Security and vulnerability scanners look ideal tools for hard pressed administrators as they can take the strain out of identifying leaks and weaknesses in your network. Internet Security Systems (ISS) offers a family of four such products designed to root out and plug these holes before they can be exploited.
Options are available for scanning databases, server systems and wireless networks. The Internet Scanner 7 (IS7) on review here looks after the online part of this equation. As with the majority of ISS's products, IS7 is designed to integrate with the company's SiteProtector management console but it can function just as well on its own. This latest version sees a host of new and welcome features and a new modular approach.
Various components from the previous version have been separated out into more manageable chunks. Whereas before you had a single product that managed and scanned the network from a single interface, you now have a separate console and sensor modules. IS7 uses policies to determine what it should be looking for and these can be created or modified by a separate editor. Installation is relatively simple but note that the IS7 cannot be installed and executed on Windows Server systems and can only run on Windows NT Workstation, 2000 Professional or XP Professional. Furthermore, ISS recommends that the host system is dedicated to the task of scanning the network.
You begin by opening a session and entering the IP addresses you want scanned. You can add individual addresses, address ranges and a mix of both, or direct IS7 to a simple text file. A policy then needs to be associated with the session and you can start scanning straight away by using one of sixteen predefined policies. In general, the best procedure is to run a discovery scan first to identify the systems on your network and then fire up an assessment scan on selected systems. Discovery policies start with a 'light discovery' routine that merely scans the network and gives an overall view of the systems encountered, the installed operating systems and the services running on them.
Assessment policies cover areas such as general server, desktop, firewall, router and switch security right up to denial of service (DoS) tests on web servers and checking the top ten exploits on Windows and UNIX systems. Using the Editor, we found policies extremely easy to create as you can take a blank one and simply check the boxes for the tests you want to run. For example, if you wish to highlight any password weaknesses just select the 'vulnerabilities' tab and check the relevant boxes for NT password tests. Although we found IS7 very simple to use, and reporting extensive, we were disappointed to find a number of shortcomings.
Our test network included two Windows Server 2003 systems and IS7 first identified these as running Windows XP and then failed to find any of our deliberate and very obvious security holes. Strangely enough, IS7 did report on the fact that the SQL Servers running on both 2003 systems had no SA passwords assigned so it didn't ignore them completely.
Overall, we found OS identification disturbingly inaccurate as it reported that a Windows ME system was running Windows 95. When contacted, ISS was unable to shed any light on the Server 2003 problems but did point out that IS7 is only designed to scan workstations running Windows NT, 2000 and XP. Even so, it's hardly rocket science to figuring out which OS a system is running. Furthermore, the console has a tab for OS revisions and IS7 failed to provide information on any of our nine test systems. On a brighter note, IS7 spotted all our deliberate mistakes on the Windows 2000 systems and even pointed out that a number of key patches had yet to be applied. Overall, we found IS7 worked well on our Windows 2000 and XP systems, delivering an impressive arsenal of scanning tools that'll find the weakest link in your network. However, the lack of support for Windows Server 2003 in a software product released two months after Microsoft's OS is hard to fathom.
The credentials of network security scanners need to be impeccable as you could be placing the integrity of your entire network in their hands. While IS7 delivers a fine range of vulnerability checks, easily customisable policies and top reporting tools, the lack of support for Windows Server 2003 and sloppy OS identification leaves an uncomfortable element of doubt.