Intrusion Detection Systems mailing list archives

Re: NT Host Vulnerability Scanners


From: Talisker () networkintrusion co uk (Talisker)
Date: Sun, 16 Jul 2000 12:47:44 +0100


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Correct me if I'm wrong but WebTrends (formerly Asmodeus) and ISS System
Scanner, install agents on the distant machine, this is something I'm trying
to avoid.  The Tripwire product is a File Integrity Checker, and whilst able
to highlight that an attack has occurred, isn't capable of detecting
vulnerabilities to prevent the attack taking place.

With regard to testing I agree wholeheartedly.  However, a short trial can
often reveal showstoppers that may negate the need for a full blown trial on
a given product.  My aim is to:

1  Get some background on the products, from the experience of others (I
realise this information is often subjective rather than objective) to get a
feel for the products and possibly the heads up on a show stopper.  The
inter-vendor discussions in the first qtr of this year were excellent for
this :o)

2  Shortlist a few products for a short trial, i.e. 4-6 weeks.

3   Isolate one or more preferred choices for an extensive trial of a few
months.  From experience I don't like to test multiple products
simultaneously to this level, for a variety of reasons, not least having to
keep the Sys Admins of the networks I'm using, sweet, they lose patience if
I'm in their hair too much, also I don't want to introduce more software
than I really have to.

4   At the end of the day I'm not a test house, I'm looking for a working
solution.  That said I still wish to have visibility of every feature of
every product so that I can recommend the best solution for the problem.

Oh and IMHO vulnerability scanners aren't nearly as interesting as IDS, so
the quicker I find a solution the quicker I can concentrate on IDS  ;o)

Take care

Andy

www.networkintrusion.co.uk

----- Original Message -----
From: <mht () clark net>
To: "Talisker" <Talisker () networkintrusion co uk>; <ids () uow edu au>;
<FOCUS-IDS () securityfocus com>
Sent: Sunday, July 16, 2000 3:00 AM
Subject: Re: IDS: NT Host Vulnerability Scanners

WebTrends, ISS and TripWire have products available that sit and assist in
baselining a particular system based on attributes a user selects or
adhering to some policy that compares the system against a standard or custom
policy.

Agents sit on a particular host monitoring for certain things and report
back to a central console.

It really depends on the scope of your test.  A live trial in my mind lasts
for months on end, and encompasses at least a class 'B' network with at
least variants from every single type of operating system available plus
some common apps that may be running.

My type of testing is similar to those Road & Track testing. First month,
person gets the car, drives around a bit, a couple of months in the car,
things start to come loose, shake, vibrate things like that.

A week or two of testing may not be enough

/m

At 10:02 PM 7/15/00 +0100, Talisker wrote:
Hi all

I'm currently looking at host vulnerability scanners for NT networks, my
main requirement is for a tool that doesn't require an agent to be
installed, so far I've found STAT and SecurityExpressions (thanks
Fernando) both tools seem similar but before I set them against each other
on a live trial, I'm hoping once again to feed upon the experiences of the
list, I'm looking for the following:

1.   Is there a great advantage of using agents on each host.

2.   Has anyone used either of these products and if so what did you think.

3.   Are there any other products that will achieve the same aim, at a
comparative cost.

Product information can be found on my host scanner page at

<http://www.networkintrusion.co.uk/h_scan.htm>

Thanks in advance

Andy

<http://www.networkintrusion.co.uk>

                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.








