Retina Network Security Scanner
Unlike most of the software applications reviewed here, Retina Network Security Scanner by eEye Digital Security is not available as freeware. As it is a highly capable and fully featured security vulnerability scanner, it is distributed as commercial software. The license pricing for Retina is tiered as follows: $575 to scan 32 IP addresses, $650 for 64 IP addresses, $850 for 128 IP addresses, and $1,650 for 256 IP addresses. These licenses are actually one-year subscriptions, as Retina will not function after the one-year period is over unless you renew the subscription.
While your subscription period is valid, you can download and install updates for Retina. These updates take two forms: patches for the Retina scanner itself, and vulnerability definition updates that allow Retina to recognize the latest vulnerabilities and exploits. Retina therefore has to be kept up to date in the same way that antivirus scanners are.
Retina must be installed on the Windows operating system; supported versions of Windows run from Windows 2000 to Windows Server 2008. Retina can scan all networked hosts regardless of operating system, however.
Retina is one of the main network scanners used in the Department of Defense (DoD). In March of 2010 eEye was named as the DoD’s “vendor of choice” for providing cyber security solutions.
When you launch Retina you will see the main user interface as depicted below.
Usage options are divided among four interface tabs: Discover, Audit, Remediate, and Report.
- Retina main options
- Using Retina
- Retina ‘Tools’ options
- Retina Community Edition
- Recommended reading
In the Discover pane you can set up a simple scan to discover live hosts and the ports that are open on them. This is helpful for when you want to scan an entire subnet but aren’t sure which IP addresses are active.
The Audit tab is where you enter the parameters for the actual vulnerability scan. You specify the actual target hosts and target ports, the audits that Retina should run (e.g., audits for databases, SANS Top 20, virtualization, web applications, etc.), generic scan options (such as OS detection, reverse DNS on IP addresses, MAC address retrieval, web application and database scanning, and enumeration customization), and lastly, the credentials the scan should use. Entering valid administrative/root credentials is a key step because you want Retina to be able to authenticate on the target hosts to fully access their internal settings and software version levels.
The Remediate tab is where you can generate a basic report of what Retina found during its scan which also contains suggestions for remediating the security weaknesses. You can have the scan results sorted by machine (host), by vulnerability, or by CVE/IAV findings. Vulnerabilities can be sorted by name, risk, or severity code. You can also specify the level of detail and display options such as page breaks and optional job metrics or detailed audit status. Once the remediation report is generated and displayed within Retina, you can export it to HTML or Word .doc format.
The Report pane is where you can generate more formal reports than the Remediate pane offers. You can have Retina issue executive, summary, vulnerability export, non-compliant, access, and PCI compliance reports. Once you have chosen the report format you want, you can then select the various components that should appear in the report, such as top vulnerabilities, top open ports, top running services, DNS names, MAC addresses, etc. All reports can be exported to HTML or Word .doc format. ‘Summary’ reports can also be exported to .txt format; ‘Vulnerability’ and ‘Non-compliant’ reports can be exported to XML format (‘Vulnerability’ can go to CSV as well).
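The Remediate and Report tabs let you sort findings by host, by vulnerability, or by risk, and the ‘Vulnerability’ report can be exported to CSV. The script below is an added example (not part of the original article and not eEye's own code) of doing the same grouping and ranking outside Retina on such a CSV export, for example to feed a ticketing system. The column names (Host, Port, Vulnerability, Risk, CVE), the risk labels and the sample rows are all constructed assumptions; adapt the header mapping to the layout of the file you actually export.

```python
"""Post-process a vulnerability CSV export of the kind Retina can produce.

Added example, not part of the original article and not eEye's own code.
The column names below are an assumption: the real CSV layout is not
documented on the page, so adapt the header mapping to the file you export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; hosts, vulnerability names and CVE ids are
# placeholders invented for illustration only.
SAMPLE_CSV = """Host,Port,Vulnerability,Risk,CVE
192.168.1.10,445,EXAMPLE-SMB-WEAKNESS,High,CVE-0000-0001
192.168.1.10,80,EXAMPLE-WEB-WEAKNESS,Medium,
192.168.1.20,445,EXAMPLE-SMB-WEAKNESS,High,CVE-0000-0001
192.168.1.20,22,EXAMPLE-SSH-BANNER,Low,
192.168.1.30,3306,EXAMPLE-DB-DEFAULT-CREDS,High,CVE-0000-0002
"""

# Higher number = more urgent; matches the risk labels used in the sample.
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}


def parse_export(text):
    """Return one dict per finding, dropping blank rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("Host")]


def findings_by_host(findings):
    """Group findings by host; each host's list is ordered by descending risk."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["Host"]].append(f)
    for host in grouped:
        grouped[host].sort(key=lambda f: RISK_ORDER.get(f["Risk"], -1), reverse=True)
    return dict(grouped)


def findings_by_vulnerability(findings):
    """Invert the view: vulnerability name -> sorted list of affected hosts."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["Vulnerability"]].add(f["Host"])
    return {name: sorted(hosts) for name, hosts in grouped.items()}


def top_vulnerabilities(findings, limit=3):
    """Rank vulnerabilities by affected-host count, then risk ('top N' report)."""
    by_name = findings_by_vulnerability(findings)
    risk_of = {f["Vulnerability"]: RISK_ORDER.get(f["Risk"], -1) for f in findings}
    ranked = sorted(by_name, key=lambda n: (len(by_name[n]), risk_of[n]), reverse=True)
    return ranked[:limit]


def hosts_with_cve(findings, cve):
    """All hosts carrying a given CVE id, useful for tracking one advisory."""
    return sorted({f["Host"] for f in findings if f["CVE"] == cve})


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for host, items in findings_by_host(rows).items():
        print(host, [(i["Vulnerability"], i["Risk"]) for i in items])
    print("top:", top_vulnerabilities(rows))
    print("CVE-0000-0001 on:", hosts_with_cve(rows, "CVE-0000-0001"))
```

The per-host view mirrors the Remediate tab's "by machine" sort, the inverted view mirrors "by vulnerability", and `top_vulnerabilities` reproduces the "top vulnerabilities" component of the Report tab; grouping by CVE is what you want when a single advisory has to be closed out across many hosts.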
Retina main options
In the left pane you can click Options to configure Retina to meet your preferences. The Options interface contains four tabs of its own: General, Event Routing, Scanner, and Management.
General – here you can specify if Retina should maintain a log of its operations. You can also set Retina to check for updates at certain times.
Event Routing – if you want Retina to send its log reports to a REM or Retina CS log server, you can enable this setting and specify which types of logs Retina should send. REM and Retina CS are centralized threat management consoles for security events.
Scanner – here you can specify the maximum number of target hosts Retina should scan at once, the timeout for ping replies, and global scan restrictions (which enable you to specify at what times Retina can or cannot be run).
Central Policy – if there is a REM Events Manager or Retina CS server on your network, you can configure Retina as a client to comply with any policies or configurations pushed down from above.
After you understand the Retina usage and configuration options described above, you are ready to launch a scan against live network hosts. Here are the steps to do so.
Let’s say you want to scan all the hosts in a 192.168.1.x network (which would take a 255.255.255.0 subnet mask). However, you are not sure which IP addresses are active in this range. In the Discover tab, select ‘Targets’ and then choose ‘IP Range’. Enter 192.168.1.1 to 192.168.1.254. Alternatively, you could choose ‘CIDR notation’ and enter 192.168.1.1/24. After you have entered the targets, click ‘Discover’. After this initial scan is done, hold down the Ctrl key and click each live host. When you’re done, right-click a selected host and choose “Scan selected items”.
The selected hosts will automatically appear as targets under the Audit tab. Now enter a file name for the output and a descriptive job name to identify this scan within Retina (helpful for when you run many scans). Click through the left-hand Audit sidebar to specify the ports, audits, options, and credentials for the scan to utilize (all described above). When finished, click ‘Scan’ to initiate the scan. Depending on the number of targets and the amount of configured options, the scans may take quite some time to complete.
When the scan is over you will have the opportunity to view and display the results in many different ways under the Remediate and Report tabs (both described above).
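The Discover step above accepts the same hosts either as an explicit range (192.168.1.1 to 192.168.1.254) or in CIDR form (192.168.1.1/24). The following is an added example, not part of the original article and not eEye's code, that expands either notation, confirms the two cover the same hosts, and checks a target list against an approved scan scope before anything is selected for the Audit tab. The spec formats handled, the `out_of_scope` check and the constructed list of "live" hosts are assumptions for illustration; Retina keeps its own target lists internally.

```python
"""Expand a target specification and check it against an approved scan scope.

Added example, not part of the original article and not eEye's code. The
accepted spec formats ('start to end', 'start-end', CIDR) and the scope
check are assumptions; Retina's own target handling is internal to the tool.
"""
import ipaddress


def expand_targets(spec):
    """Return the list of host addresses a target spec covers.

    A CIDR written with a host bit set, such as 192.168.1.1/24, is taken
    to mean the network containing that address (strict=False), so it
    yields .1 through .254, the same hosts as the explicit range.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(h) for h in net.hosts()]
    for sep in (" to ", "-"):
        if sep in spec:
            start, end = (ipaddress.ip_address(p.strip()) for p in spec.split(sep, 1))
            if end < start:
                raise ValueError(f"range end precedes start: {spec}")
            return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
    return [str(ipaddress.ip_address(spec))]


def out_of_scope(targets, approved_cidrs):
    """Targets not inside any approved network; this should be empty before you scan."""
    nets = [ipaddress.ip_network(c, strict=False) for c in approved_cidrs]
    return [t for t in targets if not any(ipaddress.ip_address(t) in n for n in nets)]


def audit_targets(discovered_live, targets):
    """Mimic 'Scan selected items': keep only live hosts that were in the target list."""
    wanted = set(targets)
    return [h for h in discovered_live if h in wanted]


if __name__ == "__main__":
    rng = expand_targets("192.168.1.1 to 192.168.1.254")
    cidr = expand_targets("192.168.1.1/24")
    print(len(rng), "hosts; range and CIDR identical:", rng == cidr)
    # Constructed Discover result: pretend three hosts answered.
    live = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]
    print("selected for Audit:", audit_targets(live, cidr))
    print("outside approved scope:", out_of_scope(cidr + ["10.0.0.5"], ["192.168.1.0/24"]))
```

Running the scope check on the expanded list before clicking ‘Discover’ is a cheap way to catch a mistyped range or mask, which matters because an authenticated Retina audit against an address you are not authorized to scan is noisy and hard to explain afterwards.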
If you need more guidance, visit the eEye Retina support forum and read the following two articles:
Retina ‘Tools’ options
On the Retina toolbar under ‘Tools’ you can access many additional Retina features, such as a scan creation wizard, an audits wizard, and a built-in wireless network scanner. Under ‘Tools’ you can also access interfaces for creating your own groups based on IP address, audit type, credentials, and ports. You can also customize the default audits to meet your liking (for example, if you want Retina to list an account lockout threshold over 10 or more as a finding instead of the default value of 5).
Retina Community Edition
If you want to try Retina for free, have a look at Retina Community Edition (software available here). First released in April 2011, Retina CE is a basic, scaled back version of the commercial product that will give you the opportunity to experiment with the application. The actual differences between the two are spelled out in this comparison.
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book or two using the links below. Thanks!