During the past few weeks, I've looked at several security scanners for the Windows NT environment, including eEye's Retina, Shavlik Technologies' InspectorScan, and WebTrends' Security Analyzer. This week, I'll continue with a look at Axent Technologies’ NetRecon 3.0. Although NetRecon can scan all TCP/IP devices, in this review, as in all my reviews, I’ve tested the product in an NT-only environment.
Features and Benefits
NetRecon lets security administrators scan their networks for vulnerabilities. The software quickly scans each network host, and offers clear reports on its findings. The product can scan for and report on a variety of security risks, including weak passwords and denial of service (DoS) vulnerabilities. With regard to the latter, although NetRecon tests for and reports on DoS vulnerabilities, it does not actually perform DoS attacks.
The NetRecon program window consists of three different panes, as Screen 1 shows. The first pane lets you select the type of scan to run, the next pane displays detailed information about the scan, and the third pane automatically creates and updates a graph containing the number of high-, medium-, and low-risk vulnerabilities the product finds.
NetRecon can perform four different scans: light scan, medium scan, heavy scan, and a miscellaneous scan. The light scan identifies all network resources and their related OSs, and audits the services running on each host. The medium scan includes everything in the light scan, examines additional TCP and User Datagram Protocol (UDP) ports, and tests for a basic set of vulnerabilities based on the services and OSs that the light scan identified. When you run a heavy scan, NetRecon first performs a light scan and then performs a medium scan. The heavy scan then uses the information from these light and medium scans to attempt to gain access to network resources and discover additional vulnerabilities. A heavy scan also audits the password strength, provided that NetRecon was able to obtain the encrypted hash. The miscellaneous scan lets you select different vulnerabilities to test for and run custom scans.
NetRecon includes a reporting module that lets you generate reports after each scan completes. With the reporting module, you can create a report listing every vulnerability that NetRecon scans for. To update NetRecon with the latest vulnerabilities, you must manually download and install a patch from Axent’s Web site.
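The three cumulative scan tiers described above (light: enumerate hosts, OSs and services; medium: add checks selected by the services and OS the light scan found; heavy: add an access attempt and a password-strength audit that runs only if the hash was obtained) and the per-finding description-plus-fix report can be modelled in a few dozen lines. The following is an added example, not NetRecon's code or Axent's check list; the host record, the check definitions and the placeholder hash are constructed for the demo, and the scan runs entirely offline against that record.

```python
"""Model of a tiered vulnerability scan (light -> medium -> heavy) with a risk tally
and a description-plus-fix report. Added example; all hosts and checks are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ["light", "medium", "heavy"]  # each level includes everything from the ones before it


@dataclass
class Host:
    name: str
    os: str
    services: Dict[int, str]             # port -> service name, as the light scan would enumerate it
    password_hash: Optional[str] = None  # None when the scanner could not obtain the hash
    weak_password: bool = False          # constructed ground truth for the demo only


@dataclass
class Check:
    check_id: str
    severity: str                    # "high" | "medium" | "low"
    description: str
    fix: str
    service: Optional[str] = None    # runs only if the light scan found this service
    os_prefix: Optional[str] = None  # runs only if the host OS name starts with this


@dataclass
class Finding:
    check_id: str
    severity: str
    description: str
    fix: str


# Constructed, illustrative medium-tier checks (assumption: not Axent's actual list).
MEDIUM_CHECKS = [
    Check("ftp-anon", "medium", "FTP service may accept anonymous logins.",
          "Disable anonymous FTP or confine it to a read-only area.", service="ftp"),
    Check("nt-null-session", "high", "NetBIOS session service permits anonymous enumeration.",
          "Set RestrictAnonymous and filter TCP 139 at the perimeter.",
          service="netbios-ssn", os_prefix="Windows NT"),
    Check("http-present", "low", "Web server is installed and reachable.",
          "Confirm the web server is required and keep it patched.", service="http"),
]


def light_scan(host: Host) -> List[Finding]:
    """Light tier: one low-risk inventory finding per exposed service."""
    return [Finding(f"svc-{port}", "low", f"{svc} listening on TCP/UDP port {port}",
                    "Disable the service if it is not required.")
            for port, svc in sorted(host.services.items())]


def medium_scan(host: Host) -> List[Finding]:
    """Medium tier: select checks by the services and OS the light tier identified."""
    found = set(host.services.values())
    out = []
    for c in MEDIUM_CHECKS:
        if c.service and c.service not in found:
            continue
        if c.os_prefix and not host.os.startswith(c.os_prefix):
            continue
        out.append(Finding(c.check_id, c.severity, c.description, c.fix))
    return out


def heavy_scan(host: Host) -> List[Finding]:
    """Heavy tier: password-strength audit, which can only run if a hash was obtained."""
    if host.password_hash is None or not host.weak_password:
        return []
    return [Finding("weak-password", "high", "An account password was recovered from its hash.",
                    "Enforce password length and complexity; change the affected account now.")]


def run_scan(host: Host, level: str) -> List[Finding]:
    """Run every tier up to and including `level`, accumulating findings."""
    if level not in LEVELS:
        raise ValueError(f"unknown scan level: {level}")
    findings: List[Finding] = []
    for name, tier in zip(LEVELS, (light_scan, medium_scan, heavy_scan)):
        findings.extend(tier(host))
        if name == level:
            break
    return findings


def risk_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts behind the high/medium/low graph."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def render_report(host: Host, findings: List[Finding]) -> str:
    """Per-finding report: id, severity, cause and remediation."""
    lines = [f"Report for {host.name} ({host.os})"]
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.check_id}: {f.description} Fix: {f.fix}")
    return "\n".join(lines)


# Constructed sample host; the hash value is a placeholder, not real data.
SAMPLE_HOST = Host("nt4-srv", "Windows NT 4.0", {21: "ftp", 80: "http", 139: "netbios-ssn"},
                   password_hash="<constructed-hash-placeholder>", weak_password=True)

if __name__ == "__main__":
    results = run_scan(SAMPLE_HOST, "heavy")
    print(render_report(SAMPLE_HOST, results))
    print(risk_summary(results))
```

The point the model makes explicit is the dependency between tiers: the medium checks are only as good as the light inventory they key off, and the heavy tier's password audit silently contributes nothing when the hash was not obtainable, which is exactly the case a reader of the results needs to distinguish from "no weak passwords found".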
Installation and Use
Axent recommends that you install NetRecon on an NT 4.0 workstation or server with Service Pack 1 (SP1) or later, 64MB of RAM, and at least 40MB of hard disk space. Axent does not specify a minimum CPU requirement. I installed and tested NetRecon on a 500MHz Pentium III system with 512MB of RAM and plenty of hard disk space. The included documentation was very short and uninformative; fortunately, I did not experience any difficulties with the installation or use of the product.
The installation process was painless and required one reboot. Unlike Internet Security Systems’ (ISS’) Internet Scanner 6.1, you don’t need to install a special packet driver on your system. This leads me to believe that NetRecon does not test for vulnerabilities that rely on malformed packets. After my system rebooted, I connected to Axent’s Web site to get the latest NetRecon update, which downloaded and installed as an executable—simple. NetRecon does not, however, let you automatically update the software; you must manually check for and download patches. The latest patch brought the total number of vulnerabilities that NetRecon scanned for to 393, a minor increase from the 383 original vulnerabilities that the shipping product scanned for.
After I successfully installed the update, I proceeded to scan my network. I performed the heavy scan because it runs all the light scan and medium scan tests. After my last series of reviews, I had fully expected NetRecon to take anywhere from 8 to 15 minutes to complete the scan. I was shocked to see the scan complete after only 2 minutes.
I quickly realized why the scan completed so quickly when I checked the number of vulnerabilities that NetRecon found and compared those results to the other security scanner products I’ve reviewed. The product identified only 22 vulnerabilities on a host on which other products have identified anywhere from 27 (eEye Retina) to 65 (ISS Internet Scanner) vulnerabilities. NetRecon’s scan results might be understandable, considering that no standards exist for identifying what constitutes a vulnerability. However, upon further investigation, NetRecon missed some basic vulnerabilities that all the other scanner products have detected. For example, NetRecon failed to identify multiple Registry keys that should not be accessible to a typical user, but are in a default NT installation. NetRecon also did not detect any Microsoft Internet Information Server (IIS)-related vulnerabilities, other than that the service was installed.
I was impressed with NetRecon's attempt to retrieve password hashes and crack them. But, once I investigated this option further, I found that the product cracked only 50 percent of the passwords and did not report the cracked password to the user, only the encrypted hash. Competing products, such as BindView’s HackerShield, cracked 100 percent of my domain accounts and reported the passwords back to the user.
Despite these shortcomings, I was impressed with the detail in NetRecon’s reporting. The software provides a detailed description for all vulnerabilities that it scans for, as Screen 2 shows. The reports included a list of each vulnerability found and detailed information on the vulnerability's cause and how to fix it. Unfortunately, the software does not give you the option to automatically fix vulnerabilities.
Not a Competitor
An industry-leading scanning product needs to offer more than detailed reports. Although NetRecon’s reporting features are better than some of its competition, this scanner product does not compete well when it comes to identifying vulnerabilities, and it does not check for as many vulnerabilities as it should. With a price tag of $1995, NetRecon 3.0 won't replace or complement any of the scanner products that have already made it into the Ultimate Security ToolKit.
Contact: Axent Technologies * (301) 258-5043
Pros: Scans network hosts more quickly than its competitors. Excellent report quality. Provides detailed descriptions of vulnerabilities.
Cons: Only scans for 393 different risks, fewer than competing scanner products. Documentation is short and uninformative. Does not have the ability to auto-update the software or vulnerabilities; users must perform updates manually. Did not capture some basic vulnerabilities during testing. Attempts to crack passwords, but won't report cracked passwords to the user—just the encrypted hash. Not able to crack passwords that competing products easily cracked.