No one wants the network they manage to become the target of malicious users trying to steal corporate data or cause damage to the organization. To prevent that, you need to ensure there are as few ways as possible for them to get in. This is accomplished in part by making sure each and every vulnerability on your network is known, addressed, and fixed, and that, for those vulnerabilities that can’t be fixed, something is in place to mitigate them. The first step is obvious: scan your network for those vulnerabilities. This is the job of a specific type of software called vulnerability scanning tools. Today, we’re reviewing the 6 best vulnerability scanning tools and software.
Let’s begin by talking about network vulnerability–or should we say vulnerabilities–and try to explain what they are. We’ll next discuss vulnerability scanning tools: who needs them and why. And since a vulnerability scanner is only one component of a vulnerability management process—albeit an important one—that is what we’ll talk about next. Then, we’ll see how vulnerability scanners typically work. They are all somewhat different, but at their core there are often more similarities than differences. And before we review the best vulnerability scanning tools and software, we’ll discuss their main features.
An Introduction to Vulnerabilities
Computer systems and networks have reached a higher level of complexity than ever. Today’s average server could typically be running hundreds of processes. Each of these processes is a computer program, and some of them are big programs made of thousands of lines of source code. And within this code, there could be—there probably are—all sorts of unexpected things. A developer may, at one point, have added some backdoor feature to make debugging easier. And later on, this feature might have mistakenly made it into the final release. There could also be errors in input validation that cause unexpected–and undesirable–results under some specific circumstance.
Any of these can be used to try to gain access to systems and data. There is a huge community of people out there who have nothing better to do than to find these holes and exploit them to attack your systems. Vulnerabilities are what we call these holes. If left unattended, vulnerabilities can be used by malicious users to gain access to your systems and data–or possibly worse, your clients’ data–or to otherwise cause some damage such as rendering your systems unusable.
Vulnerabilities can be everywhere. They are often found in software running on your servers or their operating systems, but they also exist in networking equipment such as switches, routers and even security appliances such as firewalls. One really needs to look for them everywhere.
Scanning Tools — What Are They And How Do They Work
Vulnerability scanning—or assessment—tools have one primary function: identifying vulnerabilities in your systems, devices, equipment, and software. They are called scanners because they will usually scan your equipment to look for known vulnerabilities.
But how do vulnerability scanning tools find vulnerabilities which are typically not in plain sight? If they were that obvious, developers would have addressed them before releasing the software. Kind of like virus protection software, which uses virus definition databases to recognize computer virus signatures, most vulnerability scanners rely on vulnerability databases and scan systems for specific vulnerabilities. These vulnerability databases can be obtained from well-known independent security testing labs dedicated to finding vulnerabilities in software and hardware, or they can be proprietary databases from the tool’s vendor. As you’d expect, the level of detection you get is only as good as the vulnerability database that your tool uses.
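To make the "definitions database" analogy concrete, here is an added example (not code from any scanner reviewed on this page) of the matching step at the core of most vulnerability scanners: an inventory of discovered services is compared against a feed of known-affected version ranges. Both the inventory and the feed are constructed sample data, and the VULN-000x identifiers are placeholders, not real CVE numbers.

```python
"""Toy signature-based vulnerability matcher (added example, not a product's code).

Assumption: some earlier discovery step has already inventoried each host as a
list of (product, version) pairs. The feed below is a constructed sample in
the shape most feeds take: product, first affected version, first fixed version.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str            # placeholder identifier, not a real CVE
    product: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix published
    severity: str
    fix_hint: str


def parse_version(v: str) -> tuple:
    """Turn '7.2p2' into a comparable tuple (7, 2, 0, 0).

    Only the leading digits of each dot-separated part count, so '2p2' -> 2.
    Tuples are zero-padded to four parts so '7.4' and '7.4.0' compare equal.
    """
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    parts = parts[:4] + [0] * (4 - len(parts[:4]))
    return tuple(parts)


def is_affected(version: str, rec: VulnRecord) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(rec.introduced):
        return False
    if rec.fixed is not None and v >= parse_version(rec.fixed):
        return False
    return True


# Constructed sample feed (placeholder ids and made-up version ranges).
VULN_FEED = [
    VulnRecord("VULN-0001", "openssh", "7.0", "7.4", "high", "Upgrade to 7.4 or later"),
    VulnRecord("VULN-0002", "nginx", "1.10.0", "1.14.1", "medium", "Upgrade to 1.14.1 or later"),
    VulnRecord("VULN-0003", "exampled", "2.0", None, "critical", "No vendor fix yet; restrict access"),
]

# Constructed sample inventory: host -> discovered (product, version) pairs.
INVENTORY = {
    "web-01": [("openssh", "7.2p2"), ("nginx", "1.12.2")],
    "web-02": [("openssh", "7.9"), ("nginx", "1.16.0")],
    "app-01": [("openssh", "7.3"), ("exampled", "2.5")],
}


def scan(inventory, feed):
    """Match every discovered service against every feed record for its product."""
    findings = []
    for host, services in inventory.items():
        for product, version in services:
            for rec in feed:
                if rec.product == product and is_affected(version, rec):
                    findings.append({
                        "host": host, "product": product, "version": version,
                        "vuln_id": rec.vuln_id, "severity": rec.severity, "fix": rec.fix_hint,
                    })
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, VULN_FEED):
        print(f"{f['host']:8} {f['product']:10} {f['version']:8} {f['vuln_id']} "
              f"[{f['severity']}] -> {f['fix']}")
```

The point to take from this is the one the paragraph makes: the matcher itself is simple, and detection quality is entirely a function of how complete and current the feed is. A service whose product or version the feed does not describe produces no finding at all.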
Scanning Tools — Who Needs Them?
The one-word answer to that question is pretty obvious: Anyone! No one in his right mind would think of running a computer without some virus protection these days. Likewise, no network administrator should be without at least some form of vulnerability detection. Attacks could be coming from anywhere and hit you where you least expect them. You need to be aware of your risk of exposure.
This is something that could theoretically be done manually. Practically, though, it is an almost impossible job. Just finding information about vulnerabilities, let alone scanning your systems for their presence, could take an enormous amount of resources. Some organizations are dedicated to finding vulnerabilities and they often employ hundreds if not thousands of people.
Anyone managing a number of computer systems or devices would benefit greatly from using a vulnerability scanning tool. Furthermore, complying with regulatory standards such as SOX or PCI-DSS will often mandate that you do. And even if they don’t require it, compliance will often be easier to demonstrate if you can show that you are scanning your network for vulnerabilities.
Vulnerability Management in a Nutshell
Detecting vulnerabilities using some sort of software tool is essential. It is the first step in protecting against attacks. But it is of little use if it is not part of a complete vulnerability management process. Intrusion Detection Systems are not Intrusion Prevention Systems and, likewise, network vulnerability scanning tools–or at least the majority of them–will only detect vulnerabilities and alert you of their presence.
It is then up to you, the administrator, to have some process in place to address detected vulnerabilities. The first thing to do upon their detection is to assess them. You want to make sure that detected vulnerabilities are real. Vulnerability scanning tools tend to err on the side of caution and many will report a certain number of false positives. And even true vulnerabilities might not be a real concern. For example, an unused open port on a server might not be an issue if the server sits right behind a firewall that blocks that port.
Once vulnerabilities are assessed, it’s time to decide how to address–and fix–them. If they were found in software your organization barely uses–or doesn’t use at all–your best course of action might be to remove the vulnerable software and replace it with another offering similar functionality. In other instances, fixing vulnerabilities is as easy as applying a patch from the software publisher or upgrading to the latest version. Many vulnerability scanning tools will identify available fixes for the vulnerabilities they find. Other vulnerabilities can be fixed simply by modifying a configuration setting. This is particularly true of networking equipment, but it also happens with software running on computers.
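The assessment step described above (weed out confirmed false positives, recognise findings that are already mitigated by something like a firewall, then prioritise what is left) is easy to express in code. The following is an added example, not part of this article or of any tool it reviews. The findings, the firewall reachability table and the false-positive list are all constructed sample data; VULN-00xx ids are placeholders.

```python
"""Triage of scanner findings (added example; constructed data throughout).

Assumptions:
  - findings arrive as dicts with host, port, severity and a vuln_id;
  - the team maintains which (host, port) pairs the firewall exposes to
    untrusted networks, and which findings were verified by hand to be
    false positives (with the reason recorded).
"""
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed scanner output.
FINDINGS = [
    {"id": "F1", "host": "db-01", "port": 3306, "severity": "high", "vuln_id": "VULN-0010"},
    {"id": "F2", "host": "web-01", "port": 443, "severity": "critical", "vuln_id": "VULN-0011"},
    {"id": "F3", "host": "web-01", "port": 8080, "severity": "medium", "vuln_id": "VULN-0012"},
    {"id": "F4", "host": "app-01", "port": 22, "severity": "high", "vuln_id": "VULN-0013"},
]

# Constructed firewall policy: (host, port) pairs reachable from untrusted networks.
EXTERNALLY_REACHABLE = {("web-01", 443), ("app-01", 22)}

# Findings a human already verified as false positives, keyed by (host, vuln_id).
CONFIRMED_FALSE_POSITIVES = {
    ("web-01", "VULN-0012"): "vendor backported the fix; version banner unchanged",
}


def triage(findings, reachable, false_positives):
    """Attach a disposition and a priority to each finding; highest priority first.

    Dispositions:
      false_positive - verified not real; priority 0, kept for the audit trail
      mitigated      - real, but the firewall blocks the port; fix on the normal cycle
      remediate      - real and exposed; severity weight doubled so it sorts first
    """
    triaged = []
    for f in findings:
        rec = dict(f)
        key = (f["host"], f["vuln_id"])
        if key in false_positives:
            rec["disposition"] = "false_positive"
            rec["note"] = false_positives[key]
            rec["priority"] = 0
        elif (f["host"], f["port"]) not in reachable:
            rec["disposition"] = "mitigated"
            rec["note"] = "port blocked by firewall; schedule fix on normal patch cycle"
            rec["priority"] = SEVERITY_RANK[f["severity"]]
        else:
            rec["disposition"] = "remediate"
            rec["note"] = "reachable from untrusted network"
            rec["priority"] = SEVERITY_RANK[f["severity"]] * 2
        triaged.append(rec)
    triaged.sort(key=lambda r: r["priority"], reverse=True)
    return triaged


def summarize(triaged):
    """Count findings per disposition, e.g. for a weekly report."""
    counts = {}
    for r in triaged:
        counts[r["disposition"]] = counts.get(r["disposition"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(FINDINGS, EXTERNALLY_REACHABLE, CONFIRMED_FALSE_POSITIVES)
    for r in result:
        print(f"{r['id']} {r['host']:7} {r['severity']:9} {r['disposition']:15} p={r['priority']} {r['note']}")
    print(summarize(result))
```

Note that a mitigated finding is deliberately not dropped: the firewall rule that protects it can change, so the finding stays on the list with a lower priority rather than disappearing.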
Main Features of Vulnerability Scanning Tools
There are many things one should consider when selecting a vulnerability scanning tool. One of the most important aspects of those tools is the range of devices they can scan. You want a tool that will be able to scan all the equipment you own. If you have many Linux servers, for example, you’ll want to choose a tool that can scan them, not one that only handles Windows devices. You also want to choose a scanner which is as accurate as possible in your environment. You wouldn’t want to drown in useless notifications and false positives.
Another major differentiating factor is the tool’s vulnerability database. Is it maintained by the vendor or is it from an independent organization? How regularly is it updated? Is it stored locally or in the cloud? Do you have to pay additional fees to use the vulnerability database or to get updates? These are all things you’ll want to know before you pick your tool.
Some vulnerability scanners will use a more intrusive scanning method which could potentially affect system performance. This is not necessarily a bad thing as the most intrusive are often the best scanners but if they affect system performance, you’ll want to know about it and schedule your scans accordingly. By the way, scheduling is another important aspect of network vulnerability scanning tools. Some tools don’t even have scheduled scans and need to be launched manually.
There are at least two other important features of vulnerability scanning tools: alerting and reporting. What happens when a vulnerability is found? Is the notification clear and easy to understand? How is it rendered? Is it an on-screen popup, an email, a text message? And even more importantly, does the tool provide some insight on how to fix the vulnerabilities it identifies? Some tools do and some don’t. Some even have automated remediation of certain vulnerabilities. Other tools will integrate with patch management software as patching is often the best way to fix vulnerabilities.
As for reporting, this is often a matter of personal preference. However, you must ensure that the information you expect and need to find in the reports will actually be there. Some tools only have predefined reports, others will let you modify built-in reports. And the best ones—at least from a reporting standpoint—will let you create custom reports from scratch.
Our Top 6 Vulnerability Scanning Tools
Now that we’ve learned a bit more about vulnerability scanning tools, let’s review some of the best or most interesting packages we could find. We’ve tried to include a mix of paid and free tools. There are also tools that are available in a free and a paid version.
1. SolarWinds Network Configuration Manager
In case you don’t already know SolarWinds, the company has been making some of the best network administration tools for about 20 years. Among its best tools, the SolarWinds Network Performance Monitor has consistently been receiving high praise and rave reviews as one of the best SNMP network bandwidth monitoring tools. The company is also somewhat famous for its free tools. Those are smaller tools designed to address a specific task of network management. Among the best-known of these free tools are a subnet calculator and a TFTP server.
The tool we’d like to introduce here is a tool called the SolarWinds Network Configuration Manager. This is, however, not really a vulnerability scanning tool. But there are two specific reasons why we decided to include this tool on our list. The product has a vulnerability assessment feature and it addresses a specific type of vulnerability, one that is important but that not many other tools address, the misconfiguration of networking equipment.
The SolarWinds Network Configuration Manager’s primary utility as a vulnerability scanning tool is in the validation of network equipment configurations for errors and omissions. The tool can also periodically check device configurations for changes. This is useful because some attacks start by modifying the configuration of a network device—which is often not secured as well as a server—in a way that facilitates access to other systems. The tool can also help you with standards or regulatory compliance with its automated network configuration tools, which can deploy standardized configurations, detect out-of-process changes, audit configurations, and even correct violations.
The software does integrate with the National Vulnerability Database, which makes it deserve to be on our list even more. It has access to the most current CVEs to identify vulnerabilities in your Cisco devices. It will work with any Cisco device running ASA, IOS, or Nexus OS. In fact, two other useful tools, Network Insights for ASA and Network Insights for Nexus, are built right into the product.
Prices for the SolarWinds Network Configuration Manager start at $2,895 for up to 50 managed nodes and vary according to the number of nodes. If you’d like to give this tool a try, a free 30-day trial version can be downloaded from SolarWinds.
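The two checks that paragraph describes, validating a device configuration against a baseline and detecting that a stored configuration has changed, look roughly like the added example below. This is illustrative code written for this article, not SolarWinds code, and it does not claim to reproduce how the product implements either feature. The baseline rules and both configuration snapshots are constructed samples written in a Cisco IOS-like syntax.

```python
"""Baseline compliance check and change detection for device configurations.

Added example (not a product's code). Assumptions: configurations are fetched as
plain text by some other step; lines beginning with '!' are comments or
timestamps and carry no configuration meaning. All data below is constructed.
"""
import difflib
import hashlib
import re

# Baseline rules: (rule name, regex that must match some line, regex no line may match).
BASELINE_RULES = [
    ("ssh-only-vty", r"^\s*transport input ssh$", None),
    ("no-telnet", None, r"^\s*transport input (telnet|all)\b"),
    ("no-http-server", r"^no ip http server$", None),
    ("aaa-enabled", r"^aaa new-model$", None),
    ("no-snmp-public", None, r"^snmp-server community public\b"),
]


def meaningful_lines(config_text):
    """Drop blank and comment/timestamp lines so re-saving a config is not a 'change'."""
    return [l for l in config_text.splitlines() if l.strip() and not l.startswith("!")]


def check_baseline(config_text, rules=BASELINE_RULES):
    """Return (rule name, detail) for every baseline rule the config violates."""
    lines = meaningful_lines(config_text)
    violations = []
    for name, must, must_not in rules:
        if must and not any(re.search(must, l) for l in lines):
            violations.append((name, "required line missing"))
        if must_not:
            for l in lines:
                if re.search(must_not, l):
                    violations.append((name, f"forbidden line present: {l.strip()}"))
    return violations


def config_fingerprint(config_text):
    """Stable hash of the meaningful lines; store it with each config snapshot."""
    return hashlib.sha256("\n".join(meaningful_lines(config_text)).encode()).hexdigest()


def detect_change(previous, current):
    """Return the added ('+') and removed ('-') meaningful lines, or [] if unchanged."""
    if config_fingerprint(previous) == config_fingerprint(current):
        return []
    diff = difflib.unified_diff(meaningful_lines(previous), meaningful_lines(current),
                                lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]


# Constructed snapshot stored at the last scheduled backup.
STORED_CONFIG = """! Last configuration change at 10:00
hostname edge-rtr-01
aaa new-model
no ip http server
snmp-server community s3cr3tro RO
line vty 0 4
 transport input ssh
"""

# Constructed snapshot fetched now, after an out-of-process change.
CURRENT_CONFIG = """! Last configuration change at 11:30
hostname edge-rtr-01
aaa new-model
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""


if __name__ == "__main__":
    for name, detail in check_baseline(CURRENT_CONFIG):
        print(f"VIOLATION {name}: {detail}")
    for line in detect_change(STORED_CONFIG, CURRENT_CONFIG):
        print(f"CHANGE {line}")
```

A real deployment would run both checks on a schedule, alert on any non-empty result, and keep the fingerprints so that an unexpected change can be traced back to the window in which it happened.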
- FREE TRIAL: SolarWinds Network Configuration Manager
- Official Download: https://www.solarwinds.com/network-configuration-manager
2. Microsoft Baseline Security Analyzer (MBSA)
The Microsoft Baseline Security Analyzer, or MBSA, is a somewhat older tool from Microsoft. Despite being a less-than-ideal option for large organizations, the tool could be a good fit for smaller businesses, those with only a handful of servers. This is a Microsoft tool, so don’t expect it to scan anything but Microsoft products or you’ll be disappointed. It will, however, scan the Windows operating system as well as some services such as the Windows Firewall, SQL Server, IIS, and Microsoft Office applications.
But this tool doesn’t scan for specific vulnerabilities as other vulnerability scanners do. What it does is to look for missing patches, service packs and security updates as well as scan systems for administrative issues. The MBSA’s reporting engine will let you get a list of missing updates and misconfigurations.
Being an old tool from Microsoft, MBSA is not totally compatible with Windows 10. Version 2.3 will work with the latest version of Windows but could require some tweaking to clean up false positives and to fix checks that can’t be completed. For example, this tool will falsely report that Windows Update is not enabled on Windows 10. Another drawback of this product is that it won’t detect non-Microsoft vulnerabilities or complex vulnerabilities. This tool is simple to use and does its job well. It could very well be the perfect tool for a smaller organization with only a few Windows computers.
3. Open Vulnerability Assessment System (OpenVAS)
Our next tool is called the Open Vulnerability Assessment System, or OpenVAS. It is a framework of several services and tools. They all combine to make it a comprehensive and powerful vulnerability scanning tool. The framework behind OpenVAS is part of Greenbone Networks’ vulnerability management solution, from which elements have been contributed to the community for about ten years. The system is entirely free and most of its components are open-source, although some are not. The OpenVAS scanner comes with over fifty thousand Network Vulnerability Tests which are updated on a regular basis.
There are two primary components to OpenVAS. The first component is the OpenVAS scanner. As its name implies, it is responsible for the actual scanning of target computers. The second component is the OpenVAS manager, which handles everything else such as controlling the scanner, consolidating results, and storing them in a central SQL database. The system includes both browser-based and command-line user interfaces. Another component of the system is the Network Vulnerability Tests database. This database can get its updates from either the free Greenbone Community Feed or the paid Greenbone Security Feed.
4. Retina Network Community
Retina Network Community is the free version of the Retina Network Security Scanner from AboveTrust, which is one of the best-known vulnerability scanners. This comprehensive vulnerability scanner is packed with features. The tool can perform a thorough vulnerability assessment of missing patches, zero-day vulnerabilities, and non-secure configurations. It also boasts user profiles aligned with job functions, thereby simplifying system operation. This product features an intuitive Metro-style GUI which allows for streamlined operation of the system.
Retina Network Community uses the same vulnerability database as its paid sibling. It is an extensive database of network vulnerabilities, configuration issues, and missing patches which is automatically updated and covers a wide range of operating systems, devices, applications, and virtual environments. While on that subject, this product fully supports VMware environments and it includes online and offline virtual image scanning, virtual application scanning, and integration with vCenter.
There is, however, a major drawback to the Retina Network Community. The tool is limited to scanning 256 IP addresses. This may not look like much if you’re managing a large network, but it could be more than enough for many smaller organizations. If your environment is bigger than that, everything we just said about this product is also true of its big brother, the Retina Network Security Scanner, which is available in Standard and Unlimited editions. Both editions offer the same extended feature set beyond what the Retina Network Community scanner provides.
5. Nexpose Community Edition
It might not be quite as popular as Retina, but Nexpose from Rapid7 is another well-known vulnerability scanner. And the Nexpose Community Edition is a slightly scaled-down version of Rapid7’s comprehensive vulnerability scanner. The product’s limitations are important, though. For instance, you can only use the product to scan a maximum of 32 IP addresses. This makes it a good option only for the smallest of networks. Furthermore, the product can only be used for one year. If you can live with the product’s limitations, it is excellent.
Nexpose Community Edition will run on physical machines running either Windows or Linux. It is also available as a virtual appliance. Its extensive scanning capabilities will handle networks, operating systems, web applications, databases, and virtual environments. Nexpose Community Edition uses adaptive security which can automatically detect and assess new devices and new vulnerabilities the moment they access your network. This feature works in conjunction with dynamic connections to VMware and AWS. This tool also integrates with the Sonar research project to provide true live monitoring. Nexpose Community Edition provides integrated policy scanning to assist in complying with popular standards like CIS and NIST. And last but not least, the tool’s intuitive remediation reports give you step-by-step instructions on remediation actions.