You wouldn’t want your network to become the target of malicious users trying to steal your data or cause damage to your organization. But how can you make sure there are as few ways as possible for them to get in?
By making sure each and every vulnerability on your network is known, addressed, and fixed or that some measure is in place to mitigate it. And the first step in accomplishing that is to scan your network for those vulnerabilities.
This is the job of a specific type of software tool and today, we’re glad to bring you the best free network vulnerability scanners.
We’ll start today’s discussion by talking about network vulnerabilities and trying to explain what they are. We’ll next discuss vulnerability scanners in general. We’ll see who needs them and why.
Since a vulnerability scanner only works as part of a vulnerability management process, this is what we’ll discuss next. Then, we’ll study how vulnerability scanners typically work. They are all different but at their core, there are usually more similarities than differences. And before we reveal what the best free vulnerability scanners are, we’ll tell you what to look for in them.
What are network vulnerabilities?
Computer systems and networks are more complex than ever. It’s not uncommon for a typical server to be running hundreds of processes. Each of these processes is a program, some of them are big programs containing thousands of lines of code. And within this code, there could be all sorts of unexpected things.
A programmer may, at one point, have added some backdoor feature to facilitate debugging, and this feature might have mistakenly made it into the final version. There could be errors in input validation that cause unexpected, and undesirable, results under some specific circumstances.
Each of these is a hole and there are numerous people out there who have nothing better to do than to find these holes and use them to attack your systems.
Vulnerabilities are what we call these holes. If left unattended, they can be used by malicious users to gain access to your systems and data–or even worse, your clients’ data–or to otherwise cause some damage such as rendering your systems unusable.
Vulnerabilities can be everywhere on your network. They are often found in software running on your servers or in their operating systems, but they are also common in networking equipment such as switches and routers, and even in security appliances such as firewalls.
Network vulnerability scanners explained
Vulnerability scanners, or vulnerability assessment tools as they are often called, are software tools whose sole purpose is to identify vulnerabilities in your systems, devices, equipment, and software. We call them scanners because they will usually scan your equipment to look for specific vulnerabilities.
But how do they find these vulnerabilities? After all, they are usually not there in plain sight or the developer would have addressed them. Somewhat like antivirus software, which uses virus definition databases to recognize computer viruses, most vulnerability scanners rely on vulnerability databases and scan systems for the specific vulnerabilities they describe.
These vulnerability databases can either be sourced from well-known security testing labs that are dedicated to finding vulnerabilities in software and hardware or they can be proprietary databases.
The level of detection you get is only as good as the vulnerability database that your tool uses.
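To make the database-driven matching concrete, here is an added Python illustration (not code from any scanner on this page) of how a version-based check works, including an exception list for findings a human has verified as not applicable; the database entries, placeholder IDs and hosts are all constructed.

```python
"""Toy version-based vulnerability detection: match a host's software inventory
against a vulnerability database the way a scanner does (constructed data)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str      # placeholder ID, not a real CVE number
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str

# Constructed database; a real scanner pulls this from NVD or vendor feeds.
VULN_DB = [
    VulnEntry("VULN-0001", "openssh", "7.0", "8.4", "high"),
    VulnEntry("VULN-0002", "openssh", "8.0", "8.8", "medium"),
    VulnEntry("VULN-0003", "nginx", "1.0.0", "1.20.1", "high"),
]
# Constructed inventory, as an authenticated scan or banner grab would collect it.
INVENTORY = {
    "web01": {"nginx": "1.18.0", "openssh": "8.2"},
    "db01": {"openssh": "8.9"},
}

def parse_version(text: str) -> tuple:
    """'1.20.1' -> (1, 20, 1); string comparison would wrongly rank 1.9 above 1.18."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(entry: VulnEntry, version: str) -> bool:
    v = parse_version(version)
    return parse_version(entry.introduced) <= v < parse_version(entry.fixed)

def scan(inventory: dict, db: list, exceptions=frozenset()) -> list:
    """Return (host, product, version, vuln_id, severity) for every match.
    `exceptions` holds (host, vuln_id) pairs a human verified as not affected,
    e.g. a distribution that backported the fix without changing the version
    string; that is the classic source of false positives for version checks."""
    findings = []
    for host, software in inventory.items():
        for product, version in software.items():
            for entry in db:
                if entry.product != product or (host, entry.vuln_id) in exceptions:
                    continue
                if is_affected(entry, version):
                    findings.append((host, product, version, entry.vuln_id, entry.severity))
    return findings
```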
Vulnerability scanner: Do I need one?
The quick and easy answer to this question is simple: You do! No really, everyone needs them. Just like no one in their right mind would think of running a computer without some virus protection, no network administrator should be without at least some vulnerability detection scheme.
Of course, this is something that could in theory be done manually, but in practice it is an impossible job. It would require a tremendous amount of time and human resources. Some organizations are dedicated to finding vulnerabilities, and they often employ hundreds of people, if not thousands.
The fact is that if you are managing a number of computer systems or devices, you probably need a vulnerability scanner. Complying with regulatory standards such as SOX or PCI-DSS will often mandate that you do. And even if they don’t require it, compliance will be easier to demonstrate if you can show that you are scanning your network for vulnerabilities.
What to look for
Let’s have a look at some of the most important things to consider when evaluating network vulnerability scanners.
First and foremost is the range of devices the tool can scan. This has to match your environment as closely as possible. If, for example, your environment has many Linux servers, you should pick a tool that will scan these. Your scanner should also be as accurate as possible in your environment so as to not drown you in useless notifications and false positives.
Another important factor to consider is the tool’s vulnerability database.
- Is it updated regularly?
- Is it stored locally or in the cloud?
- Do you have to pay additional fees to get the vulnerability database updated?
These are all things you’ll want to know before you pick your tool.
Not all scanners are created equal: some will use a more intrusive scanning method than others and will potentially affect system performance. This is not necessarily a bad thing, as the most intrusive scanners are often the best ones, but if they affect system performance, you’ll want to know about it and schedule the scans accordingly. And talking about scheduling, this is another important aspect of network vulnerability scanners. Does the tool you’re considering even have scheduled scans? Some tools need to be launched manually.
The last important aspect of network vulnerability scanners is their alerting and reporting.
- What happens when they detect a vulnerability?
- Is the notification clear and easy to understand?
- Does the tool provide some insight on how to fix found vulnerabilities?
Some tools even have automated remediation of some vulnerabilities. Others integrate with patch management software.
As for reporting, this is often a matter of personal preference but you have to ensure that the information you expect to find in the reports is actually there. Some tools only have predefined reports, some will let you modify them, and some will let you create new ones from scratch.
Best network vulnerability scanners
Now that we know what to look for in vulnerability scanners, let’s have a look at some of the best or most interesting packages we could find. All but one of them are free and the paid one has a free trial available.
1. SolarWinds Network Configuration Manager
Our first entry is an interesting piece of software from SolarWinds called the Network Configuration Manager. However, this is neither a free tool nor is it a network vulnerability scanner. So you may be wondering what it is doing in this list.
There is one primary reason for its inclusion: the tool addresses a specific type of vulnerability that not many other tools do, and that is the misconfiguration of networking equipment.
- FREE TRIAL: SolarWinds Network Configuration Manager
- Official download: https://www.solarwinds.com/network-configuration-manager
This tool’s primary purpose as a vulnerability scanner is validating network equipment for configuration errors and omissions. It will also periodically check device configurations for changes.
This can be useful as some attacks are started by modifying some device configuration in a way that can facilitate access to other systems. The Network Configuration Manager can also help you with network compliance with its automated network configuration tools that can deploy standardized configs, detect out-of-process changes, audit configurations, and even correct violations.
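As an added illustration of the configuration-change check described here (not SolarWinds code), the following Python compares a router’s running configuration to a stored baseline, ignores lines that change on every save, and flags the changes that should be escalated; the configs, hostnames and policy patterns are constructed.

```python
"""Configuration-drift check for network devices: compare a running config to a
stored baseline, ignore volatile lines, and flag the changes a reviewer must see.
Added illustration; configs, hostnames and patterns are constructed."""
import difflib
import hashlib
import re

# Lines that change on every save and must not count as drift (constructed).
VOLATILE = [re.compile(r"^! Last configuration change")]
# Changes that should always be escalated, however small (constructed policy).
RISKY = [re.compile(r"telnet"), re.compile(r"^-\s*access-class")]

# Constructed baseline and a later running config with an out-of-process change.
BASELINE = """\
hostname edge-rtr1
! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
 access-class 10 in
"""
CURRENT = """\
hostname edge-rtr1
! Last configuration change at 11:30:00 UTC Tue Jan 2 2024
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh telnet
"""

def normalize(config: str) -> list:
    """Drop volatile lines and trailing whitespace so only real changes remain."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    return [ln for ln in lines if not any(p.search(ln) for p in VOLATILE)]

def fingerprint(config: str) -> str:
    """SHA-256 of the normalized config; store it alongside the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def drift(baseline: str, current: str) -> list:
    """Only the added ('+') and removed ('-') lines between baseline and current."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current), n=0, lineterm="")
    return [ln for ln in diff if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]

def risky_changes(changes: list) -> list:
    """Subset of drift lines that match the escalation policy."""
    return [ln for ln in changes if any(p.search(ln) for p in RISKY)]
```

A scheduled job would store `fingerprint(BASELINE)` and only run `drift` when the fingerprint of the freshly pulled config differs, which keeps a timestamp-only change from waking anyone up.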
The software integrates with the National Vulnerability Database and has access to the most current CVEs to identify vulnerabilities in your Cisco devices. It will work with any Cisco device running ASA, IOS, or Nexus OS. In fact, two useful tools, Network Insights for ASA and Network Insights for Nexus, are built right into the product.
Pricing for the SolarWinds Network Configuration Manager starts at $2,895 and varies according to the number of nodes. If you’d like to give this tool a try, a free 30-day trial version can be downloaded from SolarWinds.
2. Microsoft Baseline Security Analyzer (MBSA)
Our second entry is an older tool from Microsoft called the Baseline Security Analyzer, or MBSA. This tool is a less-than-ideal option for larger organizations but it could be OK for small businesses with only a few servers.
Given its Microsoft origin, don’t expect this tool to look at anything but Microsoft products, though. It will scan the base Windows operating system as well as some services such as the Windows Firewall, SQL server, IIS and Microsoft Office applications.
The tool doesn’t scan for specific vulnerabilities like true vulnerability scanners do, but it will look for missing patches, service packs and security updates, as well as scan systems for administrative issues. The MBSA’s reporting engine will let you get a list of missing updates and misconfigurations.
MBSA is an old tool from Microsoft. So old that it is not totally compatible with Windows 10. Version 2.3 will work with the latest version of Windows but will require some tweaking to clean up false positives and to fix checks that can’t be completed. For example, MBSA will falsely report that Windows Update is not enabled on the latest Windows version. Another drawback is that MBSA won’t detect non-Microsoft vulnerabilities or complex vulnerabilities. Still, this tool is simple to use and does its job well and it could be the perfect tool for a smaller organization with only Windows computers.
3. Open Vulnerability Assessment System (OpenVAS)
The Open Vulnerability Assessment System, or OpenVAS, is a framework of many services and tools which combine to offer a comprehensive and powerful vulnerability scanning and management system.
The framework behind OpenVAS is part of Greenbone Networks’ vulnerability management solution, from which developments have been contributed to the community for about ten years. The system is entirely free and most of its components are open-source, although some are proprietary. The OpenVAS scanner comes with over fifty thousand Network Vulnerability Tests which are updated on a regular basis.
OpenVAS has two main components, the OpenVAS scanner, which is responsible for the actual scanning of target computers and the OpenVAS manager, which controls the scanner, consolidates results, and stores them in a central SQL database along with the system’s configuration. Other components include browser-based and command-line user interfaces.
An additional component of the system is the Network Vulnerability Tests database. This database is updated from either the free Greenbone Community Feed or the Greenbone Security Feed. The latter is a paid subscription service while the community feed is free.
4. Retina Network Community
The Retina Network Community is the free version of the Retina Network Security Scanner from BeyondTrust, one of the best-known vulnerability scanners.
It is a comprehensive vulnerability scanner with many features. The tool can perform a free vulnerability assessment of missing patches, zero-day vulnerabilities, and non-secure configurations. User profiles aligned with job functions simplify the operation of the system. Its Metro-styled, intuitive user interface allows for streamlined operation of the system.
Retina Network Community uses the Retina scanner’s database, an extensive database of network vulnerabilities, configuration issues, and missing patches. It is automatically updated and covers a wide range of operating systems, devices, applications, and virtual environments. Talking about virtual environments, the product fully supports VMware environments and includes online and offline virtual image scanning, virtual application scanning, and integration with vCenter.
The main limitation of the Retina Network Community is that it’s limited to scanning 256 IP addresses. While this is not much, it will be more than enough for several smaller organizations. If your environment is bigger than that, you can opt for the Retina Network Security Scanner, available in Standard and Unlimited editions. Both editions have an extended feature set compared to the Retina Network Community scanner.
5. Nexpose Community Edition
Nexpose from Rapid7 is another well-known vulnerability scanner, although perhaps less so than Retina. The Nexpose Community Edition is a limited version of Rapid7’s comprehensive vulnerability scanner.
The limitations are important. First and foremost, you can only use the product to scan a maximum of 32 IP addresses. This makes it a good option only for the smallest of networks. Furthermore, the product can only be used for one year. Besides these limitations, this is an excellent product.
Nexpose can run on physical machines running either Windows or Linux. It is also available as a VM appliance. The product’s extensive scanning capabilities will handle networks, operating systems, web applications, databases, and virtual environments. Nexpose uses what it calls Adaptive Security, which can automatically detect and assess new devices and new vulnerabilities the moment they access your network. This combines with dynamic connections to VMware and AWS and integration with the Sonar research project to provide true live monitoring. Nexpose provides integrated policy scanning to assist in complying with popular standards like CIS and NIST. The tool’s intuitive remediation reports give step-by-step instructions on remediation actions to quickly improve compliance.
6. Tripwire SecureCheq
Our last entry is a product from Tripwire, another household name in IT security. Its SecureCheq software is advertised as a free Microsoft Windows configuration security checker for desktops and servers.
The tool performs local scans on Windows computers and identifies insecure Windows advanced settings as defined by CIS, ISO or COBIT standards. It will seek about two dozen common configuration errors related to security.
This is a simple tool that is easy to use. You simply run it on the local machine and it will list all the checked settings with a pass or fail status. Clicking on any of the listed settings reveals a summary of the vulnerability with references on how to fix it. The report can be printed or saved as an OVAL XML file.
Although SecureCheq scans for some advanced configuration settings, it misses many of the more general vulnerabilities and threats. Your best bet is to use it in combination with a more basic tool such as the Microsoft Baseline Security Analyzer reviewed above.
Vulnerability management
It’s one thing to detect vulnerabilities using some sort of software tool, but it is of little use unless it is part of a holistic vulnerability management process. Just as intrusion detection systems are not intrusion prevention systems, network vulnerability scanners–or at least the vast majority of them–will only detect vulnerabilities and point them out to you.
It is up to you to have some process in place to react to these detected vulnerabilities. The first thing that should be done is to assess them.
The idea here is to make sure detected vulnerabilities are real. Makers of vulnerability scanners often prefer to err on the side of caution and many of their tools will report a certain number of false positives.
The next step in the vulnerability management process is to decide how you want to address–and fix–real vulnerabilities. If they were found in a piece of software your organization barely uses–or doesn’t use at all–your best course of action might be to remove and replace it with another software offering similar functionality.
In many instances, fixing vulnerabilities is as easy as applying some patch from the software publisher or upgrading to the latest version. At times, they can also be fixed by modifying some configuration setting(s).
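The assess, decide and fix steps above as an added Python illustration (not from the original article): findings are dismissed unless a human verified them, and the remaining ones get an action in the order the text gives, highest severity first; hosts, placeholder IDs and findings are constructed.

```python
"""Triage of scanner findings: verify, decide, then fix.
Added illustration; hosts, IDs and findings are constructed."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    host: str
    product: str
    vuln_id: str                 # placeholder ID, not a real CVE number
    severity: str
    fix_version: Optional[str]   # version the vendor fixed it in, if any
    mitigation: Optional[str]    # configuration change that closes it, if any
    usage: str                   # "core", "occasional" or "unused"
    verified: bool = False       # True once assessment confirmed it is real

def decide(f: Finding) -> str:
    """Decision order from the text: verify, then remove, patch, or reconfigure."""
    if not f.verified:
        return "dismiss (false positive after assessment)"
    if f.usage == "unused":
        return "remove software and replace it if the functionality is needed"
    if f.fix_version:
        return f"apply vendor patch / upgrade to {f.fix_version}"
    if f.mitigation:
        return f"change configuration: {f.mitigation}"
    return "no fix available: isolate and track until the vendor ships one"

def build_plan(findings: list) -> list:
    """(host, vuln_id, action) ordered by severity, with dismissals last."""
    ordered = sorted(findings, key=lambda f: (not f.verified, SEVERITY_RANK[f.severity]))
    return [(f.host, f.vuln_id, decide(f)) for f in ordered]

# Constructed scan output after the assessment step.
FINDINGS = [
    Finding("web01", "nginx", "VULN-0003", "high", "1.20.1", None, "core", verified=True),
    Finding("web01", "openssh", "VULN-0001", "high", "8.4", None, "core", verified=False),
    Finding("app02", "legacy-ftpd", "VULN-0010", "critical", None, "disable anonymous login", "unused", verified=True),
    Finding("app02", "samba", "VULN-0011", "medium", None, "disable SMBv1", "occasional", verified=True),
]

if __name__ == "__main__":
    for host, vid, action in build_plan(FINDINGS):
        print(f"{host:6} {vid:10} {action}")
```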