Vulnerability scanner tools in the data center

In the constant search for better operations, many within the security industry are using segments of the data center as a test lab.

These security assessment experiments could improve IT operations, if IT professionals understand the test scope and how the underlying operating systems and infrastructure affect the network security appliance choice.

It all starts with the basic, yet oft-forgotten question: What are you testing -- an entire network, a device or a combination of the two?

The person conducting tests can isolate a device, such as a Session Initiation Protocol (SIP) server, from other parts of the network and deploy various exploits against it via physical or software-based vulnerability scanner tools.

If the security test focuses on a network or portion thereof, it requires a different approach with security appliances. For example, penetration testing uses a device or file inside of the network as the target. An intruder must traverse several intermediary network devices to arrive at the target. Vulnerability scanners offer different modules that focus on a specific area -- Web server exploits, Simple Mail Transfer Protocol server exploits and so on -- and relates to the specific device under test. For SIP server tests, a vulnerability scanner deploys a Voiceover-IP-type module against the device. However, to test an entire network, you need several different modules, depending on the number and type of devices that a threat must traverse.

Once the goal and scope of the test has been established, the next question to ask regards network security appliance type: What will you use to conduct testing? Better yet: What does your organization deem financially palatable?

The right tools depend on an organization's test goals. These goals are often interwoven with the organization's feasible budget.

Physical and virtual software-based security appliances test the same security weaknesses with different deployment methods.

The application route requires only a software-based vulnerability scanner installed on a designated machine in the facility. Tools include the BeyondTrust Retina Network Security Scanner and the various network vulnerability scanners distributed as Nessus by Tenable Network Security. These and similar scanners are typically subscription-based.

Some organizations purchase an actual hardware appliance to perform vulnerability assessments. A hardware appliance often costs more than application-based testers, but because the hardware that the vulnerability scanning software sits on is beefier than the dedicated machine that organizations host software versions on, it can pay off. Options include SecPoint's Penetrator or the SAINTbox from SAINT Corp.

As with most things security-related, the right choice varies from organization to organization.

Some security professionals purchase a physical appliance because the software was created specifically for the machine it resides on. There's considerable value in this -- the end user rarely encounters a driver problem or any other issue at a low level on the stack. More often than not, physical appliances have a plug-and-play quality that application-based vulnerability scanners can't match.

The other side of the coin is cost. In many cases, application-based vulnerability scanners are no less effective than their hardware counterparts at a lower cost. If a company purchases a mainstream application to test security on a relatively mainstream network infrastructure, then drivers shouldn't cause problems. Companies such as Tenable Network Security and Rapid7 offer products verified to be compatible with common OSes and hardware. If your organization keeps its data center infrastructure up to date and mainstream, then an application-based vulnerability scanner saves money without any functionality downsides.