
Secure Networks' Ballista Security Auditing System 2.4
We tested the Ballista Security Auditing System using both NT and Linux on an Intel-based platform. Ballista offers a unique, wide set of in-depth checks with some customization options. And with updates every two weeks, Ballista addresses issues that Internet Scanner missed.
In the lab, it detected some rhost-based trust relationships within several of our SSH (Secure Shell) configurations. In contrast, Internet Scanner is completely ignorant of SSH. If Secure Networks adds more functionality to its report engine, such as suggestive repair measures and further reading, and adds a little more versatility on the scanning side, Internet Scanner would have strong competition. Ballista finds most of the holes but, since it provides no suggestions, you will need to implement the fixes on your own.
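The rhost-based SSH trust check described above can be approximated with a small configuration audit. The following is an added example written for this review, not Ballista's own check: it assumes the classic SSH 1.x / early OpenSSH server keywords `RhostsAuthentication`, `RhostsRSAAuthentication` and `IgnoreRhosts`, and the trust files `/etc/hosts.equiv`, `/etc/shosts.equiv`, `~/.rhosts` and `~/.shosts`. All sample input is constructed.

```python
"""Audit an sshd configuration plus rhosts-style trust files for
rhost-based trust relationships (added example, not Ballista's check)."""
import re

# Keywords that switch rhosts-style trust on; "yes" is the risky setting.
RHOSTS_KEYWORDS = ("rhostsauthentication", "rhostsrsaauthentication")
# If IgnoreRhosts is "no", per-user .rhosts/.shosts files are honoured.
IGNORE_RHOSTS = "ignorerhosts"
PER_USER_FILES = (".rhosts", ".shosts")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_sshd_config(text):
    """Return {keyword(lower): value} from sshd_config text, skipping comments
    and blank lines. The first occurrence of a keyword wins, which matches
    sshd's first-match rule."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def parse_trust_file(path, text):
    """Findings for a hosts.equiv / .rhosts style file. Each non-comment line
    is 'host [user]'; a '+' in either field is a wildcard."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((path, "HIGH", "wildcard host '+' trusts every host"))
        elif user == "+":
            findings.append((path, "HIGH", f"any user on {host} is trusted"))
        else:
            who = f" user {user}" if user else ""
            findings.append((path, "MEDIUM", f"trust entry for {host}{who}"))
    return findings


def audit_ssh_trust(config_text, trust_files):
    """trust_files maps path -> contents. Returns (location, severity, message)
    tuples, worst first. Assumption: a missing keyword is treated as "no";
    real defaults vary by SSH version, so check the version you run."""
    cfg = parse_sshd_config(config_text)
    findings = []
    rhosts_enabled = False
    for kw in RHOSTS_KEYWORDS:
        if cfg.get(kw, "no").lower() == "yes":
            rhosts_enabled = True
            findings.append(("sshd_config", "HIGH", f"{kw} is enabled"))
    honour_user_files = cfg.get(IGNORE_RHOSTS, "yes").lower() == "no"
    if honour_user_files:
        findings.append(("sshd_config", "MEDIUM",
                         "IgnoreRhosts no: per-user .rhosts/.shosts files are honoured"))
    # Trust files matter only if sshd will consult them; otherwise report them
    # at LOW so the administrator still knows the entries exist.
    for path, text in trust_files.items():
        consulted = rhosts_enabled and (
            honour_user_files or not path.endswith(PER_USER_FILES))
        for loc, sev, msg in parse_trust_file(path, text):
            findings.append((loc, sev if consulted else "LOW", msg))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from any real host.
    sample_cfg = "Port 22\nRhostsRSAAuthentication yes\nIgnoreRhosts no\n"
    sample_files = {"/etc/shosts.equiv": "+\n",
                    "/home/bob/.rhosts": "trusted.example.com bob\n"}
    for loc, sev, msg in audit_ssh_trust(sample_cfg, sample_files):
        print(f"{sev:6} {loc}: {msg}")
```

The audit deliberately separates "a trust file exists" from "sshd will honour it", since the first is merely housekeeping while the second is the relationship an attacker can ride; it only reads the files you hand it, so gather them with your normal configuration-collection tooling.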
Because Ballista lacks an easy way to sort through all this data, it can leave you somewhat overwhelmed. In the lab, it worked with one of our SPARC units, forcing it to divulge a tremendous amount of routing information via SNMP and ROUTEd. The other products we reviewed missed this data entirely, and we almost wished Ballista had, too; we had to sift through the first 20 pages of MIB dumps and route tables without a filtering mechanism.
Ballista's number of low-threat warnings was a similar shortcoming. We were curious about one particular Unix host for which Internet Scanner had flagged nine warnings and Ballista detected 19. One of Ballista's warnings involved information that was divulged via the telnet banner. Digging deeper, we found that the offending host offered a single, one-line message to anyone attempting authentication: "All unauthorized users will be placed in a dark room with a chicken." Without additional detailed information, administrators lacking in-depth security knowledge could be left scratching their heads regarding such red flags.
Ballista offers a few extraordinary features, including tools for proactive password cracking. This is a welcome feature for any Unix veteran who has been limited by NT's lack of native password functionality. And for those in the Unix realm not using cracklib, Ballista also includes a Unix password cracker.
Ballista's customization capabilities are strong. With a tool called CAPE (not to be confused with CASL, Secure Networks' fully bidirectional scripting language), we added various homegrown packets to our network while digging for denial-of-service scenarios. We were pleased to see that Ballista is available on several platforms, including numerous Intel-based Unixes.
We had two primary complaints about Ballista. First, although it's very thorough, Ballista's reporting mechanism needs some serious work. It offers no options for sorting data nor any detailed suggestions for repairing discovered holes. Second, Ballista's checking can be sporadic. It was significantly more detailed than that of other products in the DNS arena, yet it failed to catch a few of the more threatening holes, including the "Red Button" attack.
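The two reporting complaints above (no sorting or filtering, and pages of SNMP/ROUTEd dumps buried among real findings) can be addressed outside the product with a small triage pass over exported results. The following is an added example, not part of Ballista or its report engine: the input format (one tab-separated finding per line: host, severity, check, detail) and the severity names are assumptions for this example, and the sample findings are constructed to mirror the cases mentioned in this review.

```python
"""Triage helper for flat scanner output: filter by severity, collapse bulk
informational dumps, and order hosts and findings worst-first.
Added example; the line format and severity names are assumptions."""
from collections import defaultdict

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def parse_findings(text):
    """Parse 'host<TAB>severity<TAB>check<TAB>detail' lines into dicts. Blank,
    comment and malformed lines are skipped rather than guessed at."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[1].upper() not in SEVERITY_RANK:
            continue
        host, sev, check, detail = fields
        findings.append({"host": host, "severity": sev.upper(),
                         "check": check, "detail": detail})
    return findings


def collapse_dumps(findings, threshold=3):
    """Replace runs of INFO findings sharing host+check (one line per MIB
    object or route, say) with a single summary finding carrying the count."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["host"], f["check"], f["severity"])].append(f)
    out = []
    for (host, check, sev), items in groups.items():
        if sev == "INFO" and len(items) >= threshold:
            out.append({"host": host, "severity": sev, "check": check,
                        "detail": f"{len(items)} entries collapsed; first: "
                                  f"{items[0]['detail']}"})
        else:
            out.extend(items)
    return out


def triage(text, min_severity="INFO", ignore_checks=()):
    """Return {host: [findings sorted worst-first]}, hosts ordered by their
    worst finding. Checks named in ignore_checks are dropped entirely."""
    cutoff = SEVERITY_RANK[min_severity]
    kept = [f for f in collapse_dumps(parse_findings(text))
            if SEVERITY_RANK[f["severity"]] <= cutoff
            and f["check"] not in ignore_checks]
    by_host = defaultdict(list)
    for f in kept:
        by_host[f["host"]].append(f)
    for items in by_host.values():
        items.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["check"]))
    return dict(sorted(by_host.items(),
                       key=lambda kv: (SEVERITY_RANK[kv[1][0]["severity"]], kv[0])))


def summary(by_host):
    """Per-host count of findings at each severity (zero counts omitted)."""
    result = {}
    for host, items in by_host.items():
        counts = {s: sum(1 for f in items if f["severity"] == s) for s in SEVERITY_RANK}
        result[host] = {s: n for s, n in counts.items() if n}
    return result


# Constructed sample output, not real scanner data.
SAMPLE = "\n".join([
    "sparc1\tINFO\tsnmp-route-table\t10.0.0.0/8 via 10.1.1.1",
    "sparc1\tINFO\tsnmp-route-table\t10.2.0.0/16 via 10.1.1.2",
    "sparc1\tINFO\tsnmp-route-table\t10.3.0.0/16 via 10.1.1.3",
    "sparc1\tINFO\tsnmp-route-table\tdefault via 10.1.1.254",
    "sparc1\tLOW\trouted-info\trouted answers full routing-table queries",
    "unix2\tLOW\ttelnet-banner\tbanner: All unauthorized users will be placed in a dark room with a chicken.",
    "unix2\tMEDIUM\tssh-rhosts-trust\tRhostsRSAAuthentication enabled",
    "nt1\tHIGH\tnt-anonymous-registry\tanonymous session can read the registry",
])

if __name__ == "__main__":
    for host, items in triage(SAMPLE, min_severity="LOW").items():
        for f in items:
            print(f"{host:8} {f['severity']:6} {f['check']}: {f['detail']}")
```

With `min_severity="LOW"` the four route-table lines disappear from the listing; with the default they survive as one collapsed line, so the information Ballista dug up is still on record without dominating the report. An `ignore_checks` entry is the right home for a banner warning you have reviewed once and judged harmless.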
Using NT's default configuration and anonymous logins, you can gain access to both registry and system files. Although intruders don't immediately obtain administrative access, they can use this method as a stepping-stone.