Product Reviews

Bringing Security Issues Into Focus

eEye's network security scanner helps you find the chinks in your system's "armor."

• By Chip Andrews
• 02/01/2001

By helping systems administrators identify holes in their networks' "armor," security scanners play a vital role in any serious security policy. Security scanners probe machines or groups of hosts, seeking potential security breaches, then present administrators with reports detailing found weaknesses and how to patch them. Retina/The Network Security Scanner is eEye Digital Security's entry into this competitive market.

eEye describes Retina as highly modular, with four main modules making up the current release: scanner, miner, browser and tracer. The scanner (amazingly enough) is the module tasked with probing machines for vulnerabilities and reporting the results. It accepts a host or range of hosts and works its "magic," with eEye stating that the scanner doesn't take information gleaned from a host at face value. Instead, the scanner performs its own checks to confirm whether services listening on certain ports are what they claim to be. I found this scanner simple to use, and even novice users should be scanning systems in mere seconds.

The Retina miner is a component designed to "act" like a hacker in attempts to penetrate your systems, using artificial intelligence techniques known as CHAM (Common Hacking Attack Methods). This component is an application-level scanner that probes for vulnerabilities in Web, mail, and FTP servers and applications based on information gleaned from the system. eEye claims that the miner module can find vulnerabilities not yet known in servers and applications. Retina was unable to find any in the system I scanned and the amount of probing it did was impressive.

Retina's browser is significantly less interesting than the scanner and miner modules. In essence, this module allows the user to browse the Internet using the Retina interface. Yawn. I don't see any value here, with the possible exception of an Explorer-like tree view that the browser provides of all hyperlinks on a page. To me, this module seems more show than substance.

The application's tracer module also is fairly useless, offering little more than a graphical traceroute. It provides even less useful information than its command-line counterpart, tracert." If you implement Retina, I doubt you'll want to use the browser or tracer modules for serious information gathering. They are, however, examples of how the product can be expanded in the future, becoming more of a unified toolkit as opposed to being just another vulnerability scanner.

Though its reporting capabilities are a bit light, Retina is characterized by strong technical ability, making it a solid network security scanner. (Click image to view larger version.)

When I delved into Retina's reporting features, I was disappointed. The app only produces HTML reports (with various levels of detail for technical folks or executives). It would be nice to be able to save the reports to a file (of course, you do this with your browser) or in some type of comma-separated file for import into other applications. When Retina finds a vulnerability of a configurable level of importance, alerts are available by sound, e-mail and pop-up messages.

On the positive side, Retina's interface is stable and easy to understand. The application's vulnerability engine is quite up-to-date and is able to detect some issues that many other products miss. Retina possesses rapid scanning capability and the scanner and miner produce results in real time, so you see right away where security holes exist. Though it's a bit light on the reporting end, in terms of technical ability, Retina is strong; I can solidly recommend it as an easy-to-use network security scanner.