How to choose vulnerability scanning tools


For the security planning of a complex, multi-layered system and network, vulnerability scanning is an important element. A vulnerability scanner simulates the behaviour of an attacker and tests system settings to help administrators find the holes in the network before an attacker does. Such a tool can remotely evaluate the security level of your network, generate an evaluation report, and propose corresponding remediation measures.

At present there are many vulnerability scanning tools on the market. They can be divided into several categories by underlying technology (network-based, host-based, agent-based, client/server), by features, by reporting methods, and by monitoring modes. The accuracy of vulnerability detection varies greatly between products, and it determines how useful the generated reports are. Choosing the right vulnerability scanning tool is therefore very important for improving the security of your system.

1 Overview of vulnerability scanning

In the dictionary, vulnerability means weakness or a lack of adequate protection. In military usage the meaning is clearer and more serious: being open to attack.

Every system has vulnerabilities. No matter how much money you invest in system security, attackers can still find exploitable features and configuration defects. That is bad news for security administrators. However, most attackers take the easy route. Finding a known vulnerability is much easier than finding an unknown one, which means that most attackers exploit common vulnerabilities, and those are documented in published materials.

With appropriate tools, therefore, we can find the weaknesses of the network before attackers take advantage of these common vulnerabilities. Being able to find these holes quickly and easily is very important.

Vulnerabilities generally fall into two categories:

① vulnerabilities caused by errors in how the software was written

② vulnerabilities caused by improper software configuration

Vulnerability scanning tools can detect both types. Such tools have existed for many years, and while security administrators use them, attackers also use them to find all kinds of system and network vulnerabilities.

2 Measurement factors for vulnerability scanning tools

Deciding to use a vulnerability scanning tool to prevent system intrusion is an important first step. After you take that step, the next one is just as important: how to choose the scanning technology that meets the needs of your company. A series of measurement factors is listed below:

① underlying technology (for example, passive or active scanning, host-based or network-based scanning)

② characteristics

③ the number of vulnerabilities in the vulnerability library

④ ease of use

⑤ characteristics of the generated report (whether the content is comprehensive, configurable, customizable, report format, output method, etc.)

⑥ analysis and suggestions on vulnerability repair (whether the tool only reports what problems exist, or also tells you how to repair them)

⑦ security (since some scanning tools not only discover vulnerabilities but also go on to exploit them automatically, will the scanning tool itself introduce security risks?)

⑧ performance

⑨ price structure

2.1 Underlying technology

When comparing vulnerability scanning tools, the first thing to compare is their underlying technology: do you need active or passive scanning, host-based or network-based scanning, and so on. Some scanning tools are Internet-based: the management and collection server programs run on the software vendor's servers rather than on the customer's own machines. The advantage of this approach is that the detection methods are updated frequently; the disadvantage is that scanning depends on the vendor's servers.

Scanning tools can be divided into "passive" and "active". Passive scanning does not generate network traffic packets and will not crash the target system. A passive scanning tool analyses normal network traffic and can be designed to run as an "always-on" detection method. Compared with active scanning tools, passive scanning tools work in a way similar to network monitors or an IDS.

Active scanning tools are more "intrusive" and may affect the normal operation of the network and the target system. They do not run continuously; instead they are usually run at intervals.

Host-based scanning tools require agent software to be installed on each host; network-based scanning tools do not. Network-based scanning tools usually need a dedicated computer because they consume more resources.

If the network environment contains multiple operating systems, you also need to check whether the tool is compatible with each of them (Microsoft, UNIX, NetWare, etc.).

2.2 Features of concern to administrators

Generally, a vulnerability scanning tool provides the following functions: scanning, report generation, analysis and suggestions, and data management. Scanning is in many ways the most basic function, but information management and the accuracy of the analysis of scan results are also important. Another aspect to consider is the notification method: will the scanning tool alert the administrator when a vulnerability is found, and how?

For vulnerability scanning software, administrators are usually concerned with the following aspects:

① good report performance

② easy to install and use

③ detection of which patches are missing

④ good scanning performance and the ability to repair vulnerabilities quickly

⑤ reliability of vulnerability detection and vulnerability severity rating

⑥ scalability

⑦ easy to upgrade

⑧ good value for money

2.3 Vulnerability library

A scanning tool can only detect a vulnerability for which there is relevant information in its vulnerability library. The size of the vulnerability library therefore determines the range of what the tool can detect.

However, quantity is not everything. The real test is whether the scanning tool can detect the most common vulnerabilities, and above all whether it can detect the vulnerabilities that affect your system. How useful a scanning tool is depends on the types of network devices and systems you have. The purpose of using a scanning tool is to detect vulnerabilities in your specific environment. If you have many NetWare servers, a scanning tool without a NetWare vulnerability library is not your best choice.

Of course, the attack signatures in the vulnerability library must be updated frequently in order to detect recently discovered security vulnerabilities.

2.4 Ease of use

An interface that is difficult to understand and use will discourage administrators from using the tool, so a friendly interface is particularly important. Scanning tools offer a wide range of interfaces, from simple text-based ones to complex graphical and web interfaces.

2.5 Scan reports

For administrators, the reporting function is becoming more and more important. In a document-oriented business environment you must not only complete your work but also provide written information explaining how you completed it. A single scan may produce hundreds or even thousands of results, and this data is useless unless it is sorted and converted into information that people can understand. Ideally, the scanning tool should be able to classify and cross-reference the data, import it into other programs or convert it into other formats (such as CSV, HTML, XML, MHT, MDB, Excel, Lotus, etc.), present it in different ways, and easily compare it with the results of previous scans.
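The report-handling steps described above (classify, cross-reference, export, compare with a previous scan) as an added Python example. It is not code from the original article or from any scanner product; the finding fields (host, port, vuln_id, severity, title) and the two sample scan results are assumptions constructed for this example.

```python
"""Added example (not from the original article): sort, cross-reference,
export and diff vulnerability scan results. The record format and the
sample findings below are assumptions constructed for this example."""
import csv
import io
import json
from collections import defaultdict

# Constructed sample results: two successive scans of the same network,
# already parsed from a scanner's raw output into plain records.
PREVIOUS_SCAN = [
    {"host": "10.0.0.5", "port": 22, "vuln_id": "VULN-A", "severity": "high", "title": "Outdated SSH server"},
    {"host": "10.0.0.5", "port": 80, "vuln_id": "VULN-B", "severity": "medium", "title": "Directory listing enabled"},
    {"host": "10.0.0.9", "port": 445, "vuln_id": "VULN-C", "severity": "high", "title": "Missing SMB patch"},
]
CURRENT_SCAN = [
    {"host": "10.0.0.5", "port": 22, "vuln_id": "VULN-A", "severity": "high", "title": "Outdated SSH server"},
    {"host": "10.0.0.9", "port": 445, "vuln_id": "VULN-C", "severity": "high", "title": "Missing SMB patch"},
    {"host": "10.0.0.12", "port": 443, "vuln_id": "VULN-D", "severity": "low", "title": "Weak TLS cipher offered"},
]


def finding_key(finding):
    """A finding is identified by where it is and what it is, not by the
    order in which the scanner happened to report it."""
    return (finding["host"], finding["port"], finding["vuln_id"])


def compare_scans(previous, current):
    """Cross-reference two scans: what appeared, what was fixed, what persists."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    return {
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "fixed": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        "persisting": [curr[k] for k in sorted(curr.keys() & prev.keys())],
    }


def group_by_severity(findings):
    """Classify findings so the report leads with what matters most."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["severity"]].append(f)
    return {sev: grouped[sev] for sev in sorted(grouped, key=lambda s: order.get(s, 99))}


def to_csv(findings):
    """Export findings as CSV text for import into a spreadsheet or ticketing tool."""
    fields = ["host", "port", "vuln_id", "severity", "title"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for f in findings:
        writer.writerow({k: f[k] for k in fields})
    return buf.getvalue()


def to_json(findings):
    """Export findings as JSON for other programs to consume."""
    return json.dumps(findings, indent=2, sort_keys=True)


if __name__ == "__main__":
    diff = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for bucket in ("new", "fixed", "persisting"):
        print(bucket, [finding_key(f) for f in diff[bucket]])
    print(to_csv(CURRENT_SCAN))
```

The diff is the part that makes a scan report actionable over time: "fixed" findings show remediation progress, "new" findings are what needs triage today, and "persisting" findings are the ones to escalate.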

2.6 Analysis and suggestions

Finding vulnerabilities is only half the job. A complete plan tells you what measures to take against them. A good vulnerability scanning tool analyses the scan results and provides repair suggestions. Some tools integrate these suggestions into the report, while others provide links to product sites or other resources.

There are also vulnerability repair tools that can be combined with popular scanning tools to summarize the scan results and carry out the repair process automatically.

2.7 Accuracy of analysis

Repair suggestions are only effective when the report's results are accurate, and a report containing detailed vulnerability repair suggestions is an excellent report. A good scanning tool must have a low false positive rate (a reported vulnerability does not actually exist) and a low false negative rate (a vulnerability exists but is not detected).
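A way to measure the two rates just defined when evaluating candidate tools, as an added Python example (not code from the original article). It assumes you have a test network whose real vulnerabilities were confirmed by hand; the ground-truth set, the scanner names and the vulnerability ids are all constructed for this example.

```python
"""Added example (not from the original article): score a scanner's report
against a hand-verified ground truth to obtain its false positive and
false negative rates, then rank candidate scanners. All hosts, ids and
scanner names below are constructed for this example."""

# Constructed ground truth: (host, vuln_id) pairs confirmed on a test network.
GROUND_TRUTH = {
    ("10.0.0.5", "VULN-A"), ("10.0.0.5", "VULN-B"),
    ("10.0.0.9", "VULN-C"), ("10.0.0.12", "VULN-D"), ("10.0.0.12", "VULN-E"),
}

# Constructed reports from two hypothetical scanners run against that network.
SCANNER_REPORTS = {
    "scanner-1": {("10.0.0.5", "VULN-A"), ("10.0.0.5", "VULN-B"),
                  ("10.0.0.9", "VULN-C"), ("10.0.0.9", "VULN-X")},   # VULN-X is a phantom
    "scanner-2": {("10.0.0.5", "VULN-A"), ("10.0.0.9", "VULN-C"),
                  ("10.0.0.12", "VULN-D"), ("10.0.0.12", "VULN-E"),
                  ("10.0.0.5", "VULN-Y"), ("10.0.0.5", "VULN-Z")},   # two phantoms
}


def score_report(reported, truth):
    """Compute hit/miss counts and the two error rates the article defines:
    false positive rate = reported vulnerabilities that do not exist,
    false negative rate = existing vulnerabilities that were not reported."""
    true_pos = reported & truth
    false_pos = reported - truth
    false_neg = truth - reported
    return {
        "true_positives": len(true_pos),
        "false_positives": len(false_pos),
        "false_negatives": len(false_neg),
        "false_positive_rate": len(false_pos) / len(reported) if reported else 0.0,
        "false_negative_rate": len(false_neg) / len(truth) if truth else 0.0,
        "phantom": sorted(false_pos),   # wasted analyst effort
        "missed": sorted(false_neg),    # real holes left open
    }


def rank_scanners(reports, truth):
    """Order scanners by missed vulnerabilities first (a false negative leaves a
    real hole open), then by phantom findings (a false positive wastes effort)."""
    scored = {name: score_report(r, truth) for name, r in reports.items()}
    return sorted(scored.items(),
                  key=lambda kv: (kv[1]["false_negative_rate"], kv[1]["false_positive_rate"]))


if __name__ == "__main__":
    for name, score in rank_scanners(SCANNER_REPORTS, GROUND_TRUTH):
        print(f"{name}: FPR={score['false_positive_rate']:.2f} "
              f"FNR={score['false_negative_rate']:.2f} missed={score['missed']}")
```

Note that the ranking deliberately weights false negatives above false positives: a phantom finding costs an analyst some time to dismiss, while a missed vulnerability stays exploitable until the next tool or the next attacker finds it.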

2.8 Security issues

The economic losses caused by a network outage triggered by a scanning tool are just as large as those caused by a real attack. After discovering a vulnerability, some scanning tools try to exploit it further in order to confirm that it is real and rule out a false positive. This approach, however, is prone to unpredictable outcomes. When using scanning tools with this feature you need to be extra careful, and it is best not to set it to run automatically.

Another reason scanning tools may cause network failures is that the packet load generated during a scan can cause a denial of service (DoS). To prevent this, you need to choose appropriate scan settings. The relevant settings include the number of concurrent threads, the packet interval, the total number of scanned objects, and so on; these should be adjustable so that the impact on the network is minimized. Some scanning tools also provide a "safe scan" template to prevent damage to the target system.
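How the three settings named above (concurrent threads, packet interval, number of scanned objects) translate into network load, shown as an added Python example that is not from the original article or any scanner product. It compares an aggressive template with a conservative "safe scan" template and adjusts the packet interval until a scan fits a bandwidth budget; the template names, the numbers in them, and the probe size are assumptions constructed for this example.

```python
"""Added example (not from the original article): estimate the network load
of a scan from its throttling settings and check it against a bandwidth
budget. Template names and all numbers are assumptions constructed here."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ScanSettings:
    name: str
    threads: int                # concurrent scanning threads
    packet_interval_ms: float   # pause between packets sent by one thread
    max_targets: int            # cap on the number of objects scanned per run


# Constructed templates: an aggressive default beside a conservative "safe scan".
AGGRESSIVE = ScanSettings("aggressive", threads=64, packet_interval_ms=1.0, max_targets=4096)
SAFE = ScanSettings("safe-scan", threads=8, packet_interval_ms=50.0, max_targets=256)


def peak_mbps(settings, probe_bytes):
    """Worst-case bandwidth: every thread sending one probe per interval."""
    per_thread_pps = 1000.0 / settings.packet_interval_ms
    return per_thread_pps * settings.threads * probe_bytes * 8 / 1e6


def estimate_load(settings, targets, probes_per_target, probe_bytes):
    """Peak packet rate, peak bandwidth and duration of a scan with these settings."""
    scanned = min(targets, settings.max_targets)
    per_thread_pps = 1000.0 / settings.packet_interval_ms
    peak_pps = per_thread_pps * settings.threads
    total_packets = scanned * probes_per_target
    return {
        "targets_scanned": scanned,
        "peak_pps": peak_pps,
        "peak_mbps": peak_mbps(settings, probe_bytes),
        "total_packets": total_packets,
        "duration_s": total_packets / peak_pps,
    }


def fits_budget(load, max_mbps):
    """True when the scan's peak bandwidth stays within the allowed budget."""
    return load["peak_mbps"] <= max_mbps


def throttle_to_budget(settings, probe_bytes, max_mbps):
    """Double the packet interval until the peak bandwidth fits the budget.
    This keeps the thread count and lengthens the scan instead of overloading
    links; the trade-off the article describes under performance."""
    throttled = settings
    while peak_mbps(throttled, probe_bytes) > max_mbps:
        throttled = replace(throttled, name=settings.name + "-throttled",
                            packet_interval_ms=throttled.packet_interval_ms * 2)
    return throttled


if __name__ == "__main__":
    # Constructed scenario: 1000 hosts, 200 probes each, 500-byte probes, 10 Mbit/s budget.
    for template in (AGGRESSIVE, SAFE):
        load = estimate_load(template, targets=1000, probes_per_target=200, probe_bytes=500)
        print(template.name, load, "fits budget:", fits_budget(load, 10))
    print(throttle_to_budget(AGGRESSIVE, probe_bytes=500, max_mbps=10))
```

The estimate is a worst case: a real scanner waits on responses and timeouts, so the sustained rate is lower. Planning against the worst case is what keeps a scan from becoming the denial of service the article warns about, and the doubling loop shows why a throttled scan takes longer rather than simply being "slower": the same packets are spread over a longer window.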

2.9 Performance

A running scanning tool consumes a lot of network bandwidth, so the scan should complete as quickly as possible. Of course, the larger the vulnerability library and the more complex the selected scanning mode, the longer the scan takes, so this is only a relative value. One way to improve performance is to deploy multiple scanners across the enterprise, feed their results back to one system, and summarize them there.

3 Pricing strategies of vulnerability scanning tools

Commercial scanning tools are usually licensed in the following ways: by IP address, by server, and by administrator. The licensing methods differ in price.

3.1 Licensing by IP segment

Many scanner vendors, such as eEye (Retina) and ISS (Internet Security Scanner), charge enterprise users by IP segment or IP range. In other words, the price depends on the number of IP addresses you are licensed to scan.

3.2 Licensing by server

Some scanning tool vendors calculate the license price per server or workstation. The license price for a server is much higher than for a workstation, so if there are many servers the price of the scanning tool rises significantly.

Copyright © 2011 JIN SHI