looks convenient and somewhat topical.

-----Original Message-----
From: NW on Application Service Providers [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 6:40 PM
To: [EMAIL PROTECTED]
Subject: Hosted vulnerability scanning

NETWORK WORLD NEWSLETTER: JEB BOLDING on APPLICATION SERVICE PROVIDERS
07/11/01 - Today's focus: Hosted vulnerability scanning

Dear Bradford Maxwell,

_______________________________________________________________

Today's focus: Hosted vulnerability scanning

By Jeb Bolding

Sometimes while surfing, I run into product ideas that strike my fancy. I recall the first time I came across Keynote and thought it was a great service. I used it as a sales tool to help us prove our fast download times and consistent availability. We also used it as a justification, in connection with customer volume, to set up co-location facilities in primary market locations so that we could ensure consistent customer usability for our services.

I wasn't sure how services such as Keynote made money; after all, latency measurement is important to some extent, but I couldn't really use the data I got from Keynote to help solve IT problems. Most of the issues that Keynote highlighted were problems outside the firewall, an area over which I had virtually no control.

Recently I found another hosted service that strikes me much the same way that Keynote originally did. It's called Vulnerabilities.org (http://www.vulnerabilities.org/), a security-oriented hosted service.

Vulnerabilities.org basically does port-scanning of IP addresses that you provide to determine where your port holes (not to be confused with those in a ship) may be. You give it an e-mail address of where to send the report and once it's done, you get about six pages or so (depending on how many vulnerabilities you have) outlining all the problem areas the service found.

The engines behind the scans are based on Nessus and Nmap, both open-source scanning software and rated fairly high in turning up weaknesses in your port configurations. What Vulnerabilities.org has done is add a Web interface on top of those two tools.

Specifically, the Nmap scan runs a TCP/UDP portscan on the IP address that you provide to Vulnerabilities.org. The Web site notes that this is the lightest and fastest scan. It will list the most open TCP/UDP ports on your server, and give a brief explanation of the function and problems that typically occur based upon the port configuration at the site that you scan.

The other, Nessus, scans for open ports on your system, and then, according to Vulnerabilities.org, tests for more than 580 security configuration problems on each open port. But BEWARE, these tests will push servers to the wall and try to crash them if possible. Basically, if things don't fall apart during this test, you should be in pretty good shape.

This is also where Vulnerabilities.org makes money. If there is a problem, it offers to advise you on how to find the right patches for your servers, covering several operating system platforms and hardware. It also gives you architectural and product advice for securing your systems.

After giving Vulnerabilities.org two IP addresses to hit, and the name of our Exchange server, I waited to see what I got back. About 20 minutes later, I got an automated e-mail listing the problems. Not assuming too much, I took that data down to our main IT person for his perusal.

All in all, he said a couple of times, "I know about patches for this, I really should fix that problem," and twice, "I hadn't thought about that, I need to check into it and get more information." For something that's free, I thought the outcome was reasonably well worth my time and our IT person's time since there were a couple of unknown problems out there that could have been exploited had we not learned about them.

To me, Vulnerabilities.org's ASP business is a pretty good model. It is trying to solve a straightforward problem. There's a free teaser offer to get you to try it out, and once you're hooked, the service seems to solve recognizably valuable problems. Altogether, Vulnerabilities.org has a clear value proposition, in my opinion.

_______________________________________________________________

To contact Jeb Bolding:

Jeb Bolding is senior consultant with Enterprise Management Associates in Boulder, Colo., an analyst and market research firm focusing exclusively on enterprise management. Bolding has 10 years of experience in the network systems industry, most recently with eCollege.com, an ASP for higher education, where he was director of product development. He can be reached at mailto:[EMAIL PROTECTED].

_______________________________________________________________

RELATED EDITORIAL LINKS

Sense of Security
http://www.senseofsecurity.com/audits.asp

Hacker Whacker
http://www.hackerwhacker.com/

Security Space
http://www.securityspace.com/sspace/index.html

Hosting glut should mean bargains for companies
Network World, 07/09/01
http://www.nwfusion.com/news/2001/0709glut.html

Breaking ASP news from Network World, updated daily:
http://www.nwfusion.com/topics/asp.html

Archive of the ASP newsletter:
http://www.nwfusion.com/newsletters/asp/index.html

Copyright Network World, Inc., 2001