Surveying Security Scanners
Let's start with a basic definition: a security scanner is a program that systematically runs a battery of tests and network probes against hosts, checking each one for specific system or network vulnerabilities. In other words, it works from a library of known weaknesses in protocols, services, operating systems, applications, and platforms, and tries to find as many of them as possible on the targets it is pointed at. These tools have a dark side as well as a light one. The dark side is that attackers can (and often do) use the same tools to scan systems and networks for weaknesses they can then exploit. The light side comes into play when you use them preemptively to find (and fix) those weaknesses before an attacker does.
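To make the definition concrete, here is a toy scanner written for this page (it is an added example, not code from the article or from any product it mentions). It does the two things the definition describes: it keeps a library of checks, and it applies every check to whatever a target advertises. The check library, its version thresholds, the host addresses and the banners are all constructed for illustration and do not describe real advisories; the live `grab_banner` helper is included only so the same logic can be pointed at a host you are authorized to test.

```python
"""Toy version-based network vulnerability scanner (added example).

Mirrors what the article describes: a library of known checks applied to
whatever the target exposes. Everything here is constructed for illustration;
the thresholds in LIBRARY are hypothetical, NOT real advisories.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Check:
    """One entry in the scanner's vulnerability library (hypothetical)."""
    service: str
    service_re: str      # recognises the service in a banner
    version_re: str      # captures its version string, if advertised
    fixed_in: Version    # first version the check treats as patched
    note: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    version: Optional[str]
    status: str          # "VULNERABLE", "OK" or "UNKNOWN"
    note: str


# Constructed library. A real scanner's equivalent is the plug-in set you must
# keep updated; a scanner can only find what its library knows about.
LIBRARY: List[Check] = [
    Check("OpenSSH", r"OpenSSH", r"OpenSSH_(\d[\w.]*)", (3, 4),
          "hypothetical check: releases before 3.4 flagged"),
    Check("Apache", r"Server: Apache", r"Server: Apache/(\d[\d.]*)", (2, 0),
          "hypothetical check: 1.x releases flagged"),
    Check("ProFTPD", r"ProFTPD", r"ProFTPD (\d[\d.]*)", (1, 2, 10),
          "hypothetical check: releases before 1.2.10 flagged"),
]

# Constructed banners standing in for live responses (addresses are made up).
SAMPLE_BANNERS: Dict[Tuple[str, int], str] = {
    ("10.0.0.5", 22): "SSH-1.99-OpenSSH_3.1p1\r\n",
    ("10.0.0.5", 80): "HTTP/1.1 200 OK\r\nServer: Apache/1.3.12 (Unix)\r\n",
    ("10.0.0.6", 22): "SSH-2.0-OpenSSH_3.4p1\r\n",
    ("10.0.0.6", 21): "220 ProFTPD 1.2.9 Server ready.\r\n",
    ("10.0.0.7", 22): "SSH-2.0-OpenSSH\r\n",                   # version hidden by admin
    ("10.0.0.7", 25): "220 mail.example.test ESMTP ready\r\n",  # no matching check
}


def parse_version(text: str) -> Version:
    """'3.4p1' -> (3, 4, 1); tuples compare lexicographically, which is what
    we want for dotted release numbers."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def evaluate_banner(host: str, port: int, banner: str,
                    library: List[Check] = LIBRARY) -> List[Finding]:
    """Run every library check against one captured banner."""
    findings: List[Finding] = []
    for check in library:
        if not re.search(check.service_re, banner):
            continue
        m = re.search(check.version_re, banner)
        if not m:
            # Service recognised but version not advertised: a version-based
            # check cannot decide, and must say so rather than stay silent.
            findings.append(Finding(host, port, check.service, None, "UNKNOWN",
                                    "version not advertised; verify by hand"))
            continue
        version = m.group(1)
        vulnerable = parse_version(version) < check.fixed_in
        # Caveat: distributions often backport fixes without bumping the
        # version string, so VULNERABLE here means "needs review", not "proven".
        findings.append(Finding(host, port, check.service, version,
                                "VULNERABLE" if vulnerable else "OK", check.note))
    return findings


def run_offline_scan(banners: Dict[Tuple[str, int], str] = SAMPLE_BANNERS) -> List[Finding]:
    """Evaluate a dictionary of already-captured banners (no network needed)."""
    results: List[Finding] = []
    for (host, port), banner in banners.items():
        results.extend(evaluate_banner(host, port, banner))
    return results


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Live probe for authorized use only: connect, send a minimal HTTP request
    (ignored by SSH/FTP/SMTP, which greet first anyway), read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return s.recv(1024).decode("latin-1", "replace")
        except socket.timeout:
            return ""


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by status, e.g. {'VULNERABLE': 3, 'OK': 1, 'UNKNOWN': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_offline_scan()
    for f in results:
        print(f"{f.host}:{f.port:<5} {f.service:<8} {f.version or '?':<8} {f.status:<10} {f.note}")
    print(summarize(results))
```

Two points the toy makes that the definition alone does not: a service that hides its version defeats a version-based check, so the scanner reports UNKNOWN rather than silently passing the host, and a VULNERABLE result from a banner comparison is a lead to verify, not proof, because patched builds often keep the old version string.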
Within this general category, security scanners come in two primary forms:
Local scanning utilities, which you install and run on your own computers and point at whichever networks and systems you want examined. Here the analogy with anti-virus software is close: just as you must regularly update your anti-virus software and the signature files it uses to detect viruses, so must you regularly update your scanning software and the library of vulnerability checks it runs against your systems and networks, because a scanner can only find the weaknesses its library knows about. Numerous excellent freeware and shareware local scanning utilities are available, as well as many equally good commercial ones.
Subscription scanning services, which you sign up for and direct against your systems and networks, scan on a regular schedule. Some of these services launch themselves against your installations automatically at set intervals; in other cases you may have to make temporary screening router or firewall adjustments to grant the service access that would otherwise be routinely denied. If you do, limit the exception to the provider's published source addresses and to the scan window, and remove it afterwards. When you use an external scanning service, the onus of keeping the vulnerability library current falls on the provider; the selling point is that every scan incorporates the newest, most recently discovered attacks and exploits, though it is worth checking the provider's update record rather than taking this on faith. Some services offer plans that vary in price according to the number, type, and frequency of vulnerability checks performed. Others require subscribers to initiate any scan they want performed, so that subscribers can tell a real attack from a routine scan.
Which form of security scan you choose will often depend on how much time and effort you can devote to managing security on your networks and systems. Depending on how important a rigorous security posture is for your organization, you will also have to weigh the value of your own time and effort against the cost of more frequent, highly automated scans through a service subscription or a turnkey product.
Nessus, for example, offers an outstanding Open Source (and, in this case, free) scanning environment, for which an astonishing number of plug-ins (756 at the time of writing) are available and ready to use. Nessus can scan all kinds of devices, from firewalls to servers of many descriptions; it can attempt many different kinds of attacks, and offers a rich set of Windows scans and vulnerability probes.
Many security experts regard Nessus as equal or superior to any other security scanner on the market, including commercial packages that cost thousands of dollars. Why, then, might someone choose a different product? There are three primary reasons why Nessus is unlikely to rule the security scanning world entirely:
As an Open Source project, Nessus has a strong affinity with Unix in general, and Linux in particular. Although a Windows version has been built, it is not maintained on a par with the Unix version. Installing, configuring, and tuning the software requires a solid working knowledge of some version of Unix, plus the ability to build it from source and manage the libraries it depends on.
Nessus itself is extremely powerful and sophisticated. Like other nonpareils (such as the equally excellent intrusion detection system Snort), Nessus takes time to learn and requires constant effort to upgrade and maintain.
As a non-commercial product, Nessus is supported by its user community, not by a cadre of technical support professionals who can help you troubleshoot difficulties. For those with the skills and knowledge, Nessus is very attractive; for those who lack such knowledge and skills, or the time to put them to work, other options are often more attractive.
If this hasn't been enough to scare you away, you can grab your own copy of this software from www.nessus.org.