As any network and security manager knows, new vulnerabilities are constantly being discovered and threats against corporate networks are getting increasingly sophisticated. Proactively scanning for vulnerabilities can help identify weaknesses before they become damaging to enterprise IT environments.
Vulnerability scanners are products that regularly probe networks and network devices and present the results in reports that let administrators respond quickly to potential problems. Network-based scanners look for weaknesses such as misconfigured firewalls or servers that may be exposed to Web-based attacks. (These tools can help build a layered defense when used together with network behavior analysis software.)
"At the 100,000-foot level, most network vulnerability scanners do pretty much the same thing: scan networks of computers, either externally or internally, to determine what hosts are running on the network and the characteristics of those hosts," such as IP address, operating system and applications that are running, says Paul Roberts, senior analyst in the Enterprise Security Practice at The 451 Group. Scanners accomplish this by sending out network traffic in a variety of formats, Roberts says.
"For example, simple PING trace features, which send out ICMP (Internet Control Message Protocol) echo request packets, might be used to determine just what hosts are on a network [or] which IP addresses in the IP address space used by the company are taken," he says. "Once hosts have been profiled, they can be probed for known vulnerabilities, configuration issues and so on."
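The discover-then-probe flow Roberts describes, as an added example that is not code from the article or from any scanner vendor: a small Python scanner that sweeps a port list to find live hosts, grabs each open service's banner, and checks the version it advertises against a baseline. It uses TCP connect probes instead of ICMP echo requests because raw ICMP sockets need root and ICMP is often filtered at the perimeter. The in-process fake SSH service, its banner and the minimum-version baseline are constructed fixtures for this example, not real vulnerability data.

```python
import re
import socket
import threading

# Constructed baseline (an assumption for this example, not a real vulnerability
# feed): the oldest version of each product the policy still accepts.
BASELINE = {"OpenSSH": (7, 4)}

# SSH identification string, e.g. "SSH-2.0-OpenSSH_5.3p1": captures product, major, minor.
BANNER_RE = re.compile(r"SSH-\d\.\d-(OpenSSH)_(\d+)\.(\d+)")


def discover(host, ports, timeout=0.5):
    """Discovery step: a host that completes a TCP connect on any probed port
    is 'up'. Stands in for the ICMP echo sweep, which needs raw sockets."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=0.5):
    """Profiling step: read whatever the service volunteers on connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def assess(banner):
    """Probe step: 'outdated' if the advertised version is below the baseline,
    'ok' if it is at or above it, 'unknown' if the banner is not recognised."""
    m = BANNER_RE.search(banner)
    if not m or m.group(1) not in BASELINE:
        return "unknown"
    version = (int(m.group(2)), int(m.group(3)))
    return "outdated" if version < BASELINE[m.group(1)] else "ok"


def scan(host, ports):
    """Full pass: discover, profile, assess. One finding per open port."""
    findings = []
    for port in discover(host, ports):
        banner = grab_banner(host, port)
        findings.append({"port": port, "banner": banner, "status": assess(banner)})
    return findings


def start_fake_service(banner):
    """Constructed fixture: a local listener that sends `banner` to every
    client, standing in for a real host on the network. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # the discovery probe hangs up without reading

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def pick_closed_port():
    """Bind an ephemeral port and release it so the scan has a closed port to skip."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Scan a fake OpenSSH 5.3 service plus one closed port; returns (findings, open_port)."""
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_5.3p1\r\n")
    try:
        findings = scan("127.0.0.1", [pick_closed_port(), open_port])
    finally:
        srv.close()
    return findings, open_port


if __name__ == "__main__":
    for f in run_demo()[0]:
        print(f"{f['port']:5d}  {f['status']:8s}  {f['banner']}")
```

The closed port never reaches the banner or assessment stages, which is the same ordering a real scanner follows: profile only what discovery found, then probe only what profiling identified. A production tool replaces the two-entry baseline with a maintained vulnerability and configuration database and adds authenticated checks, but the pipeline shape is the same.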
Newer features include support for enterprise-wide, distributed scanning managed from a central console, says Chenxi Wang, principal analyst at Forrester Research. Also emerging is the ability to run a risk analysis as a "preprocessing" step before scanning, which lets organizations treat different classes of assets differently, she says.
Another trend is the emergence of "in the cloud" scanning services. In addition, "established [vulnerability] scanning firms are and will be bolstering their Web application scanning capabilities," Roberts says. "Otherwise, features that ease reporting and management seem key. Integration with back-end user directories to make access to [scanning tools] easier and reports geared to compliance are much in demand."
Here are steps to take when evaluating, buying and deploying these products:
1. Consider a variety of factors, not just cost and scanning capabilities, when selecting products. Experts say it's wise to weigh several key areas before investing in a scanning product.
"A lot of it depends on your organization and what your priorities are," Roberts says. "Is cost/affordability the most important thing to you [or] do you need something that can scale across a large network with thousands of endpoints? Is compliance your main driver here or is this part of a more general effort to improve your security posture? Do you have some larger policy store [that] this needs to integrate with or will this be a standalone operation? Are you Windows only or Windows plus Linux, Mac, Unix, etc.?"