Performance vs. Speed
People love to argue about scanner speed. This is probably because it is the one aspect of network auditing that is the most understandable to the greatest number of users. It is also the simplest concept to understand. With this in mind we would like to add our philosophy on the subject.
It is obvious that in the case of a security audit, the time spent auditing a single host is not as crucial a parameter as how complete and accurate the scan is. Another important factor is that scans can be scheduled to run unattended and do not require an operator sitting in front of the system running the scan at all times. Scans can be conducted during non-working time, maybe at night when more bandwidth is available and users or hosts are not as easily disrupted. This is the strongest case for taking advantage of automated functions (if your software has them).
One should also understand that the overall performance of any security scanner should be weighted heavily on the accuracy and completeness of the scan results. In an area as complex and important as the security of an organization's electronic assets, quality becomes an inevitable sacrifice to the pursuit of speed. In the security arena there are very few, if any, actual situations that justify this kind of compromise. How smart is it to use a scanner (or scanner configuration) that generates results very quickly, but results that are likely to be incomplete and not entirely trustworthy? Not smart at all.
The single most important factor in evaluating scanner performance should not be its scanning speed for any random subject (host, service, etc.). Instead, we should evaluate its total productivity. This concept takes into consideration many different factors that will, in the end, determine the overall return on investment, including employee time spent conducting the scan. For instance, a scan that is very fast but yields a higher percentage of false positives will, in effect, generate a higher amount of unproductive time spent searching for vulnerabilities that do not exist, therefore costing more.
We feel the most significant factors that should be considered when evaluating the performance of any security scanner are:
  1. How comprehensive and robust is the scanning engine?
  2. How accurate are the results (including false positives)?
  3. How flexible is the configuration and automation of the scanner?
  4. How well does the scanner manage multiple host scans?
  5. How understandable are the resulting reports, and are they complete and fully referenced?
  6. How well designed is the user interface?
Maxpatrol developers were concerned with these points from concept to completion of the product; thus, Maxpatrol offers no single, typical scanning speed. Scanning speed is determined by many variables, including the profile (scan settings), which can have a noticeable impact on the scanning speed for a particular host. Scan times can range from 2 minutes to 2 hours per host depending on the profile and the configuration of the host being scanned. The Maxpatrol installation package contains pre-configured scan profiles for use in a variety of typical situations. Keeping in mind what we have mentioned above, we recommend that you select the best profile for your particular situation, not the one that runs the fastest.
© Copyright 2003-05 Positive Technologies