On the other hand, Netective's updates shine. One of our biggest complaints with most of the products we tested is how infrequently their check databases are updated. NETECT recognized this fault and fixed it. Using plain SMTP-based e-mail and a single change to a local mail alias, Netective receives update images pushed from NETECT's home site--it's the only vendor that provided this convenience.
During our tests, a new data file with new checks was released, and we watched as our scanner was updated automatically. Because anyone can send mail to an alias, SMTP by itself authenticates nothing; the PGP (Pretty Good Privacy) signature on each update is what lets the scanner tell a genuine NETECT release from a forged or altered one. Combine the two and you have a nonintrusive, robust, secure, timely package, with a design that gets a big thumbs up in our lab.
Netective's binary integrity-checking feature outclassed the competition. If you're familiar with the Unix tripwire package, you'll appreciate this. Infiltrators frequently replace key files and programs with modified versions, opening holes across the entire system. Without reinstalling a compromised system from scratch, it is very difficult to detect or recover from these "root kit"-like attacks. To fight this problem, Netective's integrated binary-level scanner records a signature (a checksum of the file contents) for every file and re-checks them on each scan. Producing a replacement binary that still matches its recorded signature is close to impossible, so an intruder cannot swap in a modified program without the scanner noticing. As with tripwire, the signature set is only as trustworthy as the system it was built from and the place it is kept: build it on a clean install and store it where an intruder on the scanned host cannot rewrite it.
In the lab, we scanned a newly installed Sun Netra running Solaris 2.6. Using the "update" mechanism, we instructed Netective to build a new signature set using our current distribution. We then replaced the ping program with a modified version--a trojan ping, which granted root access to anyone familiar with the proper trigger technique. Running the scan again, Netective flagged the new binary as suspicious and suggested we look into it.
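The baseline-and-rescan procedure we just ran can be reproduced in a few dozen lines. The following Python is an added example, not NETECT's code: it builds a signature set over a directory, then detects a same-size trojan whose timestamp has been restored, which is exactly the case that size and mtime checks miss. The hash algorithm (SHA-256), the file names and the trojan payload are our assumptions for the demo; the page does not say which checksum Netective uses.

```python
"""Baseline-and-compare file integrity check in the tripwire style.

Added example, not the product's code.  The directory layout, file
contents and 'trojan' payload below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_signature(path: Path) -> dict:
    """Record what an intruder would have to reproduce to go unnoticed:
    a SHA-256 digest of the contents, the size and the permission bits.
    mtime is kept for reporting only; touch/utime resets it trivially."""
    st = path.stat()
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its
    signature.  Build this on a known-good install and keep the result
    where the scanned host cannot rewrite it (read-only media, another
    machine), or an intruder simply regenerates it after the swap."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = file_signature(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose digest, size or mode changed, plus files that
    appeared or disappeared since the baseline was taken."""
    watched = ("sha256", "size", "mode")
    modified = sorted(
        rel for rel in baseline.keys() & current.keys()
        if any(baseline[rel][k] != current[rel][k] for k in watched)
    )
    return {
        "modified": modified,
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Re-create the lab scenario: baseline a fresh 'install', replace
    ping with a same-length trojan carrying the original mtime, drop a
    backdoor helper, and rescan.  Constructed data throughout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        ping = root / "bin" / "ping"
        ping.write_bytes(b"ELF-ping-original-0001")      # 22-byte stand-in
        (root / "bin" / "ls").write_bytes(b"ELF-ls-original-000001")
        baseline = build_baseline(root)

        # Attacker swaps in a trojan of identical length and restores the
        # timestamp, so a size-or-mtime-only check would pass it.
        original_mtime = ping.stat().st_mtime
        ping.write_bytes(b"ELF-ping-TROJANED-0001")      # also 22 bytes
        os.utime(ping, (original_mtime, original_mtime))
        (root / "bin" / ".rootshell").write_bytes(b"ELF-backdoor")

        findings = compare(baseline, build_baseline(root))
        findings["mtime_unchanged"] = (
            int(ping.stat().st_mtime) == baseline["bin/ping"]["mtime"]
        )
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The rescan flags bin/ping as modified and bin/.rootshell as added even though ping's size and timestamp are unchanged; only the content digest gives it away. In a real deployment the baseline file itself should be signed or kept off the scanned host, for the same reason the update images in the previous section are PGP-signed.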
Netective was the only product we reviewed that offered such thorough functionality, but it runs exclusively on Solaris-based systems. In the next version, Netective plans to include a scalable binary integrity-checking system that uses deployable agents, which can report information to a central scanner.
If we dared to dream, not even kryptonite could stop the combination of Netective's engine, Ballista's flexibility and Internet Scanner's security database.
Greg Shipley is a consultant working in the Chicago area. He can be reached at gshipley@nwc.com.

Setting Up Our Testing Environment
Before we tested these security scanners, we considered the needs of any security-conscious administrator--accurate scanning, informative reporting, an updated exploit database and an efficient scanning process. With these goals in mind, we created and used environments found in the modern-day enterprise.
Our environment consisted of an array of devices and platforms: Bay Networks and Cisco Systems routers, hubs and switches; and AIX, Linux, NetWare, Solaris and Windows NT. Not only did we have a diverse environment on the OS level, but we worked with assorted versions. We paired Cisco's IOS (Internetwork Operating System) 9.0 with IOS 11.2, AIX 4.1 with AIX 3.1 and NetWare 3.12 with NetWare 4.1. We added machines running production jobs and machines carefully crafted with known security holes. We ensured that some of the OSes were patched and hot-fixed, while others contained only their base installations. Using a mix of production and hand-crafted machines, we combined a set of known holes with unknown problems and let the scanners do the rest.