Bringing Security Issues Into Focus
eEye's network security scanner helps you find the
chinks in your system's "armor."
- By Chip Andrews
By helping systems administrators identify holes
in their networks' "armor," security scanners
play a vital role in any serious security policy.
Security scanners probe machines or groups of
hosts, seeking potential security breaches, then
present administrators with reports detailing
found weaknesses and how to patch them. Retina/The
Network Security Scanner is eEye Digital Security's
entry into this competitive market.
eEye describes Retina as highly modular, with
four main modules making up the current release:
scanner, miner, browser and tracer. The scanner
(amazingly enough) is the module tasked with probing
machines for vulnerabilities and reporting the
results. It accepts a host or range of hosts and
works its "magic," with eEye stating that the
scanner doesn't take information gleaned from
a host at face value. Instead, the scanner performs
its own checks to confirm whether services listening
on certain ports are what they claim to be. I
found this scanner simple to use, and even novice
users should be scanning systems in mere seconds.
The Retina miner is a component designed to "act"
like a hacker in attempts to penetrate your systems,
using artificial intelligence techniques known
as CHAM (Common Hacking Attack Methods). This
component is an application-level scanner that
probes for vulnerabilities in Web, mail, and FTP
servers and applications based on information
gleaned from the system. eEye claims that the
miner module can find vulnerabilities not yet
known in servers and applications. Retina was
unable to find any in the system I scanned, and
the amount of probing it did was impressive.
Retina's browser is significantly less interesting
than the scanner and miner modules. In essence,
this module allows the user to browse the Internet
using the Retina interface. Yawn. I don't see
any value here, with the possible exception of
an Explorer-like tree view that the browser provides
of all hyperlinks on a page. To me, this module
seems more show than substance.
The application's tracer module also is fairly
useless, offering little more than a graphical
traceroute. It provides even less useful information
than its command-line counterpart, "tracert." If
you implement Retina, I doubt you'll want to use
the browser or tracer modules for serious information
gathering. They are, however, examples of how
the product can be expanded in the future, becoming
more of a unified toolkit as opposed to being
just another vulnerability scanner.
Though its reporting capabilities
are a bit light, Retina is characterized by
strong technical ability, making it a solid
network security scanner.
When I delved into Retina's reporting features,
I was disappointed. The app only produces HTML
reports (with various levels of detail for technical
folks or executives). It would be nice to be able
to save the reports to a file (of course, you
do this with your browser) or in some type of
comma-separated file for import into other applications.
When Retina finds a vulnerability of a configurable
level of importance, alerts are available by sound,
e-mail and pop-up messages.
On the positive side, Retina's interface is stable
and easy to understand. The application's vulnerability
engine is quite up-to-date and is able to detect
some issues that many other products miss. Retina
possesses rapid scanning capability and the scanner
and miner produce results in real time, so you
see right away where security holes exist. Though
it's a bit light on the reporting end, in terms
of technical ability, Retina is strong; I can
solidly recommend it as an easy-to-use network
Chip Andrews, MCSE+I, MCDBA, is a software security architect at Clarus Corp. Chip maintains the sqlsecurity.com Web site and speaks at security conferences on SQL Server security issues.