[9518] in bugtraq


Re: ISS Internet Scanner Cannot be relied upon for conclusive

daemon@ATHENA.MIT.EDU (Phil Waterbury)
Fri Feb 12 17:24:02 1999

Date: 	Thu, 11 Feb 1999 15:30:06 -0500
Reply-To: Phil Waterbury <pwaterbury@ICSA.NET>
From: Phil Waterbury <pwaterbury@ICSA.NET>
To: BUGTRAQ@NETSPACE.ORG

Hi,

I know that this thread might be killed soon so I wanted to throw in my .02
cents.

I think that there are some misconceptions about vulnerability scanners in
general that are being brought to the point.

What is the market space and typical use of these products?  I would say
that most users of scanners don't have the time/expertise to perform all
known probe/hack/cracks on their systems.  Also I would say that people use
these scanners in production environments.  That is an important point: it
is easy to bash ISS, NAI, Cisco, Axent, etc. for not doing what they
say (because they don't execute the exploit), but if you are in a production
environment you may very well want to know that your mail server is
vulnerable but you are *not* willing to crash it or suffer some unknown
ailments from an improperly guessed offset.  It is a trade-off.  Using a
vulnerability scanner is a RISK REDUCTION, not ELIMINATION.

I think another misconception is about using vulnerability scanners in a
"penetration testing role".  I personally don't think they work in that
role.  The e-mail that started all of this is a prime example.  I don't
think that it is ISS' fault that they didn't detect a faulty router, hell,
I would be very impressed if *any* scanner found problems in Digital Unix,
AIX, OS/400, etc (besides general UNIX issues).  As David alluded to, it is
a balancing act between what the market wants (in this case NT and general
network checks) and what they have time to build in (in order to be
somewhat current with their checks).  You can use them effectively but you
need to understand what they do (and in some cases don't do).

I think that if you have strong feelings that the product should have
detected this problem by all means talk to the vendor.  I understand that
tech support didn't give you the answer you wanted (and normally don't) but
developers of these products are everywhere, David doesn't post from his
business e-mail any more but a quick search would probably yield his
e-mail.  Most vendors would *love* to add checks to their scanners (for
Marketing) so if you lay it out in detail the how/why/what I am sure they
will add it.  Also look around for scanners that do what you need, it is a
buyers market.

It is very interesting to take a scanner and, on a quiet network, watch what
it does.  You will learn a lot.  Like syslog on port 520 ;-)

Phil

New multiplatform security scanner, works on Unix, NT, 98..... netstat
-a.... woo woo.
Phil Waterbury <pwaterbury@icsa.net>
Network Security Lab Analyst
ICSA, Inc.
