
By Greg Shipley
It was a dark day in Gotham for our mild-mannered network administrator. Everywhere he turned, it looked like a job for a superhero. On one side loomed the challenge of backing up 40 GB of data on a nightly basis. No sooner had he reached for his utility belt, grabbed an enterprise backup solution using DLT (Digital Linear Tape) technology and extinguished the threat, than up popped the bandwidth beast. Fortunately, our hero had deployed a manageable infrastructure of intelligent equipment. Drawing on a few slick network management packages, he soon saw the light at the end of that tunnel--only to come face to face with the most overwhelming evildoer yet: the enterprise security attacker.
He reached for a firewall but realized it was only part of the solution. IDS (Intrusion Detection System) technology had not been fully implemented. He turned to his vendor for patches and revisions, but found only a sea of vague hot fixes and dispersed descriptions. Holy exorbitant encounters!
Staying on top of the latest holes and attacks to hit any single OS is becoming practically a full-time job. If your network includes half a dozen OSes and a few router platforms, it's enough to make even a superhero's head spin.
The solution lies not in a skintight bat suit or an all-encompassing firewall, but in a set of next-generation security utilities, such as the security scanners we examined for this review. Evolved from tools such as Farmer and Venema's SATAN and Klaus' ISS, these packages take a snapshot of your network security setup, then use internal checks and patterns to poke and prod at designated hosts, searching for holes or misconfigurations.
We tested four security scanners across multiple sites: Cisco Systems' NetSonar Vulnerability Scanner and Network Mapping System 1.0, Internet Security Systems' (ISS) Internet Scanner 5.0, NETECT's Netective Site 1.0 and Secure Networks' Ballista Security Auditing System 2.4.
We were quite impressed by the overall functionality of these security scanners; however, we were also painfully aware of their immaturity. Each product was particularly strong in at least one area while falling short in several others. Netective was the only product that addressed binary integrity issues and provided truly efficient updates. But Netective and Internet Scanner had cumbersome licensing issues, and most of the reviewed products' reporting mechanisms were inflexible. If only we could combine Internet Scanner's interface and depth of reporting with Ballista's checks and flexibility, Netective's groundwork for push updates and integrity checking, and NetSonar's reporting flexibility, we would have something special.
Internet Scanner receives our Editor's Choice award for one simple reason: It found the holes we were looking for--and detected some we didn't know about--more accurately than the other scanners. Internet Scanner included the most comprehensive set of NT checks, ranging from base denial-of-service checks to "getadmin" vulnerability inspection. It also hacked away at passwords that intruders could easily guess. With a healthy range of Unix checks, low-level IP tests and some knowledge of VAX/VMS holes, Internet Scanner is a very well-rounded product.
See also the sidebar "Setting Up Our Testing Environment" and the Security Scanning Tools Features charts (in Acrobat format).