerability might arise the
day after your last scan. You either do another scan after
upgrading your scanner's signatures or wait until the next
month.

With the appliance technology I believe that the advantages
are maintained while the disadvantages of traditional online
scanning are reduced.

I hope this helps...

Omar Herrera


Hey all,

I have a question, which is twofold. First, can anyone
point me to comparison articles of online scanners (such
as Foundstone) vs. standalone applications such as ISS? I
am looking for technical comparisons not a treatise on the
benefits of someone managing your scanning for you or not.

The second part of the question is, are there any
technical advantages between the two setups? I understand
this overlaps with the first question but I ask this after
having searched for good writeups and came out with very
little.
-al


Alfred Huger
Symantec Corp.

