Akaba PointScan probes networks for security holes, but results are undependable and the cost is steep

Stand-alone applications have traditionally ruled the network vulnerability assessment space, but assessment services are gaining in popularity. Such services can provide detailed analysis of Internet-facing systems from the eyes of an attacker, but they have not been able to scan internal networks — until now.

Akaba PointScan is a Web-based service through which administrators launch scans of internal and external networks, either by simply clicking the Scan Now button or by scheduling daily, weekly, or monthly scans. The network range is preconfigured in the account and there are no options to configure; just click and go.

The Web server passes scan requests to Akaba's scanning machines, which then launch the scan on the targeted network. Scans are performed in blocks of 32 addresses to reduce the load on the target network. PointScan tries to stay unintrusive and does not run checks that may crash services or systems. The scanning engine mostly uses proprietary tools developed in-house by Akaba.

To scan internal networks, Akaba configures a VPN between its scanning systems and the targeted network. Some nifty routing tricks on Akaba's end prevent issues with duplicate private IP address ranges.

We had PointScan scan an internal and an external network several times while we added new systems and changed services running on them. We tried a variety of Windows systems at various patch levels. We also had some Red Hat Linux systems, an HP JetDirect print server, and a Snap Server.

PointScan can only identify network-based vulnerabilities, such as those in IIS (Internet Information Server), FTP, SMTP, and Finger. The service does not look at detailed application information, account settings, or Windows registry entries. This is an area Akaba can easily improve by adding functionality to its scanning engine.
We found PointScan yielded inconsistencies in its scanning results. It would find an issue in one scan and then fail to find it in the next, and vice versa, even though no changes had been made to the configuration. Other strange things popped up, such as a Windows vulnerability listed for a Linux system and an FTP vulnerability listed for a system that did not have FTP running. PointScan also seems to label any open UDP port 500 as PGPNet by default, even though 500/UDP is the standard port for ISAKMP, which IPSec uses. Working with Akaba, we traced some of the inconsistencies to dropped packets. Akaba plans to add functionality to its scanning engine to handle them better.

PointScan shines in its useful, easy-to-read report. Colorful charts and graphs start off the report, followed by other high-level information, such as the number of high-, medium-, and low-class vulnerabilities sorted by IP address. The report lists new vulnerabilities identified in the most recent scan as compared with the previous one. It provides a thorough discussion of the identified vulnerabilities as well as the detailed steps necessary to remove, or at least mitigate, the risks.

The report also lists vulnerabilities that are no longer on the network in comparison with the last scan. This list can give you a false sense of security if the change was not actually made on the network and PointScan simply did not find the vulnerability in the most recent scan.

Organizations that want to regularly scan their Internet-facing systems should at least consider PointScan, keeping in mind that not everyone uses the expensive VPN devices that Akaba supports. The price of the service may not be cost-effective for internal network scans. For example, the Retina scanner from eEye Digital Security is an excellent product that can scan an unlimited number of IP addresses for only $4,995 ($1,770 annual maintenance).
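The false-sense-of-security problem above comes from treating "not found this time" as "fixed". The following added example (not Akaba's code, and not how PointScan builds its report) shows a defender-side way to triage successive scan reports: a finding counts as resolved only after it has been absent from several consecutive scans, and findings that flip between present and absent are flagged as flapping so that scanner unreliability is not mistaken for remediation. All hosts, ports, and finding names are constructed sample data.

```python
"""Triage successive vulnerability-scan reports with a persistence rule.

Added illustration, not the scanning service's own logic. A "no longer
found" entry becomes "resolved" only after it has been absent from
`confirm_absent` consecutive scans; until then it is "unconfirmed".
Findings whose state flips back and forth are reported as "flapping".
"""
from collections import namedtuple

Finding = namedtuple("Finding", "ip port proto vuln severity")

# Constructed sample scans, oldest first (hypothetical hosts and checks).
SCANS = [
    {Finding("10.0.0.5", 21, "tcp", "anonymous-ftp", "high"),
     Finding("10.0.0.5", 80, "tcp", "iis-directory-traversal", "high"),
     Finding("10.0.0.9", 500, "udp", "isakmp-open", "low"),
     Finding("10.0.0.7", 79, "tcp", "finger-enabled", "medium")},
    {Finding("10.0.0.5", 80, "tcp", "iis-directory-traversal", "high"),   # ftp finding dropped
     Finding("10.0.0.9", 500, "udp", "isakmp-open", "low"),
     Finding("10.0.0.7", 79, "tcp", "finger-enabled", "medium")},
    {Finding("10.0.0.5", 21, "tcp", "anonymous-ftp", "high"),             # ftp finding back
     Finding("10.0.0.5", 80, "tcp", "iis-directory-traversal", "high"),
     Finding("10.0.0.9", 500, "udp", "isakmp-open", "low")},              # finger gone
    {Finding("10.0.0.5", 21, "tcp", "anonymous-ftp", "high"),
     Finding("10.0.0.5", 80, "tcp", "iis-directory-traversal", "high"),
     Finding("10.0.0.7", 25, "tcp", "smtp-open-relay", "high")},          # isakmp gone, smtp new
]


def presence(scans, finding):
    """True/False per scan, oldest first, for one finding."""
    return [finding in scan for scan in scans]


def trailing_absences(scans, finding):
    """How many of the most recent consecutive scans lack the finding."""
    count = 0
    for scan in reversed(scans):
        if finding in scan:
            break
        count += 1
    return count


def transitions(scans, finding):
    """Number of present/absent flips across the scan history."""
    hist = presence(scans, finding)
    return sum(1 for a, b in zip(hist, hist[1:]) if a != b)


def triage(scans, confirm_absent=2, flap_threshold=2):
    """Classify every finding ever reported, using the latest scan as reference.

    new         : in the latest scan, never reported before
    reappeared  : in the latest scan, absent from the previous one, seen earlier
    persistent  : in both the latest and the previous scan
    resolved    : absent from at least `confirm_absent` consecutive recent scans
    unconfirmed : absent from the latest scan, but not yet for `confirm_absent` scans
    flapping    : state flipped at least `flap_threshold` times (scanner noise?)
    """
    latest = scans[-1]
    previous = scans[-2] if len(scans) > 1 else set()
    keys = ("new", "reappeared", "persistent", "resolved", "unconfirmed", "flapping")
    buckets = {k: set() for k in keys}
    for f in set().union(*scans):
        if f in latest:
            if f in previous:
                buckets["persistent"].add(f)
            elif any(f in s for s in scans[:-1]):
                buckets["reappeared"].add(f)
            else:
                buckets["new"].add(f)
        elif trailing_absences(scans, f) >= confirm_absent:
            buckets["resolved"].add(f)
        else:
            buckets["unconfirmed"].add(f)
        if transitions(scans, f) >= flap_threshold:
            buckets["flapping"].add(f)
    return buckets


if __name__ == "__main__":
    for bucket, findings in triage(SCANS).items():
        print(bucket)
        for f in sorted(findings):
            print(f"  {f.ip}:{f.port}/{f.proto} {f.vuln} ({f.severity})")
```

With the default `confirm_absent=2`, the ISAKMP finding that vanished in the latest scan lands in "unconfirmed" rather than "resolved", and the FTP finding that was missed once and then found again is flagged as flapping. Setting `confirm_absent=1` reproduces the naive "missing means fixed" behaviour the review warns about.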
PointScan is at its best as an automated scanner to regularly check external systems, such as Web servers and mail servers.