6 of the Best Free Network Vulnerability Scanners and How To Use Them
July 20, 2018

Every day, security researchers and hackers discover new vulnerabilities, augmenting the tens of thousands of known holes in applications, services, operating systems, and firmware. A vulnerability scanner provides automated assistance for tracking known vulnerabilities and detecting your exposure to them. We’ll review several of the best free network vulnerability scanners.

Who needs a network vulnerability scanner?
Any network beyond the smallest office has an attack surface too large and complex for purely manual monitoring. Even if you are only responsible for a few hosts and devices, you need automated assistance to efficiently and thoroughly track the burgeoning list of known vulnerabilities and ensure that your network is not exposed.

Nowadays most operating systems provide automated software updates. For a small organization, that may be sufficient. But how much of your installed software does that cover? And what of misconfigured services or unauthorized software that has popped up in your network?

The “hack yourself first” adage suggests that any host or device exposed to the internet should be penetration tested, and the “defense in depth” principle says that even “internal” hosts and devices must be audited regularly.

A vulnerability scanner provides automated assistance with this. Like many network administration tools, a vulnerability scanner has both legitimate and illegitimate uses. It can be helpful to the system administrator, developer, security researcher, penetration tester, or black-hat hacker. It can be used for assessing exposure in order to secure your network, or for seeking viable exploits to enable breaking into it.

How does a network vulnerability scanner work?
A vulnerability scanner relies on a database of known vulnerabilities and automated tests for them. A limited scanner will only address a single host or set of hosts running a single operating system platform. A comprehensive scanner scans a wide range of devices and hosts on one or more networks, identifying the device type and operating system, and probing for relevant vulnerabilities with lesser or greater intrusiveness.

A scan may be purely network-based, conducted from the wider internet (external scan) or from inside your local intranet (internal scan). It may also be a deeper, authenticated inspection, which becomes possible when the scanner has been given credentials to authenticate itself as a legitimate user of the host or device.
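The following added example (not from the original article or from any scanner product) shows the core matching step described above: an inventory of detected software is compared against a database of affected version ranges, and hits found only from a network banner are flagged for verification. All hosts, products, versions, and advisory IDs are constructed placeholders.

```python
# Added illustration: hosts, versions and advisory IDs below are constructed.
from dataclasses import dataclass

def parse_version(v):
    """'2.4.10' -> (2, 4, 10), so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

@dataclass(frozen=True)
class Advisory:
    adv_id: str      # placeholder ID, not a real CVE
    product: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    severity: float  # 0-10 score used for prioritization

    def affects(self, product, version):
        v = parse_version(version)
        return (product == self.product
                and parse_version(self.introduced) <= v < parse_version(self.fixed))

VULN_DB = [
    Advisory("EXAMPLE-0001", "httpd", "2.4.0", "2.4.12", 9.8),
    Advisory("EXAMPLE-0002", "sshd", "7.0", "7.4", 5.3),
    Advisory("EXAMPLE-0003", "httpd", "2.2.0", "2.2.30", 7.5),
]

# (host, product, version, how the version was learned)
INVENTORY = [
    ("10.0.0.5", "httpd", "2.4.9", "banner"),         # external/network scan
    ("10.0.0.5", "sshd", "7.4", "banner"),
    ("10.0.0.8", "httpd", "2.4.12", "credentialed"),  # authenticated scan
    ("10.0.0.9", "sshd", "7.2", "credentialed"),
]

def match_findings(inventory, db):
    """Return findings sorted by severity, highest first."""
    findings = []
    for host, product, version, source in inventory:
        for adv in db:
            if adv.affects(product, version):
                findings.append({
                    "host": host, "id": adv.adv_id, "severity": adv.severity,
                    # A banner can misreport the patch level (e.g. backported
                    # fixes), so banner-only hits are queued for verification.
                    "needs_verification": source == "banner",
                })
    return sorted(findings, key=lambda f: f["severity"], reverse=True)

if __name__ == "__main__":
    for f in match_findings(INVENTORY, VULN_DB):
        print(f)
```

Comparing versions as plain strings would rank 2.4.9 above 2.4.12 and miss the first finding, which is one way a scanner produces false negatives.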

Vulnerability management

Vulnerability scanning is only one part of the vulnerability management process. Once the scanner discovers a vulnerability, it must be reported, verified (is it a false positive?), prioritized and classified for risk and impact, remediated, and monitored to prevent regression.

Your organization needs a process – more or less formal – for addressing vulnerabilities. A vulnerability management process includes scheduled scans, prioritization guidance, change management for software versions, and process assurance. Most vulnerability scanners can be part of a full vulnerability management solution, so larger organizations need to look at that context when selecting a scanner.

Many vulnerabilities can be addressed by patching, but not all. A cost/benefit analysis should be part of the process because not all vulnerabilities are risks in every environment, and there may be business reasons why you can’t install a given patch. Thus it’s useful when remediation guidance from the tool includes alternative means (e.g., disabling a service or blocking a port via firewall).

Features to consider

When choosing a vulnerability scanner there are many features to evaluate.

  • Is the scanner network-based, doing host/device discovery and target profiling?
  • What is the range of assets it can scan – hosts, network devices, web servers, virtual machine environments, mobile devices, databases?
  • Does that fit your organization’s needs?
  • Is its vulnerability database comprehensive and a good match for your network’s platforms? Does the database automatically receive a regular feed of updates?
  • Is the scanner accurate in your environment? Does it swamp you with uninformative low-level results? What is the incidence of false positives and false negatives? (A false positive entails wasted effort to investigate, and a false negative means an undetected risk.)
  • Is the scanner reliable and scalable?
  • Are the scanner’s tests unnecessarily intrusive? Does scanning impact hosts and devices, slowing performance and potentially crashing poorly configured devices?
  • Can you set up scheduled scans and automated alerts?
  • Does it provide canned policies (e.g., for particular compliance regimes)? Can you define your own policies?
  • Are scan results easy to understand? Can you sort and filter? Can you visualize trends over time? Does it provide useful guidance about prioritization?
  • Does it help with remediation? Are the instructions clear? How about automated remediation through scripting? Does it provide, or integrate with, automated software updating services to install service packs and patches?
  • What is the range of canned reports it provides, and what is their quality? Does it provide any compliance reports you need? Can you easily define your own report formats?

Caveats

The vulnerability scanner is only one source of information and is not a replacement for having knowledgeable staff.

Like many network administration tools targeted at enterprises, a high-end vulnerability scanner tends to be expensive. Good no-cost options are available, but many are limited in the size of the network they’ll handle, and all entail the cost of paying staff to learn the tool, install and configure it, and interpret its results. Thus, you should evaluate whether paying for more automation and support may be cheaper in the long run.

Installing a scanner can be complex, and the scanner will likely grind for a few hours at first to fetch updates to its vulnerability database and preprocess them. Depending on the number of hosts and the depth of the scan selected, a given scan can also take hours.

Here’s a list of the 6 best network vulnerability scanners:

  • SolarWinds Network Configuration Manager (FREE TRIAL)
  • OpenVAS
  • Microsoft Baseline Security Analyzer (MBSA)
  • Retina Network Scanner Community Edition
  • Nexpose Community Edition
  • Flexera Personal Software Inspector

Source: comparitech.com