Nessus vs Retina - Vulnerability Scanning Tools Evaluation
We have mentioned our favorite vulnerability scanning tools in this blog. But a lot of time has passed since, so it is time to put these tools against each other and evaluate the quality of the results received when scanning the same target.
UPDATE: After the constructive input from Michael A. in the comments, we have reworked the test for Nessus, to achieve more comparable results. 
The Test Environment
The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.
- Nessus server and client were installed and updated to the latest plugins.
- Retina 5.10.18.2135 Evaluation version was downloaded and installed. The Evaluation version does not allow updates, so we used what updates are included in the build.
The target was Damn Vulnerable Linux (DVL) version 1.5, installed as a VMware virtual machine with bridged networking on the same PC as the vulnerability scanning tools. All firewalls (both on the host OS and on the guest OS) were disabled. DVL was started with the following services, using the default settings and content included in the distro:
- MySQL
- HTTP
- IPP Printer sharing which was active by default
The Scanning Process
Both scanners were configured for a full port scan, with safe checks disabled and all available plugins enabled. NOTE: Since Retina does not include web application analysis, Nessus was run twice, once with the web application plugins disabled and once with them enabled, in order to allow a meaningful performance comparison.
Performance
- The Nessus scanner without WebApplication scan took 8 minutes to complete the scan
- The Nessus scanner with WebApplication scan took 67 minutes to complete the scan
- The Retina scanner took 38 minutes to complete the scan
- Both scanners failed to identify the target operating system
- The Nessus scanner identified the expected open ports and concluded that MySQL does not accept connections from unauthorized IPs. On a repeat scan, it reproduced the same results.
- You can download the full report of the Nessus Scan Here
- The Retina scanner identified HTTP and TCP port 631 (IPP Printer Sharing). It did not identify the MySQL port as open. On the web server, it identified a significant number of vulnerabilities, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.
- You can download the full report of the Retina Scan Here
- The Nessus scanner with web application scanning enabled reproduced the previous results and additionally identified a significant number of web application vulnerabilities, collecting information from the HTTP server through web mirroring.
- You can download the full report of the Nessus Scan with WebApplication Scanning Here
Conclusions
Both scanners performed vulnerability identification very well, but both missed the OS identification. Both also showed flaws:
- Nessus missed the IPP port every time
- Retina produced inconsistent scan results, identifying different ports and vulnerabilities in different sessions, while no configuration changes were made to the test environment.
In terms of scan depth, Nessus has a small advantage, since it includes a web mirroring tool that is very helpful for HTTP targets.
It is clear that these tools cannot be used as the sole source of information when performing a vulnerability test. For maximum effect, one must also use network mapping (Nmap, LanGuard), OS identification (Nmap) and application-specific vulnerability scanners (Paros Proxy and WebScarab for web applications).
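The two flaws above (Nessus missing the IPP port, Retina reporting different ports on repeat runs) are exactly what a cross-check against an independent port scan catches. The script below is an added example, not code from the original post or from either vendor: it parses a Nessus .nessus (XML v2) export and an Nmap -oX XML file, reports ports Nmap saw open that the vulnerability scanner never reported on, and flags ports that differ between two runs of the same scanner. Both inputs are constructed samples modelled on the test above (target address 192.168.1.50 is assumed); the repeat-scan check works on plain port sets, so it applies to Retina output once it has been reduced to the same shape.

```python
"""Cross-check a vulnerability scanner's port coverage against an Nmap scan.

Added example, not part of the original post. Assumes the Nessus export is the
.nessus v2 format, where each finding is a <ReportItem> with port/protocol
attributes under a <ReportHost>, and that Nmap output is its -oX XML format.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal .nessus report for the DVL target. Nessus reports
# host-level findings (such as scan information) with port="0".
NESSUS_SAMPLE = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="dvl">
    <ReportHost name="192.168.1.50">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
      <ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed sample: Nmap -oX output for the same target, with IPP (631) open.
NMAP_SAMPLE = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.168.1.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def nessus_ports(xml_text):
    """Return {host: {(protocol, port), ...}} from a .nessus v2 document.
    Port 0 is the placeholder for host-level findings and is skipped."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        ports = set()
        for item in host.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port > 0:
                ports.add((item.get("protocol", "tcp"), port))
        result[host.get("name")] = ports
    return result


def nmap_open_ports(xml_text):
    """Return {address: {(protocol, port), ...}} for ports Nmap reports as open."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
        ports = set()
        for p in host.iter("port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((p.get("protocol"), int(p.get("portid"))))
        result[addr] = ports
    return result


def coverage_gaps(reference, scanner):
    """Per host: open ports the reference (Nmap) saw that the scanner never
    reported on, and ports the scanner reported that the reference did not see open."""
    gaps = {}
    for host in set(reference) | set(scanner):
        ref = reference.get(host, set())
        scn = scanner.get(host, set())
        gaps[host] = {"missed_by_scanner": sorted(ref - scn),
                      "unconfirmed": sorted(scn - ref)}
    return gaps


def repeat_scan_drift(run_a, run_b):
    """Ports present in one run of the same scanner but not in the other; an
    empty result means the scanner was consistent between sessions."""
    drift = {}
    for host in set(run_a) | set(run_b):
        a, b = run_a.get(host, set()), run_b.get(host, set())
        if a != b:
            drift[host] = sorted(a ^ b)
    return drift


if __name__ == "__main__":
    gaps = coverage_gaps(nmap_open_ports(NMAP_SAMPLE), nessus_ports(NESSUS_SAMPLE))
    for host, g in gaps.items():
        print(host, g)
```

Run against the samples, the coverage check reports TCP 631 as missed by the scanner, mirroring the IPP miss in the test. In practice the reference scan should be run with the same port range as the vulnerability scanner; otherwise the "unconfirmed" list fills with ports the reference simply did not probe.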
In a direct comparison, Nessus wins because:
- Retina produced inconsistent results on repeat scans,
- The Nessus package includes a web application scanning module, which in the eEye product line must be purchased as a separate application.
Talkback and comments are most welcome
New Version of Microsoft Baseline Security Analyzer
Our Microsoft Baseline Security Analyzer scanner has just reported that a new version (2.1.1) is available. It can be downloaded from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en
We were disappointed to see that version 2.1 did not work properly on Windows 7 - it just reported that the computer is not a Windows NT/2000/XP/2003 computer.
Version 2.1.1 does not provide any major new functionality, but it is now fully compatible with the current version of Windows.
You can download the baseline that we did on our demo Windows 7 laptop here
Windows 7 Full Disk Encryption with Truecrypt
After the TrueCrypt Full Disk Encryption Review and the 5 rules to Protecting Information on your Laptop, we are following up with a practical test of full disk encryption of Windows 7.
Shortinfosec is a great promoter of full disk encryption of laptop hard drives, and we have been using Windows 7 for several months now. On 21 Oct 2009, TrueCrypt published version 6.3, which has full support for Windows 7. Of course, why go for an open source product instead of the native BitLocker? Well, Microsoft's product strategy includes BitLocker only in the Ultimate and Enterprise editions of Windows 7!
Can someone say 'huge security misstep' - especially for the Windows 7 Pro users?
Encryption
Naturally, Shortinfosec started with a full disk encryption test on a laptop. The laptop has the following configuration:
- 2.1 GHz Core 2 Duo CPU
- 3 GB of RAM
- 320 GB of disk drive
- NVIDIA graphics
- Windows 7 Pro 32 bit operating system
The process is the same as already described in the TrueCrypt Full Disk Encryption Review. The installation of TrueCrypt is so generic that even the most inexperienced users should have no problems whatsoever.
The actual encryption lasts between 6 and 7 hours. After it finishes, you have an encrypted system drive. If absolutely necessary, you can even use the computer while the drive is being encrypted, but you won't be very productive.
Performance test
The laptop had a PassMark test run before and after the encryption. We focused on CPU and HDD performance, since these are the areas impacted by an encrypted file system.
The test results are presented in the following screenshots. The overall performance of the test laptop is marginally better for the non-encrypted disk clone. The disk drive is most impacted on the random read/write test.
The results in red are before the encryption.
The results in green are after the encryption.
Conclusion
Encrypting the entire hard drive of a Windows 7 machine may not seem a natural choice, but Microsoft's product strategy opens up an opportunity for products like TrueCrypt.
Encrypting the entire hard drive will reduce the performance of the disk subsystem, but the reduction on our system is so small that nobody will notice it.
Active Directory in a large organization goes through a lot of changes throughout the day. There are many possibilities for error: creating accounts with high privileges, or failing to disable the account of an employee who leaves the company.
Information security teams need fast and easily readable auditing, preferably automated.
The tool
While there are several excellent products that perform this function, auditing Active Directory can become a costly endeavor. NetWrix offers a free version of its Active Directory Change Reporter. It can be installed on any computer that is a member of the domain. Here is a screenshot of the configuration screen:
The process
The auditing is performed by taking a 'snapshot' of the Active Directory domain state at scheduled intervals. The snapshot is stored in a directory and can be used to create HTML reports of the changes that happened between two snapshots. There is even automated reporting, which delivers a report on changes to the directory on a predefined schedule.
The report clearly displays which objects have been added, removed or modified within the Active Directory domain. Of course, additional history, like who made the change and when, is available only in the commercial version, but even the free version produces a useful set of information.
Here is a screenshot of the report
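The snapshot-and-diff mechanism described above is simple enough to illustrate end to end. The script below is an added example, not NetWrix's code and not from the original post: it stores a snapshot of directory objects as a timestamped file, diffs two snapshots into added, removed and modified objects, and pulls out the changes an information security team most wants to see first (accounts created directly in a privileged group, existing accounts gaining privileged membership, re-enabled accounts). The two snapshots are constructed sample data keyed by distinguished name; in a real deployment each would be exported from the domain (for example via an LDAP search) into the same shape. PRIVILEGED_GROUPS and the example.local DNs are assumptions.

```python
"""Snapshot-and-diff auditing of directory objects.

Added example, not part of the original post and not NetWrix's code. The
snapshots are constructed samples; PRIVILEGED_GROUPS is an assumed list that
should be replaced with the domain's own privileged groups.
"""
import json
from datetime import datetime, timezone
from pathlib import Path

PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=example,DC=local",
    "CN=Enterprise Admins,CN=Users,DC=example,DC=local",
}
STAFF = "CN=Staff,CN=Users,DC=example,DC=local"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=local"

# Constructed snapshot from the previous run: DN -> attributes of interest.
SNAPSHOT_A = {
    "CN=alice,CN=Users,DC=example,DC=local":
        {"sAMAccountName": "alice", "enabled": True, "memberOf": [STAFF]},
    "CN=bob,CN=Users,DC=example,DC=local":
        {"sAMAccountName": "bob", "enabled": True, "memberOf": [STAFF]},
    "CN=svc-backup,CN=Users,DC=example,DC=local":
        {"sAMAccountName": "svc-backup", "enabled": True, "memberOf": [DOMAIN_ADMINS]},
}

# Constructed snapshot from the current run: alice was added to Domain Admins,
# bob's account was deleted, svc-backup was disabled, and a new account (eve)
# was created directly in Domain Admins.
SNAPSHOT_B = {
    "CN=alice,CN=Users,DC=example,DC=local":
        {"sAMAccountName": "alice", "enabled": True, "memberOf": [STAFF, DOMAIN_ADMINS]},
    "CN=svc-backup,CN=Users,DC=example,DC=local":
        {"sAMAccountName": "svc-backup", "enabled": False, "memberOf": [DOMAIN_ADMINS]},
    "CN=eve,CN=Users,DC=example,DC=local":
        {"sAMAccountName": "eve", "enabled": True, "memberOf": [DOMAIN_ADMINS]},
}


def save_snapshot(snapshot, directory, when=None):
    """Persist a snapshot as a timestamped JSON file and return its path."""
    when = when or datetime.now(timezone.utc)
    path = Path(directory) / f"ad-snapshot-{when:%Y%m%dT%H%M%SZ}.json"
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))
    return path


def load_snapshot(path):
    return json.loads(Path(path).read_text())


def _normalise(value):
    # Multi-valued attributes compare as sets, so export order is ignored.
    return sorted(value) if isinstance(value, list) else value


def diff_snapshots(old, new):
    """Return added and removed objects, plus changed attributes as (before, after)
    for every object present in both snapshots."""
    added = {dn: new[dn] for dn in new.keys() - old.keys()}
    removed = {dn: old[dn] for dn in old.keys() - new.keys()}
    modified = {}
    for dn in old.keys() & new.keys():
        changes = {}
        for attr in old[dn].keys() | new[dn].keys():
            before, after = _normalise(old[dn].get(attr)), _normalise(new[dn].get(attr))
            if before != after:
                changes[attr] = (before, after)
        if changes:
            modified[dn] = changes
    return {"added": added, "removed": removed, "modified": modified}


def privilege_alerts(diff):
    """Select the changes that warrant immediate attention, as (kind, dn, groups)."""
    alerts = []
    for dn, attrs in diff["added"].items():
        gained = PRIVILEGED_GROUPS & set(attrs.get("memberOf", []))
        if gained:
            alerts.append(("new-privileged-account", dn, sorted(gained)))
    for dn, changes in diff["modified"].items():
        if "memberOf" in changes:
            before, after = changes["memberOf"]
            gained = PRIVILEGED_GROUPS & (set(after or []) - set(before or []))
            if gained:
                alerts.append(("privilege-gained", dn, sorted(gained)))
        if changes.get("enabled") == (False, True):
            alerts.append(("account-re-enabled", dn, []))
    return alerts


def render_report(diff):
    """Plain-text equivalent of a change report: one line per change."""
    lines = []
    for section in ("added", "removed"):
        for dn in sorted(diff[section]):
            lines.append(f"{section.upper():8} {dn}")
    for dn, changes in sorted(diff["modified"].items()):
        for attr, (before, after) in sorted(changes.items()):
            lines.append(f"MODIFIED {dn}: {attr} {before!r} -> {after!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    d = diff_snapshots(SNAPSHOT_A, SNAPSHOT_B)
    print(render_report(d))
    for kind, dn, groups in privilege_alerts(d):
        print("ALERT", kind, dn, groups)
```

A scheduled task that calls save_snapshot after each export and diffs the two newest files gives the interval-based reporting described above. Because the diff only sees object state, it cannot tell who made a change or when within the interval; that is the history the commercial tools add on top.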
Conclusion
While the free version of NetWrix is far from the big players in functionality, it provides clear and automated reporting. It is a good choice to start with the free version and prepare for purchasing a commercial tool by learning from it and noting which functionalities you require that this tool does not deliver.