Re: Vulnerability Assessment


First of all I would like to thank everyone in this list who replied to
my message and gave enough different perspectives, I really appreciate
it. Thankyou very much.

Currently we are using Nessus, nmap, nc, Metasploit, and obviously
ethereal (I cant breathe without it), for all the Vulnerability
Assessment exercises. Security dept. need to entertain Operations dept.
and Audit Dept. separately; Giving them compliance report with certain
level of authenticity and trust, with specific solutions as well (taking
care of change management process, also like what need to be updated and
what not). We have 20,000 local IPs and 8 public. With current situation
its quite difficult to manage the reporting and change tracking; the
whole automation of this process, and giving the reasons to audit why
and what we have communicated to. All records has to be maintained.

I have evaluated almost all possible products / solutions / services,
every person has suggested. For products like ISS, Retina, CoreImpact
etc, are not feasible due to various technical and policy based reasons.
Also some support issues in the operating city.

We are not debating about what tools and processes can make up a
credible infrastructure for security management. But to a very very
specific area of vulnerability assessment, infact vulnerability
assessment automation.

Please give technical answers that can really help in taking the
decision. The comparative answers I got from most persons in this list,
doesn't satisfy at all, because I have no concern what market share and
cliental one product have, etc. Also most of the persons comparing
QualysGuard and Foundstone looks like that they worked or evaluated only
one of the product, or got biased by some marketing strategy.

Anyway, here is the cons of both products with vendor justifications:

Data is stored at The vendor mentioned that the data and
maps stored are in encrypted format, encryption key is based on the
users password. In case if you forget the password, a new account will
be created, the old account with whatever data it holds is dumped /
deleted. Whereas, Foundstone store all data on its local hard disk. The
vendor is willing to sign-up and legal NDA for information disclosure.

McAfee Foundstone:
Cannot scan public IPs. It is quite possible to scan public IPs from
DMZ, but again the Foundstone doesn't target those audience. Also while
scanning from DMZ one cannot strictly check the firewalls and other
devices configurations from alien perspective. QualysGuard is good at

Note: Vulnerability database is updated locally before each new scan (if
required), and hence need internet availability to download/update the

Now the pros part, QualysGuard has far better reporting compared to
Foundstone also from Retina and Nessus. Both QualysGuard and Foundstone
support threat correlation (Foundstone comes with additional cost for
this module, not by default). Both support risk management matrix, and
role base user access control.

I have not considered the scan speed and network utilization, of the two
products while evaluating, so if someone can give his/her input in this
regards, or any other technical consideration. I look forward and
appreciate if someone can really help is selecting one from the two.

Best Regards,

| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/