During the past few weeks, I've looked at several security scanners for the Windows NT environment, including eEye's Retina, Shavlik Technologies' InspectorScan, and WebTrends' Security Analyzer. This week, I'll continue with a look at Axent Technologies' NetRecon 3.0. Although NetRecon can scan all TCP/IP devices, in this review, as in all my reviews, I've tested the product in an NT-only environment.
Features and Benefits
NetRecon lets security administrators scan their networks for vulnerabilities. The software quickly scans each network host and offers clear reports on its findings. The product can scan for and report on a variety of security risks, including weak passwords and denial of service (DoS) vulnerabilities. With regard to the latter, although NetRecon tests for and reports on DoS vulnerabilities, it does not actually perform DoS attacks.
The NetRecon program window consists of three different panes, as Screen 1 shows. The first pane lets you select the type of scan to run, the next pane displays detailed information about the scan, and the third pane automatically creates and updates a graph of the number of high-, medium-, and low-risk vulnerabilities the product finds.
NetRecon can perform four different scans: light scan, medium scan, heavy scan, and a miscellaneous scan. The light scan identifies all network resources and their related OSs, and audits the services running on each host. The medium scan includes everything in the light scan, examines additional TCP and User Datagram Protocol (UDP) ports, and tests for a basic set of vulnerabilities based on the services and OSs that the light scan identified. When you run a heavy scan, NetRecon first performs a light scan and then performs a medium scan. The heavy scan then uses the information from these light and medium scans to attempt to gain access to network resources and discover additional vulnerabilities. A heavy scan also audits password strength, provided that NetRecon was able to obtain the password hashes. The miscellaneous scan lets you select different vulnerabilities to test for and run custom scans.
NetRecon includes a reporting module that lets you generate reports after each scan completes. With the reporting module, you can create a report listing every vulnerability that NetRecon scans for. To update NetRecon with the latest vulnerabilities, you must manually download and install a patch from Axent's Web site.
Installation and Use
Axent recommends that you install NetRecon on an NT 4.0 workstation or server with Service Pack 1 (SP1) or later, 64MB of RAM, and at least 40MB of hard disk space. Axent does not specify a minimum CPU requirement. I installed and tested NetRecon on a 500MHz Pentium III system with 512MB of RAM and plenty of hard disk space. The included documentation was very short and uninformative; fortunately, I did not experience any difficulties with the installation or use of the product.
The installation process was painless and required one reboot. Unlike Internet Security Systems (ISS) Internet Scanner 6.1, you don't need to install a special packet driver on your system. This leads me to believe that NetRecon does not test for vulnerabilities that rely on malformed packets. After my system rebooted, I connected to Axent's Web site to get the latest NetRecon update, which downloaded and installed as an executable. Simple. NetRecon does not, however, let you automatically update the software; you must manually check for and download patches. The latest patch brought the total number of vulnerabilities that NetRecon scans for to 393, a minor increase from the 383 vulnerabilities that the shipping product scanned for.
After I successfully installed the update, I proceeded to scan my network. I performed the heavy scan because it runs all the light scan and medium scan tests. After my last series of reviews, I had fully expected NetRecon to take anywhere from 8 to 15 minutes to complete the scan. I was shocked to see the scan complete after only 2 minutes.
I quickly realized why the scan completed so quickly when I checked the number of vulnerabilities that NetRecon found and compared those results to the other security scanner products I've reviewed. The product identified only 22 vulnerabilities on a host on which other products have identified anywhere from 27 (eEye Retina) to 65 (ISS Internet Scanner) vulnerabilities. NetRecon's scan results might be understandable, considering that no standards exist for identifying what constitutes a vulnerability. However, upon further investigation, NetRecon missed some basic vulnerabilities that all the other scanner products have detected. For example, NetRecon failed to identify multiple Registry keys that a typical user should not be able to access, but can in a default NT installation. NetRecon also did not detect any Microsoft Internet Information Server (IIS)-related vulnerabilities, other than that the service was installed.
I was impressed with NetRecon's attempt to retrieve password hashes and crack them. But, once I investigated this option further, I found that the product cracked only 50 percent of the passwords and did not report the cracked password to the user, only the hash. Competing products, such as BindView's HackerShield, cracked 100 percent of my domain accounts and reported the passwords back to the user.
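The password audit that the heavy scan performs (and that the paragraph above found wanting) is, at bottom, an offline dictionary attack on unsalted NT hashes. The following is an added example, not NetRecon's or Axent's code, showing what such an audit looks like when it does report the recovered plaintext: it computes NT hashes (MD4 over the UTF-16LE password) for a word list, matches them against a pwdump-style dump, and reports every account whose password it recovered. The MD4 routine is written out in pure Python because hashlib's MD4 is unavailable on OpenSSL 3 builds without the legacy provider; the account names, the dump, and the word list are all constructed for the example, and the LM hash column is left unaudited.

```python
"""NT password-hash audit: hash a word list and match it against a pwdump-style
dump, reporting the recovered plaintexts rather than only the hashes.

Added example, not NetRecon's or Axent's code. Accounts, hashes and the word
list below are constructed; the pwdump line format (user:RID:LMhash:NThash:::)
is assumed."""
import struct

MASK = 0xFFFFFFFF
NO_LM = "NO PASSWORD*********************"  # pwdump marker for an absent LM hash


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented directly from the specification."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)  # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)               # 64-bit little-endian length
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(data), 64):
        w = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + w[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates "a"
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(lines):
    """Yield (user, nt_hash) from pwdump lines of the form user:RID:LMhash:NThash:::"""
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0], parts[3].upper()


def audit(dump_lines, wordlist):
    """Dictionary audit. NT hashes are unsalted, so the word list is hashed once
    and every account is looked up in that table. Returns the cracked plaintexts
    per account and the crack rate."""
    lookup = {nt_hash(w): w for w in wordlist}
    accounts = dict(parse_pwdump(dump_lines))
    cracked = {u: lookup[h] for u, h in accounts.items() if h in lookup}
    rate = len(cracked) / len(accounts) if accounts else 0.0
    return {"accounts": len(accounts), "cracked": cracked, "rate": rate}


# Constructed sample dump with hypothetical accounts. The first two NT hashes are
# the well-known values for "password" and for the empty password.
SAMPLE_DUMP = [
    f"Administrator:500:{NO_LM}:8846F7EAEE8FB117AD06BDD830B7586C:::",
    f"Guest:501:{NO_LM}:31D6CFE0D16AE931B73C59D7E0C089C0:::",
    f"svc_backup:1001:{NO_LM}:{nt_hash('c0rrect-h0rse-battery-9')}:::",
]
SAMPLE_WORDLIST = ["", "password", "Password1", "letmein", "admin", "backup"]

if __name__ == "__main__":
    result = audit(SAMPLE_DUMP, SAMPLE_WORDLIST)
    for user, plain in result["cracked"].items():
        print(f"{user}: {plain!r}")  # the plaintext is what an administrator needs
    print(f"cracked {len(result['cracked'])}/{result['accounts']} ({result['rate']:.0%})")
```

Run as a script, it reports the two weak accounts with their plaintext passwords and a crack rate of 67 percent; the service account with a password outside the word list stays uncracked, which is the point of the audit. Because the hash table is built once from the word list, the cost is dominated by the word list rather than by the number of accounts, so scaling to a whole domain's worth of hashes is cheap.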
Despite these shortcomings, I was impressed with the detail in NetRecon's reporting. The software provides a detailed description for all vulnerabilities that it scans for, as Screen 2 shows. The reports included a list of each vulnerability found and detailed information on the vulnerability's cause and how to fix it. Unfortunately, the software does not give you the option to automatically fix vulnerabilities.
Not a Competitor
An industry-leading scanning product needs to offer more than detailed reports. Although NetRecon's reporting features are better than some of its competition, this scanner product does not compete well when it comes to identifying vulnerabilities, and it does not check for as many vulnerabilities as it should. With a price tag of $1995, NetRecon 3.0 won't replace or complement any of the scanner products that have already made it into the Ultimate Security ToolKit.